[Eisfair] Break-in/hack?

Stefan Heidrich stefan-in-news at web.de
Sun Sep 27 13:32:58 CEST 2020


Hello,

This morning I noticed the following in my Mail Server Statistic mail:

 5 (127.0.0.1)[167.99.233.157] server at checking.net
      => mail.intersales.de[83.169.37.252] csclus.smtp at gmail.com

Both of these are mail addresses unknown to me.

Searching in /var/spool/exim/log/mainlog, I was confronted with the
following:

2020-09-25 05:43:07 no host name found for IP address 167.99.233.157
2020-09-25 05:43:08 no host name found for IP address 167.99.233.157
2020-09-25 05:43:08 no host name found for IP address 167.99.233.157
2020-09-25 05:43:08 no host name found for IP address 167.99.233.157
2020-09-25 05:43:08 no host name found for IP address 167.99.233.157
2020-09-25 05:43:08 no host name found for IP address 167.99.233.157
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=advertisement)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=associate)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data
(set_id=\357\273\277accouting)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=ar)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=ap)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=advertisement)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=associate)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data
(set_id=\357\273\277accouting)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=ar)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=ap)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=advertisement)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=associate)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data
(set_id=\357\273\277accouting)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=ar)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1)
[167.99.233.157]: 535 Incorrect authentication data (set_id=ap)
2020-09-25 05:43:12 1kLedZ-00035u-OX H=(127.0.0.1) [167.99.233.157]
Warning: This message exceeds the spam threshold (5.5 points) - passed
2020-09-25 05:43:12 1kLedZ-00035v-Oa <= server at checking.net
H=(127.0.0.1) [167.99.233.157] P=esmtpa A=cram_server:ap S=1825
2020-09-25 05:43:12 1kLedZ-00035w-Oc <= server at checking.net
H=(127.0.0.1) [167.99.233.157] P=esmtpa A=cram_server:ar S=1825
2020-09-25 05:43:12 1kLedZ-00035s-OP <= server at checking.net
H=(127.0.0.1) [167.99.233.157] P=esmtpa A=cram_server:advertisement S=1836
2020-09-25 05:43:12 1kLedZ-00035u-OX <= server at checking.net
H=(127.0.0.1) [167.99.233.157] P=esmtpa
A=cram_server:\357\273\277accouting S=2162
2020-09-25 05:43:12 1kLedZ-00035s-OP [83.169.37.252] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/CN=mail.intersales.de
2020-09-25 05:43:12 1kLedZ-00035s-OP [83.169.37.252] SSL verify error:
depth=1 error=CRL has expired cert=/C=US/O=Let's Encrypt/CN=Let's
Encrypt Authority X3
2020-09-25 05:43:12 1kLedZ-00035s-OP [83.169.37.252] SSL verify error:
depth=2 error=CRL has expired cert=/O=Digital Signature Trust Co./CN=DST
Root CA X3
2020-09-25 05:43:12 no host name found for IP address 167.99.233.157
2020-09-25 05:43:12 1kLedZ-00035v-Oa [83.169.37.252] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/CN=mail.intersales.de
2020-09-25 05:43:12 1kLedZ-00035v-Oa [83.169.37.252] SSL verify error:
depth=1 error=CRL has expired cert=/C=US/O=Let's Encrypt/CN=Let's
Encrypt Authority X3
2020-09-25 05:43:12 1kLedZ-00035v-Oa [83.169.37.252] SSL verify error:
depth=2 error=CRL has expired cert=/O=Digital Signature Trust Co./CN=DST
Root CA X3
2020-09-25 05:43:12 no host name found for IP address 167.99.233.157
2020-09-25 05:43:12 1kLedZ-00035w-Oc [83.169.37.252] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/CN=mail.intersales.de
2020-09-25 05:43:12 1kLedZ-00035w-Oc [83.169.37.252] SSL verify error:
depth=1 error=CRL has expired cert=/C=US/O=Let's Encrypt/CN=Let's
Encrypt Authority X3
2020-09-25 05:43:12 1kLedZ-00035w-Oc [83.169.37.252] SSL verify error:
depth=2 error=CRL has expired cert=/O=Digital Signature Trust Co./CN=DST
Root CA X3
2020-09-25 05:43:13 1kLedZ-00035u-OX [83.169.37.252] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/CN=mail.intersales.de
2020-09-25 05:43:13 1kLedZ-00035u-OX [83.169.37.252] SSL verify error:
depth=1 error=CRL has expired cert=/C=US/O=Let's Encrypt/CN=Let's
Encrypt Authority X3
2020-09-25 05:43:13 1kLedZ-00035u-OX [83.169.37.252] SSL verify error:
depth=2 error=CRL has expired cert=/O=Digital Signature Trust Co./CN=DST
Root CA X3
2020-09-25 05:43:13 1kLedZ-00035t-OU <= server at checking.net
H=(127.0.0.1) [167.99.233.157] P=esmtpa A=cram_server:associate S=1832
2020-09-25 05:43:13 1kLedZ-00035w-Oc => csclus.smtp at gmail.com
R=smart_route T=remote_smtp H=mail.intersales.de [83.169.37.252]
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
DN="/CN=mail.intersales.de" C="250 OK id=1kLedd-0007wQ-A7"
2020-09-25 05:43:13 1kLedZ-00035w-Oc Completed
2020-09-25 05:43:13 1kLedZ-00035v-Oa => csclus.smtp at gmail.com
R=smart_route T=remote_smtp H=mail.intersales.de [83.169.37.252]
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
DN="/CN=mail.intersales.de" C="250 OK id=1kLedd-0007wT-Cm"
2020-09-25 05:43:13 1kLedZ-00035v-Oa Completed
2020-09-25 05:43:13 1kLedZ-00035u-OX => csclus.smtp at gmail.com
R=smart_route T=remote_smtp H=mail.intersales.de [83.169.37.252]
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
DN="/CN=mail.intersales.de" C="250 OK id=1kLedd-0007wR-Dp"
2020-09-25 05:43:13 1kLedZ-00035u-OX Completed
2020-09-25 05:43:13 1kLedZ-00035t-OU [83.169.37.252] SSL verify error:
depth=0 error=unable to get certificate CRL cert=/CN=mail.intersales.de
2020-09-25 05:43:13 1kLedZ-00035t-OU [83.169.37.252] SSL verify error:
depth=1 error=CRL has expired cert=/C=US/O=Let's Encrypt/CN=Let's
Encrypt Authority X3
2020-09-25 05:43:13 1kLedZ-00035t-OU [83.169.37.252] SSL verify error:
depth=2 error=CRL has expired cert=/O=Digital Signature Trust Co./CN=DST
Root CA X3
2020-09-25 05:43:13 1kLedZ-00035s-OP => csclus.smtp at gmail.com
R=smart_route T=remote_smtp H=mail.intersales.de [83.169.37.252]
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
DN="/CN=mail.intersales.de" C="250 OK id=1kLedd-0007wS-LH"
2020-09-25 05:43:13 1kLedZ-00035s-OP Completed
2020-09-25 05:43:13 1kLedZ-00035t-OU => csclus.smtp at gmail.com
R=smart_route T=remote_smtp H=mail.intersales.de [83.169.37.252]
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no
DN="/CN=mail.intersales.de" C="250 OK id=1kLedd-0007wa-Qp"
2020-09-25 05:43:13 1kLedZ-00035t-OU Completed
2020-09-25 05:43:15 no host name found for IP address 167.99.233.157
2020-09-25 05:43:16 no host name found for IP address 167.99.233.157
2020-09-25 05:43:16 no host name found for IP address 167.99.233.157


As far as I can tell, no unknown processes are running.
This morning I changed all passwords and keys, both for the system and
for mail and Samba. I also changed the passwords in Nextcloud.
While changing the passwords I noticed the following accounts that have
a password and can therefore also be used to log in:
named, spam, ntp
Do these need an account with a password, or can they be set to
"invalidate password" as well?
I also could not find any additional new accounts anywhere.

Do I still need to worry?

Best regards
Stefan
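The log above shows the pattern a defender wants to catch: a burst of `cram_server authenticator failed` entries from one IP trying several usernames, followed seconds later by accepted `P=esmtpa A=cram_server:<user>` submissions from the same IP using some of those very names (one of them prefixed with the UTF-8 BOM that Exim writes as `\357\273\277`). The script below is an added example, not part of the original post or of eisfair; it runs that check over constructed sample lines modelled on the mainlog excerpt (the `alice` / `192.0.2.10` entry is a constructed benign baseline), and is written so it can be pointed at a real mainlog.

```python
import re
from collections import defaultdict

# Constructed sample in Exim mainlog format (one entry per line, as in the real file;
# the mailing-list copy is line-wrapped and shows "@" as " at "). A raw string keeps the
# backslash-octal escapes Exim uses for non-printable bytes (here the UTF-8 BOM).
SAMPLE_LOG = r"""
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1) [167.99.233.157]: 535 Incorrect authentication data (set_id=advertisement)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1) [167.99.233.157]: 535 Incorrect authentication data (set_id=\357\273\277accouting)
2020-09-25 05:43:08 cram_server authenticator failed for (127.0.0.1) [167.99.233.157]: 535 Incorrect authentication data (set_id=ap)
2020-09-25 05:43:12 1kLedZ-00035v-Oa <= server@checking.net H=(127.0.0.1) [167.99.233.157] P=esmtpa A=cram_server:ap S=1825
2020-09-25 05:43:12 1kLedZ-00035u-OX <= server@checking.net H=(127.0.0.1) [167.99.233.157] P=esmtpa A=cram_server:\357\273\277accouting S=2162
2020-09-25 06:10:01 1kLfEx-00041a-Zz <= alice@example.org H=(laptop) [192.0.2.10] P=esmtpsa A=cram_server:alice S=9120
"""

FAIL_RE = re.compile(r"^\S+ \S+ (\w+) authenticator failed for .*?\[([\d.]+)\]: 535 .*\(set_id=(.*)\)$")
AUTH_RE = re.compile(r"^\S+ \S+ (\S+) <= \S+ H=.*?\[([\d.]+)\] P=(\S+) A=(\w+):(\S+) ")

def decode_exim_escapes(s):
    """Turn Exim's backslash-plus-three-octal-digit escapes back into bytes, decode as UTF-8."""
    raw = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s).encode("latin-1")
    return raw.decode("utf-8", errors="replace")

def analyse(lines):
    """Per source IP: usernames that failed, usernames accepted, and the overlap."""
    failed, accepted = defaultdict(set), defaultdict(set)
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            failed[m.group(2)].add(decode_exim_escapes(m.group(3)))
            continue
        m = AUTH_RE.match(line)
        if m and m.group(3) in ("esmtpa", "esmtpsa"):   # authenticated submission
            accepted[m.group(2)].add(decode_exim_escapes(m.group(5)))
    return {ip: {"failed": failed[ip], "accepted": accepted[ip],
                 "guessed_then_accepted": failed[ip] & accepted[ip],
                 "odd_names": {u for u in failed[ip] | accepted[ip]
                               if u.startswith("\ufeff") or not u.isprintable()}}
            for ip in set(failed) | set(accepted)}

def suspicious_ips(report, min_failed=3):
    """Suspicious: a guessed name later authenticated, or many distinct names were tried."""
    return sorted(ip for ip, r in report.items()
                  if r["guessed_then_accepted"] or len(r["failed"]) >= min_failed)

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.strip().splitlines())
    for ip in suspicious_ips(report):
        r = report[ip]
        print(f"{ip}: tried {sorted(r['failed'])}, accepted as {sorted(r['accepted'])}, "
              f"odd names {sorted(r['odd_names'])}")
```

Any account that appears in `guessed_then_accepted` had a password weak enough to be guessed in one pass and should be treated as compromised; the BOM-prefixed name is worth checking separately, since it may be a distinct account that was created with the stray bytes in its name.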
