Mein Server versendet SPAM in Massen

D

deepforces

Gast
Hallo,

wie man sieht bin ich neu hier und habe mich hier angemeldet um eine Lösung für mein Problem zu finden. Leider hat die Suchfunktion nichts passendes zu meinen Stichpunkten ausgespuckt. Also will ich kurz mein Problem schildern und hoffe auf Hilfe von euch!

Der Webserver ist eine Instanz mit CentOS System von Amazon Web Services, wird sicher der ein oder andere gehört haben. Auf diesem Server laufen einige Kundenprojekte, darunter auch mehrere Wordpress-Systeme. Eines dieser Systeme hatte vor einiger Zeit noch einen alten Softwarestand, weil der Kunde keine Updates gemacht hat. Über eine Sicherheitslücke hat sich dann ein PHP-Script in dem _THEMENAME_/theme/js Ordner eingenistet und von dort aus Spam verschickt. Dieses Script, konnte ich dank Pfadangabe in der /var/log/phpmail.log schnell ausfindig machen und entfernen. Alle Wordpress Systeme wurde natürlich auf einen aktuellen Stand gebracht.

Hier das Script:
http://pastebin.com/grp31ZW4

Nun zu meinem eigentlichen, weiterhin bestehenden Problem:

Irgendwas auf dem Server verschickt immer noch fleißig SPAM-Nachrichten mit sendmail und ich verzweifel daran irgendwie herauszufinden wo der Übeltäter steckt. Ich bin kein Linux Guru und habe mir daher in den letzten Tagen versucht über Google weiterzuhelfen. Bislang komplett erfolglos.

Wenn ich in den Maillog schaue, werden dort halbsekündlich neue Einträge generiert!
Code:
tail -f /var/log/maillog

Code:
-rw-r--r--  1 root   root    309M 25. Apr 13:32 maillog
-rw-r--r--  1 root   root    3,3G 13. Apr 03:07 maillog-20140413
-rw-r--r--  1 root   root    3,0G 20. Apr 03:09 maillog-20140420

