  #1  
17th January 2012, 11:00
silenceti
Server Hacked?

Hi,

On my servers with ISPConfig, my Postfix is sending e-mails every second to unknown e-mail accounts!

What can I do?

Thanks.
  #2  
17th January 2012, 11:05
till

Most likely one of your websites has a bug in a CMS system or contact form so that spammers can use that to send spam through your server. So it's likely that the server itself is not hacked and you just have a vulnerable website.

To check if your server itself is hacked, use rkhunter:

rkhunter --update
rkhunter -c
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
17th January 2012, 11:46
silenceti

Well, I don't see any "strange thing" with rkhunter...

That's a little weird!

I start Postfix and:

SMTP helo=<mvx-201-76-189-2.mundivox.com>
Jan 17 13:40:25 vp7 postfix/smtpd[21407]: NOQUEUE: reject: RCPT from n: 554 5.7.1 <aogr@kimo.com.tw>: Relay access denied; from=<ideesujmslqf@googlegroups.com> to=<aogr@kimo.com.tw> proto=SMTP helo=
Jan 17 13:40:25 vp7 postfix/smtpd[21396]: NOQUEUE: reject: RCPT from ]: 554 5.7.1 <g6wu0djo6@yahoo.com.tw>: Relay access denied; from=<tuqsg@ms54.hinet.net> to=<g6wu0djo6@yahoo.com.tw> proto=SMTP helo=<187.115.194.22.static.gvt.net.br>

I don't even know what e-mail accounts these are....
!

Last edited by silenceti; 17th January 2012 at 12:00.
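
An added example, not part of the thread: `NOQUEUE: reject ... Relay access denied` lines like the two posted above record relay attempts that Postfix refused, while mail that actually left the server shows up as `status=sent`. The Python sketch below runs over constructed sample lines (all hostnames, addresses, uids and queue IDs are made up) and separates the two, tying each delivery to how it entered the queue: local `pickup` with a uid, or an SMTP client / SASL login.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix syslog format (not taken from the thread).
SAMPLE_LOG = """\
Jan 17 13:40:25 vp7 postfix/smtpd[21407]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <a@example.net>: Relay access denied; from=<x@example.org> to=<a@example.net> proto=SMTP helo=<host.example.org>
Jan 17 13:40:26 vp7 postfix/smtpd[21396]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <b@example.net>: Relay access denied; from=<y@example.org> to=<b@example.net> proto=SMTP helo=<host.example.org>
Jan 17 13:40:27 vp7 postfix/pickup[2101]: 4F2A1C0D: uid=48 from=<apache>
Jan 17 13:40:27 vp7 postfix/qmgr[1999]: 4F2A1C0D: from=<apache@vp7.example.com>, size=812, nrcpt=1 (queue active)
Jan 17 13:40:28 vp7 postfix/smtp[2110]: 4F2A1C0D: to=<c@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.2, status=sent (250 OK)
Jan 17 13:40:30 vp7 postfix/smtpd[21500]: 7B3D2E11: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Jan 17 13:40:31 vp7 postfix/smtp[2111]: 7B3D2E11: to=<d@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=0.9, status=sent (250 OK)
"""

REJECT = re.compile(r"NOQUEUE: reject: RCPT from (\S+): 554 .*Relay access denied")
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+)")
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)(?:.*sasl_username=(\S+))?")
SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>.*status=sent")


def triage(log_text):
    """Return (rejected relay attempts per client, delivered mail per origin)."""
    rejected = Counter()  # client -> relay attempts Postfix refused (nothing was sent)
    origin = {}           # queue ID -> how the message entered the queue
    sent = Counter()      # origin -> messages actually delivered
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            rejected[m.group(1)] += 1
        elif m := PICKUP.search(line):
            # Local submission (sendmail binary, e.g. PHP mail()); uid is the submitting user.
            origin[m.group(1)] = f"local uid={m.group(2)}"
        elif m := CLIENT.search(line):
            # Network submission; prefer the authenticated SASL user if there is one.
            user, client = m.group(3), m.group(2)
            origin[m.group(1)] = f"sasl {user}" if user else f"client {client}"
        elif m := SENT.search(line):
            sent[origin.get(m.group(1), "unknown origin")] += 1
    return rejected, sent


if __name__ == "__main__":
    rejected, sent = triage(SAMPLE_LOG)
    print("refused relay attempts:", dict(rejected))
    print("delivered, by origin:  ", dict(sent))
```

Deliveries attributed to a local uid point at a script on the server, which is the case the howto linked later in the thread addresses; deliveries attributed to a SASL username point at a mailbox whose password is being used to send.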
  #4  
17th January 2012, 12:00
till

These are the email accounts where the spam is sent to.

See here for a method to find which of your websites is used to send the spam:

http://www.howtoforge.com/how-to-log...tect-form-spam
  #5  
17th January 2012, 12:03
silenceti

Hi till,
I don't think it is a website, because I just have one, and it's a platform, like Interspire with haproxy!
I start haproxy, and mails are going out...

This is really weird!!!!
  #6  
17th January 2012, 12:08
silenceti

I've:

"Mail sent."

[root@ web]# cat /var/log/mail.form
[root@ web]#

!
  #7  
17th January 2012, 12:12
till

If you use php-fcgi, suphp or php-cgi, then you will have to edit the php.ini file /etc/php5/cgi/php.ini too. If you use custom php.ini settings for that website, you might have to add the modifications in the custom php.ini field in ISPConfig.
  #8  
17th January 2012, 12:13
silenceti

Can't find that file:

php -i | grep php.ini
Configuration File (php.ini) Path => /etc/php.ini


This is the correct one...I guess?
  #9  
17th January 2012, 12:23
till

If you use a CentOS or Fedora system, then that should be the file. For CentOS or Fedora you might have to adjust the sendmail path in the wrapper script.
  #10  
17th January 2012, 12:28
silenceti

OK, I can't find anything suspicious...but if I start haproxy, mails are still going out...!