ShadowsocksR-Live / shadowsocksr-native

Circumvent the GFW and calmly get through the party-state's sensitive days. ShadowsocksR (SSRoT) native implementation for all platforms, GFW terminator
https://github.com/ShadowsocksR-Live/shadowsocksr-native/wiki
GNU General Public License v3.0
2.75k stars, 766 forks

Suspect there is code in the codebase that frantically sends spam #85

Closed yszhangyh closed 4 years ago

yszhangyh commented 5 years ago

After I installed it successfully on a BandwagonHost VPS, within less than half a day BandwagonHost forcibly shut down the VPS service, the reason being that it was frantically sending large volumes of spam. Reinstalling the operating system and building from source did not help either. Now I don't dare use this project. Below is the reason BandwagonHost gave:

We have detected a large number of outgoing SMTP connections originating from this server. This usually means that the server is sending out spam. Additional information:

1572804167.083988 Cj21dW3aeiZbQ3wvqj 104.225.150.96 51812 74.125.142.109 587 1 wlw3zdy976usq8up5i6am 4utre3@gmail.com wlw3zdy976usq8up5i6am@gmail.com - - - - - - - - - - - 221 2.0.0 closing connection i102sm14588634pje.17 - gsmtp 74.125.142.109,104.225.150.96 - F (empty) F

1572804167.082981 CAjkwM16dO5I42W5c2 104.225.150.96 51832 74.125.142.109 587 1 cj6q9xbe611mmnq7wrqcl4u80c 4utre3@gmail.com cj6q9xbe611mmnq7wrqcl4u80c@gmail.com - - - - - - - - - - - 221 2.0.0 closing connection fh5sm14422198pjb.2 - gsmtp 74.125.142.109,104.225.150.96 - F (empty) F

1572804357.387282 C4tb6U3Ink4QJ9n4Ok 104.225.150.96 58538 84.16.37.138 587 1 iutnk6b49iiu0i8jye0g8pz - - - - - - - - - - - - - 220 2.0.0 Ready to start TLS 84.16.37.138,104.225.150.96 - T (empty) F

1572804392.078652 C23KZj18ebL95Vekn2 104.225.150.96 53402 192.254.189.159 587 1 7mtbyh2eevmbhyc8 - - - - - - - - - - - - - 220 TLS go ahead 192.254.189.159,104.225.150.96 - T (empty) F

1572804464.796511 CxCPr637PDoDu1gNx1 104.225.150.96 43294 103.18.109.72 587 1 89dbso6112uyxhzentgmv8if86o - - - - - - - - - - - - - 220 TLS go ahead 103.18.109.72,104.225.150.96 - T (empty) F

1572804490.939962 CnI7oz2lJ8RMf8i8l8 104.225.150.96 37296 52.96.36.82 587 1 dekrf21x1cm8vi4d5ebdfra7 - - - - - - - - - - - - - 220 2.0.0 SMTP server ready 52.96.36.82,104.225.150.96 - T (empty) F

1572804510.744495 CjQpnX3wcMlHdrhqS3 104.225.150.96 37996 52.96.36.82 587 1 au1xpkzlebz8muvkyqh - - - - - - - - - - - - - 220 2.0.0 SMTP server ready 52.96.36.82,104.225.150.96 - T (empty) F

1572804627.176358 CS3bHd3z2ZMmcCLTJ2 104.225.150.96 45270 206.190.139.156 587 1 lorbroqraa1pt07cqo - - - - - - - - - - - - - 220 TLS go ahead 206.190.139.156,104.225.150.96 - T (empty) F

1572804635.435737 CFebT8BasxzCrEot 104.225.150.96 60896 50.194.31.115 587 1 8u1hs3e07m5ti23mxtgy4 - - - - - - - - - - - - - 220 TLS go ahead 50.194.31.115,104.225.150.96 - T (empty) F

1572804637.240679 CX3Dqq4CuuYy9gOA59 104.225.150.96 42416 52.96.36.82 587 1 trbtgrxw2fj4lembimx8nxg - - - - - - - - - - - - - 220 2.0.0 SMTP server ready 52.96.36.82,104.225.150.96 - T (empty) F

1572804636.882631 Cs2a363XgiGQxQkKN3 104.225.150.96 47322 199.59.91.155 587 1 ppuwtb09qjqzya1nshvj9qmx48 - - - - - - - - - - - - - 220 TLS go ahead 199.59.91.155,104.225.150.96 - T (empty) F

ssrlive commented 5 years ago

You are the first to report this phenomenon; I hope there will be other similar reports. The whole project is open source. There is no backdoor of any kind. My service on BandwagonHost runs fine.

yszhangyh commented 5 years ago

At first I strongly suspected that my VPS account had been stolen, but after I reinstalled the VPS operating system, changed the login password and deployed the project again, I still got the same problem. Now I can't try a third time, because my VPS would very likely be permanently disabled. I'm not a C developer and can't help you analyse this problem; I hope other users who have run into something similar can report it here.

ssrlive commented 5 years ago

What operating system is it? Before installing the SSRoT server, what software had you installed? Use the command lsof -i to see which process is sending and receiving data. Check whether your own desktop machine has a process that is secretly sending large volumes of mail through the proxy.

liker5092 commented 5 years ago

I want to study your source code. But I found that in the client, incorrect configuration items are used as usual... I don't understand why.

ssrlive commented 5 years ago

Because SSRoT currently does not enable the SS encryption algorithm at all; everything is plaintext.

yszhangyh commented 5 years ago

My server is CentOS 7; the client is Ubuntu 16.04.

Output of lsof -i on the client:

ubuntu@VM-0-4-ubuntu:~$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssr-clien 557 ubuntu 10u IPv4 343221973 0t0 TCP *:socks (LISTEN)
dhclient 881 root 6u IPv4 14333 0t0 UDP *:bootpc
mysqld 10787 mysql 14u IPv6 340633624 0t0 TCP *:mysql (LISTEN)
sshd 14509 root 3u IPv4 340636381 0t0 TCP *:ssh (LISTEN)
sshd 14509 root 4u IPv6 340636390 0t0 TCP *:ssh (LISTEN)
nginx 19533 www-data 8u IPv4 1849497 0t0 TCP *:http (LISTEN)
sshd 30397 root 3u IPv4 343212339 0t0 TCP 172.21.0.4:ssh->122.97.178.56:53618 (ESTABLISHED)
sshd 30459 ubuntu 3u IPv4 343212339 0t0 TCP 172.21.0.4:ssh->122.97.178.56:53618 (ESTABLISHED)
sshd 30785 root 3u IPv4 343214146 0t0 TCP 172.21.0.4:ssh->122.97.178.56:53619 (ESTABLISHED)
sshd 30826 ubuntu 3u IPv4 343214146 0t0 TCP 172.21.0.4:ssh->122.97.178.56:53619 (ESTABLISHED)

Output of lsof -i on the server:

[root@104 ~]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 672 chrony 5u IPv4 15174 0t0 UDP localhost:323
chronyd 672 chrony 6u IPv6 15175 0t0 UDP localhost:323
dhclient 738 root 6u IPv4 16227 0t0 UDP *:bootpc
php-fpm 970 root 7u IPv4 17838 0t0 TCP localhost:cslistener (LISTEN)
sshd 975 root 3u IPv4 17400 0t0 TCP *:29370 (LISTEN)
sshd 975 root 4u IPv6 17409 0t0 TCP *:29370 (LISTEN)
nginx 1008 root 8u IPv4 17528 0t0 TCP *:http (LISTEN)
nginx 1008 root 9u IPv6 17529 0t0 TCP *:http (LISTEN)
nginx 1008 root 10u IPv4 17530 0t0 TCP *:https (LISTEN)
nginx 1008 root 11u IPv6 17531 0t0 TCP *:https (LISTEN)
nginx 1010 nginx 3u IPv4 20965 0t0 TCP 104.225.150.96.16clouds.com:https->139.199.129.107:42712 (ESTABLISHED)
nginx 1010 nginx 8u IPv4 17528 0t0 TCP *:http (LISTEN)
nginx 1010 nginx 9u IPv6 17529 0t0 TCP *:http (LISTEN)
nginx 1010 nginx 10u IPv4 17530 0t0 TCP *:https (LISTEN)
nginx 1010 nginx 11u IPv6 17531 0t0 TCP *:https (LISTEN)
nginx 1010 nginx 16u IPv4 20966 0t0 TCP 104.225.150.96.16clouds.com:https->139.199.129.107:42714 (ESTABLISHED)
nginx 1010 nginx 17u IPv4 20967 0t0 TCP localhost:53170->localhost:twds (ESTABLISHED)
nginx 1010 nginx 18u IPv4 20975 0t0 TCP localhost:53174->localhost:twds (ESTABLISHED)
nginx 1010 nginx 19u IPv4 20979 0t0 TCP 104.225.150.96.16clouds.com:https->139.199.129.107:42718 (ESTABLISHED)
nginx 1010 nginx 20u IPv4 20980 0t0 TCP localhost:53178->localhost:twds (ESTABLISHED)
php-fpm 1028 apache 9u IPv4 17838 0t0 TCP localhost:cslistener (LISTEN)
php-fpm 1029 apache 9u IPv4 17838 0t0 TCP localhost:cslistener (LISTEN)
php-fpm 1030 apache 9u IPv4 17838 0t0 TCP localhost:cslistener (LISTEN)
php-fpm 1031 apache 9u IPv4 17838 0t0 TCP localhost:cslistener (LISTEN)
php-fpm 1032 apache 9u IPv4 17838 0t0 TCP localhost:cslistener (LISTEN)
master 1105 root 13u IPv4 18187 0t0 TCP localhost:smtp (LISTEN)
master 1105 root 14u IPv6 18188 0t0 TCP localhost:smtp (LISTEN)
sshd 1110 root 3u IPv4 18432 0t0 TCP 104.225.150.96.16clouds.com:29370->122.97.178.56:15937 (ESTABLISHED)
ssr-serve 1212 root 10u IPv4 19994 0t0 TCP *:twds (LISTEN)
ssr-serve 1212 root 11u IPv4 20968 0t0 TCP localhost:twds->localhost:53170 (ESTABLISHED)
ssr-serve 1212 root 12u IPv4 20974 0t0 TCP 104.225.150.96.16clouds.com:50604->sfo07s26-in-f10.1e100.net:https (ESTABLISHED)
ssr-serve 1212 root 13u IPv4 20976 0t0 TCP localhost:twds->localhost:53174 (ESTABLISHED)
ssr-serve 1212 root 14u IPv4 20978 0t0 TCP 104.225.150.96.16clouds.com:50608->sfo07s26-in-f10.1e100.net:https (ESTABLISHED)
ssr-serve 1212 root 15u IPv4 20981 0t0 TCP localhost:twds->localhost:53178 (ESTABLISHED)
ssr-serve 1212 root 16u IPv4 20983 0t0 TCP 104.225.150.96.16clouds.com:55314->sfo03s18-in-f14.1e100.net:https (ESTABLISHED)
sshd 1217 root 3u IPv4 20035 0t0 TCP 104.225.150.96.16clouds.com:29370->122.97.178.56:15951 (ESTABLISHED)
dhclient 1307 root 7u IPv4 21024 0t0 UDP *:bootpc

server IP: 104.225.150.96; client IPs: 139.199.129.107, 172.21.0.4; my PC IP: 122.97.178.56

In addition, I have blocked port 25 on the server with iptables; I hope I won't get an email tomorrow morning saying the VPS has been shut down.
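Turning the lsof -i check suggested earlier in the thread into a repeatable triage step, as an added example that is not part of the thread or the project: a small Python parser over lsof output (a constructed sample in the same format as the listings above, including an invented evil-proc line) that reports which processes hold established connections to SMTP ports.

```python
import re
from collections import defaultdict

# Constructed sample in the format `lsof -i` prints (not a real capture).
# The last line is an invented entry showing what an outbound mail connection looks like.
SAMPLE_LSOF = """\
COMMAND    PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
master    1105 root 13u IPv4  18187      0t0  TCP localhost:smtp (LISTEN)
ssr-serve 1212 root 10u IPv4  19994      0t0  TCP *:twds (LISTEN)
ssr-serve 1212 root 12u IPv4  20974      0t0  TCP vps.example:50604->www.example.net:https (ESTABLISHED)
evil-proc 4242 root  5u IPv4  30001      0t0  TCP vps.example:51812->smtp.example.com:submission (ESTABLISHED)
"""

# Service names lsof prints for mail ports, plus their numeric forms (as with `lsof -P`).
SMTP_PORTS = {"smtp", "submission", "smtps", "25", "587", "465"}

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME may end with "(STATE)".
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>.+?)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def parse_lsof(text):
    """Yield (cmd, pid, user, proto, local, remote, state) per data line.

    remote is None for listening sockets; state is None when lsof prints none (e.g. UDP).
    """
    for line in text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # shell prompts or wrapped lines are ignored, not guessed at
        local, _, remote = m.group("name").partition("->")
        yield (m.group("cmd"), int(m.group("pid")), m.group("user"),
               m.group("proto"), local, remote or None, m.group("state"))


def remote_port(remote):
    """Port part of 'host:port' (works for [v6]:port too); None when there is no peer."""
    return remote.rsplit(":", 1)[-1] if remote else None


def outbound_smtp(text):
    """Map (cmd, pid) -> list of peers for established TCP connections to SMTP ports."""
    hits = defaultdict(list)
    for cmd, pid, _user, proto, _local, remote, state in parse_lsof(text):
        if proto == "TCP" and state == "ESTABLISHED" and remote_port(remote) in SMTP_PORTS:
            hits[(cmd, pid)].append(remote)
    return dict(hits)
```

Listening sockets such as postfix's master on localhost:smtp are deliberately not flagged; only processes actively talking to a remote mail port are reported, which is the question the hosting provider's log raises.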

ssrlive commented 5 years ago
master 1105 root 13u IPv4 18187 0t0 TCP localhost:smtp (LISTEN)
master 1105 root 14u IPv6 18188 0t0 TCP localhost:smtp (LISTEN)

Quite suspicious. What on earth is the master process? Can it be killed?

yszhangyh commented 5 years ago

Bad luck struck again: it was forcibly shut down once more. I will try stopping the ssr-server process and see whether BandwagonHost still shuts down my VPS. If that is fine, I will then try killing the master 1105 root 13u IPv4 18187 0t0 TCP localhost:smtp (LISTEN) process to test.

yszhangyh commented 5 years ago

master 1105 root 13u IPv4 18187 0t0 TCP localhost:smtp (LISTEN) is the postfix service, but I don't think it is the cause. Below are the two tests I did:

  1. With the postfix service running and the ssr-server service stopped, my VPS ran normally for 24 hours.
  2. With the postfix service stopped and the ssr-server service running, my VPS was forcibly shut down after 6 hours.

Shouldn't you double-check the security of your code and its dependency libraries? My VPS can't do any more tests, because it is about to be permanently disabled.

ssrlive commented 5 years ago

Thanks for your tests, but I cannot reproduce the situation you ran into here, so it has to remain an open question. If the VPS is only used for circumventing the GFW and nothing else, no abnormal situation should arise. Moreover, the server strictly checks the session key; if it does not match, the connection is closed immediately.

liker5092 commented 5 years ago

Bro, looks like it's time to capture packets... Mine doesn't have postfix... Could it be a conflict?

yszhangyh commented 5 years ago

I've never done packet capture; I'll give up on this project for now.

z991238 commented 5 years ago

I've never done packet capture; I'll give up on this project for now.

Or try using the doubi blocking script to block spam sending and see?

shangjiaxuan commented 4 years ago

@yszhangyh My VPS does not have this problem (postfix+dovecot, with auth, and maillog shows no extra mail records). Could it be port reuse? Take a look at what is in /etc/postfix/main.cf? If possible, I'd suggest checking dovecot's ports too. Also check whether the port ssr uses is a reserved one. SMTP uses port 25, and 587 is also used; imap is usually 993 and some other one (I forget); the rest you can search for.

shangjiaxuan commented 4 years ago

Without calling any mail-related library, I really don't know how MAIL FROM: and RCPT TO: happen to appear and get sent to other mail providers' servers. And the names all look like gibberish, yet they all have gmail appended.

By the way, turn on debug for postfix and dovecot and take a look? Check /var/log/maillog.

MicroYY commented 4 years ago

Are you using public WiFi with LAN sharing turned on?

yszhangyh commented 4 years ago

If nobody else has this situation, it may be something on my side. I'll test again when I have time; I'll close the issue for now.

xiayus commented 3 years ago

Could it be that you used one of those one-click install scripts found online, and someone slipped something extra into it?

unyielding2013 commented 2 years ago

If nobody else has this situation, it may be something on my side. I'll test again when I have time; I'll close the issue for now.

Same problem here. Were you using it on openwrt? I suspect openwrt has a worm. https://glglife.com/index.php/2021/09/25/ban-wa-gong-massmailing-wen-ti-jie-jue/

WangsYi commented 3 months ago

The same thing happened to me yesterday. After investigating, I finally found it was an nps vulnerability: I hadn't changed the config much, then someone scanned me, set up a socks5 proxy in it, and then sent spam through the proxy server via the proxy on my intranet openwrt. I guess yours is the problem mentioned above, or a similar vulnerability like the nps one.