kojow7
Asked: 2016-02-19 08:43:49 +0800 CST

Open relay or some other problem?

  • 772

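I am running a dovecot/postfix server with virtual users/aliases. According to tools such as http://www.mailradar.com/openrelay/, I do not have any open relays. However, there are a lot of records showing up in my syslog which lead me to believe that something is being accessed that shouldn't be. Here is a portion of my syslog (with self-identifying information changed, of course):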

Feb 18 10:13:42 server1 postfix/pickup[3995]: 1A6413627F: uid=33 from=<www-data>
Feb 18 10:13:42 server1 postfix/cleanup[3826]: 1A6413627F: message-id=<20160218161342.1A6413627F@server1.myserverdomain.com>
Feb 18 10:13:42 server1 opendkim[4285]: 1A6413627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:13:42 server1 opendkim[4285]: 1A6413627F: no signature data
Feb 18 10:13:42 server1 postfix/qmgr[4479]: 1A6413627F: from=<www-data@myemaildomain.com>, size=2153, nrcpt=1 (queue active)
Feb 18 10:13:43 server1 postfix/smtp[4007]: 1A6413627F: to=<a...a@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.9, delays=0.01/0/0.77/1.1, dsn=2.0.0, status=sent (250 OK id=1aWRD5-0005o9-J0)
Feb 18 10:13:43 server1 postfix/qmgr[4479]: 1A6413627F: removed


Feb 18 10:13:54 server1 postfix/pickup[3995]: 5CF523627F: uid=33 from=<www-data>
Feb 18 10:13:54 server1 postfix/cleanup[3826]: 5CF523627F: message-id=<20160218161354.5CF523627F@server1.myserverdomain.com>
Feb 18 10:13:54 server1 opendkim[4285]: 5CF523627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:13:54 server1 opendkim[4285]: 5CF523627F: no signature data
Feb 18 10:13:54 server1 postfix/qmgr[4479]: 5CF523627F: from=<www-data@myemaildomain.com>, size=2158, nrcpt=1 (queue active)
Feb 18 10:13:55 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:48:b9:08:00 SRC=45.33.58.84 DST=216.58.192.14 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=45696 PROTO=UDP SPT=53 DPT=51450 LEN=53 
Feb 18 10:13:55 server1 postfix/smtp[3982]: 5CF523627F: to=<y...s@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=1.6, delays=0.01/0/0.55/1, dsn=2.0.0, status=sent (250 OK id=1aWRDH-0003yi-IS)
Feb 18 10:13:55 server1 postfix/qmgr[4479]: 5CF523627F: removed


Feb 18 10:14:02 server1 postfix/pickup[3995]: A72D73627F: uid=33 from=<www-data>
Feb 18 10:14:02 server1 postfix/cleanup[3826]: A72D73627F: message-id=<20160218161402.A72D73627F@server1.myserverdomain.com>
Feb 18 10:14:02 server1 opendkim[4285]: A72D73627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:14:02 server1 opendkim[4285]: A72D73627F: no signature data
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: from=<www-data@myemaildomain.com>, size=2172, nrcpt=1 (queue active)
Feb 18 10:14:02 server1 postfix/smtp[4002]: A72D73627F: to=<c....8@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:400e:c03::1b]:25, delay=0.24, delays=0.01/0/0.09/0.14, dsn=2.0.0, status=sent (250 2.0.0 OK 1455812042 u6si8951789par.57 - gsmtp)
Feb 18 10:14:02 server1 postfix/qmgr[4479]: A72D73627F: removed

Feb 18 10:14:44 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33433 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 18 10:14:47 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33434 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 18 10:14:53 server1 kernel: iptables denied: IN=eth0 OUT= MAC=a3:5d:83:43:56:f1:97:d4:35:6f:f2:a4:08:00 SRC=181.194.185.98 DST=216.58.192.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33435 DF PROTO=TCP SPT=54753 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0 
Feb 18 10:15:01 server1 /USR/SBIN/CRON[4054]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

Feb 18 10:15:02 server1 postfix/pickup[3995]: CDA813627F: uid=33 from=<www-data>
Feb 18 10:15:02 server1 postfix/cleanup[3826]: CDA813627F: message-id=<20160218161502.CDA813627F@server1.myserverdomain.com>
Feb 18 10:15:02 server1 opendkim[4285]: CDA813627F: no signing table match for 'noreply@server1.myserverdomain.com'
Feb 18 10:15:02 server1 opendkim[4285]: CDA813627F: no signature data
Feb 18 10:15:02 server1 postfix/qmgr[4479]: CDA813627F: from=<www-data@myemaildomain.com>, size=2141, nrcpt=1 (queue active)
Feb 18 10:15:03 server1 postfix/smtp[4007]: CDA813627F: host mta6.am0.yahoodns.net[98.138.112.35] said: 421 4.7.0 [GL01] Message from (216.58.192.14) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html (in reply to MAIL FROM command)
Feb 18 10:15:03 server1 postfix/smtp[4007]: CDA813627F: lost connection with mta6.am0.yahoodns.net[98.138.112.35] while sending RCPT TO
Feb 18 10:15:04 server1 postfix/smtp[4007]: CDA813627F: to=<s...6@yahoo.com>, relay=mta6.am0.yahoodns.net[66.196.118.34]:25, delay=1.3, delays=0.02/0/0.49/0.77, dsn=2.0.0, status=sent (250 ok dirdel)
Feb 18 10:15:04 server1 postfix/qmgr[4479]: CDA813627F: removed

Any ideas what the problem is?

postfix

1 Answer

  1. Best Answer
    Michael Hampton
    2016-02-19T09:03:53+08:00

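    These messages originate from the user ID that runs the web server and its web applications. In short, your website has been hacked and is being used to send spam.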

    • 2
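
How to separate local submissions from mail received over the network in a log like the one above, as an added example that is not part of the original question or answer: it pairs each queue ID with the way the message entered Postfix (`pickup` with a uid versus `smtpd` with a client). The sample log is constructed, and the function names and the `max_system_uid` threshold of 999 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the syslog excerpt in the question;
# hostnames, addresses and queue IDs are made up (documentation ranges).
SAMPLE_LOG = """\
Feb 18 10:13:42 server1 postfix/pickup[3995]: 1A6413627F: uid=33 from=<www-data>
Feb 18 10:13:43 server1 postfix/smtp[4007]: 1A6413627F: to=<user1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.9, dsn=2.0.0, status=sent (250 OK)
Feb 18 10:13:54 server1 postfix/pickup[3995]: 5CF523627F: uid=33 from=<www-data>
Feb 18 10:13:55 server1 postfix/smtp[3982]: 5CF523627F: to=<user2@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1.6, dsn=2.0.0, status=sent (250 OK)
Feb 18 10:14:10 server1 postfix/smtpd[4100]: 9B2C01A2B3: client=mail.example.com[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Feb 18 10:14:11 server1 postfix/smtp[4002]: 9B2C01A2B3: to=<bob@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.4, dsn=2.0.0, status=sent (250 OK)
"""

# pickup = mail dropped into the queue by a local process (sendmail binary);
# smtpd  = mail received over the network from an SMTP client.
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+?)(?:,|$)")
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>@]*@([^>]+)>")

def classify(log_text):
    """Group messages by how they entered Postfix, keyed on queue ID."""
    origin = {}  # queue ID -> ("local", uid) or ("network", client)
    report = defaultdict(lambda: {"messages": 0, "rcpt_domains": set()})
    for line in log_text.splitlines():
        if m := PICKUP.search(line):
            origin[m.group(1)] = ("local", int(m.group(2)))
        elif m := SMTPD.search(line):
            origin[m.group(1)] = ("network", m.group(2))
        elif m := DELIVERY.search(line):
            src = origin.get(m.group(1))
            if src:  # only count deliveries whose entry point we saw
                report[src]["rcpt_domains"].add(m.group(2).lower())
            continue
        else:
            continue  # opendkim, kernel, cron and other unrelated lines
        report[origin[m.group(1)]]["messages"] += 1
    return dict(report)

def local_system_senders(log_text, max_system_uid=999):
    """Local submissions from service accounts (uid 33 is www-data on Debian/Ubuntu)."""
    return {src[1]: info for src, info in classify(log_text).items()
            if src[0] == "local" and src[1] <= max_system_uid}

if __name__ == "__main__":
    for uid, info in local_system_senders(SAMPLE_LOG).items():
        print(f"uid={uid}: {info['messages']} message(s) to {sorted(info['rcpt_domains'])}")
```

An open-relay test only exercises the `smtpd` path, so mail that a web application hands to the local sendmail binary never shows up in it; the `pickup` lines with the web server's uid are what to count.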