Hier ein Auszug aus der aktuellen Maillog Datei
Code:
Apr 25 13:31:26 _SERVER-IP_ sendmail[6903]: s3MA3VMU019603: to=<loraine_mcfarland@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+14:34:13, xdelay=00:00:00, mailer=esmtp, pri=932242, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:26 _SERVER-IP_ sendmail[6903]: s3MJ3VVL029838: to=<esperanza_foreman@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+13:26:35, xdelay=00:00:00, mailer=esmtp, pri=932242, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:26 _SERVER-IP_ sendmail[6903]: s3MA3VCd019603: to=<julianne_gilmore@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+23:32:04, xdelay=00:00:00, mailer=esmtp, pri=932242, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:26 _SERVER-IP_ sendmail[6903]: s3MK3VFT032435: to=<margaret_mcleod@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+12:45:13, xdelay=00:00:00, mailer=esmtp, pri=932242, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:26 _SERVER-IP_ sendmail[6903]: s3N0cjop002493: to=<maritza_hatfield@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+12:52:41, xdelay=00:00:00, mailer=esmtp, pri=932242, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:27 _SERVER-IP_ sendmail[6903]: s3MH0awR014985: to=<kelsey_hardin@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+20:30:50, xdelay=00:00:00, mailer=esmtp, pri=932243, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:27 _SERVER-IP_ sendmail[6903]: s3M83Vjv002102: to=<christine_perez@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=3+00:59:12, xdelay=00:00:00, mailer=esmtp, pri=932243, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:27 _SERVER-IP_ sendmail[1571]: s3MLMeQm019285: to=<stios16@hotmail.co.uk>, delay=2+16:08:47, xdelay=00:00:02, mailer=esmtp, pri=1560912, relay=mx3.hotmail.com. [207.46.8.199], dsn=4.0.0, stat=Deferred: 421 RP-001 (BAY0-MC6-F26) Unfortunately, some messages from 54.228.241.30 weren't sent. Pl...t per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
Apr 25 13:31:27 _SERVER-IP_ sendmail[1571]: s3MHenGd021795: to=<jubileeperwad@yahoo.cm>, delay=2+19:50:38, xdelay=00:00:00, mailer=esmtp, pri=1200912, relay=yahoo.cm., dsn=4.0.0, stat=Deferred: Connection timed out with yahoo.cm.
Apr 25 13:31:27 _SERVER-IP_ sendmail[1571]: s3MNOiPI016277: to=<aseemasong@aol.com>, delay=2+14:06:43, xdelay=00:00:00, mailer=esmtp, pri=1560912, relay=mailin-04.mx.aol.com., dsn=4.0.0, stat=Deferred
Apr 25 13:31:27 _SERVER-IP_ sendmail[32568]: s3MAZ40p023743: to=<quan.hoang40@yahoo.com>, delay=3+02:56:23, xdelay=00:00:02, mailer=esmtp, pri=840952, relay=mta6.am0.yahoodns.net. [98.138.112.38], dsn=4.0.0, stat=Deferred: 421 4.7.1 [TS03] All messages from 54.228.241.30 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Apr 25 13:31:27 _SERVER-IP_ sendmail[32568]: s3MBUXo3029652: SYSERR(root): readqf: cannot open ./dfs3MBUXo3029652: No such file or directory
Apr 25 13:31:27 _SERVER-IP_ sendmail[405]: s3MNmmrW022355: to=<hagenpagz@yahoo.com>, delay=2+13:42:39, xdelay=00:00:02, mailer=esmtp, pri=1561030, relay=mta6.am0.yahoodns.net. [63.250.192.45], dsn=4.0.0, stat=Deferred: 421 4.7.1 [TS03] All messages from 54.228.241.30 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Apr 25 13:31:27 _SERVER-IP_ sendmail[405]: s3MNN9BB015216: to=<aande15875@aol.com>, delay=2+14:08:18, xdelay=00:00:00, mailer=esmtp, pri=1561030, relay=mailin-02.mx.aol.com., dsn=4.0.0, stat=Deferred
Apr 25 13:31:27 _SERVER-IP_ sendmail[3535]: s3MGrR38014416: to=<williammolina84@hotmail.com>, delay=2+20:38:00, xdelay=00:00:02, mailer=esmtp, pri=1110998, relay=mx1.hotmail.com. [65.55.37.88], dsn=4.0.0, stat=Deferred: 421 RP-001 (COL0-MC2-F30) Unfortunately, some messages from 54.228.241.30 weren't sent. Pl...t per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
Apr 25 13:31:27 _SERVER-IP_ sendmail[405]: s3MLmqbS026389: to=<volcomestone228@aol.com>, delay=2+15:42:35, xdelay=00:00:00, mailer=esmtp, pri=1561031, relay=mailin-01.mx.aol.com., dsn=4.0.0, stat=Deferred
Apr 25 13:31:27 _SERVER-IP_ sendmail[759]: s3N4xFkV020281: to=<gmatthewst@gmail.com>, delay=2+08:32:12, xdelay=00:01:37, mailer=esmtp, pri=1200971, relay=alt4.gmail-smtp-in.l.google.com. [74.125.193.26], dsn=4.2.2, stat=Deferred: 452-4.2.2 The email account that you tried to reach is over quota. Please direct
Apr 25 13:31:27 _SERVER-IP_ sendmail[8619]: s3MIiVpE027814: to=<sjrhey@hotmail.com>, delay=2+18:46:56, xdelay=00:00:02, mailer=esmtp, pri=1290995, relay=mx4.hotmail.com. [65.54.188.126], dsn=4.0.0, stat=Deferred: 421 RP-001 (BAY0-MC4-F22) Unfortunately, some messages from 54.228.241.30 weren't sent. Pl...t per hour and per day. You can also refer to http://mail.live.com/mail/troubleshooting.aspx#errors.
