ACK blasted spammer has gotten me blacklisted... how to fix? and fix?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jan 3, 2016.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I've been hit by a jerk who is spamming an address that I have an ispconfig3 DNS entry for - but NEVER set up any email boxes...
    but the RCPT to field has me in turn spamming yahoo address and I've been blacklisted by them....
    from maillog
    ---snip---
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD8431B1216: from=<[email protected]>, size=1904, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD9071B2BDC: from=<[email protected]>, size=1789, nrcpt=1
    and I get 'rate limited' messages in my messages ....
    later on:
    Jan 3 06:23:32 ns9 postfix/smtp[29668]: CA5471B3948: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=164335, delays=164334/0/0.67/0.3, dsn=4.7.1, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.1 [TS03] All messages from 74.96.241.34 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/errors/421-ts03.html (in reply to MAIL FROM command))
    ---snip---
    and the RCPT to messages are blasting yahoo.

    at least for now I turned OFF the DNS for the domain as I dont have a website on it its just a placeholder.

    anything I can do to prevent this? surely mail that has NO email box on ispconfig should be rejected out of hand - and its not...


    help :)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the content of the spam email with the postcat command to find out if the email has been sent by an authenticated account or by a hacked website.

    a) If it has been sent by an authenticated account, then change the password of that account.
    b) If this has been sent trough a hacked website, then you have to clean the website and remove the malware. Close the hole in the website by installing updates.

    Finally remove the spam emails from mailqueue with the postsuper command.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    packicked a bit and already deleted the mail.
    I stopped it by deactivating the DNS record for the domain.
    there ARE no authenticated users - OR email boxes - and nothing is hosted there.

    apparently mail was being sent to [email protected] a zillion times, with RCPT to a yahoo address..
    and we apparently were sending the receipts and blasting yahoo!

    not seen an attack quite like it
     
  4. craig baker

    craig baker Member HowtoForge Supporter

    from the maillog:
    Jan 3 03:48:30 ns9 postfix/qmgr[13812]: C42071AEFB7: from=<[email protected]>, size=1819, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C657D1ABB6C: from=<[email protected]>, size=1917, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C72B61AD3CB: from=<[email protected]>, size=1829, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD6DB1B29C7: from=<[email protected]>, size=1611, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C59CC1B0AAA: from=<[email protected]>, size=1827, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C73541AF179: from=<[email protected]>, size=1897, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C300C1B17ED: from=<[email protected]>, size=1849, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C524D1B10EE: from=<[email protected]>, size=1840, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CCAA51B07E9: from=<[email protected]>, size=1852, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CA27D1B251F: from=<[email protected]>, size=1915, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C9E571AB04C: from=<[email protected]>, size=1846, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C7BD51ACE5D: from=<[email protected]>, size=1816, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C5F961B3371: from=<[email protected]>, size=1581, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C76751B2BD8: from=<[email protected]>, size=1945, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CC93E1AE2C3: from=<[email protected]>, size=1799, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C771C1B1D2B: from=<[email protected]>, size=1846, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/error[5593]: C42071AEFB7: to=<[email protected]>, relay=none, delay=282134, delays=282134/0.3/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.136.217.202] while sending RCPT TO)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C644F1B24F2: from=<[email protected]>, size=1859, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C1FD91AC40A: from=<[email protected]>, size=1790, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CA8451B1211: from=<[email protected]>, size=1836, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CE9691B4298: from=<[email protected]>, size=1861, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CF77A1B371A: from=<[email protected]>, size=1750, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C79011B5A17: from=<[email protected]>, size=1910, nrcpt=1 (queue active)

    notice that we see a TON of emails all FROM [email protected]
    for example C42071AEFB7 from paullette (at the top) then in the moddle goes to [email protected]
    but mtanterominerals has NO valid users so why on earth would ANY of these get relayed?
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    and all the emails appear to be FROM a domain that I host. but its managed by ispconfig and has no email boxes.

    and how do I get yahoo to talk to me again? says emails are PERMANENTLY deferred!
     
    Last edited: Jan 4, 2016
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The mail log does not contain the relevant information on which website script was hacked, you have to check that in the mail headers with postcat command.

    The from and to addresses don't matter when the emails were sent ba a hacked website and your server is not relaying these mails, he is the origin sender when a site got hacked. If you deleted the mails from the mail queue then you can try to find the hacked scripts with a malware scanner like maldetect or you use the free trial from ispprotect.com to scan your server.

    Yahoo will remove your ip from the blacklist when your server is not sending spam anymore and you cleaned the website (removed the hacked scripts).
     
