
Spam in Queue - "invoked by network" unable to find source

mikcanavan

Basic Pleskian
I have read through numerous posts regarding "invoked by UID XX" but cannot apply the same solutions to my issue.

Example header :

Received: (qmail 5822 invoked from network); 22 Oct 2008 11:52:19 +0100
Received: from XXX.MYSERVER.co.uk (HELO a-5dea45b301664) (121.206.72.108)
by XXX.MYSERVER.co.uk with SMTP; 22 Oct 2008 11:52:18 +0100
From: =?gb2312?B?QVpLWVjXorLhseC6xQ==?= <[email protected]>
Subject: =?gb2312?B?xPq1xNDCSUQ6NzI5NTg5NTk=?=
To: [email protected]
Content-Type: text/html;
charset="gb2312"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Date: Wed, 22 Oct 2008 18:52:19 +0800

Example of maillog:

/usr/local/psa/var/log/maillog:Oct 22 09:47:24 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3011 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:47:24 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3007 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:47:26 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:47:26 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:47:26 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:47:26 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:48:34 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3162 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:48:34 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3165 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:48:34 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3168 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:48:35 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:48:35 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:48:35 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:48:35 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:49:43 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3416 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:49:44 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3419 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:49:45 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:49:45 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:49:45 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:49:45 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:49:45 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 121.206.72.108:3426 (plesk1.fivenines.co.uk)
/usr/local/psa/var/log/maillog:Oct 22 09:49:47 plesk1 smtp_auth: SMTP connect from (null)@plesk1.fivenines.co.uk [121.206.72.108]
/usr/local/psa/var/log/maillog:Oct 22 09:49:47 plesk1 smtp_auth: smtp_auth: FAILED: administrator - password incorrect from (null)@plesk1.fivenines.co.uk [121.206.72.108]

All I can see is FAILED - no successful logins? And as far as I can understand it - this person must have authenticated somehow, as I have the server set to require SMTP authentication.

Any ideas how I can track down how this person is logging in?
 
Where is that header from?

The log does seem to indicate that IP is trying but failing to authenticate, and therefore not able to send email.

But if you have headers I presume there's email somewhere?

Faris.
 
Did you ever figure this out? I'm seeing this on my server. Spam messages sent FROM one of my Plesk servers "invoked from network." According to http://kb.odin.com/en/766 this means a user is compromised, but I can't locate which. I found the IP, but /usr/local/psa/var/log/maillog is no help as it only shows:

Dec 25 06:33:34 server relaylock: /var/qmail/bin/relaylock: mail from xx.xx.xx.xxx:14358
Dec 25 06:33:34 server smtp_auth: SMTP connect from (null)@xx.xx.net [xx.xx.xx.xxx]
Dec 25 06:33:34 server smtp_auth: smtp_auth: SMTP user ° /lib/plesk/mail/auth/passwd.db : logged in from (null)@xx.xx.net [xx.xx.xx.xxx]
Dec 25 06:33:42 server relaylock: /var/qmail/bin/relaylock: mail from xx.xx.net [xx.xx.xx.xxx]
Dec 25 06:33:42 server smtp_auth: SMTP connect from (null)@xx.xx.net [xx.xx.xx.xxx]
Dec 25 06:33:42 server smtp_auth: smtp_auth: SMTP user /lib/plesk/mail/auth/passwd.db : logged in from (null)@xx.xx.net [xx.xx.xx.xxx]

(replaced actual IP)
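Both posts above come down to the same question: given the relaylock/smtp_auth lines, which mailbox did the sending IP actually authenticate as. The following is an added example, not code from the thread or from Plesk, that parses smtp_auth lines over a constructed sample and groups failed guesses and successful logins by source IP; the line format is assumed from what is quoted in this thread, and all hosts, users and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the Plesk/qmail maillog format quoted in this thread
# (hostnames, users and IPs are made up; 192.0.2.10 plays the guessing client).
SAMPLE_LOG = """\
Oct 22 09:47:24 plesk1 relaylock: /var/qmail/bin/relaylock: mail from 192.0.2.10:3011 (plesk1.example.net)
Oct 22 09:47:26 plesk1 smtp_auth: SMTP connect from (null)@plesk1.example.net [192.0.2.10]
Oct 22 09:47:26 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.example.net [192.0.2.10]
Oct 22 09:49:47 plesk1 smtp_auth: smtp_auth: FAILED: administrator - password incorrect from (null)@plesk1.example.net [192.0.2.10]
Oct 22 09:49:47 plesk1 smtp_auth: smtp_auth: FAILED: www - password incorrect from (null)@plesk1.example.net [192.0.2.10]
Oct 22 09:52:10 plesk1 smtp_auth: smtp_auth: SMTP user sales@example.net : logged in from (null)@plesk1.example.net [192.0.2.10]
Oct 22 10:01:02 plesk1 smtp_auth: smtp_auth: SMTP user bob@example.org : logged in from (null)@mail.example.org [198.51.100.7]
"""

# Failed guess: "... FAILED: <user> - password incorrect from <host> [<ip>]"
FAILED_RE = re.compile(r"smtp_auth: FAILED: (?P<user>\S+) - .* \[(?P<ip>[\d.]+)\]$")
# Success: "... SMTP user <user> : logged in from <host> [<ip>]". The user field is
# captured lazily up to " : logged in from" because Plesk versions differ in what
# they print there (the thread's own example shows extra text after the name).
LOGIN_RE = re.compile(r"SMTP user (?P<user>.+?) : logged in from .* \[(?P<ip>[\d.]+)\]$")


def summarize(log_text):
    """Per source IP: how often each account failed and each account logged in."""
    report = defaultdict(lambda: {"failed": defaultdict(int), "logged_in": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            report[m["ip"]]["logged_in"][m["user"]] += 1
            continue
        m = FAILED_RE.search(line)
        if m:
            report[m["ip"]]["failed"][m["user"]] += 1
    return report


def accounts_used_from(report, ip):
    """Which mailbox credentials a given IP authenticated with (sorted)."""
    return sorted(report.get(ip, {"logged_in": {}})["logged_in"])


def flagged_ips(report, min_failures=1):
    """IPs with at least min_failures wrong guesses that also logged in
    successfully: the accounts they used are the ones to reset first."""
    return {ip: sorted(r["logged_in"]) for ip, r in report.items()
            if r["logged_in"] and sum(r["failed"].values()) >= min_failures}


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip, users in flagged_ips(rep).items():
        print(f"{ip}: failed guesses plus successful login as {users}")
```

Run it against the real file with `summarize(open("/usr/local/psa/var/log/maillog").read())` and look up the IP from the message's Received header with `accounts_used_from`.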
 