  #1  
Old 10th February 2010, 17:34
mazgit (Junior Member)
Our mailserver hacked??? - a lot of SPAM is being sent out

Hi,

I hope someone can help us, we really need help with our mailserver. It looks like someone has managed to get in and use our mail server to send out SPAM. We are a school with approx. 30 email users.

We have been using the ISP's smtp port. Now they have blocked the smtp port from our school, since a lot of spam was sent out. This means that we cannot send mail outside. We have checked everything inside and also turned off everything (all computers, servers and the wireless network), leaving just the mail and web server on. And from the logs it looks like someone is still trying to send spam.

We want to change our smtp so we use our own, not through the ISP's port, so they don’t block us anymore. And the other thing is that we have not used authentication for our mails.

Please help us!!!!! We don't have much experience in this; the mailserver with Suse and Postfix was set up by someone else 4 years ago.

We have SUSE LINUX 10.0 (X86-64) OSS (VERSION = 10.0), postfix = 2.2.5, and ISPConfig Version: 2.2.18.

Here is a sample of /var/log:

Code:
/var/log # tail -f warn 
Feb 10 17:25:31 kmail postfix/smtpd[3324]: warning: 94.97.209.201: hostname 94.96.209.201.dynamic.saudi.net.sa verification failed: Name or service not known
Feb 10 17:25:32 kmail postfix/smtpd[3324]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Feb 10 17:26:51 kmail postfix/smtpd[3324]: warning: 187.65.33.71: hostname bb412147.virtua.com.br verification failed: Name or service not known
Code:
/var/log # tail -f mail
Feb 10 17:12:24 kmail postfix/qmgr[2160]: 1B24818171: to=<alan@loandirect.com>, relay=none, delay=1832, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
Feb 10 17:12:24 kmail postfix/qmgr[2160]: 17C8A1817C: to=<alan@loandirect.com>, relay=none, delay=1822, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
Feb 10 17:12:24 kmail postfix/qmgr[2160]: 188031817F: to=<alan@loandirect.com>, relay=none, delay=1818, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
Feb 10 17:12:30 kmail postfix/smtpd[2722]: warning: 187.40.200.39: hostname 18740200039.user.veloxzone.com.br verification failed: Name or service not known
Feb 10 17:12:30 kmail postfix/smtpd[2722]: connect from unknown[187.40.200.39]
Feb 10 17:12:31 kmail postfix/smtpd[2722]: setting up TLS connection from unknown[187.40.200.39]
Feb 10 17:12:31 kmail postfix/smtpd[2722]: TLS connection established from unknown[187.40.200.39]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Feb 10 17:12:32 kmail postfix/smtpd[2722]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead

Best regards,
Mazgit
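Before chasing a rootkit, it is worth pulling the basic facts out of logs like the ones above. The Python script below is an added example written for this thread, not code from the original post, ISPConfig or Postfix. It parses syslog-format Postfix lines (the sample is constructed from the excerpt: the same client IPs, queue IDs and warnings) and reports which clients connected without a resolvable reverse name, which of those went on to establish TLS (the usual prelude to an SMTP AUTH login, worth correlating with the SASL log), how many queue entries each recipient has, and whether Postfix is still warning about check_relay_domains.

```python
"""Triage of Postfix syslog lines such as those posted in this thread.

Added example (not code from the original post, ISPConfig or Postfix).
It answers the questions a defender asks first when a server is accused of
spamming: which clients connect without a resolvable reverse name, which of
those went on to set up TLS, which recipients dominate the queue, and whether
Postfix is still warning about the deprecated check_relay_domains restriction.
"""
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/mail and warn excerpts above.
SAMPLE_LOG = """\
Feb 10 17:12:24 kmail postfix/qmgr[2160]: 1B24818171: to=<alan@loandirect.com>, relay=none, delay=1832, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
Feb 10 17:12:24 kmail postfix/qmgr[2160]: 17C8A1817C: to=<alan@loandirect.com>, relay=none, delay=1822, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
Feb 10 17:12:30 kmail postfix/smtpd[2722]: warning: 187.40.200.39: hostname 18740200039.user.veloxzone.com.br verification failed: Name or service not known
Feb 10 17:12:30 kmail postfix/smtpd[2722]: connect from unknown[187.40.200.39]
Feb 10 17:12:31 kmail postfix/smtpd[2722]: TLS connection established from unknown[187.40.200.39]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Feb 10 17:12:32 kmail postfix/smtpd[2722]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Feb 10 17:25:31 kmail postfix/smtpd[3324]: warning: 94.97.209.201: hostname 94.96.209.201.dynamic.saudi.net.sa verification failed: Name or service not known
Feb 10 17:26:51 kmail postfix/smtpd[3324]: warning: 187.65.33.71: hostname bb412147.virtua.com.br verification failed: Name or service not known
"""

RE_VERIFY_FAIL = re.compile(
    r"warning: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): hostname (?P<host>\S+) verification failed")
RE_CONNECT = re.compile(r"connect from (?P<name>[^\[\s]+)\[(?P<ip>[\d.]+)\]")
RE_TLS = re.compile(r"TLS connection established from [^\[\s]+\[(?P<ip>[\d.]+)\]")
RE_QUEUE = re.compile(r": (?P<qid>[0-9A-F]{6,}): to=<(?P<rcpt>[^>]+)>.*status=(?P<status>\w+)")
RE_RELAY_WARN = re.compile(r'restriction "check_relay_domains"')


def triage(log_text):
    """Parse Postfix log lines and return a dict of findings."""
    unresolved = {}      # client IP -> the PTR name that failed verification
    tls_clients = set()  # client IPs that established TLS
    connects = Counter() # client IP -> number of connections
    queue = Counter()    # (status, recipient) -> number of queue entries
    relay_warning = False
    for line in log_text.splitlines():
        if m := RE_VERIFY_FAIL.search(line):
            unresolved[m["ip"]] = m["host"]
        elif m := RE_CONNECT.search(line):
            connects[m["ip"]] += 1
        elif m := RE_TLS.search(line):
            tls_clients.add(m["ip"])
        elif m := RE_QUEUE.search(line):
            queue[(m["status"], m["rcpt"])] += 1
        elif RE_RELAY_WARN.search(line):
            relay_warning = True
    return {
        "unresolved_clients": unresolved,
        "tls_from_unresolved": sorted(tls_clients & set(unresolved)),
        "connections": connects,
        "queue": queue,
        "check_relay_domains_active": relay_warning,
    }


def top_recipients(findings, n=5):
    """Recipients with the most queue entries, summed over all statuses."""
    per_rcpt = Counter()
    for (_status, rcpt), count in findings["queue"].items():
        per_rcpt[rcpt] += count
    return per_rcpt.most_common(n)


def report(findings):
    """Human-readable summary of the findings."""
    lines = []
    for ip, host in findings["unresolved_clients"].items():
        note = " (went on to establish TLS)" if ip in findings["tls_from_unresolved"] else ""
        lines.append(f"unresolved client {ip} claiming PTR {host}{note}")
    for rcpt, count in top_recipients(findings):
        lines.append(f"{count} queue entries for {rcpt}")
    if findings["check_relay_domains_active"]:
        lines.append("main.cf still uses check_relay_domains; Postfix asks for reject_unauth_destination")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against the real file with `triage(open("/var/log/mail").read())`; a handful of dynamic-pool clients that all establish TLS and then feed the same recipient is the pattern to take to the SASL log next, since the posted main.cf has `smtpd_sasl_auth_enable = yes`.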
  #2  
Old 10th February 2010, 18:36
till (Super Moderator, Lüneburg, Germany)

Most spam is sent through vulnerable CMS systems or contact forms.

1) Do you host a website on this server that is accessible from outside?
2) Have you checked your server with rkhunter and chkrootkit?
Till Brehm
  #3  
Old 10th February 2010, 19:33
edge (Moderator, The Netherlands)

This howto might help you find the problem.

http://www.howtoforge.com/how-to-log...tect-form-spam
  #4  
Old 10th February 2010, 19:45
mazgit (Junior Member)

Hi Till,

1) Do you host a website on this server that is accessible from outside?
No, this is only a mailserver.

2) Have you checked your server with rkhunter and chkrootkit?
I have now checked with rkhunter and chkrootkit, but I am not so familiar with Linux, so I'm not sure about the result.

Here is the summary of the rkhunter run (there were a lot of warnings):
Code:
[19:07:48]     Checking for string 'libproc.so.2.0.7'        [ Not found ]
[19:07:48]     Checking for string '/dev/ida/.inet'          [ Not found ]
[19:07:48] Warning: Checking for possible rootkit strings    [ Warning ]
[19:07:48]          Found string 'hdparm' in file '/etc/init.d/boot.idedma'. Possible rootkit: Xzibit Rootkit
[19:07:48]
[19:07:48] Performing malware checks
[19:07:48] Info: Starting test name 'malware'
[19:07:48]
[19:07:48] Info: Test 'deleted_files' disabled at users request.
[19:07:48] Info: Starting test name 'running_procs'
[19:07:48]   Checking running processes for suspicious files [ None found ]
[19:07:48]
[19:07:48] Info: Test 'hidden_procs' disabled at users request.
[19:07:48]
[19:07:48] Info: Test 'suspscan' disabled at users request.
[19:07:48]
[19:07:48]   Performing check for login backdoors
[19:07:49] Info: Starting test name 'other_malware'
[19:07:49]     Checking for '/bin/.login'                    [ Not found ]
[19:07:49]     Checking for '/sbin/.login'                   [ Not found ]
[19:07:49]   Checking for login backdoors                    [ None found ]
[19:07:49]
[19:07:49]   Performing check for suspicious directories
[19:07:49]     Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[19:07:49]     Checking for directory '/dev/rd/cdb'          [ Not found ]
[19:07:49]   Checking for suspicious directories             [ None found ]
[19:07:49]
[19:07:49]   Checking for software intrusions                [ Skipped ]
[19:07:49] Info: Check skipped - tripwire not installed
[19:07:49]
[19:07:49]   Performing check for sniffer log files
[19:07:49]     Checking for file '/usr/lib/libice.log'       [ Not found ]
[19:07:49]     Checking for file '/dev/prom/sn.l'            [ Not found ]
[19:07:49]     Checking for file '/dev/fd/.88/zxsniff.log'   [ Not found ]
[19:07:49]   Checking for sniffer log files                  [ None found ]
[19:07:49]
[19:07:49] Performing trojan specific checks
[19:07:49] Info: Starting test name 'trojans'
[19:07:49]   Checking for enabled inetd services             [ Skipped ]
[19:07:49] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[19:07:49]
[19:07:49]   Performing check for enabled xinetd services
[19:07:49] Info: Using xinetd configuration file '/etc/xinetd.conf'
[19:07:49]     Checking '/etc/xinetd.conf' for enabled services [ None found ]
[19:07:49]       Found 'includedir /etc/xinetd.d' directive
[19:07:49]     Checking '/etc/xinetd.d/chargen' for enabled services [ None found ]
[19:07:49]     Checking '/etc/xinetd.d/chargen-udp' for enabled services [ None found ]
[19:07:49]     Checking '/etc/xinetd.d/daytime' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/daytime-udp' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/echo' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/echo-udp' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/fam' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/netstat' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/omni' for enabled services [ Warning ]
[19:07:50]     Checking '/etc/xinetd.d/servers' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/services' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/systat' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/time' for enabled services [ None found ]
[19:07:50]     Checking '/etc/xinetd.d/time-udp' for enabled services [ None found ]
[19:07:50]   Checking for enabled xinetd services            [ Warning ]
[19:07:50] Warning: Found enabled xinetd service: /etc/xinetd.d/omni
[19:07:50] Info: Apache backdoor check skipped: Apache modules and configuration directories not found.
[19:07:50]
[19:07:50] Performing Linux specific checks
[19:07:50] Info: Starting test name 'os_specific'
[19:07:50]   Checking loaded kernel modules                  [ OK ]
[19:07:50] Info: Using modules pathname of '/lib/modules/2.6.13-15.18-default'
[19:07:50]   Checking kernel module names                    [ OK ]
[19:07:57]
[19:07:57] Checking the network...
[19:07:57] Info: Starting test name 'network'
[19:07:57] Info: Starting test name 'ports'
[19:07:57]
[19:07:57] Performing check for backdoor ports
[19:07:57]   Checking for TCP port 1524                      [ Not found ]
[19:07:57]   Checking for TCP port 1984                      [ Not found ]
[19:07:58]   Checking for UDP port 2001                      [ Not found ]
[19:07:58]   Checking for TCP port 2006                      [ Not found ]
[19:07:58]   Checking for TCP port 2128                      [ Not found ]
[19:07:58]   Checking for TCP port 6666                      [ Not found ]
[19:07:58]   Checking for TCP port 6667                      [ Not found ]
[19:07:58]   Checking for TCP port 6668                      [ Not found ]
[19:07:58]   Checking for TCP port 6669                      [ Not found ]
[19:07:58]   Checking for TCP port 7000                      [ Not found ]
[19:07:58]   Checking for TCP port 13000                     [ Not found ]
[19:07:58]   Checking for TCP port 14856                     [ Not found ]
[19:07:58]   Checking for TCP port 25000                     [ Not found ]
[19:07:59]   Checking for TCP port 29812                     [ Not found ]
[19:07:59]   Checking for TCP port 31337                     [ Not found ]
[19:07:59]   Checking for TCP port 33369                     [ Not found ]
[19:07:59]   Checking for TCP port 47107                     [ Not found ]
[19:07:59]   Checking for TCP port 47018                     [ Not found ]
[19:07:59]   Checking for TCP port 60922                     [ Not found ]
[19:07:59]   Checking for TCP port 62883                     [ Not found ]
[19:07:59]   Checking for TCP port 65535                     [ Not found ]
[19:07:59]
[19:07:59] Performing checks on the network interfaces
[19:07:59] Info: Starting test name 'promisc'
[19:07:59]   Checking for promiscuous interfaces             [ None found ]
[19:07:59]
[19:07:59] Info: Test 'packet_cap_apps' disabled at users request.
[19:08:05]
[19:08:05] Checking the local host...
[19:08:05] Info: Starting test name 'local_host'
[19:08:05]
[19:08:05] Performing system boot checks
[19:08:05] Info: Starting test name 'startup_files'
[19:08:05]   Checking for local host name                    [ Found ]
[19:08:05] Info: Starting test name 'startup_malware'
[19:08:05]   Checking for system startup files               [ Found ]
[19:08:08]   Checking system startup files for malware       [ None found ]
[19:08:08]
[19:08:08] Performing group and account checks
[19:08:08] Info: Starting test name 'group_accounts'
[19:08:08]   Checking for passwd file                        [ Found ]
[19:08:08] Info: Found password file: /etc/passwd
[19:08:08]   Checking for root equivalent (UID 0) accounts   [ None found ]
[19:08:08] Info: Found shadow file: /etc/shadow
[19:08:08]   Checking for passwordless accounts              [ None found ]
[19:08:08] Info: Starting test name 'passwd_changes'
[19:08:08]   Checking for passwd file changes                [ None found ]
[19:08:08] Info: Starting test name 'group_changes'
[19:08:08]   Checking for group file changes                 [ None found ]
[19:08:08]   Checking root account shell history files       [ OK ]
[19:08:08]
[19:08:08] Performing system configuration file checks
[19:08:08] Info: Starting test name 'system_configs'
[19:08:08]   Checking for SSH configuration file             [ Found ]
[19:08:08] Info: Found SSH configuration file: /etc/ssh/sshd_config
[19:08:08] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[19:08:08] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[19:08:08]   Checking if SSH root access is allowed          [ Not allowed ]
[19:08:08]   Checking if SSH protocol v1 is allowed          [ Warning ]
[19:08:08] Warning: The SSH configuration option 'Protocol' has not been set.
           The default value may be '2,1', to allow the use of protocol version 1.
[19:08:09]   Checking for running syslog daemon              [ Found ]
[19:08:09]   Checking for syslog configuration file          [ Found ]
[19:08:09] Info: Found syslog configuration file: /etc/syslog-ng/syslog-ng.conf
[19:08:09]   Checking if syslog remote logging is allowed    [ Not allowed ]
[19:08:09]
[19:08:09] Performing filesystem checks
[19:08:09] Info: Starting test name 'filesystem'
[19:08:09] Info: SCAN_MODE_DEV set to 'THOROUGH'
[19:08:09]   Checking /dev for suspicious file types         [ None found ]
[19:08:09]   Checking for hidden files and directories       [ Warning ]
[19:08:09] Warning: Hidden directory found: /dev/.udevdb
[19:08:20]
[19:08:20] Checking application versions...
[19:08:20] Info: Starting test name 'apps'
[19:08:22] Info: Application 'exim' not found.
[19:08:22]   Checking version of GnuPG                       [ Warning ]
[19:08:22] Warning: Application 'gpg', version '1.4.2', is out of date, and possibly a security risk.
[19:08:22]   Checking version of Apache                      [ Warning ]
[19:08:22] Warning: Application 'httpd', version '2.0.54', is out of date, and possibly a security risk.
[19:08:22]   Checking version of Bind DNS                    [ Warning ]
[19:08:22] Warning: Application 'named', version '9.3.2', is out of date, and possibly a security risk.
[19:08:22]   Checking version of OpenSSL                     [ Warning ]
[19:08:22] Warning: Application 'openssl', version '0.9.7g', is out of date, and possibly a security risk.
[19:08:22]   Checking version of PHP                         [ OK ]
[19:08:22] Info: Application 'php' version '4.4.0' found.
[19:08:22]   Checking version of Procmail MTA                [ OK ]
[19:08:22] Info: Application 'procmail' version '3.22' found.
[19:08:22]   Checking version of ProFTPd                     [ OK ]
[19:08:22] Info: Application 'proftpd' version '1.2.10' found.
[19:08:22]   Checking version of OpenSSH                     [ Warning ]
[19:08:22] Warning: Application 'sshd', version '4.1p1', is out of date, and possibly a security risk.
[19:08:22] Info: Applications checked: 8 out of 9
[19:08:22]
[19:08:22] System checks summary
[19:08:23] =====================
[19:08:23]
[19:08:23] File properties checks...
[19:08:23] Required commands check failed
[19:08:23] Files checked: 137
[19:08:23] Suspect files: 6
[19:08:23]
[19:08:23] Rootkit checks...
[19:08:23] Rootkits checked : 249
[19:08:23] Possible rootkits: 1
[19:08:23] Rootkit names    : Xzibit Rootkit
[19:08:23]
[19:08:23] Applications checks...
[19:08:23] Applications checked: 8
[19:08:23] Suspect applications: 5
[19:08:23]
[19:08:23] The system checks took: 2 minutes and 13 seconds
[19:08:23]
[19:08:23] Info: End date is Wed Feb 10 19:08:23 CET 2010
Here is part of the output from chkrootkit:
Code:
/usr/bin/find: head terminated by signal 13

/tmp/root/ispconfig/php/lib/php/build/run-tests.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_procmail.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_system.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_db_mysql.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_string.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_isp_file.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_template.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_bind.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_postfix.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_sendmail.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_file.lib.php
/tmp/root/ispconfig/scripts/lib/classes/ispconfig_log.lib.php
/tmp/root/ispconfig/scripts/lib/config.lib.php
/tmp/root/ispconfig/scripts/lib/config.inc.php
/tmp/root/ispconfig/scripts/lib/server.inc.php
/tmp/root/ispconfig/scripts/shell/quota_msg.php
/tmp/root/ispconfig/scripts/shell/ftp_logs.php
/tmp/root/ispconfig/scripts/shell/traffic.php
/tmp/root/ispconfig/scripts/shell/check_services.php
/tmp/root/ispconfig/scripts/shell/logs.php
/tmp/root/ispconfig/scripts/shell/webalizer.php
/tmp/root/ispconfig/scripts/shell/backup.php
/tmp/root/ispconfig/scripts/shell/firewall.php
/tmp/root/ispconfig/scripts/shell/mail_logs.php
/tmp/root/ispconfig/scripts/shell/cleanup.php
/tmp/root/ispconfig/scripts/writeconf.php
/tmp/horde/imp-h3-4.1.1/lib/Auth/imp.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Client.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Search.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Tree.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Thread.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP/Sort.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/rfc822.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/plain.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/images.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/html.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/notification.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/zip.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/partial.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/tnef.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/related.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/itip.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/multipart.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/alternative.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/pkcs7.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/appledouble.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/pgp.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/status.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Viewer/enriched.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Contents.php
/tmp/horde/imp-h3-4.1.1/lib/MIME/Headers.php
/tmp/horde/imp-h3-4.1.1/lib/Identity/imp.php
/tmp/horde/imp-h3-4.1.1/lib/Mailbox.php
/tmp/horde/imp-h3-4.1.1/lib/Block/summary.php
/tmp/horde/imp-h3-4.1.1/lib/Block/tree_folders.php
/tmp/horde/imp-h3-4.1.1/lib/Crypt/PGP.php
/tmp/horde/imp-h3-4.1.1/lib/Crypt/SMIME.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/cyrus.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/mercury32.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/command.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/logfile.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/courier.php
/tmp/horde/imp-h3-4.1.1/lib/Quota/mdaemon.php
/tmp/horde/imp-h3-4.1.1/lib/IMAP.php
/tmp/horde/imp-h3-4.1.1/lib/prefs.php
/tmp/horde/imp-h3-4.1.1/lib/version.php
/tmp/horde/imp-h3-4.1.1/lib/Session.php
/tmp/horde/imp-h3-4.1.1/lib/Fetchmail/imap.php
/tmp/horde/imp-h3-4.1.1/lib/Filter.php
/tmp/horde/imp-h3-4.1.1/lib/Maillog.php
/tmp/horde/imp-h3-4.1.1/lib/Folder.php
/tmp/horde/imp-h3-4.1.1/lib/Notification/Listener/status.php
/tmp/horde/imp-h3-4.1.1/lib/Search.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/fetchmail_login.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/tos_agreement.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/purge_trash.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/rename_sentmail_monthly.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/delete_sentmail_monthly.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/Task/delete_attachments_monthly.php
/tmp/horde/imp-h3-4.1.1/lib/Maintenance/imp.php
/tmp/horde/imp-h3-4.1.1/lib/api.php
/tmp/horde/imp-h3-4.1.1/lib/IMP.php
/tmp/horde/imp-h3-4.1.1/lib/Spam.php
/tmp/horde/imp-h3-4.1.1/lib/Fetchmail.php
/tmp/horde/imp-h3-4.1.1/lib/Message.php
/tmp/horde/imp-h3-4.1.1/lib/Compose.php
/tmp/horde/imp-h3-4.1.1/lib/Quota.php
/tmp/horde/imp-h3-4.1.1/lib/base.php
/tmp/horde/imp-h3-4.1.1/folders.php
/tmp/horde/imp-h3-4.1.1/message.php
/tmp/horde/imp-h3-4.1.1/compose.php
/tmp/horde/imp-h3-4.1.1/stationery.php
/tmp/horde/imp-h3-4.1.1/scripts/custom_login.php
/tmp/horde/imp-h3-4.1.1/redirect.php
/tmp/horde/imp-h3-4.1.1/spelling.php
/tmp/horde/imp-h3-4.1.1/test.php
/tmp/horde/imp-h3-4.1.1/login.php
/tmp/horde/imp-h3-4.1.1/mailbox.php
/tmp/horde/imp-h3-4.1.1/fetchmailprefs.php
/tmp/horde/imp-h3-4.1.1/smime.php
/tmp/horde/imp-h3-4.1.1/index.php
/tmp/horde/imp-h3-4.1.1/acl.php
/tmp/horde/imp-h3-4.1.1/fetchmail.php
/tmp/horde/imp-h3-4.1.1/attachment.php
/tmp/horde/imp-h3-4.1.1/search.php
/tmp/horde/imp-h3-4.1.1/expand.php
/tmp/horde/imp-h3-4.1.1/saveimage.php
/tmp/horde/imp-h3-4.1.1/pgp.php
/tmp/horde/imp-h3-4.1.1/filterprefs.php
/tmp/horde/imp-h3-4.1.1/view.php
/tmp/horde/imp-h3-4.1.1/recompose.php
/tmp/horde/imp-h3-4.1.1/thread.php
/tmp/horde/imp-h3-4.1.1/contacts.php
Binary file (standard input) matches
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         6347 tty5   /sbin/mingetty tty5
! root         6532 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
  #5  
Old 10th February 2010, 20:42
mazgit (Junior Member)

Hi Edge,

I tried to go through the link you suggested to find the problem,
http://www.howtoforge.com/how-to-log...tect-form-spam

but I'm stuck at point 2, Modifying the php.ini. Since we have Suse I am not sure in which php.ini file I should make the changes for the smtp-port.

Code:
mail:/etc # find / -name php.ini
/etc/php5/cli/php.ini
/etc/php5/fastcgi/php.ini
/etc/php.ini
/tmp/root/ispconfig/php/php.ini
find: WARNING: Hard link count is wrong for /sys/devices: this may be a bug in your filesystem driver.  Automatically turning on find's -noleaf option.  Earlier results may have failed to include directories that should have been searched.
/root/ispconfig/php/php.ini
Thanks to all who are helping!
  #6  
Old 11th February 2010, 14:56
falko (Super Moderator, Lüneburg, Germany)

Should be /etc/php.ini. If you are unsure, create the following PHP file:
PHP Code:
<?php phpinfo(); ?>
and call it in a browser - it will tell you which php.ini is being used.
Falko
  #7  
Old 11th February 2010, 16:06
edge (Moderator, The Netherlands)

Also note that the mail.form file is not in /var/log/ as suggested in the howto, but in /tmp/mail_php.log
  #8  
Old 11th February 2010, 20:27
mazgit (Junior Member)

Hi Falko and Edge,

I did as suggested in the howto, and on the browser I get the message that "Mail sent.", but both mail.form and mail_php.log are empty.

I got the email inside (to a local email address), sent from "Administrator ISPConfig", but not when I changed it to send to an address outside; this is because our smtp port is blocked by our internet provider.
But the logs are empty.
  #9  
Old 13th February 2010, 17:01
mazgit (Junior Member)
Please help...

Dear HowToForge experts,
I hope you have time to check this out and help us! We would really appreciate it!
Below you have the results of looking up our IP and mailserver, then the configuration of our ISPConfig, and at the end the main.cf and master.cf.

As you can see below, we use our ISP's addresses as nameservers, even though we have declared our own nameservers in ISPConfig. Where and how can we make the changes so we don't use our Internet provider's address to send mail? Now they have blocked our smtp port for outgoing mail from our school's main IP address.
When we check smtp.example.com, which we have been using in our email users' Outlook configuration as Outgoing mail server, this address actually resolves to our ISP's address (mx1.x.net).

Quote:
We have checked one of our email addresses through MX Record Lookup:
Doing MX lookup on address x@example.com
Success: the SMTP server is: mail.example.com.
________________________________________
Executed command: nslookup -sil -q=MX example.com 2>&1 with response:
Non-authoritative answer:
example.com mail exchanger = 5 mail.example.com.

Authoritative answers can be found from:
example.com nameserver = ns2.x.net. (our Internet provider's address)
example.com nameserver = ns1.x.net. (our Internet provider's address)
mail.example.com internet address = 1.1.1.1 (our IP of the server)
ns2.x.net internet address = 2.2.2.2 (our Internet provider's address)
Another lookup:
Quote:
example.com DNS RECORDS (http://www.who.is/dns)

Record Type TTL Priority Content
example.com A 1 day 3.3.3.3 (Apo, AE, US) IP of our webserver
example.com MX 1 day 5 mail.example.com
example.com NS 1 day ns1.x.net (our Internet provider's address)
example.com NS 1 day ns2.x.net (our Internet provider's address)
example.com SOA 1 day ns1.x.net. root.x.net. 2010020508 10800 3600 604800 86400
mail.example.com A 1 day 1.1.1.1 (Apo, AE, US) IP of our mailserver
test.example.com CNAME 1 day example.com
www.example.com CNAME 1 day example.com
ISPConfig - Version: 2.2.18
Quote:
In ISP Manager we have:
example.com
webmail.example.com

In the example.org we have the email users.
Under ISP Site those are the configurations:
Basis:
- Server: xmail
- Hostname: www
- Domain: example.com
- IP Address: 1.1.1.1 (the static IP of the mailserver)
- These settings are checked: PHP Scripts, FTP Access, MySQL and Mailuser Login
Co-Domains:
- IP: 1.1.1.1
- Hostname: empty (nothing)
- Domain: example.com
Management:
- Settings
  - Server:
    - Servername: xmail
    - Hostname: xmail
    - Domain: example.com
    - IP: 1.1.1.1
    - Netmask: x.x.x.x
    - Admin Email: root@localhost
  - Email:
    - MTA Type: Postfix
    - Virtuser File: /etc/postfix/virtusertable
    - Sendmail CW: /etc/postfix/local-host-names
    - Mail Log: /var/log/mail
    - Antivirus-Admin: admispconfig@localhost
    - Maildir and Spamfilter are checked
  - DNS:
    - BIND User: named
    - BIND Group: named
    - Named.conf: /etc/named.conf
    - Zonefiles Dir.: /var/lib/named
    - Default Ns1: xmail.example.com
    - Default Ns2: xmail.example.com

- Server - Services:
  - Services:
    - All services are on, only the FIREWALL is OFF
  - Monitoring:
    Service  Port  Active  Hostname
    web      80    yes     localhost
    mail     25    yes     localhost
  - Firewall:
    Name        Port   Type  Active
    FTP         21     tcp   yes
    SSH         22     tcp   yes
    SMTP        25     tcp   yes
    DNS         53     tcp   yes
    DNS         53     udp   yes
    WWW         80     tcp   yes
    ISPConfig   81     tcp   yes
    POP3        110    tcp   yes
    SSL (www)   443    tcp   yes
    Webmin      10000  tcp   yes

- DNS Manager
  - Here we have only webmail.example.com
  - DNS Entry:
    - Domain:
      - Server: xmail
      - Domain (SOA): webmail.example.com
      - IP Address: 1.1.1.1
    - Options:
      - Admin Email: admin@webmail.example.com
      - Nameserver 1: xmail.example.com
      - Nameserver 2: xmail.example.com
    - Records:
      - A Record:
        - IP Address: 1.1.1.1
        - Hostname: www
      - MX:
        - Mailserver: xmail.example.com
        - Hostname: www
Part of main.cf
Code:
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
#virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
mydomain = example.com
myhostname = xmail.$mydomain
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = $myhostname, $mydomain, localhost.$mydomain
defer_transports =
disable_dns_lookups = no
relayhost = localhost
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtp_use_tls = yes
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names
Part of master.cf
Code:
/etc/postfix> cat master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet   n       -       n       -       -       smtpd -o content_filter=
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
Another thing:

The mailq has not increased anymore - does this mean that the server is not trying to send more spam?

We have tried to send mail to external addresses by changing the SMTP server in Outlook to mail.example.com, the server IP and xmail.example.com, but it comes back with "Recipient address rejected: Relay access denied".

Looking forward to your reply on how to solve this problem, or maybe we just have to reinstall the server?
Thanks for your help!
  #10  
Old 14th February 2010, 14:12
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
Quote:
Originally Posted by mazgit
Where and how can we make the changes so we don’t use our Internet providers address to send mail? Now they have blocked our smtp-port for outgoing from our school’s main IP address.
In that case you should set up relaying: http://www.howtoforge.com/postfix_re...her_mailserver
__________________
Falko
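A concrete form of that relay setup, added here as an example and not taken from the thread or from the linked howto: Postfix hands all outbound mail to the ISP's mail server and authenticates to it, so the school's own IP no longer needs to reach port 25 directly. The ISP hostname, port and account are placeholders, and the parameter names are the ones that exist in Postfix 2.2 (comments in main.cf must sit on their own lines).

```text
# /etc/postfix/main.cf  (added example; replace the placeholders)
# Send everything to the ISP's submission server; the brackets
# tell Postfix to skip the MX lookup for that name.
relayhost = [smtp.isp.example]:587
# Log in to the ISP server with the credentials from the map below.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Never fall back to anonymous login; plaintext is acceptable only
# because the session is protected with STARTTLS.
smtp_sasl_security_options = noanonymous
# Postfix 2.2 name for "use STARTTLS when the remote server offers it".
smtp_use_tls = yes

# /etc/postfix/sasl_passwd  (one line; left side must match relayhost exactly)
[smtp.isp.example]:587 school-account:PLACEHOLDER_PASSWORD

# Then, on the shell: the map holds a password, so keep it root-only,
# build the hash table and reload Postfix.
#   chmod 600 /etc/postfix/sasl_passwd
#   postmap hash:/etc/postfix/sasl_passwd
#   postfix reload

# Optional, for the Outlook clients that currently get "Relay access
# denied": enable the submission service that is already commented out
# in the posted master.cf, so that only users who authenticate can relay
# through the school server. This needs a working SASL backend for
# smtpd (not part of this example).
#   submission inet n  -  n  -  -  smtpd
#     -o smtpd_enforce_tls=yes
#     -o smtpd_sasl_auth_enable=yes
#     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Check the result with `postconf relayhost smtp_sasl_password_maps` and by watching `/var/log/mail` for a successful delivery line that names the ISP relay.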