Hacking

Received a strange e-mail containing server data. Does this mean I've been hacked?

  • October 15, 2014

I just received the following "undelivered mail" notice at my postmaster@mydomain.com.

Does this mean someone may have tried (or succeeded) to hack me?

(For privacy reasons I have replaced some parts below, so this is not 100% the original as I received it.)

This is the mail system at host mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

<ubahreasons@yahoo.com>: host mta7.am0.yahoodns.net[98.138.112.35] said: 554
   delivery error: dd Sorry your message to ubahreasons@yahoo.com cannot be
   delivered. This account has been disabled or discontinued [#102]. -
   mta1303.mail.ne1.yahoo.com (in reply to end of DATA command)



Reporting-MTA: dns; mydomain.com
X-Postfix-Queue-ID: 684A933780CC
X-Postfix-Sender: rfc822; root@mydomain.com
Arrival-Date: Tue, 14 Oct 2014 21:16:56 +0200 (CEST)

Final-Recipient: rfc822; ubahreasons@yahoo.com
Original-Recipient: rfc822;ubahreasons@yahoo.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta7.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd Sorry your message to
   ubahreasons@yahoo.com cannot be delivered. This account has been disabled
   or discontinued [#102]. - mta1303.mail.ne1.yahoo.com


ForwardedMessage.eml
Subject:
TESTING - 2012
From:
root@mydomain.com (root)
Date:
10/14/2014 9:16 PM
To:
ubahreasons@yahoo.com

#############################iNFOS#############################
#############################FOR YOU#############################
Linux servername 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) context=system_u:system_r:initrc_t

#############################SSH iNFOS#############################
#############################FOR YOU#############################
#UsePAM no
UsePAM yes
PermitRootLogin 
#GatewayPorts no
#ListenAddress 0.0.0.0
#ListenAddress ::
#############################SHADOWFILE#############################
#############################SHADOWFILE#############################
root:$1$H4zwKrgL$NA37jPGoTCiPA0mrq/OKq/:15231:0:99999:7:::
bin:*:15431:0:99999:7:::
daemon:*:15431:0:99999:7:::
info:$1$dO1pvRG.$DZUXjGeS4NgDpGNCwX.0b0:14241:0:99999:7::::::
postmaster:$1$gW7jPsgB$dh09VlQ/W0FALpPlR1fPt/:16127:0:99999:7:::
... more stuff like that

#############################iPS#############################
#############################iPS#############################
         inet addr:111.11.111.11  Bcast:111.11.111.11  Mask:255.255.255.0
         inet6 addr: ff11::11ff:11ff:ffff:1111/64 Scope:Link
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
#############################USERS WITH SHELL#############################
#############################USERS WITH SHELL#############################
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
... some more stuff like the first three lines

I'm not the most experienced, so if anyone could advise me on what this means and what to do next... Thanks!

Update:

At the time of the breach, my httpd log file contained the following:

80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "POST http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "CONNECT 80.65.51.219:6667 HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "PUT http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"

Otherwise I can't find anything suspicious.

Any further advice from anyone who has seen something like this before, please comment or answer. Thanks!
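The three httpd lines in the update are not ordinary web requests: a CONNECT method and absolute-URI targets (`POST http://host:port/`) are how a client asks a server to act as a forward proxy, and here the relay target is port 6667. The following script is an added example, not code from the question or the answer, that parses Apache access-log lines and flags such proxy-style requests so a defender can spot the same pattern in their own logs; the sample input reuses the three lines from the question plus one constructed benign request.

```python
import re
from urllib.parse import urlsplit

# Apache Common/Combined Log Format prefix; the referer/agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_URI = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

def proxy_destination(method, target):
    """Return (host, port) when the request asks the server to relay traffic
    elsewhere, else None. Origin-form targets such as /index.html never match."""
    if method == 'CONNECT':                      # CONNECT host:port
        host, sep, port = target.rpartition(':')
        if not sep:
            return target, None
        return host, int(port) if port.isdigit() else None
    if ABSOLUTE_URI.match(target):               # GET/POST http://host:port/path
        u = urlsplit(target)
        return u.hostname, u.port or (443 if u.scheme == 'https' else 80)
    return None

def find_proxy_probes(lines):
    """Parse access-log lines and return those that look like forward-proxy
    use: CONNECT requests or absolute-URI request-targets."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # not a parseable log line
        dest = proxy_destination(m['method'], m['target'])
        if dest is None:
            continue
        hits.append({'src': m['src'], 'method': m['method'],
                     'dest_host': dest[0], 'dest_port': dest[1],
                     'status': int(m['status'])})
    return hits

# Three lines from the question plus one constructed, benign request.
SAMPLE_LOG = """\
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "POST http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "CONNECT 80.65.51.219:6667 HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "PUT http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
203.0.113.5 - - [14/Oct/2014:22:01:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for h in find_proxy_probes(SAMPLE_LOG):
        print(f"{h['src']} -> {h['dest_host']}:{h['dest_port']} via {h['method']} (HTTP {h['status']})")
```

Run against a real access log with `find_proxy_probes(open('/var/log/httpd/access_log'))`; any hit that is not from your own proxy clients deserves a look, and a 200 response (rather than the 302 seen here) would mean the relay actually succeeded.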

Is anyone deliberately using your server to send e-mail to ubahreasons@yahoo.com? If so, then this is just an NDR - a Non-Delivery Report.

If not, then you have probably been hacked.

/Edit Aha - for some reason I had read the lower part of this e-mail as diagnostic information from your local mail system. Now I see it is more likely the content of the bounced, undelivered e-mail - yes, you've been had. Burn it to the ground and start over.

Quoted from: https://serverfault.com/questions/637024