Subject: Has my server been hacked? Could someone help me analyze this?
Recently one of our employees keeps receiving bounce messages from the system. The log contents are as follows:
May 15 05:52:07 mail postfix/qmgr[23210]: A77EA602C0C33: from=<>, size=4277, nrcpt=1 (queue active)
May 15 05:52:07 mail postfix/qmgr[23210]: 639F7602C0C31: removed
May 15 05:52:07 mail amavis[18615]: (18615-12) Passed CLEAN, <yumin@aaabbb.com.cn> -> <theo.van.dijk@exult.net>, Hits: 3.074, tag=2, tag2=6.2, kill=6.9, queued_as: 9AC99602C0C30, L/Y/0/0
May 15 05:52:07 mail postfix/amavis/smtp[17228]: 9E307602C0C26: to=<theo.van.dijk@exult.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=19, delays=17/0/0/1.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9AC99602C0C30)
May 15 05:52:07 mail postfix/qmgr[23210]: 9E307602C0C26: removed
May 15 05:52:07 mail postfix/qmgr[23210]: 26660602C0C2C: from=<yumin@aaabbb.com.cn>, size=240104, nrcpt=1 (queue active)
May 15 05:52:07 mail postfix/pipe[6967]: A77EA602C0C33: to=<yumin@aaabbb.com.cn>, relay=dovecot, delay=0.23, delays=0.05/0/0/0.18, dsn=2.0.0, status=sent (delivered via dovecot service)
May 15 05:52:07 mail postfix/qmgr[23210]: A77EA602C0C33: removed
May 15 05:52:07 mail postfix/smtp[12735]: Untrusted TLS connection established to mail.mwegerano.com[77.240.19.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 15 05:52:08 mail postfix/smtps/smtpd[30693]: 1AFEB602C0C31: client=unknown[181.143.94.58], sasl_method=PLAIN, sasl_username=yumin@aaabbb.com.cn
May 15 05:52:08 mail postfix/local[21165]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
May 15 05:52:08 mail postfix/smtps/smtpd[21054]: warning: unknown[139.28.175.150]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 15 05:52:08 mail postfix/submission/smtpd[6929]: 4A07E602C0C33: client=unknown[187.95.123.74], sasl_method=PLAIN, sasl_username=yumin@aaabbb.com.cn
May 15 05:52:08 mail postfix/10025/smtpd[27486]: 4D174602C0C34: client=mail.aaabbb.com.cn[127.0.0.1]
May 15 05:52:08 mail postfix/cleanup[1890]: 4D174602C0C34: message-id=<qios0tj1hha1ikhge42i1hloj.ap69h6oe6b.74018159115838.kfcgjzjpg1.6es0hobx@mail500.aki29.aaabbb.com.cn>
May 15 05:52:08 mail postfix/qmgr[23210]: 4D174602C0C34: from=<yumin@aaabbb.com.cn>, size=265449, nrcpt=1 (queue active)
May 15 05:52:08 mail amavis[17085]: (17085-19) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [181.143.94.58]:49197 [181.143.94.58] <yumin@aaabbb.com.cn> -> <zexmrfzod@acosberk.com>, Queue-ID: 06276602C0C13, Message-ID: <qios0tj1hha1ikhge42i1hloj.ap69h6oe6b.74018159115838.kfcgjzjpg1.6es0hobx@mail500.aki29.aaabbb.com.cn>, mail_id: gFxKZbgZj-qd, Hits: 4.014, size: 263918, queued_as: 4D174602C0C34, dkim_new=dkim:aaabbb.com.cn, 1658 ms, Tests: [ALL_TRUSTED=-1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HK_RANDOM_FROM=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=2,TVD_RCVD_SINGLE=1.213,TVD_SPACE_RATIO=0.001]
May 15 05:52:08 mail amavis[17085]: (17085-19) Passed CLEAN, <yumin@aaabbb.com.cn> -> <zexmrfzod@acosberk.com>, Hits: 4.014, tag=2, tag2=6.2, kill=6.9, queued_as: 4D174602C0C34, L/Y/0/0
