HowtoForge Forums > ISPConfig 2 > Installation/Configuration
  #1  
16th January 2008, 23:55
greenhornet (Junior Member)
My server got hacked and is being used to SPAM

Guys,
I really need some help with this and I'm very much a noob. I followed the out of the box instructions to get my ISPconfig server up and running. I am getting dozens of bounced spam emails that are either being sent through my server or spoofed through my domain.

How can I stop this? HELP
  #2  
17th January 2008, 09:22
till (Super Moderator, Lüneburg, Germany)

This does not generally mean that your server got hacked, as everyone may use your domain as sender address, which does not necessarily mean that the emails had been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
17th January 2008, 09:32
edge (Moderator, The Netherlands)

Also make sure that you have a correct SPF record setup for the domain to only use that server for outgoing email.
__________________
Never execute code written on a Friday or a Monday.
  #4  
17th January 2008, 09:51
Hans (Moderator, Montfoort, The Netherlands)

Another tip:
Verify your mail.log files and try to find out which user is sending the spam.

Also go to http://www.mxtoolbox.com/blacklists.aspx and check that your server is not blacklisted in the meantime.
To check if you have an open relay, you can use the site http://www.abuse.net/relay.html
If you have an insecure contact form in one of your websites, you will probably see that spam has been sent via a system user.
If you use a default ISPConfig server, this is the Apache user. On Debian this is www-data, but it can be different on other Linux distributions.
If you use ISPConfig with suPHP enabled, insecure contact forms are easier to locate, because in that case the spam has been sent via the web admin user of that website and not via the Apache user.
__________________
Hans

BB-Hosting | Quality Web Hosting since 2005

Last edited by Hans; 17th January 2008 at 10:11.
  #5  
17th January 2008, 15:11
greenhornet (Junior Member)

Quote:
Originally Posted by till
This does not generally mean that your server got hacked, as everyone may use your domain as sender address, which does not necessarily mean that the emails had been sent from your server. Please post an excerpt of your mail log and the content of the file /etc/postfix/main.cf
Yes, but to go from zero to roughly 75 bounced emails in an hour it is an indication that SOMETHING changed and I have become a target. Successful or otherwise.

What's the location of my mail log and I'll post?
  #6  
17th January 2008, 15:22
Hans (Moderator, Montfoort, The Netherlands)

Please have a look at your directory /var/log/.

You can follow the activities within your log file with the command:

tail -f /var/log/mail.log

ctrl+C to exit your session.
__________________
Hans

BB-Hosting | Quality Web Hosting since 2005
  #7  
17th January 2008, 15:25
greenhornet (Junior Member)
main.cf contents

Here's the /etc/postfix/main.cf content. I have removed my domain references and replaced them with xxx. I'm also working on getting the mail log once I figure out where it is.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = isp.xxx.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = isp.xxx.net, localhost.xxx.net, , localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _una$
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names
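As an added example (not from this thread and not part of ISPConfig or Postfix), the following script parses a main.cf in the format posted above and flags the settings that decide whether a server can be abused to send spam: a mynetworks that trusts everyone, a smtpd_recipient_restrictions list that never rejects relaying, a bare permit that short-circuits the list, and SASL logins allowed without TLS (the posted file has smtpd_tls_auth_only = no). The two sample configurations are constructed for the example; the posted restriction line is cut off at "reject _una$", so the samples spell out complete lists rather than guessing at it. The check assumes a pre-2.10 Postfix, as in this 2008 thread, where relay control lives entirely in smtpd_recipient_restrictions.

```python
import re

# Constructed sample in the style of the posted main.cf (not the poster's file):
# a weak configuration and its hardened counterpart.
WEAK_MAIN_CF = """\
myhostname = isp.example.net
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit
"""

HARDENED_MAIN_CF = """\
myhostname = isp.example.net
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Rules that stop relaying once reached; one of them must appear in the list.
REJECT_RULES = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}


def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines (a line starting with whitespace extends the previous value)."""
    cfg = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            cfg[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        cfg[current] = value.strip()
    return cfg


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_relay_settings(cfg):
    """Return a list of human-readable findings; an empty list means no relay issue found.
    Assumption: Postfix before 2.10 (no smtpd_relay_restrictions), as in this thread."""
    findings = []
    nets = split_list(cfg.get("mynetworks", ""))
    if any(n.endswith("/0") for n in nets):
        findings.append("mynetworks trusts every address (/0): permit_mynetworks lets anyone relay")

    rules = split_list(cfg.get("smtpd_recipient_restrictions", ""))
    reject_positions = [i for i, r in enumerate(rules) if r in REJECT_RULES]
    if not reject_positions:
        findings.append("smtpd_recipient_restrictions never rejects unauthorised relaying")
    if "permit" in rules and (not reject_positions or rules.index("permit") < reject_positions[0]):
        findings.append("bare 'permit' is reached before any reject rule: every client may relay")

    if cfg.get("smtpd_sasl_auth_enable") == "yes" and cfg.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("SASL AUTH allowed without TLS: mailbox passwords cross the network in clear")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_relay_settings(parse_main_cf(text)) or ["no relay findings"])
```

Run it against a real file with `audit_relay_settings(parse_main_cf(open("/etc/postfix/main.cf").read()))`; the parser only needs the plain `name = value` layout that the posted file uses, and does not expand `$variable` references.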
  #8  
17th January 2008, 15:42
greenhornet (Junior Member)
mail log

Here is an excerpt from my mail log. I tried to go back to when the problem was at its worst yesterday, but it appears the log doesn't retain information that long. The number of bounced spam messages has slowed quite a bit in the past 24 hours.
Code:
Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:00 isp postfix/cleanup[8469]: 32EA73E02F1: message-id=<2a13201c858d0$c83334a0$4432010a@dbl.local>
Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<ndebaggis@dbldistributing.com>, size=100369, nrcpt=1 (queue active)
Jan 17 00:15:02 isp postfix/smtpd[8464]: disconnect from ftp.dbldistributing.com[208.51.73.51]
Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>
Jan 17 00:15:06 isp postfix/cleanup[8469]: 04FC53E033A: message-id=<20080117061506.04FC53E033A@isp.thealangroup.net>
Jan 17 00:15:06 isp postfix/qmgr[8170]: 04FC53E033A: from=<web11_@isp.thealangroup.net>, size=386, nrcpt=1 (queue active)
Jan 17 00:15:07 isp postfix/local[8491]: 04FC53E033A: to=<admispconfig@localhost.localdomain>, relay=local, delay=1.1, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:07 isp postfix/qmgr[8170]: 04FC53E033A: removed
Jan 17 00:15:17 isp postfix/local[8470]: 32EA73E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=18, delays=2.6/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:17 isp postfix/qmgr[8170]: 32EA73E02F1: removed
Jan 17 00:15:49 isp postfix/smtpd[8464]: connect from unknown[62.117.127.3]
Jan 17 00:15:49 isp postfix/smtpd[8464]: 6544B3E02F1: client=unknown[62.117.127.3]
Jan 17 00:15:49 isp postfix/cleanup[8469]: 6544B3E02F1: message-id=<000701c858d0$06620afc$d433d496@csblewno>
Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: from=<kyra@surecom.com>, size=880, nrcpt=1 (queue active)
Jan 17 00:15:49 isp postfix/local[8491]: warning: required alias not found: postmaster
Jan 17 00:15:49 isp postfix/local[8491]: 6544B3E02F1: to=<postmaster@green-hornet.com>, relay=local, delay=0.37, delays=0.37/0/0/0, dsn=2.0.0, status=sent (discarded)
Jan 17 00:15:49 isp postfix/qmgr[8170]: 6544B3E02F1: removed
Jan 17 00:15:49 isp postfix/smtpd[8464]: disconnect from unknown[62.117.127.3]
Jan 17 00:17:49 isp postfix/smtpd[8546]: connect from unknown[58.187.120.65]
Jan 17 00:19:13 isp postfix/smtpd[8564]: connect from unknown[123.253.132.236]
Jan 17 00:19:15 isp postfix/smtpd[8564]: 87CD23E02F1: client=unknown[123.253.132.236]
Jan 17 00:19:16 isp postfix/cleanup[8566]: 87CD23E02F1: message-id=<1200547543.0043@sprint.ca>
Jan 17 00:19:16 isp postfix/qmgr[8170]: 87CD23E02F1: from=<lavernebirdvp@sprint.ca>, size=1260, nrcpt=1 (queue active)
Jan 17 00:19:17 isp postfix/smtpd[8564]: disconnect from unknown[123.253.132.236]
Jan 17 00:19:21 isp postfix/local[8569]: 87CD23E02F1: to=<web11_@isp.thealangroup.net>, orig_to=<keith@thealangroup.net>, relay=local, delay=5.9, delays=0.79/0.01/0/5.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:19:21 isp postfix/qmgr[8170]: 87CD23E02F1: removed
Jan 17 00:21:35 isp postfix/smtpd[8599]: warning: 201.209.4.30: hostname 201-209-4-30.genericrev.cantv.net verification failed: Name or service not known
Jan 17 00:21:35 isp postfix/smtpd[8599]: connect from unknown[201.209.4.30]
Jan 17 00:21:36 isp postfix/smtpd[8599]: 0F0043E030C: client=unknown[201.209.4.30]
Jan 17 00:21:36 isp postfix/cleanup[8601]: 0F0043E030C: message-id=<5IX530EJXVWDA478@mms-mobilya.com>
Jan 17 00:21:36 isp postfix/qmgr[8170]: 0F0043E030C: from=<Nanyone@allidaho.com>, size=1248, nrcpt=1 (queue active)
Jan 17 00:21:36 isp postfix/smtpd[8599]: disconnect from unknown[201.209.4.30]
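Hans's tip in post #4 (find out which user hands the spam to Postfix) and the log excerpt above come together in the following added example, which is not part of the thread or of ISPConfig. It groups mail.log lines by queue ID and records how each message entered Postfix: `postfix/pickup ... uid=... from=<...>` lines are local submissions (sendmail(1) or PHP's mail(), which is how an abused contact form sends), while `postfix/smtpd ... client=...` lines are SMTP connections. From that it answers three questions: which Unix user submits mail locally, which of those submissions actually left for a remote MX, and whether any unauthenticated, untrusted SMTP client got mail relayed (an open relay). The log is a constructed sample modelled on the posted lines, with hosts replaced by documentation addresses and a www-data sender and a SASL-authenticated client added to show those two cases; the trusted network mirrors `mynetworks = 127.0.0.0/8` from the posted main.cf.

```python
import re
import ipaddress
from collections import defaultdict

# Mirrors "mynetworks = 127.0.0.0/8" from the posted main.cf (assumption for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample modelled on the posted excerpt; not the poster's real log.
SAMPLE_LOG = """\
Jan 17 00:14:59 isp postfix/smtpd[8464]: connect from ftp.example.com[203.0.113.51]
Jan 17 00:15:00 isp postfix/smtpd[8464]: 32EA73E02F1: client=ftp.example.com[203.0.113.51]
Jan 17 00:15:02 isp postfix/qmgr[8170]: 32EA73E02F1: from=<sender@example.com>, size=100369, nrcpt=1 (queue active)
Jan 17 00:15:06 isp postfix/pickup[8169]: 04FC53E033A: uid=10010 from=<web11_>
Jan 17 00:15:07 isp postfix/local[8491]: 04FC53E033A: to=<admispconfig@localhost.localdomain>, relay=local, delay=1.1, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:15:17 isp postfix/local[8470]: 32EA73E02F1: to=<web11_@isp.example.net>, orig_to=<keith@example.net>, relay=local, delay=18, delays=2.6/0.01/0/15, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -f-)
Jan 17 00:20:00 isp postfix/pickup[8169]: AAAA00000001: uid=33 from=<www-data>
Jan 17 00:20:01 isp postfix/smtp[8600]: AAAA00000001: to=<victim@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Jan 17 00:20:05 isp postfix/pickup[8169]: AAAA00000002: uid=33 from=<www-data>
Jan 17 00:20:06 isp postfix/smtp[8600]: AAAA00000002: to=<other@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
Jan 17 00:21:36 isp postfix/smtpd[8599]: 0F0043E030C: client=unknown[192.0.2.30]
Jan 17 00:21:40 isp postfix/smtp[8601]: 0F0043E030C: to=<someone@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=4, delays=1/0/1/2, dsn=2.0.0, status=sent (250 OK)
Jan 17 00:25:00 isp postfix/smtpd[8700]: BBBB00000003: client=host.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=web11_bob
Jan 17 00:25:03 isp postfix/smtp[8601]: BBBB00000003: to=<friend@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=3, delays=1/0/1/1, dsn=2.0.0, status=sent (250 OK)
"""

PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)")
DELIVERY_RE = re.compile(
    r"postfix/(?:local|virtual|smtp|lmtp|pipe)\[\d+\]: (\w+): to=<([^>]*)>.*?relay=([^,]+),.*?status=(\w+)")


def parse_mail_log(text):
    """Group lines by queue ID; record origin (pickup = local submission, smtpd = SMTP)
    and every delivery attempt as (recipient, relay, status)."""
    msgs = {}
    for line in text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            qid, uid, user = m.groups()
            msgs.setdefault(qid, {"deliveries": []}).update(origin="pickup", uid=int(uid), user=user)
            continue
        m = CLIENT_RE.search(line)
        if m:
            qid, client = m.groups()
            # Postfix appends sasl_method=/sasl_username= to client= for authenticated sessions.
            msgs.setdefault(qid, {"deliveries": []}).update(
                origin="smtpd", client=client, authenticated="sasl_username=" in line)
            continue
        m = DELIVERY_RE.search(line)
        if m:
            qid, rcpt, relay, status = m.groups()
            msgs.setdefault(qid, {"deliveries": []})["deliveries"].append((rcpt, relay, status))
    return msgs


def is_remote(relay):
    """relay=local / relay=virtual stay on this host; anything else left via the smtp client."""
    return not (relay == "local" or relay.startswith("virtual"))


def local_submissions_by_uid(msgs):
    """Hans's check: which Unix user (uid, name) hands mail to Postfix locally, and how often."""
    counts = defaultdict(int)
    for rec in msgs.values():
        if rec.get("origin") == "pickup":
            counts[(rec["uid"], rec["user"])] += 1
    return dict(counts)


def outbound_from_local_users(msgs):
    """Locally submitted messages that were sent to a remote MX, per user. Mail from the
    web server user (www-data, or a web<N>_ user under suPHP) here points at an abused script."""
    counts = defaultdict(int)
    for rec in msgs.values():
        if rec.get("origin") != "pickup":
            continue
        n = sum(1 for _, relay, status in rec["deliveries"] if is_remote(relay) and status == "sent")
        if n:
            counts[(rec["uid"], rec["user"])] += n
    return dict(counts)


def suspected_open_relay(msgs):
    """Messages accepted over SMTP from an unauthenticated client outside TRUSTED_NETWORKS
    and then delivered to a remote MX. Any hit means the server relayed for a stranger."""
    hits = []
    for qid, rec in msgs.items():
        if rec.get("origin") != "smtpd" or rec["authenticated"]:
            continue
        try:
            ip = ipaddress.ip_address(rec["client"].rsplit("[", 1)[-1].rstrip("]"))
        except ValueError:
            continue  # no IP in the client field; cannot classify, so skip
        if any(ip in net for net in TRUSTED_NETWORKS):
            continue
        for rcpt, relay, status in rec["deliveries"]:
            if is_remote(relay) and status == "sent":
                hits.append((qid, rec["client"], rcpt, relay))
    return hits


if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE_LOG)
    print("local submissions by uid:", local_submissions_by_uid(parsed))
    print("outbound from local users:", outbound_from_local_users(parsed))
    print("suspected relay:", suspected_open_relay(parsed))
```

To run it over the real file, replace SAMPLE_LOG with the contents of /var/log/mail.log; the uid in a pickup line maps back to a user through /etc/passwd, which under ISPConfig identifies the web<N>_ user and thus the site whose form is being abused.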
  #9  
18th January 2008, 18:40
falko (Super Moderator, Lüneburg, Germany)

If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server.
__________________
Falko
  #10  
18th January 2008, 19:25
greenhornet (Junior Member)

Quote:
Originally Posted by falko
If spammers are using your domain in the sender address, then there's nothing you can do about it. They can send their spam from other servers, but the bounces go to your server.
Yes but I'm not certain that's all they are doing. Are you? It appeared from the logs that they attained one of the ISPconfig account names (ie: web2_bob) and were sending with that. That is not something that would typically be visible to someone that just tried spoofing an email address (ie: bob@bobsdomain.com).