sustained exim attack - syntax errors - mitigation measures

fcbinfo

cPanel Access Level
Root Administrator
Thanks again quizknows. You are a god! o_O

Let me try to understand.

1) Edit: in /etc/csf/regex.custom.pm add in the middle of the file:
Code:
# Match exim's "SMTP call from [ip]:port dropped: too many syntax or protocol errors" lines in CUSTOM1_LOG.
# Return values: log text, offending IP, rule name, trigger count, ports to block, permanent block (1).
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from \[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors/)) {
    return ("Failed exim syntax from","$1","eximdosmatch","2","25,143","1");
}
2) Then in /etc/csf/csf.conf, set CUSTOM1_LOG to /var/log/exim_mainlog

3) Restart csf and lfd

Able to tail -f /var/log/lfd.log and watch as it starts blocking IP addresses

Is that it?

On csf we have an option: I have it enabled
# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = 1
LF_EXIMSYNTAX_PERM = 1

And now, I have IP block limit 4999, and it's working very fast without problems.

And again... thanks for the help.

(PS: do you believe that the many UDP 53 connections are because of this exim attack?)

I have this on my iftop now:

But if I press J... there is a lot more... A LOT
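To see what the step 1 rule actually does, here is an added example (not from the thread and not csf's own code) that applies the same regex to constructed exim_mainlog lines, counts drops per remote IP and reports which IPs reach the rule's trigger count of 2; the log lines and IPs are made up.

```python
import re
from collections import Counter

# Same pattern as the regex.custom.pm rule above, copied unchanged.
EXIM_SYNTAX_DROP = re.compile(
    r"^\d+\D+\d+\D+\d+ \d+\D+\d+\D+\d+ SMTP call from "
    r"\[(\d+\.\d+\.\d+\.\d+)\]:\d+ dropped: too many syntax or protocol errors"
)

# The rule's 4th return value ("2"): lfd blocks after this many matches.
TRIGGER = 2

# Constructed sample of /var/log/exim_mainlog lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
2013-10-25 14:52:01 SMTP call from [192.0.2.10]:4455 dropped: too many syntax or protocol errors (last command was "RCPT TO:<x>")
2013-10-25 14:52:03 1AAAAA-000001-AA <= bounce@example.test H=localhost [127.0.0.1] P=esmtp S=1234
2013-10-25 14:52:05 SMTP call from [192.0.2.10]:4460 dropped: too many syntax or protocol errors (last command was "HELO")
2013-10-25 14:52:07 SMTP call from [198.51.100.7]:2555 dropped: too many syntax or protocol errors (last command was "AUTH")
2013-10-25 14:52:09 SMTP connection from [203.0.113.5]:1234 lost
"""


def syntax_drop_ip(line):
    """Return the remote IP if the line is a syntax/protocol-error drop, else None."""
    m = EXIM_SYNTAX_DROP.match(line)
    return m.group(1) if m else None


def count_drops(log_text):
    """Count drops per remote IP, as lfd does while tailing CUSTOM1_LOG."""
    hits = Counter()
    for line in log_text.splitlines():
        ip = syntax_drop_ip(line)
        if ip:
            hits[ip] += 1
    return hits


def ips_to_block(log_text, trigger=TRIGGER):
    """IPs that reached the trigger count and would be blocked on ports 25,143."""
    return sorted(ip for ip, n in count_drops(log_text).items() if n >= trigger)


if __name__ == "__main__":
    for ip, n in sorted(count_drops(SAMPLE_LOG).items()):
        print(f"{ip}: {n} drop(s)")
    print("would block:", ips_to_block(SAMPLE_LOG))
```

The pattern assumes exim's default timestamp with nothing between the time and "SMTP call from"; with `log_selector = +pid` exim inserts `[pid]` after the time and the rule would never match.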
 

fcbinfo

cPanel Access Level
Root Administrator
Wow... now I'm getting a lot of Relay alerts from so many different IPs.

Are they succeeding in using my SMTP to send e-mails?

Time: Fri Oct 25 14:52:22 2013 -0200
Type: RELAY, Remote IP - IP OF MY SERVER (US/United States/MY.HOSTNAME)
Count: 101 emails relayed
Blocked: No
 

quizknows

cPanel Access Level
DataCenter Provider
Your first steps are correct. In the CSF conf, did you disable these options?

LF_EMAIL_ALERT
and
LF_PERMBLOCK_ALERT

(set both from 1 to 0)

Otherwise your server will try to e-mail you every time it blocks an IP (which will be a LOT). I think that's your relaying problem. Again, restart csf/lfd after changing these options.

If that does not fix it, run "exim -bp" to see what is in the mail queue. You can examine individual messages in WHM mail queue manager or with command line options like

exim -Mvh 1VZu8T-0001oa-EU #view headers
exim -Mvb 1VZu8T-0001oa-EU #view body
exim -Mvl 1VZu8T-0001oa-EU #view logs

If something is relaying spam you should be able to find it that way.

If a user's PHP script is sending spam look for the CWD like this:

Code:
grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c
This will give the number of e-mails sent from each public_html directory.

If it is SMTP login, the above exim commands or info from exim -bp should tell you the compromised account.
 
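As an added example (not quizknows's code and not a cPanel tool), this applies the same triage to constructed exim_mainlog lines: the first function does what the `grep cwd | awk | sort | uniq -c` pipeline does, and the second counts accepted messages per SMTP-authenticated account for the compromised-login case. The users, message ids and IPs are made up, and the `A=dovecot_login:<account>` form is assumed to be how cPanel's exim logs authenticated submissions.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (invented users, documentation IPs, fake message ids).
# The "A=dovecot_login:<account>" field is an assumption about cPanel's exim authenticator name.
SAMPLE_LOG = """\
2013-10-25 14:52:01 cwd=/home/alice/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2013-10-25 14:52:01 1AAAAA-000001-AA <= alice@example.test U=alice P=local S=2048
2013-10-25 14:52:02 cwd=/home/alice/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2013-10-25 14:52:03 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2013-10-25 14:52:04 cwd=/etc/csf 4 args: /usr/sbin/sendmail -t -i root
2013-10-25 14:52:05 1AAAAA-000002-AA <= carol@example.test H=(x) [198.51.100.7] P=esmtpsa A=dovecot_login:carol@example.test S=3100
2013-10-25 14:52:06 1AAAAA-000003-AA <= carol@example.test H=(x) [198.51.100.7] P=esmtpsa A=dovecot_login:carol@example.test S=3100
2013-10-25 14:52:07 1AAAAA-000004-AA <= dave@example.test H=(y) [203.0.113.5] P=esmtpsa A=dovecot_login:dave@example.test S=900
"""

# Authenticated message arrival: "<= sender ... A=<authenticator>:<account>".
AUTH_RE = re.compile(r" <= .* A=\w+:(\S+)")


def sends_by_public_html_cwd(log_text):
    """Same selection as grep cwd | awk '/public_html/ {print $3}' | sort | uniq -c:
    count sendmail invocations per public_html working directory (field 3 is cwd=...)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "cwd" in line and "public_html" in line:
            counts[line.split()[2]] += 1
    return counts


def sends_by_smtp_auth(log_text):
    """Count accepted messages per SMTP-authenticated account (the compromised-login case)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def top_source(log_text):
    """Busiest script directory and busiest authenticated account, or None for each."""
    cwd = sends_by_public_html_cwd(log_text).most_common(1)
    auth = sends_by_smtp_auth(log_text).most_common(1)
    return (cwd[0] if cwd else None, auth[0] if auth else None)


if __name__ == "__main__":
    for key, n in sends_by_public_html_cwd(SAMPLE_LOG).most_common():
        print(f"{n:6d} {key}")
    for key, n in sends_by_smtp_auth(SAMPLE_LOG).most_common():
        print(f"{n:6d} A={key}")
```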

fcbinfo

cPanel Access Level
Root Administrator
Wow... then the option LF_EXIMSYNTAX does the same job?

That's why I ask about it, because when I look at that config, I already have this enabled.
 

rligg

I have been dealing with this on one server for about a month. The server is handling it fine, but it just won't go away.