I just received the following "undelivered mail" notice in my mailbox [email protected].
Does this mean that someone may have tried (or succeeded) to hack me?
(For privacy reasons I have replaced certain parts below; this is not 100% the original of what I received.)
This is the mail system at host mydomain.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<[email protected]>: host mta7.am0.yahoodns.net[98.138.112.35] said: 554 delivery error: dd Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102]. - mta1303.mail.ne1.yahoo.com (in reply to end of DATA command)

Reporting-MTA: dns; mydomain.com
X-Postfix-Queue-ID: 684A933780CC
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Tue, 14 Oct 2014 21:16:56 +0200 (CEST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta7.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd Sorry your message to [email protected] cannot be delivered. This account has been disabled or discontinued [#102]. - mta1303.mail.ne1.yahoo.com

ForwardedMessage.eml

Subject: TESTING - 2012
From: [email protected] (root)
Date: 10/14/2014 9:16 PM
To: [email protected]

#############################iNFOS#############################
#############################FOR YOU#############################
Linux servername 2.6.18-164.el5 #1 SMP Thu Sep 3 03:33:56 EDT 2009 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root) context=system_u:system_r:initrc_t
#############################SSH iNFOS#############################
#############################FOR YOU#############################
#UsePAM no
UsePAM yes
PermitRootLogin
#GatewayPorts no
#ListenAddress 0.0.0.0
#ListenAddress ::
#############################SHADOWFILE#############################
#############################SHADOWFILE#############################
root:$1$H4zwKrgL$NA37jPGoTCiPA0mrq/OKq/:15231:0:99999:7:::
bin:*:15431:0:99999:7:::
daemon:*:15431:0:99999:7:::
info:$1$dO1pvRG.$DZUXjGeS4NgDpGNCwX.0b0:14241:0:99999:7::::::
postmaster:$1$gW7jPsgB$dh09VlQ/W0FALpPlR1fPt/:16127:0:99999:7:::
... more stuff like that
#############################iPS#############################
#############################iPS#############################
inet addr:111.11.111.11 Bcast:111.11.111.11 Mask:255.255.255.0
inet6 addr: ff11::11ff:11ff:ffff:1111/64 Scope:Link
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
#############################USERS WITH SHELL#############################
#############################USERS WITH SHELL#############################
root:x:0:0:root:/root:/bin/bash
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
... some more stuff like the first three lines
I'm not the most experienced, so if anyone could tell me what this means and suggest what to do next... thanks!
Update:
At the time of the breach I had the following in my httpd log file:
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "POST http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "CONNECT 80.65.51.219:6667 HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "PUT http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
Otherwise I couldn't find anything suspicious.
Any further suggestions, or anyone who has seen something similar before, please leave a comment or an answer. Thanks!
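As an added example (not code from the question or the answer), here is a small Python scanner for the proxy-style pattern visible in the httpd log above: a CONNECT method or an absolute URI as the request target means the client is treating the web server as a forward proxy (here toward port 6667, the IRC port). The sample log is constructed from the three lines in the question plus one ordinary GET from a made-up client for contrast.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log prefix: client ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return (client, reason) when a line looks like a proxy-style request, else None.

    An origin server normally sees targets such as "/index.html". A CONNECT method
    or an absolute URI ("http://host:port/") means the client is asking the server
    to relay traffic elsewhere, which is what the question's log lines show.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target = m.group("client", "method", "target")
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return client, f"CONNECT tunnel to {host}:{port or '?'}"
    if target.startswith(("http://", "https://")):
        u = urlsplit(target)
        port = u.port or (443 if u.scheme == "https" else 80)
        return client, f"{method} via absolute URI to {u.hostname}:{port}"
    return None

def scan(lines):
    """Return the list of (client, reason) hits in order of appearance."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample: the three lines from the question plus one benign request
# from a made-up client address.
SAMPLE_LOG = """\
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "POST http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "CONNECT 80.65.51.219:6667 HTTP/1.0" 302 225 "-" "-"
80.65.51.220 - - [14/Oct/2014:21:56:52 +0200] "PUT http://80.65.51.219:6667/ HTTP/1.0" 302 225 "-" "-"
198.51.100.7 - - [14/Oct/2014:21:57:01 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}: {reason}")
```

Hits like these on a server that is not meant to proxy are worth cross-checking against ProxyRequests in the httpd configuration and against the mail queue, since the same box was also relaying outbound mail.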
Has anyone intentionally sent email to [email protected] using your server? If so, then this is just an NDR – a non-delivery report.
If not, then you may have been hacked.
/edit Aha – for some reason I read the lower part of this email as diagnostic information from the local mail system. Now I see that it is more likely the content of the unsuccessful email that got bounced – you've been owned. Burn it to the ground and start over.