  7. craig baker

    craig baker Member HowtoForge Supporter

    but these lines from maillog:
    35, size: 1343, queued_as: 94A841ABC8C, 1121 ms
    maillog-20160103:Dec 27 16:19:25 ns9 postfix/qmgr[3012]: B29061ABC8C: from=<[email protected]>, size=1804, nrcpt=1 (queue active)
    maillog-20160103:Dec 27 16:19:25 ns9 amavis[29668]: (29668-02-10) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: wZkzbnWuD041, Hits: 13.228, size: 1360, queued_as: B29061ABC8C, 1206 ms
    maillog-20160103:Dec 27 16:19:25 ns9 postfix/qmgr[3012]: DB1411AC2F7: from=<[email protected]>, size=1850, nrcpt=1 (queue active)
    maillog-20160103:Dec 27 16:19:25 ns9 amavis[29423]: (29423-04-14) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 7nFF9cVqSw2c, Hits: 13.228, size: 1400, queued_as: DB1411AC2F7, 1253 ms

    seem to show we ARE relaying them - qmgr reports an email from joann_hawkins (no such user no such mailbox) then amavis reports it passed clean and then off it goes to aol.com!

    maldetect has found nothing.
    spoke too soon. maldetect infact reported
    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.15 : /var/www/clients/client0/web21/web/HELP/EbayStory/ebs.php
    {HEX}php.exe.globals.400 : /var/www/clients/client0/web49/web/installationx/sql/joomla.s355
    {HEX}php.exe.globals.400 : /var/www/clients/client0/web49/web/installationx/sql/joomla.s353
    {HEX}php.exe.globals.400 : /var/www/clients/client0/web49/web/installationx/sql/joomla.s354
    {HEX}php.cmdshell.unclassed.359 : /var/www/clients/client0/web10/web/htacess.php
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web10/web/libraries/fof/platform/blog58.php
    {HEX}gzbase64.inject.unclassed.15 : /var/www/clients/client0/web3/web/apps/mailbase/scripts/mb.php
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web29/tmp/1391ae546edaaa6978dea103ce336d6d.zip
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web29/tmp/e4c8e3fcec8360f246d8f9aab7f8470d.zip

    and I suspect the critter is htacess.php. created on 12/29.
    any idea how it GOT there?
    cdb.
     
    Last edited: Jan 4, 2016
  8. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Show postcat -q ID from a mail, that was not accepted by yahoo. You can find the ID by running mailq.
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    would not help with the mail that is in my queue now - they seem to be legitimate emails that yahoo is refunsing.
    problem seems to have started 12/29

    maldet has quarantined the items and I've turned the domain back on - we'll see what happens!
     
  10. craig baker

    craig baker Member HowtoForge Supporter

    curiouser and curioiuser.
    I turned on the domain and soon had the bogus mails on my system.
    I copied them off before turning the domain off.
    from the binary:
    --snip--
    872T^Q1451945830 672642A^Vcreate_time=1451945830A^Urewrite_context=localS"[email protected]^Mencoding=7bitA^Wlog_client_name=unknownA^\log_client_address=127.0.0.1A^Ulog_client_port=37774A%log_message_origin=unknown[127.0.0.1]A^Wlog_helo_name=localhostA^Wlog_protocol_name=ESMTPA^Sclient_name=unknownA^[reverse_client_name=unknownA^Xclient_address=127.0.0.1A^Qclient_port=37774A^Shelo_name=localhostA^Sprotocol_name=ESMTPA^Uclient_address_type=2A/dsn_orig_rcpt=rfc822;[email protected]^[email protected]^[email protected][email protected]: from localhost (unknown [127.0.0.1])N: by ns9.cdbsystems.com (Postfix) with ESMTP id A66B11A5B3CNH for <[email protected]>; Mon, 4 Jan 2016 22:17:10 +0000 (UTC)N2X-Virus-Scanned: amavisd-new at ns9.cdbsystems.comN/Received: from ns9.cdbsystems.com ([127.0.0.1])NH by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024)N= with ESMTP id EggO2ec6wVh4 for <[email protected]>;N& Mon, 4 Jan 2016 17:17:09 -0500 (EST)N;Received: by ns9.cdbsystems.com (Postfix, from userid 5013)N6 id 03FA61A5883; Mon, 4 Jan 2016 17:17:06 -0500 (EST)N^^To: [email protected]^_Subject: 1 InstaSextMsg [email protected]: 5013:error64.php(1967) : eval()'d codeN$Date: Mon, 4 Ja
    --snip--

    we can tell its generated by a script error64.php which maldect DID NOT FIND the first scan. but upon scanning it again, there it was!
    --snip--
    HOST: ns9.cdbsystems.com
    SCAN ID: 160104-1717.3143
    STARTED: Jan 4 2016 17:17:43 -0500
    COMPLETED: Jan 4 2016 17:17:45 -0500
    ELAPSED: 2s [find: 2s]

