My server is sending spam

Discussion in 'Installation/Configuration' started by WaterWave, Jul 9, 2015.

  1. WaterWave

    WaterWave New Member HowtoForge Supporter

    Hi,
    My server has recently been temporarily shut down by my ISP because it seems it is sending a lot of spam and I can't find the source.
    The mail.log shows nothing wrong. I have created a script to log the phpmail and there's also nothing wrong. I always keep an ssh "tail -f /var/www/mail.log" open to see the activity and it all looks normal.

    The server was built based on "The Perfect Server - Ubuntu 12.04 LTS (nginx, BIND, Dovecot, ISPConfig 3)" and some customizations for varnish, memcached, spdy and pagespeed.
    • Not an open relay.
    • Mailqueue (postqueue -p) is empty all the time.
    • I'm using SSL and DKIM for clients that have email accounts, don't know if it can help.
    I searched the web a lot and this forum too, but still can't find what is causing this.

    There was A LOT of this in my mail.warn and I blocked this IP yesterday, so I'm waiting for the current day's log on senderbase.org
    Code:
    Jul 8 18:37:47 orion postfix/smtpd[3188]: warning: unknown[185.40.4.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 8 18:38:28 orion postfix/smtpd[3188]: warning: hostname hosted-by.hostgrad.ru does not resolve to address 185.40.4.32: Name or service not known
    PLEASE! I would really appreciate your help on this. Tell me if you need anything else.
    In advance: Thank you for your help and time!

    I'm putting the main.cf, master.cf and postconf -d|grep mynetworks in a follow-up because of the 10000 character limit.
     
  2. WaterWave

    WaterWave New Member HowtoForge Supporter

    Here is the Postfix main.cf (I changed the domain to domainrewritten.com) :
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    #smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
    #smtpd_tls_key_file = /etc/ssl/private/postfix.pem
    smtpd_tls_cert_file = /etc/nginx/conf/ssl/orion/orion-ssl-bundle.crt
    smtpd_tls_key_file = /etc/nginx/conf/ssl/orion/orion.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = domainrewritten.com
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = domainrewritten.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_invalid_hostname, reject_rbl_client, zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    
    milter_protocol = 2
    milter_default_action = accept
    smtpd_milters = inet:localhost:12301
    non_smtpd_milters = inet:localhost:12301
    
    import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on
    
    maximal_queue_lifetime = 1h
     
  3. WaterWave

    WaterWave New Member HowtoForge Supporter

    And here is the Postfix master.cf:
    Code:
    #
    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    dovecot   unix  -       n       n       -       -       pipe
      flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    
     
  4. WaterWave

    WaterWave New Member HowtoForge Supporter

    And finally, here is the "postconf -d|grep mynetworks" result:
    Code:
    mynetworks = 127.0.0.0/8 127.0.0.2/32 192.241.115.194/32 192.241.115.195/32 192.241.115.196/32 192.241.115.197/32 192.241.115.206/32 192.241.115.207/32 [::1]/128
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
    postscreen_access_list = permit_mynetworks
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
     
  5. Nilpo

    Nilpo Member HowtoForge Supporter

    Have you tried a "netstat -ntap" to see if there is anything running that you are unaware of?
     
  6. WaterWave

    WaterWave New Member HowtoForge Supporter

    Here is the result of the "netstat -ntap" command:
    I've changed the IPs of the VPS to 111.111.111.111 - 111.111.111.116 and my IP to 55.55.55.55.
    I'm not sure what to look at in this big list.

    Part 1/3
    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:9012          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9013          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1862/pure-ftpd (SER
    tcp        0      0 111.111.111.116:53      0.0.0.0:*               LISTEN      800/named
    tcp        0      0 111.111.111.115:53      0.0.0.0:*               LISTEN      800/named
    tcp        0      0 111.111.111.114:53      0.0.0.0:*               LISTEN      800/named
    tcp        0      0 111.111.111.113:53      0.0.0.0:*               LISTEN      800/named
    tcp        0      0 111.111.111.112:53      0.0.0.0:*               LISTEN      800/named
    tcp        0      0 111.111.111.111:53      0.0.0.0:*               LISTEN      800/named
    tcp        0      0 127.0.0.2:53            0.0.0.0:*               LISTEN      800/named
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      800/named
    tcp        0      0 127.0.0.1:9014          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      644/sshd
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      14083/master
    tcp        0      0 127.0.0.1:9017          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      800/named
    tcp        0      0 127.0.0.1:9018          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9019          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      11458/nginx
    tcp        0      0 127.0.0.1:9021          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9022          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:4190            0.0.0.0:*               LISTEN      741/dovecot
    tcp        0      0 127.0.0.1:9023          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9024          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9025          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      741/dovecot
    tcp        0      0 127.0.0.1:9026          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:6082          0.0.0.0:*               LISTEN      11506/varnishd
    tcp        0      0 127.0.0.1:9027          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      741/dovecot
    tcp        0      0 127.0.0.1:9028          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9029          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9030          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9031          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9032          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:8008            0.0.0.0:*               LISTEN      11458/nginx
    
    ...
     
  7. WaterWave

    WaterWave New Member HowtoForge Supporter

    Part 2/3
    Code:
    tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      941/amavisd (master
    tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      14083/master
    tcp        0      0 127.0.0.1:9033          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9034          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      14083/master
    tcp        0      0 127.0.0.1:9035          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      11586/memcached
    tcp        0      0 127.0.0.1:9036          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9037          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:12301         0.0.0.0:*               LISTEN      1740/opendkim
    tcp        0      0 127.0.0.1:9038          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      741/dovecot
    tcp        0      0 127.0.0.1:9039          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      945/spamd.pid
    tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      741/dovecot
    tcp        0      0 127.0.0.1:9040          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      11507/varnishd
    tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      11458/nginx
    tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      14083/master
    tcp        0      0 127.0.0.1:9041          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9042          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9010          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9043          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 127.0.0.1:9011          0.0.0.0:*               LISTEN      11562/php-fpm.conf)
    tcp        0      0 111.111.111.111:80      55.55.55.55:51890       TIME_WAIT   -
    tcp        0      0 127.0.0.1:40473         127.0.0.1:11211         ESTABLISHED 11666/php-fpm: pool
    tcp        0      0 127.0.0.1:42577         127.0.0.1:11211         ESTABLISHED 11462/nginx: worker
    tcp        0      0 127.0.0.1:34725         127.0.0.1:11211         ESTABLISHED 11662/php-fpm: pool
    tcp        0      0 111.111.111.111:993     55.55.55.55:51112       ESTABLISHED 9180/imap-login
    tcp        0      0 111.111.111.111:80      55.55.55.55:51893       TIME_WAIT   -
    tcp        0      0 127.0.0.1:47501         127.0.0.1:3306          ESTABLISHED 15000/amavisd (ch14
    tcp        0      0 127.0.0.1:11211         127.0.0.1:40473         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:80      55.55.55.55:51892       TIME_WAIT   -
    tcp        0      0 111.111.111.111:993     55.55.55.55:50978       ESTABLISHED 9149/imap-login
    tcp        0      0 127.0.0.1:11211         127.0.0.1:36302         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:34690         127.0.0.1:11211         ESTABLISHED 11659/php-fpm: pool
    tcp        0      0 127.0.0.1:11211         127.0.0.1:54818         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:36302         127.0.0.1:11211         ESTABLISHED 11672/php-fpm: pool
    tcp        0      0 127.0.0.1:11211         127.0.0.1:54442         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:993     55.55.55.55:51010       ESTABLISHED 9170/imap-login
    tcp        0      0 111.111.111.111:993     55.55.55.55:64038       ESTABLISHED 10553/imap-login
    tcp        0      0 127.0.0.1:8008          127.0.0.1:41822         ESTABLISHED 11461/nginx: worker
    tcp        0      0 111.111.111.111:993     55.55.55.55:50974       ESTABLISHED 9147/imap-login
    tcp        0      0 127.0.0.1:35752         127.0.0.1:11211         ESTABLISHED 11667/php-fpm: pool
    tcp        0      0 127.0.0.1:11211         127.0.0.1:46969         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:993     55.55.55.55:51028       ESTABLISHED 9172/imap-login
    tcp        0      0 127.0.0.1:8008          127.0.0.1:41892         ESTABLISHED 11461/nginx: worker
    tcp        0      0 127.0.0.1:35634         127.0.0.1:11211         ESTABLISHED 11669/php-fpm: pool
    tcp        0      0 127.0.0.1:34691         127.0.0.1:11211         ESTABLISHED 11660/php-fpm: pool
    tcp        0   8304 111.111.111.111:22      55.55.55.55:51898       ESTABLISHED 10647/1
    tcp        0      0 127.0.0.1:8008          127.0.0.1:41896         ESTABLISHED 11461/nginx: worker
    tcp        0      0 127.0.0.1:11211         127.0.0.1:38621         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:57383   50.31.164.146:443       TIME_WAIT   -
    tcp        0      0 111.111.111.111:993     142.169.78.168:22499    ESTABLISHED 9088/imap-login
    tcp        0      0 127.0.0.1:39290         127.0.0.1:11211         ESTABLISHED 11664/php-fpm: pool
    tcp        0      0 111.111.111.113:143     174.89.228.175:1406     ESTABLISHED 9381/imap-login
    tcp        0      0 111.111.111.111:80      70.28.30.241:1511       ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:41892         127.0.0.1:8008          ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:43948         127.0.0.1:3306          ESTABLISHED 14691/amavisd (ch16
    tcp        0      0 127.0.0.1:54442         127.0.0.1:11211         ESTABLISHED 11461/nginx: worker
    tcp        0      0 127.0.0.1:34679         127.0.0.1:11211         ESTABLISHED 11658/php-fpm: pool
    ...
     
  8. WaterWave

    WaterWave New Member HowtoForge Supporter

    Part 3/3
    Code:
    tcp        0      0 111.111.111.113:993     54.200.133.165:47501    ESTABLISHED 1397/imap-login
    tcp        0      0 127.0.0.1:41896         127.0.0.1:8008          ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:41818         127.0.0.1:8008          ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:48026         127.0.0.1:11211         ESTABLISHED 11459/nginx: worker
    tcp        0      0 127.0.0.1:41822         127.0.0.1:8008          ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:34701         127.0.0.1:11211         ESTABLISHED 11661/php-fpm: pool
    tcp        0      0 111.111.111.111:80      55.55.55.55:51891       TIME_WAIT   -
    tcp        0      0 111.111.111.113:993     54.200.133.165:46011    ESTABLISHED 9658/imap-login
    tcp        0      0 111.111.111.111:80      55.55.55.55:51895       TIME_WAIT   -
    tcp        0      0 127.0.0.1:11211         127.0.0.1:35752         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:80      70.28.30.241:1512       ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:11211         127.0.0.1:35634         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:11211         127.0.0.1:34679         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:11211         127.0.0.1:48026         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:8008          127.0.0.1:41894         ESTABLISHED 11461/nginx: worker
    tcp        0      0 111.111.111.111:993     55.55.55.55:64039       ESTABLISHED 10555/imap-login
    tcp        0      0 127.0.0.1:41285         127.0.0.1:8008          TIME_WAIT   -
    tcp        0      0 111.111.111.111:993     55.55.55.55:50977       ESTABLISHED 9148/imap-login
    tcp        0      0 111.111.111.113:143     174.89.228.175:1456     ESTABLISHED 9390/imap-login
    tcp        0      0 127.0.0.1:11211         127.0.0.1:39290         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:80      70.28.30.241:1513       ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:11211         127.0.0.1:39885         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:80      70.28.30.241:1510       ESTABLISHED 11507/varnishd
    tcp        0      0 111.111.111.111:443     46.20.45.18:60836       TIME_WAIT   -
    tcp        0      0 127.0.0.1:11211         127.0.0.1:34725         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:993     55.55.55.55:50975       ESTABLISHED 9151/imap-login
    tcp        0      0 127.0.0.1:41895         127.0.0.1:8008          ESTABLISHED 11507/varnishd
    tcp        0      0 111.111.111.113:143     174.89.228.175:1458     ESTABLISHED 9394/imap-login
    tcp        0      0 111.111.111.111:993     55.55.55.55:64040       ESTABLISHED 10558/imap-login
    tcp        0      0 127.0.0.1:38621         127.0.0.1:11211         ESTABLISHED 11668/php-fpm: pool
    tcp        0      0 111.111.111.111:80      70.28.30.241:1508       ESTABLISHED 11507/varnishd
    tcp        0      0 111.111.111.113:993     24.200.139.144:45172    ESTABLISHED 10328/imap-login
    tcp        0      0 127.0.0.1:35012         127.0.0.1:11211         ESTABLISHED 11663/php-fpm: pool
    tcp        0      0 127.0.0.1:39885         127.0.0.1:11211         ESTABLISHED 11665/php-fpm: pool
    tcp        0      0 111.111.111.111:993     55.55.55.55:51111       ESTABLISHED 9179/imap-login
    tcp        0      0 111.111.111.111:55801   50.31.164.148:443       TIME_WAIT   -
    tcp        0      0 111.111.111.113:143     174.89.228.175:1457     ESTABLISHED 9392/imap-login
    tcp        0      0 127.0.0.1:38707         127.0.0.1:11211         ESTABLISHED 11670/php-fpm: pool
    tcp        0      0 127.0.0.1:11211         127.0.0.1:34691         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:41894         127.0.0.1:8008          ESTABLISHED 11507/varnishd
    tcp        0      0 111.111.111.113:143     205.151.64.16:61708     ESTABLISHED 9341/imap-login
    tcp        0      0 111.111.111.111:80      141.101.105.31:64866    TIME_WAIT   -
    tcp        0      0 111.111.111.111:22      55.55.55.55:59613       ESTABLISHED 8474/3
    tcp        0      0 127.0.0.1:11211         127.0.0.1:35012         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:11211         127.0.0.1:34690         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:46969         127.0.0.1:11211         ESTABLISHED 11671/php-fpm: pool
    tcp        0      0 127.0.0.1:11211         127.0.0.1:42577         ESTABLISHED 11586/memcached
    tcp        0     69 111.111.111.111:993     55.55.55.55:51121       ESTABLISHED 9181/imap-login
    tcp        0      0 127.0.0.1:11211         127.0.0.1:34701         ESTABLISHED 11586/memcached
    tcp        0      0 127.0.0.1:8008          127.0.0.1:41818         ESTABLISHED 11461/nginx: worker
    tcp        0      0 111.111.111.111:993     55.55.55.55:51591       ESTABLISHED 9948/imap-login
    tcp        0      0 127.0.0.1:54818         127.0.0.1:11211         ESTABLISHED 11460/nginx: worker
    tcp        0      0 111.111.111.111:80      70.28.30.241:1509       ESTABLISHED 11507/varnishd
    tcp        0      0 127.0.0.1:8008          127.0.0.1:41895         ESTABLISHED 11461/nginx: worker
    tcp        0      0 111.111.111.111:80      55.55.55.55:51894       TIME_WAIT   -
    tcp        0      0 111.111.111.113:143     24.200.139.144:34953    ESTABLISHED 10331/imap
    tcp        0      0 127.0.0.1:11211         127.0.0.1:38707         ESTABLISHED 11586/memcached
    tcp        0      0 111.111.111.111:993     55.55.55.55:50976       ESTABLISHED 9150/imap-login
    tcp6       0      0 :::21                   :::*                    LISTEN      1862/pure-ftpd (SER
    tcp6       0      0 :::53                   :::*                    LISTEN      800/named
    tcp6       0      0 :::22                   :::*                    LISTEN      644/sshd
    tcp6       0      0 :::25                   :::*                    LISTEN      14083/master
    tcp6       0      0 ::1:953                 :::*                    LISTEN      800/named
    tcp6       0      0 :::4190                 :::*                    LISTEN      741/dovecot
    tcp6       0      0 :::993                  :::*                    LISTEN      741/dovecot
    tcp6       0      0 ::1:6082                :::*                    LISTEN      11506/varnishd
    tcp6       0      0 :::995                  :::*                    LISTEN      741/dovecot
    tcp6       0      0 :::3306                 :::*                    LISTEN      809/mysqld
    tcp6       0      0 :::587                  :::*                    LISTEN      14083/master
    tcp6       0      0 :::110                  :::*                    LISTEN      741/dovecot
    tcp6       0      0 :::143                  :::*                    LISTEN      741/dovecot
    tcp6       0      0 :::80                   :::*                    LISTEN      11507/varnishd
    tcp6       0      0 :::465                  :::*                    LISTEN      14083/master
    tcp6       0      0 127.0.0.1:3306          127.0.0.1:43948         ESTABLISHED 809/mysqld
    tcp6       0      0 127.0.0.1:3306          127.0.0.1:47501         ESTABLISHED 809/mysqld
     
  9. WaterWave

    WaterWave New Member HowtoForge Supporter

    I ran rkhunter, chkrootkit and maldet on the /var/www/ directory and nothing was found. I have to say that I disabled the string length option in maldet because it was putting a lot of WordPress files in quarantine and screwing up the website.

    After some Google research, it seems these were false positives:
    rkhunter = Checking loaded kernel modules [ Warning ]
    chkrootkit = Checking `bindshell'... INFECTED (PORTS: 465) master

    Could a script or web form exploit send a lot of mail without being logged in the PHP "mail.log = /var/log/phpmail.log"?
     
  10. elmacus

    elmacus Member HowtoForge Supporter

  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's a known false positive, so you can ignore that.

    To find out if your server is sending spam, take a look at the mailqueue with:

    postqueue -p

    Any suspicious mails there, or a large amount of mails in the queue? If yes, then inspect these mails with the postcat command.
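A way to act on this advice, as an added example that is not from the thread or from till: a small POSIX shell helper that summarises a `postqueue -p` listing per sender, so a burst of queued mail from one address (the usual sign of a compromised mailbox or script) stands out at a glance. The queue listing below is constructed; on the server you would pipe the real `postqueue -p` into `queue_by_sender` and then look at any suspect message with `postcat -q <Queue ID>`.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarise a `postqueue -p`
# listing per sender. The listing below is a constructed sample in the
# format Postfix prints: a queue-ID line (ID, size, arrival time, sender),
# optional "(reason)" lines, then one indented line per recipient.
# An ID ending in * is in the active queue, one ending in ! is on hold.

SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     2345 Thu Jul  9 10:12:01  bulk@example.invalid
                                         victim1@example.net
                                         victim2@example.org

F6G7H8I9J0*    1200 Thu Jul  9 10:13:07  user@domainrewritten.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         friend@example.net

0A1B2C3D4E!    2290 Thu Jul  9 10:14:22  bulk@example.invalid
                                         victim3@example.com

-- 6 Kbytes in 3 Requests.'

# Print "count sender", busiest sender first. Reads the listing on stdin.
# A queue-ID line is the only kind whose first field is a bare ID and which
# has at least seven fields; its last field is the envelope sender.
queue_by_sender() {
    awk '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && NF >= 7 { count[$NF]++ }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Number of messages in the listing (0 for an empty queue).
queue_total() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ && NF >= 7 { n++ } END { print n + 0 }'
}

# Exit 0 when some sender has more than $1 messages queued, else exit 1.
# Handy as a cron check: postqueue -p | queue_exceeds 50 && mail the admin.
queue_exceeds() {
    limit="$1"
    queue_by_sender | awk -v lim="$limit" '$1 > lim { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone demo on the constructed listing; on a live server replace the
# printf with:  postqueue -p | queue_by_sender
printf '%s\n' "$SAMPLE_QUEUE" | queue_by_sender
```

As the thread goes on to show, an empty queue does not prove that nothing is being sent: mail that a script hands to a remote relay, or that a process sends by speaking SMTP itself, never passes through the local Postfix queue at all.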
     
  12. WaterWave

    WaterWave New Member HowtoForge Supporter

    Hi,

    First, thanks for the help. It is REALLY appreciated.

    elmacus: Yes, I'm looking at senderbase every day since the first shutdown. Like I said earlier, I was waiting for the new senderbase report since I've made some changes to the Postfix config, but today I see that the number of spam sent is just growing.
    2015-07-07 = 2.5
    2015-07-08 = 2.8
    2015-07-09 = 2.9

    Till: I did the postqueue -p a couple of times but it always shows an empty queue.

    Is it possible that mail is sent without leaving any traces in the logs?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's possible, but it is very rare, as this would mean that the mail is not sent through your mail system; instead an attacker would have to send the mails directly with their own SMTP software from your server. Do you see any unusual activity on your server, e.g. a high load, or do you see suspicious outgoing connections to port 25 on other servers (check e.g. with the netstat command)?
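The netstat check till suggests, written out as an added example that is not from the thread: the helper reads a `netstat -pnt` listing, keeps the connections whose remote side is an SMTP port, and then drops the ones belonging to Postfix's own `smtp` delivery client, so whatever remains is a process sending mail behind the mail system's back. The listing below is constructed (documentation IP ranges, made-up PIDs); on a live box run `netstat -pnt` as root, otherwise the PID/Program column shows `-` for processes you do not own. `ss -pnt` prints the same columns in a slightly different layout, so the field numbers below assume the classic netstat format shown earlier in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Find outbound SMTP connections in
# `netstat -pnt` output. Constructed sample listing; column 5 is the foreign
# address, column 6 the state, column 7 "PID/Program name".

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 111.111.111.111:80      198.51.100.20:1509      ESTABLISHED 11507/varnishd
tcp        0      0 111.111.111.111:41022   198.51.100.7:25         ESTABLISHED 16004/smtp
tcp        0      0 111.111.111.111:41023   203.0.113.9:25          SYN_SENT    20111/perl
tcp        0      0 111.111.111.111:41024   203.0.113.10:25         ESTABLISHED 20111/perl
tcp        0      0 111.111.111.111:41027   203.0.113.11:25         ESTABLISHED 20111/perl
tcp        0      0 111.111.111.111:41025   192.0.2.33:25           ESTABLISHED 20118/python
tcp        0      0 111.111.111.111:41026   192.0.2.40:587          ESTABLISHED 20118/python
tcp        0      0 111.111.111.113:143     198.51.100.44:34953     ESTABLISHED 10331/imap'

# Every TCP connection whose remote port is 25, 465 or 587 and which is not
# our own listening socket. SYN_SENT counts too: a spam run to dead hosts
# spends most of its time in that state.
outbound_smtp() {
    awk '$1 ~ /^tcp6?$/ && $5 ~ /:(25|465|587)$/ && $6 != "LISTEN"'
}

# The same connections minus Postfix's smtp client ("<pid>/smtp"), tallied by
# program name, busiest first. Postfix delivers through the queue, so any
# other program here is sending mail that postqueue -p will never show.
unexpected_smtp_clients() {
    outbound_smtp | awk '
        { split($7, p, "/"); prog = p[2] }
        prog != "smtp" && prog != "" { count[prog]++ }
        END { for (x in count) printf "%d %s\n", count[x], x }
    ' | sort -rn
}

# Stand-alone demo; on a live server use:  netstat -pnt | unexpected_smtp_clients
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_smtp_clients
```

Once a PID shows up here, `ls -l /proc/<pid>/cwd` and `ls -l /proc/<pid>/exe` tell you which directory and binary it runs from, which usually points straight at the web root or script that was abused.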
     
  14. WaterWave

    WaterWave New Member HowtoForge Supporter

    The server load is not high. htop shows Load average: 0.05 0.12 0.16
    It sometimes goes a little higher, but I can replicate the same increase when browsing a hosted WordPress website with a lot of MySQL requests (online catalog of around 5000 products).

    netstat -pnlt | grep ':25' shows:
    Code:
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1860/master
    tcp6       0      0 :::25                   :::*                    LISTEN      1860/master
    ps -ef | grep 1860 shows:
    Code:
    root      1860     1  0 00:29 ?        00:00:00 /usr/lib/postfix/master
    postfix   1865  1860  0 00:29 ?        00:00:00 qmgr -l -t fifo -u
    postfix   2328  1860  0 00:30 ?        00:00:00 tlsmgr -l -t unix -u -c
    postfix  15721  1860  0 08:49 ?        00:00:00 pickup -l -t fifo -u -c
    postfix  16712  1860  0 09:23 ?        00:00:00 anvil -l -t unix -u -c
    root     16986 15750  0 09:34 pts/0    00:00:00 grep --color=auto 1860
    Not sure if that last command is correct...
    Anything suspicious?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's all OK. Is the server behind a router together with other servers, so that maybe another node has sent spam that has the same external IP?
     
  16. WaterWave

    WaterWave New Member HowtoForge Supporter

    It's an OpenVZ SSD Cached Linux VPS from ServerMania. But I don't think other nodes have the same IP.
    I have set up an SSL mail server, so I highly recommend my users to set up their accounts through ports 993, 995 and 465. Should I completely block port 25, or is it used by phpmail/web forms?
     
  17. WaterWave

    WaterWave New Member HowtoForge Supporter

    I was inspecting an old form from an old HTML-only website hosted on the server and I think it's poorly coded. What do you think?
    I changed the URL to website.com
    Code:
    <FORM METHOD="POST" ACTION="http://scripts.iwebgroup.com/cgi-bin/formmail.pl" ENCTYPE="x-www-form-urlencoded">
        <div align="left">
            <table width="700" border="0" align="center" cellpadding="0" cellspacing="0">
                <tr>
                    <td>
                        <center>
                            <p>&nbsp;</p>
                            <p align="center">
    
                                <input type="hidden" name="recipient" value="[email protected]">
                                <input type="hidden" name="subject" value="Contactez-nous">
                                <input type="hidden" name="redirect" value="http://www.website.com/merci.html">
                                <input type="hidden" name="required" value="Nom,Prenom,Ville,Courriel,Commentaires">
                                <input type="hidden" name="missing_fields_redirect" value="http://www.website.com/erreur.html">
                            </p>
                            <p align="center"><font face="Arial, Times New Roman, Tahoma" size="3">Si
                  vous avez des questions ou des commentaires, n'h&eacute;sitez pas
                  &agrave; nous contacter.</font>
                                <BR>
                                <FONT COLOR="#b9210b" SIZE="-1" FACE="Verdana">Tous les champs accompagn&eacute;s
                  d'une &eacute;toile (*) sont obligatoires</FONT>
                                <FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">.</FONT> </p>
                            <TABLE BORDER="0" CELLSPACING="2" CELLPADDING="2" WIDTH="100%">
                                <TR>
                                    <TD WIDTH="174">
                                        <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Nom
                      :</FONT>
                                    </TD>
                                    <TD WIDTH="394">
                                        <INPUT NAME="Nom" TYPE="text" id="Nom" SIZE="40" MAXLENGTH="40">
                                        <B><FONT
                 COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD WIDTH="174">
                                        <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Pr&eacute;nom
                      :</FONT>
                                    </TD>
                                    <TD WIDTH="394">
                                        <INPUT NAME="Prenom" TYPE="text" id="Prenom" SIZE="40" MAXLENGTH="40">
                                        <B><FONT
                 COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD WIDTH="174">
                                        <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Adresse
                      :</FONT>
                                    </TD>
                                    <TD WIDTH="394">
                                        <INPUT NAME="Adresse" TYPE="text" id="Adresse" SIZE="40" MAXLENGTH="80">
                                        <B></B>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD WIDTH="174">
                                        <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Ville
                      :</FONT>
                                    </TD>
                                    <TD WIDTH="394">
                                        <INPUT NAME="Ville" TYPE="text" id="Ville" SIZE="40" MAXLENGTH="40">
                                        <B><FONT
                 COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD WIDTH="174">
                                        <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">T&eacute;l&eacute;phone
                      :</FONT>
                                    </TD>
                                    <TD WIDTH="394">
                                        <INPUT NAME="Code_regional" TYPE="text" id="Code_regional" SIZE="5" MAXLENGTH="5">
                                        <INPUT NAME="Telephone" TYPE="text" id="Telephone" SIZE="15" MAXLENGTH="15">
                                        <B></B>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD WIDTH="174">
                                        <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Courriel
                      :</FONT>
                                    </TD>
                                    <TD WIDTH="394">
                                        <INPUT NAME="Courriel" TYPE="text" id="Courriel" SIZE="40" MAXLENGTH="40">
                                        <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD COLSPAN="2">
                                        <P>&nbsp;</P>
                                        <P>
                                            <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Vos commentaires
                        ou questions :<B><FONT
                 COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT>
                                            </B>
                                            </FONT>
                                        </P>
                                        <P>
                                            <TEXTAREA NAME="Commentaires" COLS="65" ROWS="8" id="Commentaires"></TEXTAREA>
                                    </TD>
                                </TR>
                                <TR>
                                    <TD COLSPAN="2" ALIGN="CENTER" HEIGHT="81">
                                        <p>
                                            <BR>
                                            <INPUT name="submit" TYPE="submit" id="submit" VALUE="Soumettre">
                                            <INPUT NAME="nom2" TYPE="reset" VALUE="Effacer">
                                        </p>
                                        <p>&nbsp;</p>
                                        <p align="center">&nbsp; </p>
                                        <p align="center">&nbsp;</p>
                                    </TD>
                                </TR>
                            </TABLE>
                        </center>
                    </td>
                </tr>
            </table>
            <!-- fin du code à insérer -->
        </div>
    
    </FORM>
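The part of that form worth noticing is the hidden `recipient` field: the destination address is supplied by the browser, so anyone who posts to the form handler can rewrite it, which is why FormMail-style scripts are expected to restrict recipients on the server side. Finding every such legacy form on a host is a grep job; below is an added example of one, not code from the thread, with constructed sample files written into a temporary directory. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Locate HTML/PHP files under a web
# root whose forms carry a hidden "recipient" input (the FormMail convention
# seen in the thread) and report the address each one hands to the script.

# Print "file<TAB>recipient" for every matching input tag under $1.
# Attribute order inside the tag does not matter: the whole <input ...> tag
# is matched first, then its value="..." is extracted from it.
find_recipient_forms() {
    root="$1"
    find "$root" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) -print |
    while read -r f; do
        grep -i -o '<input[^>]*name="recipient"[^>]*>' "$f" 2>/dev/null |
        grep -i -o 'value="[^"]*"' |
        sed 's/^[Vv][Aa][Ll][Uu][Ee]="//; s/"$//' |
        while read -r rcpt; do
            printf '%s\t%s\n' "$f" "$rcpt"
        done
    done
}

# Build a constructed web root with one legacy form and one harmless form,
# and print its path so the caller can scan and then remove it.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/site/old"
    cat > "$d/site/old/contact.html" <<'EOF'
<FORM METHOD="POST" ACTION="http://scripts.example.com/cgi-bin/formmail.pl">
<input type="hidden" name="recipient" value="contact@website.com">
<input type="hidden" name="subject" value="Contactez-nous">
<INPUT NAME="Nom" TYPE="text" SIZE="40">
</FORM>
EOF
    cat > "$d/site/index.html" <<'EOF'
<form method="post" action="/contact.php">
<input type="text" name="Nom">
<input type="submit" value="Envoyer">
</form>
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo; on a live server run:  find_recipient_forms /var/www
sample=$(make_sample_root)
find_recipient_forms "$sample"
rm -rf "$sample"
```

The scan only catches the hidden-recipient pattern; a form whose handler hard-codes the address is not a relay and will not be listed, which is the shape you want to end up with.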
     
  18. WaterWave

    WaterWave New Member HowtoForge Supporter

    I really hope my last post didn't make you facepalm to death :(
    If it was the problem, I'm really sorry not to have thought about it first, but that old ugly website never came to my mind.

    I deleted the page where the suspicious form was and the last day's senderbase log shows 0. I'll keep an eye on these reports since looking at the history also shows some days with 0. I can also say that the load seems to have dropped a little.

    Today, the CPU started to freak out and the load went up to around 0.4 - 0.6, so I looked at the logs.

    nginx access.log shows A LOT of these and similar requests (I'm NOT hosting these domains):
    Code:
    127.0.0.1 - - [11/Jul/2015:18:13:26 -0400] "GET http://img01.taobaocdn.com/bao/uploaded/i1/788371593/T2FVeiXgRbXXXXXXXX_!!788371593.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=16921075269" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
    127.0.0.1 - - [11/Jul/2015:18:13:46 -0400] "GET http://d6.yihaodianimg.com/V00/M01/45/54/CgQDsVSOty-AcZnzAAT0rKLfGCE44800_360x360.jpg HTTP/1.1" 404 31 "http://item.yhd.com/item/42166607" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
    127.0.0.1 - - [11/Jul/2015:18:13:50 -0400] "GET http://gd1.alicdn.com/bao/uploaded/http://gd1.alicdn.com/bao/uploaded/i1/TB1FUbeIXXXXXaYXFXXXXXXXXXX_!!0-item_pic.jpg_400x400.jpg_.webp HTTP/1.1" 302 5 "http://item.taobao.com/item.htm?id=520531436835" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
    127.0.0.1 - - [11/Jul/2015:18:13:28 -0400] "GET http://img04.taobaocdn.com/bao/uploaded/i4/112776785/T2KQa2XnRbXXXXXXXX_!!112776785.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=37875871485" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
    127.0.0.1 - - [11/Jul/2015:18:49:39 -0400] "GET http://www.baidu.com/ HTTP/1.1" 302 5 "www.baidu.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WebSaver; .NET CLR 2.0.50727)"
    
    And this too from a hosted domain:
    Code:
    127.0.0.1 - - [11/Jul/2015:18:14:10 -0400] "GET http://real-hosted-domain.com/wp-signup.php?new=gd1.alicdn.com HTTP/1.1" 200 11463 "http://item.taobao.com/item.htm?id=37645037149" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
    127.0.0.1 - - [11/Jul/2015:18:49:02 -0400] "GET /wp-content/plugins/contact-form-7/includes/js/scripts.js HTTP/1.0" 200 11200 "http://real-hosted-domain.com/wp-signup.php?new=www.baidu.com" "NgxNativeFetcher mod_pagespeed/1.7.30.3-3721"
    
    While running "tail -f /var/log/nginx/access.log" I was looking at the fail2ban log and decided to block these IPs, which were mostly from China and surroundings, with "iptables -A INPUT -s IP-ADDRESS -j DROP". The requests started to drop and the CPU calmed down. And me too.

    I didn't find anything about these weird requests. Can you tell me what that is?
    Thank you!
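What those log lines have in common is that the request line carries a full URL (`GET http://img01.taobaocdn.com/... HTTP/1.1`) instead of a path. That is the absolute-URI form a client sends to a forward proxy, so the server is being tested as an open proxy; the 404 and 302 answers show nginx serving its own default site rather than fetching the foreign page. Picking those requests out of the log and counting the targeted hosts is a quick way to see the scale, and the helper below is an added example of that (not code from the thread); the log lines are constructed after the ones posted above, and the hosted-domain list is an assumption you would replace with your own.

```shell
#!/bin/sh
# Added example, not code from the thread. Count nginx access-log requests
# written in absolute-URI form for hosts this server does not serve, which is
# the signature of open-proxy probing. Constructed sample lines below.

# Domains actually hosted here (assumed list; replace with your own).
HOSTED='real-hosted-domain.com www.real-hosted-domain.com'

SAMPLE_ACCESS='127.0.0.1 - - [11/Jul/2015:18:13:26 -0400] "GET http://img01.taobaocdn.com/bao/uploaded/i1/a.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=1" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
127.0.0.1 - - [11/Jul/2015:18:13:28 -0400] "GET http://img01.taobaocdn.com/bao/uploaded/i4/b.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=2" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
127.0.0.1 - - [11/Jul/2015:18:13:46 -0400] "GET http://d6.yihaodianimg.com/V00/M01/c.jpg HTTP/1.1" 404 31 "http://item.yhd.com/item/3" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
127.0.0.1 - - [11/Jul/2015:18:49:39 -0400] "GET http://www.baidu.com/ HTTP/1.1" 302 5 "www.baidu.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
127.0.0.1 - - [11/Jul/2015:18:14:10 -0400] "GET http://real-hosted-domain.com/wp-signup.php?new=x HTTP/1.1" 200 11463 "-" "Mozilla/5.0"
127.0.0.1 - - [11/Jul/2015:18:49:02 -0400] "GET /wp-content/plugins/contact-form-7/includes/js/scripts.js HTTP/1.0" 200 11200 "http://real-hosted-domain.com/" "NgxNativeFetcher mod_pagespeed/1.7.30.3-3721"'

# Print "count host", most-probed host first. Reads combined-format log
# lines on stdin. Splitting on the double quote makes field 2 the request
# line; its second word is the target, which is normally a path ("/...")
# and only a full URL when the client thinks it is talking to a proxy.
proxy_probes() {
    awk -F'"' -v hosted="$HOSTED" '
        BEGIN { n = split(hosted, h, " "); for (i = 1; i <= n; i++) ok[h[i]] = 1 }
        {
            split($2, req, " ")
            target = req[2]
            if (target !~ "^https?://") next      # origin-form request: normal traffic
            sub("^https?://", "", target)
            sub("[/:].*$", "", target)            # keep the host part only
            if (!(target in ok)) count[target]++  # absolute URL for a foreign host
        }
        END { for (t in count) printf "%d %s\n", count[t], t }
    ' | sort -rn
}

# Total number of probe requests in the log (sum over hosts).
probe_total() {
    proxy_probes | awk '{ n += $1 } END { print n + 0 }'
}

# Stand-alone demo; live use:  proxy_probes < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_ACCESS" | proxy_probes
```

Two practical caveats follow from the log itself. Every line shows 127.0.0.1 because Varnish sits in front of nginx and this build has no realip module, so the real client address lives in Varnish's own log (`varnishncsa`) or would have to be passed along in an X-Forwarded-For header; a fail2ban jail reading this access log would only ever see, and ban, localhost. And since the probes already reach the application (the 302 above comes from the WordPress signup redirect), a catch-all `server` block in nginx that returns 444 for any host you do not serve keeps them out of the sites' logs and off the PHP workers.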
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you set the IP in the log lines, or was it really 127.0.0.1?
     
  20. WaterWave

    WaterWave New Member HowtoForge Supporter

    I did not change the IP. It was really 127.0.0.1.
    I'm using Varnish though, and the Nginx build is really basic. No --with-http_realip_module.
    Code:
    [email protected]:~# nginx -V
    nginx version: nginx/1.5.11
    built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --user=www-data --group=www-data --with-http_ssl_me --with-mail --add-module=/root/ngx_pagespeed-1.7.30.3-beta --add-module=/root/ngx_cache_purge-2.1
    What I can say now is that it's been 2 days that senderbase reports 0 and that my New Relic server monitor clearly shows a more relaxed setup.