Need Help !!

Discussion in 'Installation/Configuration' started by mode, Nov 25, 2008.

  1. mode

    mode New Member

    Hello Guys,

    I need your help urgently. Have i been hacked/relay?! I need your help urgently in order for me to solve the problem.

    Thanks

    Mode


    Below showing partially of the log file from postfix.


    Nov 24 15:49:02 serv postfix/qmgr[11507]: 6659A65440C: from=<[email protected]>, size=2094, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 60013654423: from=<[email protected]>, size=2093, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 6CC2C654429: from=<[email protected]>, size=2097, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 428BC6543C4: from=<[email protected]>, size=2089, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: D0E1D65443F: from=<[email protected]>, size=2109, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: CA184654427: from=<[email protected]>, size=2105, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 5B82465442B: from=<[email protected]>, size=2087, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 86EC065442A: from=<[email protected]>, size=2104, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 8936A654422: from=<[email protected]>, size=2092, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 82248654421: from=<[email protected]>, size=2086, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/smtp[6481]: 21530654457: to=<[email protected]>, relay=none, delay=563, delays=104/428/31/0, dsn=4.4.1, status=deferred (connect to ukwa111.com[208.67.219.132]:25: Connection timed out)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 8335365442C: from=<[email protected]>, size=2092, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: EB7FF65441D: from=<[email protected]>, size=2099, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/qmgr[11507]: 71E1B65441F: from=<[email protected]>, size=2105, nrcpt=100 (queue active)
    Nov 24 15:49:02 serv postfix/error[6544]: 5B82465442B: to=<[email protected]>, relay=none, delay=734, delays=733/0.01/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to nomail.tpe.yahoo.com[208.67.219.132]:25: Connection timed out)
     
    Last edited: Nov 30, 2008
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    First you should check if your server is a open relay:

    http://www.abuse.net/relay.html

    if thats not the case, then you run most likely a vulnerable cms or shhop system or contact form on your server which was misused to send the spam.
     
  3. mode

    mode New Member

    Hi Till,

    First of all thanks for the reply, after i checked mail relay test using anonymous test, the result return "All tests performed, no relays accepted".

    For the next comment that you quoted, i don't really understand what is "vulnerable cms or shhop system or contact form on your server" (after i try to google). Can you please kindly elaborate more?

    I'm just following the perfect install fedora 9 with ISP ver 2.2.23 installed.

    Truly appreciated your help again.

    Mode
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Vulnerable means that an attacker is able to send spam trogh that script.
     
  5. mode

    mode New Member

    Hi Till,

    Do you mean a local email user's pc infected by virus/script and use the server to send out spam? or outsider is using a script to relay the server to send out emails? or the server is infected by virus and it start sending out spam emails? If above were the case and how should i to protect the server? Is there any solution for it?

    Furthermore, i have been searching high n low in the forum and googling as well but seems like nobody in the forum has been suffer from this kind of issue. I just want to find the root cause and rectify the issue asap before my IP/domain become blacklisted :eek:

    TQ

    Mode
     
  6. falko

    falko Super Moderator ISPConfig Developer

    If you want to go sure, you could change all email passwords on the server. But if the spammers are using a vulnerable web form on one of the web sites on the server, that this does not help.
     
  7. mode

    mode New Member

    Hi Falko,

    I shall try to reset all the emails password in the server first as per your advice cause there are only 2 domains hosted in the server at this moment.

    On the other hand, as per your statement on the "vulnerable web form", i don't think it is much applicable on the issue as i do not host any web sites in the 2 domain. It is purely meant for emails only thus the 2 domain is still on the default page of ISPConfig.

    I shall post back the feed back.

    TQ

    Mode
     

Share This Page