HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Server Operation > Postfix mail - hacked?? (http://www.howtoforge.com/forums/showthread.php?t=55012)

still_(0)_(0)_awake 19th November 2011 23:26

Postfix mail - hacked??
 
I've recently noticed several spam emails are being sent using my server. I ran the following command: tail -f /usr/local/psa/var/log/maillog

and this is some of the results that were returned:


Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: warning: 189.7.43.1: hostname bd072b01.virtua.com.br verification failed: Name or service not known
Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: connect from unknown[189.7.43.1]
Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
Nov 19 13:18:31 121MediaSolutions imapd-ssl: IMAP connect from @ [::ffff:173.58.98.242]INFO: LOGIN, user=emailme@nayeemkhan.com, ip=[::ffff:173.58.98.242], protocol=IMAP
Nov 19 13:18:31 121MediaSolutions postfix/cleanup[7957]: 1BBBBC8400097: message-id=<005a01cca6f0$05caf250$1160d6f0$@org>
Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: from=<oildeadline@business-humanrights.org>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: postfix-local: from=oildeadline@business-humanrights.org, to=john@directelectricco.com, dirname=/var/qmail/mailnames
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: hook_dir = '/usr/local/psa/handlers/before-local'
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: recipient[3] = 'john@directelectricco.com'
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/john@directelectricco.com'
Nov 19 13:18:31 121MediaSolutions postfix/pipe[7960]: 1BBBBC8400097: to=<john@directelectricco.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: removed
Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: disconnect from unknown[189.7.43.1]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7953]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
Nov 19 13:18:38 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:38 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:38 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:38 121MediaSolutions imapd: 1321737518.69687 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
Nov 19 13:18:38 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:40 121MediaSolutions pop3d: Connection, ip=[::ffff:66.87.65.60]
Nov 19 13:18:40 121MediaSolutions pop3d: IMAP connect from @ [::ffff:66.87.65.60]INFO: LOGIN, user=jessica@directelectricco.com, ip=[::ffff:66.87.65.60]
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7974]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: connect from unknown[184.95.63.89]
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: 567EDC8400097: client=unknown[184.95.63.89]
Nov 19 13:18:42 121MediaSolutions postfix/cleanup[7957]: 567EDC8400097: message-id=<3565579615788126616@mx89.dashfloor.com>
Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: from=<offer@dashfloor.com>, size=11901, nrcpt=1 (queue active)
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: postfix-local: from=offer@dashfloor.com, to=afrah@afrahkhan.com, dirname=/var/qmail/mailnames
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: hook_dir = '/usr/local/psa/handlers/before-local'
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: recipient[3] = 'afrah@afrahkhan.com'
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/afrah@afrahkhan.com'
Nov 19 13:18:42 121MediaSolutions postfix/pipe[7960]: 567EDC8400097: to=<Afrah@afrahkhan.com>, relay=plesk_virtual, delay=0.3, delays=0.27/0/0/0.03, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: removed
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: disconnect from unknown[184.95.63.89]
Nov 19 13:18:43 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:43 121MediaSolutions imapd: 1321737523.72630 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
Nov 19 13:18:43 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:43 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.

I believe someone has hacked into my email server and is using it to send out emails from "apache@mydomain.com" among other email accounts. These are not valid ones that I use.

I'm a newbie and really could use some help and direction. I'm very, very new to ssh, so I ask that any advice you provide involving ssh be as detailed as possible. I'm really stuck and my hosting company is about to shut down my server if I don't get this fixed!

I really appreciate any advice on getting this issue fixed, and then on learning ways to secure the site better. I use a Linux server running Plesk 10.X.

falko 20th November 2011 16:56

First check if your server is an open relay: http://www.spamhelp.org/shopenrelay/

Quote:

Originally Posted by still_(0)_(0)_awake (Post 267881)
I believe someone has hacked into my email server and is using it to send out emails from "apache@mydomain.com" among other email accounts. These are not valid ones that I use.

Make sure all your web applications are up to date. This looks as if someone is using a hole in an app to send emails. Which distribution do you use?
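One way to tell the two cases apart (a compromised web app injecting mail locally versus mail relayed through smtpd) is to correlate the maillog by queue id and look at how each message entered Postfix. This is an added example, not code from the thread or from Plesk: the log sample is constructed from the excerpt above plus an assumed postfix/pickup line, and LOCAL_DOMAINS, KNOWN_MAILBOXES and WEB_UIDS are placeholder values you would replace with your own.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix maillog format. The pickup line is an assumed
# example of a locally injected message (uid 48 is "apache" on RHEL-style
# systems); the other lines follow the excerpt posted in the thread.
SAMPLE_LOG = """\
Nov 19 13:18:30 host postfix/smtpd[7953]: connect from unknown[189.7.43.1]
Nov 19 13:18:31 host postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
Nov 19 13:18:31 host postfix/qmgr[21681]: 1BBBBC8400097: from=<oildeadline@business-humanrights.org>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 host postfix/pipe[7960]: 1BBBBC8400097: to=<john@directelectricco.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:20:02 host postfix/pickup[21680]: 9A1F2C840010A: uid=48 from=<apache@mydomain.com>
Nov 19 13:20:02 host postfix/qmgr[21681]: 9A1F2C840010A: from=<apache@mydomain.com>, size=2310, nrcpt=1 (queue active)
Nov 19 13:20:03 host postfix/smtp[7990]: 9A1F2C840010A: to=<victim@example.net>, relay=mx.example.net[203.0.113.9]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
"""

LOCAL_DOMAINS = {"mydomain.com"}             # assumed: domains hosted on this server
KNOWN_MAILBOXES = {"john@mydomain.com"}     # assumed: real mailboxes on this server
WEB_UIDS = {48}                             # assumed: uid(s) of the web server user

# Only lines carrying a queue id are useful for correlation.
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ postfix/(?P<daemon>[\w-]+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$")

def parse_maillog(text):
    """Group maillog lines by queue id and record how each message entered Postfix."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect and non-postfix lines have no queue id
        daemon, qid, rest = m.group("daemon"), m.group("qid"), m.group("rest")
        msg = msgs[qid]
        if daemon == "smtpd" and rest.startswith("client="):
            msg["origin"], msg["client"] = "smtpd", rest[len("client="):]
        elif daemon == "pickup":  # submitted locally via sendmail(1)/the maildrop queue
            uid = re.search(r"uid=(\d+)", rest)
            msg["origin"], msg["uid"] = "pickup", int(uid.group(1)) if uid else None
        elif daemon == "qmgr" and rest.startswith("from="):
            msg["from"] = re.search(r"from=<([^>]*)>", rest).group(1)
        elif rest.startswith("to="):  # delivery agents: pipe, smtp, local, virtual
            msg["to"] = re.search(r"to=<([^>]*)>", rest).group(1)
            msg["relay"] = re.search(r"relay=([^,]+)", rest).group(1)
            msg["status"] = re.search(r"status=(\w+)", rest).group(1)
    return dict(msgs)

def suspicious(msgs):
    """Return {queue id: [reasons]} for messages that look like web-app spam."""
    flagged = {}
    for qid, m in msgs.items():
        reasons = []
        if m.get("origin") == "pickup" and m.get("uid") in WEB_UIDS:
            reasons.append("injected locally by the web server uid")
        sender = m.get("from", "")
        if sender.rpartition("@")[2] in LOCAL_DOMAINS and sender not in KNOWN_MAILBOXES:
            reasons.append("sender uses a local domain but is not a known mailbox")
        if reasons:
            flagged[qid] = reasons
    return flagged

if __name__ == "__main__":
    for qid, reasons in suspicious(parse_maillog(SAMPLE_LOG)).items():
        print(qid, "; ".join(reasons))
```

Run it against the real log with `parse_maillog(open("/usr/local/psa/var/log/maillog").read())`; a flood of pickup entries with the web server's uid points at a web application, whereas spam with an smtpd origin and a remote client points at relay or authentication settings.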