Apr 25 13:31:27 _SERVER-IP_ sendmail[8218]: s3MGeg6N011968: to=<niraj273@yahoo.com>, delay=2+20:50:45, xdelay=00:00:02, mailer=esmtp, pri=1021096, relay=mta5.am0.yahoodns.net. [98.136.217.202], dsn=4.0.0, stat=Deferred: 421 4.7.1 [TS03] All messages from 54.228.241.30 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Apr 25 13:31:28 _SERVER-IP_ sendmail[7891]: s3NB3Bx4013728: to=<thesearch1979@yahoo.com>, delay=2+02:28:17, xdelay=00:00:02, mailer=esmtp, pri=1200974, relay=mta6.am0.yahoodns.net. [98.136.217.203], dsn=4.0.0, stat=Deferred: 421 4.7.1 [TS03] All messages from 54.228.241.30 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Apr 25 13:31:28 _SERVER-IP_ sendmail[7891]: s3O7NWt8006397: to=<charlescuchiara@aol.com>, delay=1+06:04:42, xdelay=00:00:00, mailer=esmtp, pri=1200974, relay=mailin-04.mx.aol.com., dsn=4.0.0, stat=Deferred
Apr 25 13:31:28 _SERVER-IP_ sendmail[7891]: s3O0gKxf012852: to=<ghiaconv@aol.com>, delay=1+12:49:08, xdelay=00:00:00, mailer=esmtp, pri=1200974, relay=mailin-01.mx.aol.com., dsn=4.0.0, stat=Deferred
Apr 25 13:31:28 _SERVER-IP_ sendmail[7891]: s3MFcskt007031: to=<dtrettenbach@aol.com>, delay=2+21:52:34, xdelay=00:00:00, mailer=esmtp, pri=930974, relay=mailin-02.mx.aol.com., dsn=4.0.0, stat=Deferred
Apr 25 13:31:28 _SERVER-IP_ sendmail[32568]: s3MBUXo3029652: to=<vallwschristopher@yahoo.com>, delay=3+02:00:54, xdelay=00:00:01, mailer=esmtp, pri=840952, relay=mta5.am0.yahoodns.net. [66.196.118.36], dsn=4.0.0, stat=Deferred: 421 4.7.1 [TS03] All messages from 54.228.241.30 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
Apr 25 13:31:28 _SERVER-IP_ sendmail[32568]: s3MBGI11026947: SYSERR(root): readqf: cannot open ./dfs3MBGI11026947: No such file or directory
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MJ3VVI029838: to=<aurelia_lambert@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+13:26:52, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MI3VCM024164: to=<corine_cross@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+14:37:28, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3ME3VZt004466: to=<georgia_randall@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+18:08:05, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MH3VGE015787: to=<helga_galloway@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+15:50:19, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MA3VEA019603: to=<latisha_nunez@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+23:25:18, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MC3V0W031060: to=<verna_keller@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+21:40:05, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MD3Vlu002713: to=<kathleen_baxter@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+20:47:12, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MD3Vme002713: to=<shelia_campos@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+20:40:40, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MA3VEH019603: to=<latisha_nunez@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+23:24:51, xdelay=00:00:00, mailer=esmtp, pri=932245, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MC3V4t031060: to=<carmen_harper@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+20:33:54, xdelay=00:00:00, mailer=esmtp, pri=932246, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MEbL2O005067: to=<wilda_irwin@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+22:54:08, xdelay=00:00:00, mailer=esmtp, pri=932246, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3M93VYn013450: to=<bonnie_levy@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=3+00:25:42, xdelay=00:00:00, mailer=esmtp, pri=932246, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.
Apr 25 13:31:29 _SERVER-IP_ sendmail[6903]: s3MB3V27026039: to=<penny_levine@kundenserver-876378923.eu-west-1.elb.amazonaws.com>, delay=2+22:20:06, xdelay=00:00:00, mailer=esmtp, pri=932246, relay=kundenserver-876378923....elb.amazonaws.com., dsn=4.0.0, stat=Deferred: Connection refused by kundenserver-876378923.eu-west-1.elb.amazonaws.com.

Anmerkung:
"kundenserver-876378923.eu-west-1.elb.amazonaws.com." ist ein Elastic Load Balancer (ELB) der den Traffic auf die Instanz weiterleitet.

Vielleicht hat jemand einen Tipp für mich und ich bekomme das irgendwie in den Griff. Mittlerweile ist der Server auch schon blacklisted und Kunden E-Mails landen wenn überhaupt höchstens im SPAM Ordner. :/

Gruß & Danke,
Tim
 

Ähnliche Themen

Autostart von X mit google-chrome durch systemd

Rollei Mini Wifi Camcorder

Mail via Terminal will nicht

dovecot und postfix Konfiguration Problem

Festplatte stirbt, dd funktioniert nicht

Sucheingaben

98.136.217.203

Neueste Beiträge

Oben