# My FreeBSD does spam - Sendmail?



## BjoernG (Jan 3, 2014)

After I returned from my holiday, my webserver was hacked by Moroccan hackers!!!! After some research I found out that they came in through an unsecure Joomla component. I guess I fixed the whole Joomla stuff, but what I actually see is that Sendmail is sending mails permanently! First I set up a drop rule on my firewall on port 25 to see what happens: lots of spam. Then I set up my rc.conf file to stop Sendmail:


```
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
```

but this is not the real solution.

Here is a snip from my /var/log/maillog file:

Oh maybe this helps first, here is my /etc/hosts file:


```
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
"my public ip"            "hostname.domain.com"
```


```
Jan  3 03:30:48 "hostname" sendmail[4774]: r94HUWFw038403: to=<kariannesondresen@hotmail.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:00:14, xdelay=00:00:02, mailer=esmtp, pri=960717, relay=mx2.hotmail.com. [65.55.92.152], dsn=5.0.0, stat=Service unavailable
Jan  3 03:30:48 "hostname" sendmail[4774]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan  3 03:30:51 "hostname" sendmail[4774]: r94HUWFw038403: to=<oubleclick.netprivacy@doubleclick.net>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:00:17, xdelay=00:00:03, mailer=esmtp, pri=960717, relay=aspmx.l.google.com. [173.194.70.26], dsn=5.1.1, stat=User unknown
Jan  3 03:30:51 "hostname" sendmail[4774]: r94HUWFw038403: s0324raY004774: DSN: User unknown
Jan  3 03:30:52 "hostname" sendmail[4774]: s0324raY004774: to=<www@"hostname.domain.com">, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31990, relay=local, dsn=2.0.0, stat=Sent
Jan  3 03:30:57 "hostname" sendmail[4774]: r94HTPA6038174: to=<nationpd@hotmail.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:30, xdelay=00:00:02, mailer=esmtp, pri=960717, relay=mx4.hotmail.com. [65.55.92.152], dsn=5.0.0, stat=Service unavailable
Jan  3 03:30:57 "hostname" sendmail[4774]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan  3 03:30:58 "hostname" sendmail[4774]: r94HTPA6038174: to=<super824693@gmail.com>,<tcostello86@gmail.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:31, xdelay=00:00:01, mailer=esmtp, pri=960717, relay=gmail-smtp-in.l.google.com. [173.194.70.26], dsn=5.0.0, stat=Service unavailable
Jan  3 03:30:59 "hostname" sendmail[4774]: STARTTLS=client, relay=mailin-02.mx.aol.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan  3 03:31:00 "hostname" sendmail[4774]: r94HTPA6038174: mailin-02.mx.aol.com.: SMTP DATA-2 protocol error: 521 5.2.1 :  AOL will not accept delivery of this message.
Jan  3 03:31:00 "hostname" sendmail[4774]: r94HTPA6038174: to=<tang364@aol.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:33, xdelay=00:00:02, mailer=esmtp, pri=960717, relay=mailin-02.mx.aol.com. [64.12.88.163], dsn=5.5.0, stat=Remote protocol error
Jan  3 03:31:04 "hostname" sendmail[4774]: STARTTLS=client, relay=mta6.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-CAMELLIA256-SHA, bits=256/256
Jan  3 03:31:08 "hostname" sendmail[4774]: r94HTPA6038174: to=<missiontravel64@yahoo.com>,<mitch_j19@yahoo.com>,<moyamae29@yahoo.com>,<mrsasia718@yahoo.com>,<palecca@yahoo.com>,<peroastra2000@yahoo.com>,<pittpittfamily@yahoo.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:41, xdelay=00:00:08, mailer=esmtp, pri=960717, relay=mta7.am0.yahoodns.net. [63.250.192.45], dsn=4.0.0, stat=Deferred: 451 Message temporarily deferred - [70]
Jan  3 03:31:09 "hostname" sendmail[4774]: r94HTPA6038174: to=<srmireya4@hotmail.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:42, xdelay=00:00:01, mailer=esmtp, pri=960717, relay=mx2.hotmail.com. [65.55.37.72], dsn=5.1.1, stat=User unknown
Jan  3 03:31:10 "hostname" sendmail[4774]: r94HTPA6038174: to=<rayflanagan453@hotmail.com>,<richard_penman@hotmail.com>,<rmarqt@hotmail.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:43, xdelay=00:00:02, mailer=esmtp, pri=960717, relay=mx2.hotmail.com. [65.55.37.72], dsn=5.0.0, stat=Service unavailable
Jan  3 03:31:13 "hostname" sendmail[4774]: STARTTLS=client, relay=c650-2.bendbroadband.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan  3 03:31:13 "hostname" sendmail[4774]: r94HTPA6038174: to=<williamm@bendbroadband.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+09:01:46, xdelay=00:00:03, mailer=esmtp, pri=960717, relay=c650-2.bendbroadband.com. [216.228.160.147], dsn=5.1.1, stat=User unknown
Jan  3 03:31:14 "hostname" sendmail[4774]: r94HTPA6038174: s0324raZ004774: DSN: Cannot send message for 5 days
Jan  3 03:31:14 "hostname" sendmail[4774]: s0324raZ004774: to=<www@"hostname.domain.com">, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31990, relay=local, dsn=2.0.0, stat=Sent
Jan  3 03:31:19 "hostname" sendmail[4774]: r94FCKAs005664: to=<renzoviero@hotmail.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+11:18:52, xdelay=00:00:04, mailer=esmtp, pri=960717, relay=mx2.hotmail.com. [65.55.92.136], dsn=5.0.0, stat=Service unavailable
Jan  3 03:31:21 "hostname" sendmail[4774]: STARTTLS=client, relay=mail.b-io.co., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan  3 03:31:22 "hostname" sendmail[4774]: r94FCKAs005664: to=<ron@bestbuiltin.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+11:18:55, xdelay=00:00:03, mailer=esmtp, pri=960717, relay=mail.b-io.co. [50.112.106.254], dsn=2.0.0, stat=Sent (Ok: queued as 91F9F436004)
Jan  3 03:31:22 "hostname" sendmail[4774]: r94FCKAs005664: to=<ort67@aol.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+11:18:55, xdelay=00:00:00, mailer=esmtp, pri=960717, relay=mailin-02.mx.aol.com. [64.12.91.195], dsn=5.1.1, stat=User unknown
Jan  3 03:31:24 "hostname" sendmail[4774]: r94FCKAs005664: mailin-02.mx.aol.com.: SMTP DATA-2 protocol error: 521 5.2.1 :  AOL will not accept delivery of this message.
Jan  3 03:31:24 "hostname" sendmail[4774]: r94FCKAs005664: to=<tomhar184@aol.com>, ctladdr=<www@"hostname.domain.com"> (80/80), delay=90+11:18:57, xdelay=00:00:02, mailer=esmtp, pri=960717, relay=mailin-02.mx.aol.com. [64.12.91.195], dsn=5.5.0, stat=Remote protocol error
```

How can I fix Sendmail? How can I find out which files are "infected"?

Thanks in advance.
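As an added defender's example (not part of the original post, and not FreeBSD's or Sendmail's own code), a small Python script that parses maillog lines in the format quoted above and flags local senders running as the web server uid (80, FreeBSD's www user) that are pushing mail to many remote recipients. The log lines below are constructed samples, and the uid and recipient threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post) in the sendmail maillog format shown above.
SAMPLE_LOG = """\
Jan  3 03:30:48 host sendmail[4774]: r94HUWFw038403: to=<a@example.com>, ctladdr=<www@host.example.com> (80/80), delay=90+09:00:14, xdelay=00:00:02, mailer=esmtp, pri=960717, relay=mx.example.com. [192.0.2.10], dsn=5.0.0, stat=Service unavailable
Jan  3 03:30:48 host sendmail[4774]: STARTTLS=client, relay=mx.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan  3 03:31:08 host sendmail[4774]: r94HTPA6038174: to=<b@example.net>,<c@example.net>,<d@example.net>, ctladdr=<www@host.example.com> (80/80), delay=90+09:01:41, xdelay=00:00:08, mailer=esmtp, pri=960717, relay=mx.example.net. [192.0.2.20], dsn=4.0.0, stat=Deferred: 451 Message temporarily deferred
Jan  3 03:31:22 host sendmail[4774]: r94FCKAs005664: to=<e@example.org>, ctladdr=<www@host.example.com> (80/80), delay=90+11:18:55, xdelay=00:00:03, mailer=esmtp, pri=960717, relay=mail.example.org. [192.0.2.30], dsn=2.0.0, stat=Sent (Ok: queued as 91F9F436004)
Jan  3 03:32:00 host sendmail[4801]: s03AAAAA004801: to=<root@host.example.com>, ctladdr=<root@host.example.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30000, relay=local, dsn=2.0.0, stat=Sent
"""

# One "to=" record per delivery attempt. ctladdr names the local sender that injected
# the message and "(80/80)" is that sender's uid/gid; uid 80 is FreeBSD's www user.
ENTRY_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): to=(?P<to>\S+), "
    r"ctladdr=<(?P<ctladdr>[^>]+)> \((?P<uid>\d+)/\d+\).*?dsn=(?P<dsn>\d\.\d+\.\d+)"
)


def summarize_senders(log_text):
    """Aggregate delivery attempts per controlling (local) sender address."""
    stats = defaultdict(lambda: {"uid": None, "queue_ids": set(), "recipients": 0,
                                 "sent": 0, "deferred": 0, "bounced": 0})
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # STARTTLS, DSN and local bounce-delivery lines carry no ctladdr
        s = stats[m["ctladdr"]]
        s["uid"] = int(m["uid"])
        s["queue_ids"].add(m["qid"])
        s["recipients"] += len(re.findall(r"<[^>]+>", m["to"]))
        # dsn class: 2 = delivered, 4 = temporary failure, 5 = permanent failure
        key = {"2": "sent", "4": "deferred", "5": "bounced"}.get(m["dsn"][0])
        if key:
            s[key] += 1
    return dict(stats)


def web_user_senders(log_text, web_uid=80, min_recipients=2):
    """Senders running as the web server uid with at least min_recipients recipients.
    A web server user injecting bulk mail is the pattern the post's maillog shows."""
    return sorted(addr for addr, s in summarize_senders(log_text).items()
                  if s["uid"] == web_uid and s["recipients"] >= min_recipients)
```

Run it over the real /var/log/maillog (and the rotated maillog.*.bz2 files) to get the queue IDs to look up with `mailq`, and the bounce count shows how much of the batch is still being retried.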


----------



## kpa (Jan 3, 2014)

*Re: my bsd does spam - sendmail?*

Reinstall the whole OS from scratch. Back up your /etc and /usr/local/etc directories first so you can easily restore your configuration files after reviewing them for anything suspicious.

If I was in your shoes now I would set up the web server that runs potentially untrusted addons in a jail(8) of its own so that if the web server gets hacked the real host will still stay secure.


----------



## worldi (Jan 3, 2014)


> kpa said:
> Reinstall...

+1. Do not even try to clean things up. It's in vain.

And in case you're bored: check your sshd(8) for funny strings(1).


----------



## BjoernG (Jan 3, 2014)


Cheers mates, I just got a backup with a clean installation - sometimes starting from scratch is faster than debugging an infected OS.

Thanks.


----------



## tingo (Jan 3, 2014)


Now, quickly, update and patch any security issues before the hackers come back.


----------



## BjoernG (Jan 3, 2014)


For sure. Before I opened the firewall I checked for the security holes.


----------

