nyoman

Member
Nov 25, 2008
Hello all,

I was frustrated with our hosting support; they did not do anything about my problem (more than 7 days, just responding with "We are requesting the data center mitigate the attack.")

Ok, here is the problem.

My server was attacked on the SMTP/Exim service. This made our mail server busy, and the "real" mail server and our clients sometimes got a timeout message; some email arrived too late, more than 25 minutes to 1 day (24h).

As a temporary solution I increased smtp_accept_max = 200

In the exim_mainlog I found many errors; some of them look like this:

Code:
2013-08-23 16:07:42 SMTP syntax error in "r\227`\363&\204\335\230u\261\377+\b[w\307\032\203\026\\024\374\3770\355\027\030\311\0039\263_\222\351.\371\2227\223\221gZ\257'\250\246\222\300\265Z\020Y\265\250t\361M\306\r\211\276\261Z p\233&\270\362\345\210Q\025m=\350\341"<\200\373<\323\030E\366\323\257\223\250\320H\202\227\037\337NM\036w\335\375\231\020Z\324\332\255\362\361sE\313\r\214\335<\371\330t\356\342\244\f\373\226"\245+\204\360;\021\006"\324\275?\247u\320\243k\004t\254\370\2414w\0034\313\031w\321\313g\333i\367[\255\376\356<\364\230\324\276%1\004\254\363\307\214\305D``\225\235n\277\236\267\005\215T\244&=>p\276\241\303\243UU\255o\355\372\024\350\3739}\005\036uU\3311\220o^S\234#\334\353\357I\372\200\363\220Z\033 \262\365\261m7)IFSA\341\267>\216x\252&\331\020\033\022&\250\364->@r\177\244\327\313\241o|\214\347\237\b\346\204\220\247X\353\0029\0334\344\322\247\316\271/;\363V\305\v\242Q_Q\030\353WZ\323l\356\003P\033\210\250\323\315\037}\366\351\265'\024\203M<\2243\346\206M4}\031\367\253\030\031E\020\261c\376\020Hy\037\254\336\307\321\250w8\275\365\016h\252\303\245\032\224\217=\202\022\277\326\234,Vo?Jq\b??\356\2362\360lCQ\241\350\334LXhto\337m\v\357\0375\246U\257\262;%\362\312\3264-\205\354\200\257\250\213\026g\233\2446T\366\271\321\036TE\257 NmO>\226\004\215y\240\v\354\017\2554\307+\305\314\247\264\202\322\366\366\327\376\006\024q\226[\223\333.\3046\225\314aM*f\313?b\376(hM\r\305\b\r.\332\217\301\304\026D#\\226\217\334\365\262c\374\346\275\002$$JPB\2743"\341\255\231\263\327I\216\233K\207\246\265\342\037AQR\277\275\347IQ\004\310\225q\304\017\361\205P\313>\236N=8\024\375-1O\251\243\333\352\202\237\361\002?\021Z\032U\026\311\267Dk\007O\255\302\312f7\241\266\177Ki\002\362H*\020\rn\2454!rm \274$\227\354S\326\240\272k\266V\271\[email 
protected]\205\233a\364\0024\322\337O\313\325\307\232c\305\025\377\373\264\021\264\253\200\307\262C\327\346\314\332\344\232Js\263\316\037\023>f\235*\020\227\373\246\205\234\Y\303\353Q\366\035\032D\017\220I''k\266\306?\376MQS\230\263W\353\337?\261\222\272\0220*\177h\254\303\312}H\344!?\024y\211\275C\022!\333\334\251Q\310\[email protected]\372DY\332\003?\[email protected]\302\007t9\214\240\366\203\35693\327\325\320M\361li\330\250\354?\313\2207\231\373}\0050_\2436G\367 \322^\320<\352\366N\216P\216\255\254\310B\206\310\340\332`\303\037|\0364\336"
OK, I found this link http://forums.cpanel.net/f43/exim-acl-block-buffer-overflow-attempts-353841.html that said my Exim was not vulnerable. And I can hide the error message from the log.

But this does not protect my server from the attacker. In the log I still find many error entries like this:

Code:
(n139';;H©°#j:13:15 SMTP call from host-87-75-193-31.dslgb.com [87.75.193.31]:20890 I=[198.x.y.z]:25 dropped: too many syntax or protocol errors (last command was ýü
             -j
ìǾçVÒ
g5zH¬<©b·%0ñ;Ç&øÖ"[½óµÏL¡¨Ê@BÜݾYaDËÔrÆÚa zæ
                      Õ@Àæq¬Ê<ëæµ²æ  b  4¹****Ôu")
Is there any way to block all those IPs from connecting to the server?

For now I block them using iptables:

Code:
for X in `grep "dropped: too many syntax or protocol errors" /var/log/exim_mainlog |cut -d'[' -f2 |cut -d']' -f1 |sort |uniq`; do iptables -A INPUT -s $X -p tcp --dport 25 -j DROP; done

I want something automatic; I tried fail2ban, but I am not very expert in Perl or other languages/scripting.

Thanks for your help


Nyoman
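As an added example (not code from the thread, cPanel or the Exim project), here is a POSIX shell script that does what the iptables one-liner above does but only for IPs that repeat, parsing the exim_mainlog "SMTP call from ... dropped" entry format shown above. The log lines and addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count exim "dropped: too many syntax or
# protocol errors" entries per source IP and emit a DROP rule only for repeat
# offenders. It anchors on "SMTP call from ... [ip]:port" instead of cutting
# on the first "[", so the binary junk exim writes before that text cannot
# confuse the parse. IPv4 only; grep -a stops grep treating the log as binary.

# Constructed sample log in exim_mainlog layout (addresses from RFC 5737).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
(n139[;;H#j:13:15 SMTP call from host-7.example.net [203.0.113.7]:20890 I=[198.51.100.1]:25 dropped: too many syntax or protocol errors (last command was "x")
2013-08-23 16:13:40 SMTP call from host-7.example.net [203.0.113.7]:20911 I=[198.51.100.1]:25 dropped: too many syntax or protocol errors (last command was "y")
2013-08-23 16:14:01 1V2abc-0001Ab-Cd <= user@example.org H=mail.example.org [192.0.2.9] P=esmtp S=1024
2013-08-23 16:14:09 SMTP call from [198.51.100.22]:4410 I=[198.51.100.1]:25 dropped: too many syntax or protocol errors (last command was "z")
2013-08-23 16:14:20 SMTP call from host-7.example.net [203.0.113.7]:20950 I=[198.51.100.1]:25 dropped: too many syntax or protocol errors (last command was "q")
EOF

# count_offenders LOG: print "count ip" for each source IP dropped for errors.
count_offenders() {
    grep -a 'dropped: too many syntax or protocol errors' "$1" \
      | sed -n 's/.*SMTP call from [^[]*\[\([0-9.]*\)\]:[0-9]*.*/\1/p' \
      | sort | uniq -c | awk '{print $1, $2}'
}

# offenders_over LOG THRESHOLD: IPs dropped at least THRESHOLD times.
offenders_over() {
    count_offenders "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# block_rules LOG THRESHOLD: print one idempotent iptables command per IP
# (-C checks for an existing rule, so re-running from cron adds no duplicates).
block_rules() {
    offenders_over "$1" "$2" | while read -r ip; do
        printf 'iptables -C INPUT -s %s -p tcp --dport 25 -j DROP 2>/dev/null || iptables -A INPUT -s %s -p tcp --dport 25 -j DROP\n' "$ip" "$ip"
    done
}

# Demo: only 203.0.113.7 (3 hits) crosses a threshold of 3; nothing is applied.
block_rules "$SAMPLE_LOG" 3
```

Point it at /var/log/exim_mainlog with a threshold that suits your traffic, review the printed rules, then pipe them to sh (or run it from cron) once the list looks right.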
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Mitigating the attack from the data center may be the best way to resolve this issue. However, there is a user-submitted alternative solution posted on the following thread:

Sustained Exim Attack

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
I posted another regex in that thread that should work for you.

Also, you may want to adjust logrotate settings to rotate daily instead of weekly, as this attack can create extremely large exim logs.
 

nyoman

Member
Nov 25, 2008
Thanks Michael.

Thanks quizknows, I hope this one works.