Postfix

Hi!
Please help me.
I have not installed postfix.
I have not installed perl.
Then why does htop show me these lines?
Code:
  PID USER      PRI  NI  VIRT   RES S CPU% MEM%   TIME+  Command
5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
12236 www        22   0 17484  3576 S  4.0  0.0  3h54:18 /usr/libexec/postfix/master
2464 www        22   0 17484  3532 S  4.0  0.0  5h18:31 /usr/libexec/postfix/master
3322 www        22   0 17484  3556 S  4.0  0.0  4h15:45 /usr/libexec/postfix/master
8545 www        22   0 17508  3448 S  4.0  0.0 23h40:06 /usr/libexec/postfix/master
9754 www        22   0 17484  3508 S  4.0  0.0 44h05:49 /usr/libexec/postfix/master
15909 www        21   0 17484  3560 S  4.0  0.0  3h45:55 /usr/libexec/postfix/master
4155 www        22   0 17484  3556 S  4.0  0.0  4h13:43 /usr/libexec/postfix/master
I have installed nginx, mysql, php, memcached, apache, clamav, python27, python36, python37, letsencrypt.
 
Try:
pkg info | grep perl
pkg info | grep postfix

to see if either comes up. Maybe they were installed as a dependency of another program.

Perl is a common dependency.
 
Code:
root@haf1:/usr/local/etc/rc.d# pkg info | grep perl
perl5-5.26.2                   Practical Extraction and Report Language
perl5.28-5.28.3                Practical Extraction and Report Language
root@haf1:/usr/local/etc/rc.d# pkg info | grep postfix
root@haf1:/usr/local/etc/rc.d#
How to stop postfix?
 
pkill postfix
or
kill [then PID number]

Use:
ps ax | grep postfix to find the PID.

Otherwise, you'll have to find out what starts it, and work your way to it. You may have to try it from root. These kill commands don't always work.

Try:
cd /usr/libexec/postfix
pkg which master


It could be in the base system, but the files and directories you showed don't show on my computer.
 
Code:
root@haf1:/usr/local/etc/rc.d# cd /usr/libexec/postfix
/usr/libexec/postfix: No such file or directory.
root@haf1:/usr/local/etc/rc.d#
Code:
root@haf1:/usr/local/etc/rc.d# pkg info | grep postfix
root@haf1:/usr/local/etc/rc.d#
 
Code:
5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
Is that directory correct? Go to this postfix directory and do pkg which on a file from there.
 
[Screenshot attachment: Снимок.PNG]
 
Yes multiple times.
Code:
  PID USER      PRI  NI  VIRT   RES S CPU% MEM%   TIME+  Command
5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
12236 www        22   0 17484  3576 S  4.0  0.0  3h54:18 /usr/libexec/postfix/master
2464 www        22   0 17484  3532 S  4.0  0.0  5h18:31 /usr/libexec/postfix/master
3322 www        22   0 17484  3556 S  4.0  0.0  4h15:45 /usr/libexec/postfix/master
8545 www        22   0 17508  3448 S  4.0  0.0 23h40:06 /usr/libexec/postfix/master
9754 www        22   0 17484  3508 S  4.0  0.0 44h05:49 /usr/libexec/postfix/master
15909 www        21   0 17484  3560 S  4.0  0.0  3h45:55 /usr/libexec/postfix/master
4155 www        22   0 17484  3556 S  4.0  0.0  4h13:43 /usr/libexec/postfix/master
 
Are you sure it isn't
Code:
/usr/local/libexec/postfix/master
? Or maybe it's softlinked, so the output is shown from an aliased directory. Maybe your installation put it into that directory via a custom setting in /etc/make.conf. Sometimes /var/db/pkg gets deleted, and then packages don't show up with pkg which.

Maybe your installation is configured differently by custom settings, or from within a jail. Postfix is likely from a package or from ports. Postfix's license is likely incompatible with inclusion in FreeBSD's base.
 
That's an odd install. Perhaps a custom install. I don't know why pkg which doesn't show it, and why it's in that directory.

Kill it with the PID, or pkill it from root after doing some investigating.

This may be far-fetched, but try installing and running security/rkhunter, and see if there's a rootkit on your computer that doesn't belong.

Or maybe it's in a jail.

Maybe postfix got installed through a custom buildworld? You should be able to find the directory that contains the subdirectory, libexec/postfix. Search for it in different places, including jails or other places.
 
Don't you find it odd that the postfix process is run by www?
Your process is running from
Code:
/usr/libexec/postfix/
which more than likely tells you that postfix was installed from source and not from packages/ports.
The one coming from packages/ports goes into
Code:
/usr/local/libexec/postfix/
 
Try looking for these subdirectories and files in a www directory. I believe /usr/home/www/, then somewhere for libexec/postfix/. It could be on a network filesystem.
 
Your screenshot in #15 shows us the /usr/local/… directory - where userland stuff (like postfix) should be. But your other posts point to one level above that: the /usr dir directly. So that indicates it doesn't come from a port - it is installed in the base system (where it shouldn't be): you don't get this by using a FreeBSD image to install FreeBSD and only packages or ports afterwards. (BTW, there's no "letsencrypt" package available - only "py-certbot"; but I assume that's just a speako…)

So the basic question in my opinion is: what's the origin of your installation? suntzu00's questions are pointing in that direction, too…
 
Call me paranoid, but there are a couple of malware bots on the internet that appear to look like regular processes. As this is a common service on Linux machines, I'm somewhat suspicious we're dealing with malware here. Especially because these appear to be running on the www account and the indicated file doesn't actually exist.

You may want to comb through your apache logs looking for weirdness.
 
Maybe postfix is written so well (platform-independent & inter-operable) that its source tarball installs on FreeBSD without any hassle. To me it looks like an innocent newbie clicked a button on a website, which installed postfix by some dependency. akshin Please tell us your level of experience with UNIX & FreeBSD. Is this the 1st machine you installed FreeBSD on? Please do the following: file /usr/libexec/postfix and tell us the output. EDIT (Sorry, I did not read the whole thread attentively enough) Did you install any Linux compatibility packages for FreeBSD? Do you have a directory /compat/linux? What does pkg info | grep linux tell?
 
It's already been determined that the /usr/libexec/postfix directory doesn't even exist. So this rules out any source installs.

There's a common bot written in perl that uses IRC for its C&C. It also changes its $0 to show commonly used services instead of the actual process name in the process list. This is configurable in the code. They typically assume it's a Linux machine that's being infected so they "mimic" common Linux services.

As the OP has PHP running I'm assuming he got bitten by some code-injection, which caused the bot-script to download and get executed.

You can try looking for odd files in /tmp but if they did it properly the bot gets downloaded to /tmp/, executed and the file in /tmp is then removed. Setting /tmp to noexec does not help (it's not executed directly, it's executed as a perl script).
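The checks the thread walks through by hand (does the claimed binary exist on disk, who owns the process, is argv[0] hiding a different executable) can be scripted. This is an added example, not code from the thread or from Postfix: it parses the htop lines quoted above (embedded as a constructed sample) and, on Linux, reads the real executable from /proc; on FreeBSD the `real_exe` callback would wrap `procstat -b PID` instead. The expected-owner table is an assumption based on Postfix's normal layout (the master daemon runs as root).

```python
import os

# Constructed sample: two of the htop lines quoted in the thread.
HTOP_SAMPLE = """\
  PID USER      PRI  NI  VIRT   RES S CPU% MEM%   TIME+  Command
 5500 www       102   0 17500  3360 R 100.  0.0 79h53:27 /usr/libexec/postfix/master
12236 www        22   0 17484  3576 S  4.0  0.0  3h54:18 /usr/libexec/postfix/master
"""

# Assumed expected owners: Postfix's master daemon runs as root and its
# children as the postfix user, never as the web server's account.
EXPECTED_USER = {"/usr/libexec/postfix/master": "root",
                 "/usr/local/libexec/postfix/master": "root"}

def parse_htop(text):
    """Return [{'pid', 'user', 'cmd'}] for each htop data line (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 10)          # Command keeps its own whitespace
        if len(parts) == 11 and parts[0].isdigit():
            rows.append({"pid": int(parts[0]), "user": parts[1], "cmd": parts[10]})
    return rows

def linux_real_exe(pid):
    """Real executable behind a PID via /proc (Linux only); None if unreadable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

def flag_impostors(rows, real_exe=linux_real_exe, exists=os.path.exists):
    """Return {pid: [reasons]} for processes whose claimed name is not trustworthy."""
    findings = {}
    for r in rows:
        claimed = r["cmd"].split()[0]
        reasons = []
        if not exists(claimed):               # the thread's "No such file or directory"
            reasons.append("claimed binary does not exist on disk")
        actual = real_exe(r["pid"])
        if actual and actual != claimed:      # $0 renamed, as the perl bot does
            reasons.append(f"argv[0] spoofed, real executable is {actual}")
        want = EXPECTED_USER.get(claimed)
        if want and r["user"] != want:        # postfix master owned by www
            reasons.append(f"runs as {r['user']}, expected {want}")
        if reasons:
            findings[r["pid"]] = reasons
    return findings

if __name__ == "__main__":
    for pid, why in flag_impostors(parse_htop(HTOP_SAMPLE)).items():
        print(pid, "; ".join(why))
```

Run it against live `htop` or `ps` output piped through `parse_htop`; the two callbacks are parameters so the same logic can be pointed at a FreeBSD host or replayed against a saved listing.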
 