HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Server Hacked? (http://www.howtoforge.com/forums/showthread.php?t=55792)

silenceti 17th January 2012 11:00

Server Hacked?
 
Hi,

In my servers with ISPConfig, I've got my postfix sending e-mails every second to unknown e-mail accounts!

What can I do?

Thanks.

till 17th January 2012 11:05

Most likely one of your websites has a bug in a CMS system or contact form so that spammers can use that to send spam through your server. So it's likely that the server itself is not hacked and you just have a vulnerable website.

To check if your server itself is hacked, use rkhunter:

rkhunter --update
rkhunter -c

silenceti 17th January 2012 11:46

Well, I don't see any "strange thing" with rkhunter...

That's a little weird!

I start Postfix and:

SMTP helo=<mvx-201-76-189-2.mundivox.com>
Jan 17 13:40:25 vp7 postfix/smtpd[21407]: NOQUEUE: reject: RCPT from n: 554 5.7.1 <aogr@kimo.com.tw>: Relay access denied; from=<ideesujmslqf@googlegroups.com> to=<aogr@kimo.com.tw> proto=SMTP helo=
Jan 17 13:40:25 vp7 postfix/smtpd[21396]: NOQUEUE: reject: RCPT from ]: 554 5.7.1 <g6wu0djo6@yahoo.com.tw>: Relay access denied; from=<tuqsg@ms54.hinet.net> to=<g6wu0djo6@yahoo.com.tw> proto=SMTP helo=<187.115.194.22.static.gvt.net.br>

I don't even know what e-mail accounts these are...!

till 17th January 2012 12:00

These are the email accounts the spam is sent to.

See here for a method to find which of your websites is used to send the spam:

http://www.howtoforge.com/how-to-log...tect-form-spam

silenceti 17th January 2012 12:03

Hi till,
I don't think it is a website, because I just have one, and it's a platform, like Interspire with haproxy!
I start haproxy, and mails are going out...

This is really weird!!!!

silenceti 17th January 2012 12:08

I've:

"Mail sent."

[root@ web]# cat /var/log/mail.form
[root@ web]#

!

till 17th January 2012 12:12

If you use php-fcgi, suphp or php-cgi, then you will have to edit the php.ini file /etc/php5/cgi/php.ini too. If you use custom php.ini settings for that website, you might have to add the modifications in the custom php.ini field in ISPConfig.

silenceti 17th January 2012 12:13

Can't find that file:

php -i | grep php.ini
Configuration File (php.ini) Path => /etc/php.ini


This is the correct one...I guess?

till 17th January 2012 12:23

If you use a CentOS or Fedora system, then that should be the file. For CentOS or Fedora you might have to adjust the sendmail path in the wrapper script.
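The wrapper-script approach till refers to, as an added example written for this thread (it is not the script from the linked HowtoForge article): php.ini's sendmail_path points at this wrapper instead of sendmail, so every mail() call leaves a line in /var/log/mail.form naming the script, vhost and user that sent it. The install path /usr/local/bin/phpsendmail and the sendmail binary location are assumptions.

```shell
#!/bin/sh
# Added example, not the HowtoForge script: a sendmail wrapper for PHP's mail().
# Assumed install location /usr/local/bin/phpsendmail, wired in via php.ini:
#   sendmail_path = "/usr/local/bin/phpsendmail -t -i"
# Sendmail binary and log file paths are assumptions; adjust for your distro.
SENDMAIL=/usr/sbin/sendmail
LOGFILE=/var/log/mail.form

# Build one log line from the caller's environment. Under php-cgi/fcgi/suphp the
# web server exports SCRIPT_FILENAME, REMOTE_ADDR and HTTP_HOST; with mod_php
# they may be empty, in which case $PWD (the script's directory) still
# identifies the vhost. Arguments: script filename, client address, http host,
# working directory, unix user. Missing values are logged as "unknown".
format_mail_log() {
    printf '%s host=%s client=%s script=%s pwd=%s user=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" \
        "${3:-unknown}" "${2:-unknown}" "${1:-unknown}" \
        "${4:-unknown}" "${5:-unknown}"
}

# Append the log line to the given file; non-zero status if it cannot be written.
log_mail_call() {
    file=$1
    shift
    format_mail_log "$@" >> "$file"
}

# Only act as the wrapper when invoked under its installed name. When this file
# is sourced or run under another name, the functions are merely defined and
# nothing is logged or sent.
case "$(basename -- "$0")" in
    phpsendmail)
        log_mail_call "$LOGFILE" "$SCRIPT_FILENAME" "$REMOTE_ADDR" \
            "$HTTP_HOST" "$PWD" "$(id -un)"
        # Hand the message and all original arguments (-t -i) to real sendmail.
        exec "$SENDMAIL" "$@"
        ;;
esac
```

Once it is in place, counting the script= values in /var/log/mail.form shows which site's script fires mail() most often while the unwanted mail is flowing.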

silenceti 17th January 2012 12:28

OK, I can't find anything suspicious...but if I start haproxy, mails are still going out...!

