
HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)
-   -   My server got hacked and is being used to SPAM (http://www.howtoforge.com/forums/showthread.php?t=19538)

greenhornet 16th January 2008 23:55

My server got hacked and is being used to SPAM
 
Guys,
I really need some help with this and I'm very much a noob. I followed the out of the box instructions to get my ISPconfig server up and running. I am getting dozens of bounced spam emails that are either being sent through my server or spoofed through my domain.

How can I stop this? HELP

till 17th January 2008 09:22

This does not generally mean that your server got hacked, as everyone may use your domain as sender address, which does not necessarily mean that the emails had been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf

edge 17th January 2008 09:32

Also make sure that you have a correct SPF record setup for the domain to only use that server for outgoing email.

Hans 17th January 2008 09:51

Another tip:
Verify your mail.log files and try to find out via which user sends the spam.

Also go to http://www.mxtoolbox.com/blacklists.aspx and check if your server is not blacklisted in the meantime.
To check if you have an open relay, you can use the site http://www.abuse.net/relay.html
If you have an insecure contact form in one of your websites you will probably see that spam has been sent via a system user.
If you use a default ISPConfig server, this is the Apache user. On Debian this is www-data, but can be different on other Linux distributions.
If you use ISPConfig with suPHP enabled, insecure contact forms are easier to locate, because in that case spam has been sent via the webadmin of that website and not via the apache user.
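
Hans's advice amounts to working out, from mail.log, which local user handed the spam to Postfix. As an added example (not code from the thread or from ISPConfig), the following Python script attributes each queued message to its origin using three line types Postfix writes: postfix/pickup lines ("uid=... from=<...>", written when a local process such as PHP's mail() calls sendmail), postfix/smtpd "client=" lines (which carry "sasl_username=" when the sender logged in) and postfix/qmgr lines (which carry the recipient count). The log lines embedded in it are constructed; uid 33 is Debian's www-data.

```python
import re
from collections import Counter

# Constructed sample in the format Postfix writes to /var/log/mail.log
# (hostnames and addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.example.com[203.0.113.5]
Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.example.com[203.0.113.5]
Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<sales@example.com>, size=1003, nrcpt=1 (queue active)
Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=33 from=<www-data>
Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<www-data@isp.example.net>, size=386, nrcpt=40 (queue active)
Jan 17 00:15:20 isp postfix/pickup[8169]: 1A2B33E033B: uid=33 from=<www-data>
Jan 17 00:15:20 isp postfix/qmgr[8170]: 1A2B33E033B: from=<www-data@isp.example.net>, size=390, nrcpt=55 (queue active)
Jan 17 00:15:30 isp postfix/pickup[8169]: 2B3C43E033C: uid=10010 from=<web11_>
Jan 17 00:15:30 isp postfix/qmgr[8170]: 2B3C43E033C: from=<web11_@isp.example.net>, size=400, nrcpt=1 (queue active)
Jan 17 00:16:00 isp postfix/smtpd[8500]: 3C4D53E033D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=web11_bob
Jan 17 00:16:00 isp postfix/qmgr[8170]: 3C4D53E033D: from=<bob@example.org>, size=1200, nrcpt=120 (queue active)
"""

# pickup: message handed in locally through /usr/sbin/sendmail (what PHP's mail() does)
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# smtpd: message received over SMTP; sasl_username appears only if the client authenticated
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>[^,\s]+)"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
# qmgr: envelope summary, including the recipient count we attribute to the origin
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def triage(log_text):
    """Attribute every queued message to its origin: a local uid, a SASL login or a remote client."""
    origin = {}             # queue id -> (kind, who)
    messages = Counter()    # (kind, who) -> number of messages
    recipients = Counter()  # (kind, who) -> total envelope recipients
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            origin[m["qid"]] = ("local", f"uid={m['uid']} ({m['sender']})")
            continue
        m = CLIENT_RE.search(line)
        if m:
            origin[m["qid"]] = ("sasl", m["user"]) if m["user"] else ("network", m["client"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in origin:
            messages[origin[m["qid"]]] += 1
            recipients[origin[m["qid"]]] += int(m["nrcpt"])
    return messages, recipients


def rank(log_text):
    """Origins sorted by recipients sent, busiest first: (kind, who, messages, recipients)."""
    messages, recipients = triage(log_text)
    rows = [(kind, who, messages[(kind, who)], recipients[(kind, who)]) for kind, who in messages]
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[1]))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, who, n_msgs, n_rcpts in rank(text):
        print(f"{kind:8} {who:40} {n_msgs:5} msgs {n_rcpts:6} rcpts")
```

Run it as `python3 triage.py /var/log/mail.log`. A `local` origin for uid 33 with large recipient counts is the insecure-contact-form case Hans describes; with suPHP each site's own uid shows up instead, which is why he says the offending site is then easier to locate. A `sasl` origin with a large count points at a mailbox whose password has leaked, and `network` origins that only deliver to local recipients are ordinary inbound mail.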

greenhornet 17th January 2008 15:11

Quote:

Originally Posted by till
This does not generally mean that your server got hacked, as everyone may use your domain as sender address, which does not necessarily mean that the emails had been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf

Yes, but to go from zero to roughly 75 bounced emails in an hour it is an indication that SOMETHING changed and I have become a target. Successful or otherwise.

What's the location of my mail log and I'll post?

Hans 17th January 2008 15:22

Please have a look at your directory /var/log/.

You can follow the activities within your log file with the command:

tail -f /var/log/mail.log

ctrl+C to exit your session.

greenhornet 17th January 2008 15:25

main.cf contents
 
Here's the /etc/postfix/main.cf content. I have removed my domain references and replaced with xxx. I'm also working on getting the mail log when I figure out where it is.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = isp.xxx.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = isp.xxx.net, localhost.xxx.net, , localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _una$
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names
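
The main.cf above is what till asked for, and Hans pointed at the abuse.net relay test. As an added example (not from the thread or from ISPConfig), the following Python script parses a main.cf and applies the checks a reviewer would run on it offline: that reject_unauth_destination is present in the relay restrictions and not preceded by a bare permit, that mynetworks trusts only local ranges, and that SASL logins are not accepted on unencrypted sessions (the posted config has smtpd_tls_auth_only = no). Both sample configs are constructed; the smtpd_relay_restrictions handling applies to Postfix 2.10 and later.

```python
import ipaddress
import re

# Constructed sample main.cf fragments (not the config posted in the thread).
SAMPLE_MAIN_CF = """\
myhostname = isp.example.net
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination
"""

# Constructed misconfiguration: trusts the whole Internet and permits before the relay guard.
OPEN_RELAY_CF = """\
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value', '#' comments, indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()   # continuation of the previous value
            continue
        k, _, v = raw.partition("=")
        key = k.strip()
        params[key] = v.strip()
    return params


def split_list(value):
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit(params):
    """Return (code, explanation) findings for the relay-related settings."""
    findings = []

    # Postfix 2.10+ evaluates smtpd_relay_restrictions first; older versions rely on
    # smtpd_recipient_restrictions alone, which is what a 2008-era ISPConfig box has.
    restrictions = split_list(params.get("smtpd_relay_restrictions")
                              or params.get("smtpd_recipient_restrictions", ""))
    guard_at = next((i for i, tok in enumerate(restrictions) if tok in RELAY_GUARDS), None)
    if guard_at is None:
        findings.append(("NO_RELAY_GUARD",
                         "no reject_unauth_destination: any client may relay through this host"))
    elif "permit" in restrictions[:guard_at]:
        findings.append(("OPEN_RELAY",
                         "a bare 'permit' precedes reject_unauth_destination, so every client may relay"))

    # Everything listed in mynetworks is trusted by permit_mynetworks.
    for tok in split_list(params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(tok, strict=False)
        except ValueError:
            continue  # lookup tables such as hash:/etc/postfix/network_table are not checked here
        if net.prefixlen == 0 or not (net.is_loopback or net.is_private):
            findings.append(("WIDE_MYNETWORKS", f"mynetworks trusts {tok}; every host in it can relay"))

    # SASL over an unencrypted session exposes the mailbox password to anyone on the path.
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append(("CLEARTEXT_SASL",
                         "smtpd_tls_auth_only is not 'yes': AUTH is accepted before STARTTLS"))
    return findings


def audit_text(text):
    return audit(parse_main_cf(text))


if __name__ == "__main__":
    for name, cf in (("sample", SAMPLE_MAIN_CF), ("open-relay", OPEN_RELAY_CF)):
        print(name)
        for code, why in audit_text(cf):
            print(f"  {code}: {why}")
```

Point `audit_text` at the output of `postconf -n` rather than at the raw file if the main.cf uses includes or per-instance overrides; the checks are the same. A clean result from this script is not a substitute for the external relay test, which exercises the running daemon rather than the file.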

greenhornet 17th January 2008 15:42

mail log
 
Here is an excerpt from my mail log. I tried to go back to when the problem was at its worst yesterday, but it appears the log doesn't retain information that long. The number of bounced spam messages has slowed quite a bit in the past 24 hours.
Code:

Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:00 isp postfix/cleanup[8469]: 32EA73E02F1: message-id=<2a13201c858d0$c83334a0$4432010a@dbl.local>
Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<ndebaggis@dbldistributing.com>, size=100369, nrcpt=1 (queue active)
Jan 17 00:15:02 isp postfix/smtpd[8464]: disconnect from ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>
Jan 17 00:15:06 isp postfix/cleanup[8469]: 04FC53E033A: message-id=<20080117061506.04FC53E033A@isp.thealangroup.net>
Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<web11_@isp.thealangroup.net>, size=386, nrcpt=1 (queue active)
Jan 17 00:15:07 isp postfix/local[8491]: 04FC53E033A: to=<admispconfig@localhost.localdomain>, relay=local, delay=1.1, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:07 isp postfix/qmgr[8170]: 04FC53E033A: removed
Jan 17 00:15:17 isp postfix/local[8470]: 32EA73E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=18, delays=2.6/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:17 isp postfix/qmgr[8170]: 32EA73E02F1: removed
Jan 17 00:15:49 isp postfix/smtpd[8464]: connect from unknown[62.117.127.3]
Jan 17 00:15:49 isp postfix/smtpd[8464]: 6544B3E02F1: client=unknown[62.117.127.3]
Jan 17 00:15:49 isp postfix/cleanup[8469]: 6544B3E02F1: message-id=<000701c858d0$06620afc$d433d496@csblewno>
Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: from=<kyra@surecom.com>, size=880, nrcpt=1 (queue active)
Jan 17 00:15:49 isp postfix/local[8491]: warning: required alias not found: postmaster
Jan 17 00:15:49 isp postfix/local[8491]: 6544B3E02F1: to=<postmaster@green-hornet.com>, relay=local, delay=0.37, delays=0.37/0/0/0, dsn=2.0.0, status=sent (discarded)
Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: removed
Jan 17 00:15:49 isp postfix/smtpd[8464]: disconnect from unknown[62.117.127.3]
Jan 17 00:17:49 isp postfix/smtpd[8546]: connect from unknown[58.187.120.65]
Jan 17 00:19:13 isp postfix/smtpd[8564]: connect from unknown[123.253.132.236]
Jan 17 00:19:15 isp postfix/smtpd[8564]: 87CD23E02F1: client=unknown[123.253.132.236]
Jan 17 00:19:16 isp postfix/cleanup[8566]: 87CD23E02F1: message-id=<1200547543.0043@sprint.ca>
Jan 17 00:19:16 isp postfix/qmgr[8170]: 87CD23E02F1: from=<lavernebirdvp@sprint.ca>, size=1260, nrcpt=1 (queue active)
Jan 17 00:19:17 isp postfix/smtpd[8564]: disconnect from unknown[123.253.132.236]
Jan 17 00:19:21 isp postfix/local[8569]: 87CD23E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=5.9, delays=0.79/0.01/0/5.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:19:21 isp postfix/qmgr[8170]: 87CD23E02F1: removed
Jan 17 00:21:35 isp postfix/smtpd[8599]: warning: 201.209.4.30: hostname 201-209-4-30.genericrev.cantv.net verification failed: Name or service not known
Jan 17 00:21:35 isp postfix/smtpd[8599]: connect from unknown[201.209.4.30]
Jan 17 00:21:36 isp postfix/smtpd[8599]: 0F0043E030C: client=unknown[201.209.4.30]
Jan 17 00:21:36 isp postfix/cleanup[8601]: 0F0043E030C: message-id=<5IX530EJXVWDA478@mms-mobilya.com>
Jan 17 00:21:36 isp postfix/qmgr[8170]: 0F0043E030C: from=<Nanyone@allidaho.com>, size=1248, nrcpt=1 (queue active)
Jan 17 00:21:36 isp postfix/smtpd[8599]: disconnect from unknown[201.209.4.30]


falko 18th January 2008 18:40

If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server. :(

greenhornet 18th January 2008 19:25

Quote:

Originally Posted by falko
If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server. :(

Yes but I'm not certain that's all they are doing. Are you? It appeared from the logs that they attained one of the ISPconfig account names (ie: web2_bob) and were sending with that. That is not something that would typically be visible to someone that just tried spoofing an email address (ie: bob@bobsdomain.com).