    PATH: /var/www/clients/*/web*/web
    RANGE: 1 days
    TOTAL FILES: 187
    TOTAL HITS: 1
    TOTAL CLEANED: 0

    FILE HIT LIST:
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web10/web/modules/mod_hg_testimonialbox/tmpl/error64.php => /usr/local/maldetect/quarantine/error64.php.1261713755
    ===============================================
    Linux Malware Detect v1.5 < [email protected] >

    --snip--

    so this got on my system almost immediately - it was not present earlier today.

    now web10 is a DIFFERENT domain - a1electronics.com. but I guess once they get this script on your system they can make make seem to be from any user.

    ideas??
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you scanned the system with the free ispprotect trial as well? maledetect does not find all malware files, that's why we developed an alternative.

    The domain dies not matter, I wrote that already in post #6. You have to update the cms and all its plugins in this website to fix this permanently.
     
  12. craig baker

    craig baker Member HowtoForge Supporter

    installed ispprotrect. alas no free trial for me (my laptop rebooted during scan).
    but I paid (of course!) and I"m seeing a number of malware detected.
    some I'm positive are false positives (in cgi installables from 2003!) - but a number seem legit.
    now from what I can tell the malware scanner does not clean, right?
    and one of the ones I'm suspicious of has {HEX}r2h.malware.blue.44
    what IS that? the php files look ok to the eye. how do I confirm?
    and whats cleaning process?
    thanks
     
  13. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    The scanner does not rename / move any detected files. And it´s not a good idea to implement such an option.
    Check the php-File. But I don´t think, that {HEX}r2h.malware.blue.44 is a false-positive.
    Cleaning process: check and remove the files. ;)
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    As Florian mentioned, automatic cleanup is not a good idea as this will likely break your cms and therefor we did not implement that.

    There are 2 ways a file gets infected:

    a) A hacker inserts a new file that contains only hacked code, in this case you can delete the whole file.

    b) A hacker injects code into an existing file, in this case you have to clean that file (remove only the hacked code part) or replace that file with a known good version (e.g. download the sources of that cms system from its vendor, unpack it and upload a new and clean copy of the hacked file). In most cases, the hacked code is inserted at the beginning or end of a file and you can see that it looks strange when compared to the other parts of the file. But it needs a bit of PHP knowledge to differntiate between good and pad code segments, so using the approach to upload a new clean file might be easier if you have no good php knowledge.
     
  15. craig baker

    craig baker Member HowtoForge Supporter

    Think I'm getting a handle on it - got ispprotect installed. but oddly the plug and version emails are fine but the malware email always gets spammed!
    from its headers:
    ---snip---
    X-Spam-Flag: YES
    X-Spam-Score: 7.198
    X-Spam-Level: *******
    X-Spam-Status: Yes, score=7.198 tagged_above=-999 required=3
    tests=[BAYES_80=2, NO_RELAYS=-0.001, SPOOF_COM2OTH=2.723,
    URIBL_DBL_ABUSE_REDIR=0.001, URI_OBFU_WWW=2.475] autolearn=no

    --snip--

    why is that particular email getting canned?

    I tried added [email protected] to my whitelist but that is not working...
    the other emails (plugin, version) are from same address and come through as non-spam.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you add it to the postfix whitelist or spamfilter whitelist?
     
  17. craig baker

    craig baker Member HowtoForge Supporter

    also you keep flagging this file as infected. I'm pretty sure its not has not been changed in many years its a cgi setup program.
    but I cant upload it you can get it from
    www.technomages.com/asetup.cgx (renamed cgx to cgi so its wont try and run).
    download it tell me why its giving a false positive :)
    and what do do about it.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    You can't report it with ispp_scan command? Please try:

    ispp_scan --false-positive=/path/to/the/malware/file.php
     
  19. craig baker

    craig baker Member HowtoForge Supporter

    I tried to add it to the ispconfig3 whitelist area. put in cdbsystems.com and added [email protected] as the user.
    didnt let me add it any other way
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig has several email whitelists. To avoid the spam result it has to be whitelisted in the spam filter whitelist, not the postfix whitelist.

    Beside that, try to update your spamassassin rules with:

    sa-update

    command and then restart amavisd.
     

Share This Page