May 15 05:52:08 mail postfix/amavis/smtp[17665]: 06276602C0C13: to=<zexmrfzod@acosberk.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=14, delays=12/0/0/1.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4D174602C0C34)
May 15 05:52:08 mail postfix/qmgr[23210]: 06276602C0C13: removed
May 15 05:52:08 mail postfix/smtps/smtpd[21054]: disconnect from unknown[139.28.175.150]
May 15 05:52:08 mail postfix/cleanup[9485]: 1AFEB602C0C31: message-id=<9vh7jv41ver9nt@5E5.aaabbb.com.cn>
May 15 05:52:09 mail postfix/submission/smtpd[22443]: 18A4A602C0C13: client=unknown[77.89.251.138], sasl_method=PLAIN, sasl_username=yumin@aaabbb.com.cn
May 15 05:52:09 mail postfix/master[2111]: warning: process /usr/libexec/postfix/local pid 21165 exit status 1
May 15 05:52:09 mail postfix/master[2111]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
May 15 05:52:09 mail postfix/10025/smtpd[6017]: 5C451602C0C35: client=mail.aaabbb.com.cn[127.0.0.1]
May 15 05:52:09 mail postfix/cleanup[1890]: 5C451602C0C35: message-id=<gdjfgbx22183161.68920569@mail.aaabbb.com.cn>
May 15 05:52:09 mail postfix/qmgr[23210]: 5C451602C0C35: from=<yumin@aaabbb.com.cn>, size=241595, nrcpt=1 (queue active)
May 15 05:52:09 mail amavis[17708]: (17708-17) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [77.89.251.138]:50128 [77.89.251.138] <yumin@aaabbb.com.cn> -> <wiocleag@mozej.com>, Queue-ID: 26660602C0C2C, Message-ID: <gdjfgbx22183161.68920569@mail.aaabbb.com.cn>, mail_id: sDiZdQPazGme, Hits: 2.8, size: 240104, queued_as: 5C451602C0C35, dkim_new=dkim:aaabbb.com.cn, 1574 ms, Tests: [ALL_TRUSTED=-1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=2,TVD_SPACE_RATIO=0.001]
May 15 05:52:09 mail amavis[17708]: (17708-17) Passed CLEAN, <yumin@aaabbb.com.cn> -> <wiocleag@mozej.com>, Hits: 2.8, tag=2, tag2=6.2, kill=6.9, queued_as: 5C451602C0C35, L/Y/0/0
May 15 05:52:09 mail postfix/amavis/smtp[20645]: 26660602C0C2C: to=<wiocleag@mozej.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=5.7, delays=4.1/0/0/1.6, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5C451602C0C35)
May 15 05:52:09 mail postfix/qmgr[23210]: 26660602C0C2C: removed
May 15 05:52:09 mail postfix/cleanup[17322]: 4A07E602C0C33: message-id=<yvascw317f.2xxg5h9ixn.69576857304544.n5s7g9fmiv.xan18e41@aaabbb.com.cn>
May 15 05:52:09 mail postfix/cleanup[9488]: 18A4A602C0C13: message-id=<ng1l7jx9-p8zr-xro5-3xfr-aqurvs2rt579>
May 15 05:52:10 mail postfix/smtp[1704]: Untrusted TLS connection established to mx1.mtaroutes.com[38.89.254.162]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 15 05:52:10 mail postfix/smtp[11056]: 9AC99602C0C30: host l98upmt1.hewitt.com[204.152.235.218] refused to talk to me: 421 Service not available, closing transmission channel
May 15 05:52:10 mail postfix/qmgr[23210]: 84E5D602C0C28: from=<yumin@aaabbb.com.cn>, size=258524, nrcpt=1 (queue active)
May 15 05:52:10 mail postfix/smtp[11056]: 9AC99602C0C30: host l98upmt1.hewitt.com[204.152.235.9] refused to talk to me: 421 Service not available, closing transmission channel
