Postfix mail - hacked??

Discussion in 'Server Operation' started by still_(0)_(0)_awake, Nov 19, 2011.

  1. still_(0)_(0)_awake

    still_(0)_(0)_awake New Member

    I’ve recently noticed several spam emails are being sent using my server. I ran the following command: tail -f /usr/local/psa/var/log/maillog

    and this is some of the results that were returned:


    Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: warning: 189.7.43.1: hostname bd072b01.virtua.com.br verification failed: Name or service not known
    Nov 19 13:18:30 121MediaSolutions postfix/smtpd[7953]: connect from unknown[189.7.43.1]
    Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: 1BBBBC8400097: client=unknown[189.7.43.1]
    Nov 19 13:18:31 121MediaSolutions imapd-ssl: IMAP connect from @ [::ffff:173.58.98.242]INFO: LOGIN, user=emailme@nayeemkhan.com, ip=[::ffff:173.58.98.242], protocol=IMAP
    Nov 19 13:18:31 121MediaSolutions postfix/cleanup[7957]: 1BBBBC8400097: message-id=<005a01cca6f0$05caf250$1160d6f0$@org>
    Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: from=<oildeadline@business-humanrights.org>, size=6010, nrcpt=1 (queue active)
    Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: postfix-local: from=oildeadline@business-humanrights.org, to=john@directelectricco.com, dirname=/var/qmail/mailnames
    Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: hook_dir = '/usr/local/psa/handlers/before-local'
    Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: recipient[3] = 'john@directelectricco.com'
    Nov 19 13:18:31 121MediaSolutions postfix-local[7961]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/john@directelectricco.com'
    Nov 19 13:18:31 121MediaSolutions postfix/pipe[7960]: 1BBBBC8400097: to=<john@directelectricco.com>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
    Nov 19 13:18:31 121MediaSolutions postfix/qmgr[21681]: 1BBBBC8400097: removed
    Nov 19 13:18:31 121MediaSolutions postfix/smtpd[7953]: disconnect from unknown[189.7.43.1]
    Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7953]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
    Nov 19 13:18:38 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
    Nov 19 13:18:38 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
    Nov 19 13:18:38 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
    Nov 19 13:18:38 121MediaSolutions imapd: 1321737518.69687 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
    Nov 19 13:18:38 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.
    Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
    Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
    Nov 19 13:18:38 121MediaSolutions postfix/smtpd[7974]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
    Nov 19 13:18:40 121MediaSolutions pop3d: Connection, ip=[::ffff:66.87.65.60]
    Nov 19 13:18:40 121MediaSolutions pop3d: IMAP connect from @ [::ffff:66.87.65.60]INFO: LOGIN, user=jessica@directelectricco.com, ip=[::ffff:66.87.65.60]
    Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7974]: table hash:/var/spool/postfix/plesk/poplock(0,lock|fold_fix) has changed -- restarting
    Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: connect from unknown[184.95.63.89]
    Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: 567EDC8400097: client=unknown[184.95.63.89]
    Nov 19 13:18:42 121MediaSolutions postfix/cleanup[7957]: 567EDC8400097: message-id=<3565579615788126616@mx89.dashfloor.com>
    Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: from=<offer@dashfloor.com>, size=11901, nrcpt=1 (queue active)
    Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: postfix-local: from=offer@dashfloor.com, to=afrah@afrahkhan.com, dirname=/var/qmail/mailnames
    Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: hook_dir = '/usr/local/psa/handlers/before-local'
    Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: recipient[3] = 'afrah@afrahkhan.com'
    Nov 19 13:18:42 121MediaSolutions postfix-local[7979]: handlers dir = '/usr/local/psa/handlers/before-local/recipient/afrah@afrahkhan.com'
    Nov 19 13:18:42 121MediaSolutions postfix/pipe[7960]: 567EDC8400097: to=<Afrah@afrahkhan.com>, relay=plesk_virtual, delay=0.3, delays=0.27/0/0/0.03, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
    Nov 19 13:18:42 121MediaSolutions postfix/qmgr[21681]: 567EDC8400097: removed
    Nov 19 13:18:42 121MediaSolutions postfix/smtpd[7978]: disconnect from unknown[184.95.63.89]
    Nov 19 13:18:43 121MediaSolutions pop3d: Connection, ip=[::ffff:74.208.3.12]
    Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: connect from hosting62.monitoring.1and1.com[74.208.3.12]
    Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: lost connection after CONNECT from hosting62.monitoring.1and1.com[74.208.3.12]
    Nov 19 13:18:43 121MediaSolutions postfix/smtpd[7978]: disconnect from hosting62.monitoring.1and1.com[74.208.3.12]
    Nov 19 13:18:43 121MediaSolutions imapd: Connection, ip=[::ffff:74.208.3.12]
    Nov 19 13:18:43 121MediaSolutions imapd: 1321737523.72630 DISCONNECTED, ip=[::ffff:74.208.3.12], headers=0, body=0, rcvd=0, sent=278, maildir=/
    Nov 19 13:18:43 121MediaSolutions imapd-ssl: Unexpected SSL connection shutdown.
    Nov 19 13:18:43 121MediaSolutions pop3d-ssl: Unexpected SSL connection shutdown.

    I believe someone has hacked into my email server and is using it to send out emails from “apache@mydomain.com” among other email accounts. These are not valid ones that I use.

    I’m a newbie and really could use some help and direction. I’m very, very new to ssh, so I ask that any advice you give involving ssh be as detailed as possible. I’m really stuck and my hosting company is about to shut down my server if I don’t get this fixed!

    I’d really appreciate any advice on getting this issue fixed, and THEN on learning ways to secure the site better. I use a Linux server running Plesk 10.X.
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    First check if your server is an open relay: http://www.spamhelp.org/shopenrelay/

    Make sure all your web applications are up to date. This looks as if someone is using a hole in an app to send emails. Which distribution do you use?
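The two possibilities raised in this thread (an open relay, or a web application on the box handing mail to the local Postfix) leave different traces in the maillog, and so does a third common cause, a stolen mailbox password used for SASL-authenticated submission. The script below is an added example, not code from the thread, from Plesk or from Postfix: it parses Postfix log lines per queue id and classifies each message by where it came from (smtpd client line with or without sasl_username, or a pickup line with a uid) and where it went (relay name). Messages that arrive from a remote client and are delivered into a local mailbox with relay=plesk_virtual, like the lines the original poster quoted, are received spam rather than mail the server is sending. The sample log lines are constructed with documentation addresses, the set of relay names treated as "local mailbox" is an assumption for a Plesk layout, and the uid reported for locally submitted mail should be mapped with getent passwd on the machine itself rather than assumed to be the web server.

```python
"""Triage a Postfix maillog: for each queue id, record where the message came from
and where it was delivered, then label it so that a compromised web app (local
pickup), a stolen mailbox credential (SASL-authenticated submission) and an open
relay (unauthenticated remote client, outbound delivery) can be told apart from
ordinary inbound spam delivered to local mailboxes."""
import re
import sys
from collections import Counter, defaultdict

# Relay names that mean "delivered into a mailbox on this host". This set is an
# assumption for a Plesk/Postfix layout like the one in the thread; extend it if
# your delivery agent logs under another name.
LOCAL_RELAYS = {"plesk_virtual", "local", "virtual", "dovecot", "maildrop"}

# Constructed sample lines (documentation IPs and domains), modelled on the
# format in the thread but not copied from it.
SAMPLE_LOG = """\
Nov 19 13:18:30 mailhost postfix/smtpd[7953]: warning: 203.0.113.7: hostname host.example.invalid verification failed: Name or service not known
Nov 19 13:18:30 mailhost postfix/smtpd[7953]: connect from unknown[203.0.113.7]
Nov 19 13:18:31 mailhost postfix/smtpd[7953]: AAAA0000001: client=unknown[203.0.113.7]
Nov 19 13:18:31 mailhost postfix/qmgr[21681]: AAAA0000001: from=<promo@spam.example>, size=6010, nrcpt=1 (queue active)
Nov 19 13:18:31 mailhost postfix/pipe[7960]: AAAA0000001: to=<john@example.org>, relay=plesk_virtual, delay=0.78, delays=0.76/0.01/0/0.01, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Nov 19 13:18:40 mailhost postfix/pickup[21680]: BBBB0000002: uid=48 from=<apache>
Nov 19 13:18:40 mailhost postfix/qmgr[21681]: BBBB0000002: from=<apache@example.org>, size=1200, nrcpt=1 (queue active)
Nov 19 13:18:41 mailhost postfix/smtp[7990]: BBBB0000002: to=<victim@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Nov 19 13:18:50 mailhost postfix/smtpd[7995]: connect from unknown[198.51.100.23]
Nov 19 13:18:50 mailhost postfix/smtpd[7995]: CCCC0000003: client=unknown[198.51.100.23]
Nov 19 13:18:50 mailhost postfix/qmgr[21681]: CCCC0000003: from=<bogus@example.org>, size=900, nrcpt=1 (queue active)
Nov 19 13:18:51 mailhost postfix/smtp[7996]: CCCC0000003: to=<someone@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Nov 19 13:19:02 mailhost postfix/smtpd[7998]: DDDD0000004: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=jessica@example.org
Nov 19 13:19:02 mailhost postfix/qmgr[21681]: DDDD0000004: from=<jessica@example.org>, size=2100, nrcpt=1 (queue active)
Nov 19 13:19:03 mailhost postfix/smtp[7999]: DDDD0000004: to=<target@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
"""

QID = r"(?P<qid>[0-9A-Za-z]+)"
# smtpd: message accepted from a network client, optionally SASL-authenticated
RE_CLIENT = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<client>[^\s,]+)"
                       r"(?:, sasl_method=\S+, sasl_username=(?P<sasl>\S+))?")
# pickup: message submitted locally via sendmail/mail() by the given uid
RE_PICKUP = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
RE_FROM = re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<(?P<sender>[^>]*)>")
# one line per recipient attempt, from pipe/local/virtual/smtp
RE_DELIVERY = re.compile(r"\]: " + QID + r": to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


def new_record():
    return {"origin": None, "client": None, "sasl_username": None, "uid": None,
            "sender": None, "deliveries": []}


def parse_maillog(text):
    """Group log lines by queue id into origin/sender/delivery records."""
    msgs = defaultdict(new_record)
    for line in text.splitlines():
        m = RE_CLIENT.search(line)
        if m:
            msgs[m["qid"]].update(origin="remote", client=m["client"], sasl_username=m["sasl"])
            continue
        m = RE_PICKUP.search(line)
        if m:
            msgs[m["qid"]].update(origin="local", uid=int(m["uid"]))
            continue
        m = RE_FROM.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            continue
        m = RE_DELIVERY.search(line)
        if m:
            msgs[m["qid"]]["deliveries"].append({"rcpt": m["rcpt"], "relay": m["relay"], "status": m["status"]})
    return dict(msgs)


def classify(rec):
    """Label one message by the combination of origin and destination."""
    outbound = any(d["relay"] not in LOCAL_RELAYS for d in rec["deliveries"])
    if rec["origin"] == "local":
        return "local-submission"          # a process on this host injected it; check the uid
    if rec["sasl_username"]:
        return "authenticated-submission"  # a mailbox credential was used; check that account
    if outbound:
        return "open-relay-indicator"      # unauthenticated remote client and the mail left the box
    return "inbound-delivery"              # remote client to a local mailbox: spam received, not sent


def triage(text):
    return {qid: dict(rec, verdict=classify(rec)) for qid, rec in parse_maillog(text).items()}


def summarize(results):
    return Counter(rec["verdict"] for rec in results.values())


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    results = triage(text)
    for qid, rec in results.items():
        print(f"{qid} {rec['verdict']:25} from=<{rec['sender']}> origin={rec['origin']} "
              f"client={rec['client']} uid={rec['uid']} sasl={rec['sasl_username']} "
              f"rcpts={[d['rcpt'] for d in rec['deliveries']]}")
    print(dict(summarize(results)))
```

Run it with no input to see the constructed sample classified, or feed a real log on stdin (for the Plesk path in the thread: python3 triage_maillog.py < /usr/local/psa/var/log/maillog). A run of "open-relay-indicator" verdicts points at the relay restrictions; a run of "local-submission" verdicts from one uid points at whatever runs under that uid, and "authenticated-submission" from an unexpected IP points at a mailbox password that needs changing.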
     
