Re: Strange locally-originating spam messages from sport.qc.ca
Hi.
On Thu, Mar 30, 2023 at 12:19:24PM +0100, Julian Gilbey wrote:
> The log seems quite unhelpful here, though I may be missing
> something. Here is an example:
I disagree. There's nothing to miss here, thus you're correct.
> 2023-03-29 00:07:19 1phIPT-0047NQ-0H <= <> H=(LOCALHOSTNAME) [::1] P=smtp S=2878
That, my friend, is a locally queued mail.
I.e. some process on that very host connected to exim on tcp:25 on the
same host and
> 2023-03-29 00:07:19 1phIPT-0047NQ-0H ** frpjxbkekuek@sport.qc.ca <FRPJXbKeKuek@sport.qc.ca> R=nonlocal: Mailing to remote domains not supported
tried to send an e-mail to that address above.
That exim is probably configured as "local" MTA, so it refused to send
that e-mail.
> It seems to have originated locally ([::1]), which is why I wonder
> whether I've got a virus of some sort.
"Virus" is such a harsh word.
It's malware, plain and simple.
I suggest that you:
1) Power off the problematic host ASAP.
2) Remove the HDD from that host.
3) Attach the HDD to a known clean host, preferably with a different CPU
architecture, and mount the filesystems.
4) Check Debian software for validity (debsums -ac -r ...).
5) Check crontabs (both system and users'), and double-check the www-data
crontab.
6) Check systemd timers, both system and users'.
7) Consider using a very strict AppArmor policy for any LAN-facing
services that you have there in the future (aa-genprof).
> On my internet-facing host, these messages appear to originate from a
> Canadian ISP, but I don't know whether to believe it, given what's
> happening on my other machine.
Be generous, ban the whole AS of that ISP via iptables/nft first.
Consider repeating the steps outlined above for the internet-facing host
too.
Reco
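As an added example (not part of Reco's or Julian's messages), a POSIX shell script that carries out steps 4 to 6 above against a suspect root filesystem mounted read-only on the clean analysis host; the mount point argument and Debian's standard cron and systemd paths are assumed.

```shell
#!/bin/sh
# Offline triage of a Debian root filesystem mounted (read-only) from the
# suspect disk: package integrity with debsums -r, system and per-user
# crontabs (www-data flagged), and systemd timers for system and users.
# The mount point is whatever you pass as $1 (e.g. /mnt/suspect, a placeholder).

# Step 4: verify installed packages against their md5sums, rooted at the mount.
# Skipped with a note when debsums is not installed on the analysis host.
check_packages() {
    root="${1%/}"
    if command -v debsums >/dev/null 2>&1; then
        debsums -ac -r "$root" 2>/dev/null
    else
        echo "debsums not installed on this host; skipping package check"
    fi
}

# Step 5: list system crontab sources and per-user crontabs under the mount.
# A crontab for www-data is unusual on a stock Debian web host and is flagged.
check_crontabs() {
    root="${1%/}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        [ -f "$f" ] && echo "system: $f"
    done
    for f in "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            www-data) echo "SUSPICIOUS user: $f" ;;
            *)        echo "user: $f" ;;
        esac
    done
}

# Step 6: timers added outside the packaged /lib/systemd tree: admin-created
# system timers in /etc/systemd/system and per-user timers under each $HOME.
check_timers() {
    root="${1%/}"
    find "$root/etc/systemd/system" "$root/root/.config/systemd/user" \
         "$root"/home/*/.config/systemd/user -name '*.timer' -type f 2>/dev/null
}

# Usage: sh triage.sh /mnt/suspect
if [ -n "${1:-}" ]; then
    check_packages "$1"; check_crontabs "$1"; check_timers "$1"
fi
```

Compare every listed crontab and timer against what the host's packages ship; anything created by hand that you do not recognise is worth a closer look before deciding whether to rebuild.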