How Do I Stop This MX Hijacking?

Discussion in 'Server Operation' started by giganet, Dec 22, 2008.

  1. giganet

    giganet New Member

    Hello Group...

    I have in the last couple days been notified by my primary bandwidth provider verizonbusiness.com that an IP from my client base is in violation of the VzB AUP policy threatening to shut down the circuit if this problem is not dealt with ASAP.

    I located an exploited "mail.php" application on one of clients hosted site.
    I removed "mail.php" then removed the supporting form from the clients contact page alike.
    After that I renumbered the client site and adjusted the DNS.
    Next I deleted all cases of MX records in the clients space using ISPConfig.
    While editing the client DNS hosted by DNSExit.com I also removed all MX records.

    How can I stop all clients using ISPConfig from not having SMTP capability?
    I have disabled "Create DNS-MX" within ISPConfig on my WWW server.
    It seems I will need to change how PostFix handles relaying I think.

    Could I ask that someone give me a hand stopping this malicious activity from happening any longer.

    UPDATED QUESTION: After submitting this thread I did further searching and located the following, would this be a smart solution to my problem? http://howtoforge.com/virtual_postfix_antispam

    When I run 'netstat' in the CLI a large number of varying servers are connected to this clients IP, please help me stop this :confused:

    Thanking you in advance for your help and time in assisting me in resolving this matter...

    Ubuntu 7.10
    PostFix MTA
    IPConfig
     
    Last edited: Dec 22, 2008
  2. falko

    falko Super Moderator ISPConfig Developer

    That's a first step, but it won't help much if you host vulnerable contact forms on your server...
     

Share This Page