Postfix mail - hacked??
Posted by still_(0)_(0)_awake, 19th November 2011, 23:26

I've recently noticed several spam emails are being sent using my server. I ran the following command: tail -f /usr/local/psa/var/log/maillog

and this is some of the results that were returned:


Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: warning: 189.7.43.1: hostname bd072b01.virtua.com.br verification failed: Name or service not known
Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: connect from unknown[189.7.43.1]
Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
Nov 19 13:18:31 121MediaSolutions imapd-ssl: IMAP connect from @ [::ffff:173.58.98.242]INFO: LOGIN, user=emailme@nayeemkhan.com, ip=[::ffff:173.58.98.242], protocol=IMAP
Nov 19 13:18:31 121MediaSolutions postfix/cleanup[7957]: 1BBBBC8400097: message-id=<005a01cca6f0$05caf250$1160d6f0$@org>
Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: from=<oildeadline@business-humanrights.org>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: postfix-local: from=oildeadline@business-humanrights.org, to=john@directelectricco.com, dirname=/var/qmail/mailnames
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: hook_dir = '/usr/local/psa/handlers/before-local'
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: recipient[3] = 'john@directelectricco.com'
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/john@directelectricco.com'
Nov 19 13:18:31 121MediaSolutions postfix/pipe[7960]: 1BBBBC8400097: to=<john@directelectricco.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: removed
Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: disconnect from unknown[189.7.43.1]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7953]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
Nov 19 13:18:38 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:38 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:38 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:38 121MediaSolutions imapd: 1321737518.69687 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
Nov 19 13:18:38 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:40 121MediaSolutions pop3d: Connection, ip=[::ffff:66.87.65.60]
Nov 19 13:18:40 121MediaSolutions pop3d: IMAP connect from @ [::ffff:66.87.65.60]INFO: LOGIN, user=jessica@directelectricco.com, ip=[::ffff:66.87.65.60]
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7974]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: connect from unknown[184.95.63.89]
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: 567EDC8400097: client=unknown[184.95.63.89]
Nov 19 13:18:42 121MediaSolutions postfix/cleanup[7957]: 567EDC8400097: message-id=<3565579615788126616@mx89.dashfloor.com>
Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: from=<offer@dashfloor.com>, size=11901, nrcpt=1 (queue active)
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: postfix-local: from=offer@dashfloor.com, to=afrah@afrahkhan.com, dirname=/var/qmail/mailnames
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: hook_dir = '/usr/local/psa/handlers/before-local'
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: recipient[3] = 'afrah@afrahkhan.com'
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/afrah@afrahkhan.com'
Nov 19 13:18:42 121MediaSolutions postfix/pipe[7960]: 567EDC8400097: to=<Afrah@afrahkhan.com>, relay=plesk_virtual, delay=0.3, delays=0.27/0/0/0.03, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: removed
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: disconnect from unknown[184.95.63.89]
Nov 19 13:18:43 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:43 121MediaSolutions imapd: 1321737523.72630 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
Nov 19 13:18:43 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:43 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.

I believe someone has hacked into my email server and is using it to send out emails from "apache@mydomain.com" among other email accounts. These are not valid ones that I use.

I'm a newbie and really could use some help and direction. I'm very, very new to ssh, so I ask that any advice you provide involving ssh be as detailed as possible. I'm really stuck, and my hosting company is about to shut down my server if I don't get this fixed!

I really appreciate any advice on getting this issue fixed, and then on ways to secure the site better. I use a Linux server running Plesk 10.x.
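The post above tries to answer "is my server sending spam?" by watching maillog scroll past. The script below is an added example, not part of the original post or of Plesk/Postfix, showing the triage a practitioner would actually do on that log: group lines by Postfix queue ID, record who injected each message (a remote SMTP client, an authenticated SASL user, or a local process via the pickup service, which is how PHP mail() and other web scripts submit mail), and then separate inbound deliveries to local mailboxes from mail that left the host without an authenticated user or under a system account such as apache. It assumes the Plesk/Postfix log format quoted in the post; the sample log lines, the hostnames, addresses and queue IDs in them, the label names and the SYSTEM_SENDERS list are all constructed for the example.

```python
"""Triage a Postfix/Plesk maillog for outbound-spam investigation.

Added example, not code from the original forum post. Groups log lines by
queue ID and classifies how each message entered the queue. Sample log
lines, hostnames, addresses and queue IDs below are constructed.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: an inbound message delivered to a local mailbox (the
# pattern seen in the post), a message injected by a local process as
# apache@..., and one submitted by an authenticated SASL user.
SAMPLE_LOG = """\
Nov 19 13:18:31 host postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
Nov 19 13:18:31 host postfix/qmgr[21681]: 1BBBBC8400097: from=<sender@example.org>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 host postfix/pipe[7960]: 1BBBBC8400097: to=<john@example.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:20:02 host postfix/pickup[2001]: A1B2C3D4E5F6: uid=48 from=<apache>
Nov 19 13:20:02 host postfix/qmgr[21681]: A1B2C3D4E5F6: from=<apache@mydomain.com>, size=2100, nrcpt=1 (queue active)
Nov 19 13:20:03 host postfix/smtp[2005]: A1B2C3D4E5F6: to=<victim@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Nov 19 13:21:10 host postfix/smtpd[2010]: F00DF00DF00D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jessica@example.com
Nov 19 13:21:10 host postfix/qmgr[21681]: F00DF00DF00D: from=<jessica@example.com>, size=3000, nrcpt=1 (queue active)
Nov 19 13:21:11 host postfix/smtp[2012]: F00DF00DF00D: to=<bob@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
"""

# "postfix/<daemon>[pid]: <queue id>: key=value, key=value ..."
QUEUE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]{8,}): (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

# Local accounts that should never originate mail; a hypothetical list for the example.
SYSTEM_SENDERS = {"apache", "www-data", "nobody", "root"}


def parse_maillog(text):
    """Correlate log lines by queue ID. Returns {qid: fields}."""
    msgs = defaultdict(lambda: {"recipients": [], "relays": []})
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        rec = msgs[m.group("qid")]
        prog = m.group("prog")
        if prog == "pickup":
            rec["origin"] = "local_pickup"  # injected via sendmail(8) by a local uid
        for key, val in KV_RE.findall(m.group("rest")):
            val = val.strip("<>")
            if key == "to":
                rec["recipients"].append(val)
            elif key == "relay":
                rec["relays"].append(val)
            elif key == "from":
                # pickup logs the bare local user; qmgr logs the envelope sender
                if prog == "qmgr" or "from" not in rec:
                    rec["from"] = val
            elif key not in rec:
                rec[key] = val
    return dict(msgs)


def classify(rec):
    """Label how a message entered the queue and where it went."""
    if rec.get("origin") == "local_pickup":
        return "local_process"  # a script or cron job on this host sent it
    if "sasl_username" in rec:
        return "authenticated_submission"  # a mailbox user (or stolen password)
    if rec.get("client", "").startswith(("localhost", "127.0.0.1")):
        return "local_smtp"  # something on this host talked SMTP to localhost
    if rec["relays"] and all(r == "plesk_virtual" for r in rec["relays"]):
        return "inbound_local_delivery"  # remote sender -> local mailbox; not relaying
    return "inbound_relayed"  # remote, unauthenticated, left the host: open-relay symptom


def triage(text):
    """Return {qid: (label, envelope sender, recipients)}."""
    return {qid: (classify(rec), rec.get("from", "?"), rec["recipients"])
            for qid, rec in parse_maillog(text).items()}


def suspicious(text):
    """Queue IDs to look at first: anything that left the host without an
    authenticated user, plus anything sent as a system account."""
    hits = []
    for qid, (label, sender, _rcpts) in triage(text).items():
        local_part = sender.split("@")[0].lower()
        if label in ("inbound_relayed", "local_process", "local_smtp") or local_part in SYSTEM_SENDERS:
            hits.append(qid)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python triage_maillog.py [/usr/local/psa/var/log/maillog]
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for qid, (label, sender, rcpts) in triage(log).items():
        print(f"{qid}  {label:26} {sender} -> {', '.join(rcpts)}")
    print("investigate first:", suspicious(log))
```

On the sample, only the message injected by the local apache account is flagged; the inbound delivery to a local mailbox (the pattern in the log quoted above) is not relaying at all. Run it against the real maillog and the "local_process" and "inbound_relayed" buckets are the ones that need an explanation: a web script sending as apache points at the application, a flood of authenticated submissions from one user points at a stolen mailbox password.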