May 15 05:52:11 mail postfix/smtp[11056]: 9AC99602C0C30: host l4dupmt2.hewitt.com[204.152.239.218] refused to talk to me: 421 Service not available, closing transmission channel
May 15 05:52:11 mail postfix/smtp[1704]: 4D174602C0C34: to=<zexmrfzod@acosberk.com>, relay=mx1.mtaroutes.com[38.89.254.162]:25, delay=3.4, delays=0.08/0/1.9/1.4, dsn=5.0.0, status=bounced (host mx1.mtaroutes.com[38.89.254.162] said: 550 no mailbox by that name is currently available (in reply to RCPT TO command))
May 15 05:52:11 mail postfix/smtps/smtpd[29387]: CD796602C0C2C: client=unknown[92.62.72.252], sasl_method=PLAIN, sasl_username=yumin@aaabbb.com.cn
May 15 05:52:12 mail postfix/smtp[12710]: connect to 1001keqa.com[154.220.64.86]:25: Connection timed out
May 15 05:52:12 mail postfix/smtp[11056]: 9AC99602C0C30: to=<theo.van.dijk@exult.net>, relay=l4dupmt2.hewitt.com[204.152.239.28]:25, delay=4.5, delays=0.09/0.01/4.4/0, dsn=4.0.0, status=deferred (host l4dupmt2.hewitt.com[204.152.239.28] refused to talk to me: 421 Service not available, closing transmission channel)
May 15 05:52:12 mail postfix/smtp[12710]: 9527E602C0C06: to=<123321@1001keqa.com>, relay=none, delay=30, delays=0.08/0.01/30/0, dsn=4.4.1, status=deferred (connect to 1001keqa.com[154.220.64.86]:25: Connection timed out)
May 15 05:52:12 mail postfix/cleanup[9491]: 35511602C0C3A: message-id=<20190514215212.35511602C0C3A@mail.aaabbb.com.cn>
May 15 05:52:12 mail postfix/bounce[17338]: 4D174602C0C34: sender non-delivery notification: 35511602C0C3A
May 15 05:52:12 mail postfix/qmgr[23210]: 35511602C0C3A: from=<>, size=4599, nrcpt=1 (queue active)
May 15 05:52:12 mail postfix/qmgr[23210]: 4D174602C0C34: removed
May 15 05:52:12 mail postfix/pipe[19963]: 35511602C0C3A: to=<yumin@aaabbb.com.cn>, relay=dovecot, delay=0.16, delays=0.03/0/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
May 15 05:52:12 mail postfix/qmgr[23210]: 35511602C0C3A: removed
May 15 05:52:12 mail postfix/10025/smtpd[32116]: ACC33602C0C3A: client=mail.aaabbb.com.cn[127.0.0.1]
May 15 05:52:12 mail postfix/cleanup[9491]: ACC33602C0C3A: message-id=<hsqmwrk07320298.14178811@mail.aaabbb.com.cn>
May 15 05:52:12 mail postfix/qmgr[23210]: ACC33602C0C3A: from=<yumin@aaabbb.com.cn>, size=260029, nrcpt=1 (queue active)
May 15 05:52:12 mail postfix/cleanup[1890]: CD796602C0C2C: message-id=<wi1jkgte-v94u-2q43-8i35-sa72dn1s8ep2@mlsi.mrid>
May 15 05:52:12 mail amavis[19886]: (19886-07) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [92.62.72.252]:53164 [92.62.72.252] <yumin@aaabbb.com.cn> -> <i.topaloglou@alliedins.gr>, Queue-ID: 84E5D602C0C28, Message-ID: <hsqmwrk07320298.14178811@mail.aaabbb.com.cn>, mail_id: BNRdRHtPf_tm, Hits: 3.6, size: 258524, queued_as: ACC33602C0C3A, dkim_new=dkim:aaabbb.com.cn, 2218 ms, Tests: [ALL_TRUSTED=-1,DKIM_ADSP_NXDOMAIN=0.8,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=2,TVD_SPACE_RATIO=0.001]
May 15 05:52:12 mail postfix/qmgr[23210]: 18A4A602C0C13: from=<yumin@aaabbb.com.cn>, size=241099, nrcpt=1 (queue active)
