Mail Server Hacked

Discussion in 'General' started by Abinash Kumar, Aug 18, 2021.

  1. Abinash Kumar

    Abinash Kumar New Member

    HI,

    It looks like my mail server was hit by a script sending emails; I could see about 17800 emails in the queue (postqueue -p) and then I had no choice but to flush it.

    Now the mail queue is empty.

    On checking "Mail-warn – Log files" I could see the IP location pointing to Microsoft; it looks as below. Please advise what next step I should follow.


    Aug 18 07:05:23 server postfix/submission/smtpd[2785]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:05:39 server postfix/submission/smtpd[2792]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: Connection lost to authentication server
    Aug 18 07:05:53 server postfix/submission/smtpd[2785]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:06:04 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Aug 18 07:06:10 server postfix/submission/smtpd[2792]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:06:26 server postfix/submission/smtpd[2785]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:06:42 server postfix/submission/smtpd[2792]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:06:57 server postfix/submission/smtpd[2792]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:07:53 server dovecot: auth-worker(1048): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory") - waiting for 1 seconds before retry
    Aug 18 07:07:53 server dovecot: auth-worker(1048): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory") - waiting for 1 seconds before retry
    Aug 18 07:07:54 server dovecot: auth-worker(1048): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory") - waiting for 5 seconds before retry
    Aug 18 07:07:54 server dovecot: auth-worker(1048): Error: mysql(localhost): Connect failed to database (dbispconfig): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory") - waiting for 5 seconds before retry
    Aug 18 07:07:55 server postfix/postfix-script[1223]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
    Aug 18 07:07:55 server postfix/postfix-script[1229]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
    Aug 18 07:08:00 server dovecot: auth: Warning: auth workers: Auth request was queued for 4 seconds, 1 left in queue (see auth_worker_max_count)
    Aug 18 07:08:08 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:08:26 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:08:43 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:08:56 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: Connection lost to authentication server
    Aug 18 07:09:03 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:09:09 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Aug 18 07:09:15 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:09:28 server postfix/smtpd[1984]: warning: unknown[37.0.11.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:09:35 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:09:48 server postfix/smtpd[2021]: warning: unknown[45.133.1.127]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:09:50 server postfix/smtpd[1984]: warning: hostname abts-north-dynamic-189.68.233.223.airtelbroadband.in does not resolve to address 223.233.68.189: Name or service not known
    Aug 18 07:09:50 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: Connection lost to authentication server
    Aug 18 07:09:54 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:10:11 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Aug 18 07:10:13 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:10:23 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:10:41 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:11:00 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: Connection lost to authentication server
    Aug 18 07:11:08 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Aug 18 07:11:10 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:11:22 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:11:36 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:11:52 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: Connection lost to authentication server
    Aug 18 07:12:03 server dovecot: auth: Warning: auth client 0 disconnected with 1 pending requests: Connection reset by peer
    Aug 18 07:12:06 server postfix/submission/smtpd[1580]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Aug 18 07:12:22 server postfix/submission/smtpd[1865]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

    The Fail2ban log is:

    2021-08-18 07:25:18,053 fail2ban.filter [1080]: INFO [sshd] Found 220.134.113.188
    2021-08-18 07:25:18,057 fail2ban.filter [1080]: INFO [sshd] Found 220.134.113.188
    2021-08-18 07:25:20,225 fail2ban.filter [1080]: INFO [sshd] Found 220.134.113.188
    2021-08-18 07:25:29,351 fail2ban.actions [1080]: NOTICE [sshd] Unban 157.230.122.80
    2021-08-18 07:25:37,399 fail2ban.filter [1080]: INFO [postfix-sasl] Found 104.43.214.35
    2021-08-18 07:25:39,400 fail2ban.filter [1080]: INFO [postfix-sasl] Found 45.133.1.102
    2021-08-18 07:25:53,049 fail2ban.filter [1080]: INFO [postfix-sasl] Found 104.43.214.35
    2021-08-18 07:25:59,290 fail2ban.filter [1080]: INFO [postfix-sasl] Found 45.133.1.130
    2021-08-18 07:26:01,628 fail2ban.actions [1080]: NOTICE [sshd] Unban 128.199.173.208
    2021-08-18 07:26:02,204 fail2ban.filter [1080]: INFO [sshd] Found 157.230.122.80
    2021-08-18 07:26:02,216 fail2ban.filter [1080]: INFO [sshd] Found 157.230.122.80
    2021-08-18 07:26:04,417 fail2ban.filter [1080]: INFO [sshd] Found 157.230.122.80
    2021-08-18 07:26:09,316 fail2ban.filter [1080]: INFO [postfix-sasl] Found 104.43.214.35

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Flushing the queue without investigating the issue first is not optimal, as you can't investigate it anymore now; you have to wait until there are new mails in the queue.

    Besides that, it's quite unlikely that your mail server got hacked. The symptoms you describe are common for a hacked website (and not a hacked server), a hacked mail account, or a mail account with a weak password.
     
  3. Abinash Kumar

    Abinash Kumar New Member

    Ok

    I will wait and watch; if such a scenario happens again, I will revert.

    Thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If it happens again, you must get an email from the queue and look at the headers to find out how it was sent. You can get the email with the command:

    postcat -q ID

    where ID is the mail queue ID of the email.
     
  5. Jesse Norell

    Jesse Norell Staff Member ISPConfig Developer

    With that volume, you could probably figure out what happened from your old logs. Check the mail log to see if those were sent from an authenticated user or from localhost; if from localhost, check the website logs for the same time period to see what site/script was being used. It's also possible you set up an open relay, where mail comes in from outside and is relayed to other outside domains, which you would see in your mail logs.
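The triage the last two replies describe, as an added shell example (not code from the thread or from ISPConfig): it tallies SASL failures per client IP, decodes the token in those warning lines (UGFzc3dvcmQ6 is the base64 of the server's own "Password:" prompt, i.e. the last challenge Dovecot sent, not the attacker's guess), and classifies each message by how it entered Postfix: SASL-authenticated user, local pickup (a script calling sendmail), SMTP from localhost, or an unauthenticated external client, which is the open-relay case to look for. The log lines, queue IDs, sasl_username and uid below are constructed for the example; on a real server pipe /var/log/mail.log (and the rotated copies) through the same functions instead.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original posts.
# Constructed sample of a Postfix/Dovecot mail log (IPs reuse the ones posted;
# queue IDs, sasl_username and uid are made up for illustration).
MAILLOG=$(cat <<'EOF'
Aug 18 07:05:23 server postfix/submission/smtpd[2785]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 18 07:05:53 server postfix/submission/smtpd[2785]: warning: unknown[104.43.214.35]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 18 07:09:28 server postfix/smtpd[1984]: warning: unknown[37.0.11.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 18 07:12:40 server postfix/submission/smtpd[2792]: 1A2B3C4D5E: client=unknown[104.43.214.35], sasl_method=LOGIN, sasl_username=info@example.com
Aug 18 07:12:41 server postfix/pickup[1001]: 2B3C4D5E6F: uid=5004 from=<web1@example.com>
Aug 18 07:12:42 server postfix/smtpd[2800]: 3C4D5E6F7A: client=localhost[127.0.0.1]
Aug 18 07:12:43 server postfix/smtpd[2801]: 4D5E6F7A8B: client=unknown[45.133.1.127]
EOF
)

# Count failed SASL logins per client IP, most active first: "COUNT IP" per line.
sasl_failures_by_client() {
  printf '%s\n' "$MAILLOG" \
    | grep 'SASL .* authentication failed' \
    | sed -n 's/.*\[\([0-9.]*\)\]: SASL.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# The text after "authentication failed:" is the base64 of the server's last
# SASL challenge; decoding it shows what prompt the client was answering.
decode_sasl_token() {
  printf '%s' "$1" | base64 -d
}

# For every message that got a queue ID, say how it entered Postfix:
#   authenticated <user>      submitted with SASL credentials (compromised account?)
#   local-pickup uid=<n>      handed to sendmail by a local process (web script / PHP mail())
#   localhost-smtp            SMTP from 127.0.0.1 (script talking to port 25 locally)
#   external-unauthenticated  remote client with no auth: check relay restrictions
classify_queue_origin() {
  printf '%s\n' "$MAILLOG" | awk '
    /postfix\/pickup\[/ && /uid=/ {
      qid = $6; sub(":", "", qid)
      match($0, /uid=[0-9]+/)
      print qid, "local-pickup uid=" substr($0, RSTART + 4, RLENGTH - 4); next
    }
    /: client=/ {
      qid = $6; sub(":", "", qid)
      if (match($0, /sasl_username=[^, ]+/)) {
        print qid, "authenticated " substr($0, RSTART + 14, RLENGTH - 14); next
      }
      if ($0 ~ /client=localhost\[127\.0\.0\.1\]/ || $0 ~ /client=[^ ]*\[::1\]/) {
        print qid, "localhost-smtp"; next
      }
      match($0, /client=[^,]+/)
      print qid, "external-unauthenticated " substr($0, RSTART + 7, RLENGTH - 7)
    }'
}

echo "== SASL failures per client IP =="
sasl_failures_by_client
echo "== server prompt the attacker was answering: $(decode_sasl_token UGFzc3dvcmQ6)"
echo "== origin of each queued message (feed the ID to postcat -q for headers) =="
classify_queue_origin
```

Any ID classified as authenticated points at a mail account whose password should be changed; local-pickup and localhost-smtp IDs mean the sending process is on the box (match the uid or timestamp against the web server logs); an external-unauthenticated ID whose recipient is not a local domain is the open-relay symptom.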
     
