ISPConfig 3 – spam attack

Discussion in 'Server Operation' started by Mehumaija, Dec 19, 2010.

  1. Mehumaija

    Mehumaija New Member


    I recently set up an ISPConfig 3 box (been running ISPConfig 2 successfully for years). The new box was set up on Ubuntu 10.04.1 LTS using the perfect server instructions (to the best of my abilities).

    However, the new machine is now being used as a spam relay. The attacker has guessed a local username ([email protected]) and is using that successfully as a sender address.

    The server needs to accept incoming mail for the customer domains, but all real clients should authenticate themselves via SMTP auth.

    What would be the usual suspects in the Postfix configuration I should be looking at?

  2. Mehumaija

    Mehumaija New Member

    Found it

    OK, apparently the culprit is a vulnerable PHP application on one of the accounts, so Postfix is not at fault.

    So, a related question: if a SuPHP account was compromised via a script vulnerability, what is the risk that the attacker has gained wider access (beyond just the infected account)?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    It is unlikely that the attacker gained wider access when you install Linux updates regulrily. Also most of these attackes were done by automatic script which are only made to send spam, so they do not even try to attacke the system behind the webspace.

    Nevertehless, you should scan the system with rkhunter.
  4. Mehumaija

    Mehumaija New Member

Share This Page