HowtoForge Forums > Linux Forums > Server Operation

19th November 2011, 22:26
still_(0)_(0)_awake
Postfix mail - hacked??

I've recently noticed several spam emails are being sent using my server. I ran the following command: tail -f /usr/local/psa/var/log/maillog

and these are some of the results that were returned:


Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: warning: 189.7.43.1: hostname bd072b01.virtua.com.br verification failed: Name or service not known
Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: connect from unknown[189.7.43.1]
Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
Nov 19 13:18:31 121MediaSolutions imapd-ssl: IMAP connect from @ [::ffff:173.58.98.242]INFO: LOGIN, user=emailme@nayeemkhan.com, ip=[::ffff:173.58.98.242], protocol=IMAP
Nov 19 13:18:31 121MediaSolutions postfix/cleanup[7957]: 1BBBBC8400097: message-id=<005a01cca6f0$05caf250$1160d6f0$@org>
Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: from=<oildeadline@business-humanrights.org>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: postfix-local: from=oildeadline@business-humanrights.org, to=john@directelectricco.com, dirname=/var/qmail/mailnames
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: hook_dir = '/usr/local/psa/handlers/before-local'
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: recipient[3] = 'john@directelectricco.com'
Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/john@directelectricco.com'
Nov 19 13:18:31 121MediaSolutions postfix/pipe[7960]: 1BBBBC8400097: to=<john@directelectricco.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: removed
Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: disconnect from unknown[189.7.43.1]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7953]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
Nov 19 13:18:38 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:38 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:38 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:38 121MediaSolutions imapd: 1321737518.69687 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
Nov 19 13:18:38 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:40 121MediaSolutions pop3d: Connection, ip=[::ffff:66.87.65.60]
Nov 19 13:18:40 121MediaSolutions pop3d: IMAP connect from @ [::ffff:66.87.65.60]INFO: LOGIN, user=jessica@directelectricco.com, ip=[::ffff:66.87.65.60]
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7974]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: connect from unknown[184.95.63.89]
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: 567EDC8400097: client=unknown[184.95.63.89]
Nov 19 13:18:42 121MediaSolutions postfix/cleanup[7957]: 567EDC8400097: message-id=<3565579615788126616@mx89.dashfloor.com>
Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: from=<offer@dashfloor.com>, size=11901, nrcpt=1 (queue active)
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: postfix-local: from=offer@dashfloor.com, to=afrah@afrahkhan.com, dirname=/var/qmail/mailnames
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: hook_dir = '/usr/local/psa/handlers/before-local'
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: recipient[3] = 'afrah@afrahkhan.com'
Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/afrah@afrahkhan.com'
Nov 19 13:18:42 121MediaSolutions postfix/pipe[7960]: 567EDC8400097: to=<Afrah@afrahkhan.com>, relay=plesk_virtual, delay=0.3, delays=0.27/0/0/0.03, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: removed
Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: disconnect from unknown[184.95.63.89]
Nov 19 13:18:43 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
Nov 19 13:18:43 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
Nov 19 13:18:43 121MediaSolutions imapd: 1321737523.72630 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
Nov 19 13:18:43 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
Nov 19 13:18:43 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.

I believe someone has hacked into my email server and is using it to send out emails from "apache@mydomain.com" among other email accounts. These are not valid ones that I use.

I'm a noobie and really could use some help and direction. I'm very, very new to ssh, so I ask that any advice you provide involving ssh be as detailed as possible. I'm really stuck and my hosting company is about to shut down my server if I don't get this fixed!

I really appreciate any advice on getting this issue fixed, and THEN on learning ways to secure the site better. I use a Linux server running Plesk 10.X.
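The lines quoted in the post show external clients connecting and their mail being delivered into local mailboxes (relay=plesk_virtual, status=sent), which is ordinary inbound mail, not the server relaying spam. What would show abuse is a message that leaves the box toward another MTA, and its first log line tells you where it came from: a postfix/pickup line with the web server's uid (the "apache@" case the poster mentions) means a local script injected it, while a postfix/smtpd client= line means a network client submitted it. The following Python, an added example and not the poster's or Plesk's code, groups maillog lines by queue ID and classifies each message that way; the sample log is constructed from the excerpt above plus one hypothetical locally injected outbound message, and the uid value and the remote relay host are assumptions.

```python
"""Group Postfix maillog lines by queue ID and tell local delivery from relay.
Added example, not from the post; sample log is constructed from the excerpt
above plus one hypothetical locally injected outbound message."""
import re
from collections import defaultdict

QUEUE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{8,}): (.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

SAMPLE_LOG = """\
Nov 19 13:18:30 host postfix/smtpd[7953]: connect from unknown[189.7.43.1]
Nov 19 13:18:31 host postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
Nov 19 13:18:31 host postfix/qmgr[21681]: 1BBBBC8400097: from=<oildeadline@business-humanrights.org>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 host postfix/pipe[7960]: 1BBBBC8400097: to=<john@directelectricco.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:50 host postfix/pickup[7990]: 9ABCDEF01234: uid=48 from=<apache>
Nov 19 13:18:50 host postfix/qmgr[21681]: 9ABCDEF01234: from=<apache@mydomain.com>, size=2100, nrcpt=1 (queue active)
Nov 19 13:18:52 host postfix/smtp[7995]: 9ABCDEF01234: to=<someone@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
"""

def parse_maillog(text):
    """Return {queue_id: {origin, from, deliveries: [(to, relay, status)]}}."""
    msgs = defaultdict(dict)
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        daemon, qid, rest = m.groups()
        fields = {k: v.strip("<>") for k, v in KV_RE.findall(rest)}
        msg = msgs[qid]
        if daemon == "smtpd" and "client" in fields:  # accepted over SMTP
            msg["origin"] = "network:" + fields["client"]
        elif daemon == "pickup":  # injected locally via the sendmail command
            msg["origin"] = "local uid=%s from=%s" % (fields.get("uid"), fields.get("from"))
        if daemon == "qmgr" and "from" in fields:
            msg["from"] = fields["from"]
        if "to" in fields and "relay" in fields:
            msg.setdefault("deliveries", []).append(
                (fields["to"], fields["relay"], fields.get("status")))
    return dict(msgs)

def classify(msg):
    """'inbound-local' is normal; the two 'outbound-*' classes are what abuse looks like."""
    remote = [to for to, relay, _ in msg.get("deliveries", [])
              if "[" in relay]  # relay=host[ip]:port means handed to another MTA
    if not remote:
        return "inbound-local"
    if msg.get("origin", "").startswith("local"):
        return "outbound-from-local-process"  # e.g. a web script running as 'apache'
    return "outbound-from-network-client"  # check SASL auth and relay restrictions
```

Run it over a real maillog and look first at the outbound-from-local-process entries, then at outbound-from-network-client ones whose client= is not an authenticated user.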
Tags: email hack, email security, hack, postfix