May 15 05:52:12 mail amavis[19886]: (19886-07) Passed CLEAN, <yumin@aaabbb.com.cn> -> <i.topaloglou@alliedins.gr>, Hits: 3.6, tag=2, tag2=6.2, kill=6.9, queued_as: ACC33602C0C3A, L/Y/0/0
May 15 05:52:12 mail postfix/amavis/smtp[20259]: 84E5D602C0C28: to=<i.topaloglou@alliedins.gr>, relay=127.0.0.1[127.0.0.1]:10026, delay=12, delays=9.4/0/0/2.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as ACC33602C0C3A)
May 15 05:52:12 mail postfix/qmgr[23210]: 84E5D602C0C28: removed
May 15 05:52:13 mail postfix/smtp[12687]: ACC33602C0C3A: to=<i.topaloglou@alliedins.gr>, relay=none, delay=0.53, delays=0.08/0.01/0.44/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=alliedins.gr type=AAAA: Host not found)
May 15 05:52:13 mail postfix/cleanup[9491]: 3DCF4602C0C28: message-id=<20190514215213.3DCF4602C0C28@mail.aaabbb.com.cn>
May 15 05:52:13 mail postfix/bounce[17338]: ACC33602C0C3A: sender non-delivery notification: 3DCF4602C0C28
May 15 05:52:13 mail postfix/qmgr[23210]: 3DCF4602C0C28: from=<>, size=4314, nrcpt=1 (queue active)
May 15 05:52:13 mail postfix/qmgr[23210]: ACC33602C0C3A: removed
May 15 05:52:13 mail postfix/smtp[12735]: 008AE602C0C1D: to=<andi@mwegerano.com>, relay=mail.mwegerano.com[77.240.19.7]:25, delay=8.4, delays=0.09/0.01/3.2/5.1, dsn=2.0.0, status=sent (250 OK id=1hQfLG-00DiOA-6t)
May 15 05:52:13 mail postfix/qmgr[23210]: 008AE602C0C1D: removed
May 15 05:52:13 mail postfix/pipe[6967]: 3DCF4602C0C28: to=<yumin@aaabbb.com.cn>, relay=dovecot, delay=0.16, delays=0.02/0/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
May 15 05:52:13 mail postfix/qmgr[23210]: 3DCF4602C0C28: removed
May 15 05:52:13 mail postfix/smtp[12771]: Untrusted TLS connection established to mx3.mozej.com[157.230.77.77]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 15 05:52:13 mail postfix/10025/smtpd[6017]: BCAD6602C0C1D: client=mail.aaabbb.com.cn[127.0.0.1]
May 15 05:52:13 mail postfix/cleanup[9488]: BCAD6602C0C1D: message-id=<ng1l7jx9-p8zr-xro5-3xfr-aqurvs2rt579>
May 15 05:52:13 mail postfix/qmgr[23210]: 8E256602C0C0B: from=<yumin@aaabbb.com.cn>, size=242259, nrcpt=1 (queue active)
May 15 05:52:13 mail postfix/qmgr[23210]: BCAD6602C0C1D: from=<yumin@aaabbb.com.cn>, size=242618, nrcpt=1 (queue active)
May 15 05:52:13 mail amavis[17708]: (17708-18) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [77.89.251.138]:50128 [77.89.251.138] <yumin@aaabbb.com.cn> -> <nolimits@1-1-1.biz>, Queue-ID: 18A4A602C0C13, Message-ID: <ng1l7jx9-p8zr-xro5-3xfr-aqurvs2rt579>, mail_id: TWYVMhHP5naA, Hits: 3.967, size: 241099, queued_as: BCAD6602C0C1D, dkim_new=dkim:aaabbb.com.cn, 1056 ms, Tests: [ALL_TRUSTED=-1,HEADER_FROM_DIFFERENT_DOMAINS=0.001,HTML_IMAGE_ONLY_04=0.342,HTML_MESSAGE=0.001,INVALID_MSGID=1.167,LOCALPART_IN_SUBJECT=0.73,MIME_HTML_MOSTLY=0.001,MPART_ALT_DIFF=0.724,TO_NO_BRKTS_HTML_IMG=2,TVD_SPACE_RATIO=0.001]
May 15 05:52:13 mail amavis[17708]: (17708-18) Passed CLEAN, <yumin@aaabbb.com.cn> -> <nolimits@1-1-1.biz>, Hits: 3.967, tag=2, tag2=6.2, kill=6.9, queued_as: BCAD6602C0C1D, L/Y/0/0
