<div dir="ltr">Hi,<br><br>Need some help about this as it's gotten me really concerned.<br><br>I'm probably reading too much into this but for about two weeks now my daily log has increased by almost 10 times.<br><br>
After running through a couple of days of logs with a script, it seems that I'm getting flooded on SMTP from this IP<br><a href="http://219.64.114.52">219.64.114.52</a>
which belongs to VSNL and appears to be statically assigned IP
(<a href="http://219.64.114.52.chn.bb-static.vsnl.net">219.64.114.52.chn.bb-static.vsnl.net</a>). This IP address is apparently
listed in the <a href="http://spamhous.org">spamhous.org</a> Policy Block List, eXploit Block List and
Composite Block List, which basically indicates it's either an open
proxy or a hijacked system.<br><br>I'm not sure what it's trying to do,
but for exactly 10 hours a day which correspond to India 9:30am or so
until 7pm or so, I will get massive amounts of SMTP connections from
this host. It will attempt to masquerade as domains on my server while
trying to send to non-existent accounts on these domains.<br><br><div class="xoopsCode"><code></code><pre>2008-08-06 13:32:58 H=(****.com) [<a href="http://219.64.114.52">219.64.114.52</a>] F=<<a href="mailto:lnyz@hush.com">lnyz@hush.com</a>> rejected RCPT <484f6f23.8020304@****.com>:<br>
2008-08-06 13:32:58 H=(****.com) [<a href="http://219.64.114.52">219.64.114.52</a>] incomplete transaction (connection lost) from <<a href="mailto:djclg@hotmail.com">djclg@hotmail.com</a>><br>2008-08-06 13:32:58 unexpected disconnection while reading SMTP command from (****.com) [<a href="http://219.64.114.52">219.64.114.52</a>]<br>
2008-08-06 13:32:58 H=(****.com) [<a href="http://219.64.114.52">219.64.114.52</a>] F=<48720243.8060909@****.com> rejected RCPT <285.8030501@****.com>:<br>2008-08-06 13:32:58 H=(****.com) [<a href="http://219.64.114.52">219.64.114.52</a>] incomplete transaction (connection lost) from <<a href="mailto:lnyz@hush.com">lnyz@hush.com</a>><br>
2008-08-06 13:32:58 unexpected disconnection while reading SMTP command from (****.com) [<a href="http://219.64.114.52">219.64.114.52</a>]<br></pre></div><br><br>At this point, I thought it was just a case of a
dedicated spamming, until I decided I had enough of multi-megabytes
daily logs flooding my mailbox, plus the fact it was probably
contributing to an increase server load in the past weeks as the mail
daemon had to handle the connections.<br><br>So I thought I could just block the IP using iptables.<br><br>I
had a bad experience locking myself out by accident after editing the
iptables file so for this time I decided to test from command line
first using instructions from the Internet like this<br><br>/sbin/iptables -A RH-Firewall-1-INPUT -s <a href="http://219.64.114.52">219.64.114.52</a> -j DROP<br><br>and I got an error that chain/command<br><br>/sbin/iptables -L produces "blank" output<br>
<div class="xoopsCode"><code></code><pre>[root@myserver confused]# /sbin/iptables -L<br>Chain INPUT (policy ACCEPT)<br>target prot opt source destination<br><br>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination<br>
<br>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination<br></pre></div><br><br>which was of course a shock to me, since that seems to say that my server firewall is basically non-existent.<br>
<br>I
did a /sbin/service iptables restart and iptables -L produced the
expected output showing all the rules on file. I could then add the new
rule from command line without any messages.<br><br>Minutes later, my tail -f on the exim log started spewing the smtp messages AGAIN. <br><br>iptables -L again shows NO RULES<br><br>Everytime
I restart, iptables, for a short while, the rules are there. But
minutes later, it's wiped. So I'm very concerned that the server had
been compromised and something is wiping my iptables.<br><br>Or am I just badly mistaken about the way iptables -L is supposed to work?<br><br>If not, what should I do next to find and eliminate this problem? Thanks in advance for any advice!<br>
<br><br></div>