May 15 05:52:13 mail postfix/smtp[12771]: 5C451602C0C35: to=<wiocleag@mozej.com>, relay=mx3.mozej.com[157.230.77.77]:25, delay=4.5, delays=0.1/0/4.2/0.26, dsn=5.0.0, status=bounced (host mx3.mozej.com[157.230.77.77] said: 552 Mailbox limit exeeded for this email address (in reply to RCPT TO command))
May 15 05:52:13 mail postfix/amavis/smtp[17665]: 18A4A602C0C13: to=<nolimits@1-1-1.biz>, relay=127.0.0.1[127.0.0.1]:10026, delay=5.2, delays=4.1/0/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BCAD6602C0C1D)
May 15 05:52:13 mail postfix/qmgr[23210]: 18A4A602C0C13: removed
May 15 05:52:14 mail postfix/submission/smtpd[22443]: 018CF602C0C13: client=unknown[77.89.251.138], sasl_method=PLAIN, sasl_username=yumin@aaabbb.com.cn
May 15 05:52:14 mail postfix/smtp[12707]: connect to 1-1-1.biz[153.126.131.221]:25: No route to host
May 15 05:52:14 mail postfix/cleanup[9488]: 163E6602C0C28: message-id=<20190514215214.163E6602C0C28@mail.aaabbb.com.cn>
May 15 05:52:14 mail postfix/smtp[12707]: BCAD6602C0C1D: to=<nolimits@1-1-1.biz>, relay=none, delay=0.32, delays=0.08/0/0.24/0, dsn=4.4.1, status=deferred (connect to 1-1-1.biz[153.126.131.221]:25: No route to host)
May 15 05:52:14 mail postfix/bounce[17338]: 5C451602C0C35: sender non-delivery notification: 163E6602C0C28
May 15 05:52:14 mail postfix/qmgr[23210]: 163E6602C0C28: from=<>, size=4310, nrcpt=1 (queue active)
May 15 05:52:14 mail postfix/qmgr[23210]: 5C451602C0C35: removed
May 15 05:52:14 mail postfix/pipe[19963]: 163E6602C0C28: to=<yumin@aaabbb.com.cn>, relay=dovecot, delay=0.18, delays=0.05/0/0/0.13, dsn=2.0.0, status=sent (delivered via dovecot service)
May 15 05:52:14 mail postfix/qmgr[23210]: 163E6602C0C28: removed
May 15 05:52:14 mail postfix/cleanup[9491]: 018CF602C0C13: message-id=<by365apopv.6lagdl3gbu.16653492734609.qpzjgfqzd5.1vioi2fe@aaabbb.com.cn>
May 15 05:52:14 mail postfix/10025/smtpd[27486]: D36F2602C0C28: client=mail.aaabbb.com.cn[127.0.0.1]^C
[root@mail log]# vi maillog
May 17 07:50:09 mail postfix/master[25338]: warning: process /usr/libexec/postfix/local pid 2735 exit status 1
May 17 07:50:09 mail postfix/master[25338]: warning: /usr/libexec/postfix/local: bad command startup -- throttling
May 17 07:50:10 mail postfix/smtp[24332]: BAFAF602BDF9D: to=<ricoh_5001_lt6@pupuk-indonesia.com>, relay=smtp-gw.pupuk-indonesia.com[118.97.119.133]:25, delay=180435, delays=180133/0.24/303/0, dsn=4.4.2, status=deferred (conversation with smtp-gw.pupuk-indonesia.com[118.97.119.133] timed out while receiving the initial server greeting)
May 17 07:50:11 mail postfix/submission/smtpd[31734]: warning: 96-66-200-209-static.hfc.comcastbusiness.net[96.66.200.209]: SASL PLAIN authentication failed:
May 17 07:50:11 mail postfix/smtp[24311]: 3EF76602CFB9A: conversation with post.mil.dk[152.115.47.77] timed out while receiving the initial server greeting
May 17 07:50:18 mail postfix/submission/smtpd[31734]: warning: 96-66-200-209-static.hfc.comcastbusiness.net[96.66.200.209]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 17 07:50:18 mail postfix/submission/smtpd[31734]: disconnect from 96-66-200-209-static.hfc.comcastbusiness.net[96.66.200.209]