Server Hacked?

Discussion in 'General' started by silenceti, Jan 17, 2012.

  1. silenceti

    silenceti New Member


    In my servers with ISPConfig, i've my postfix sending e-mails every second to unknow e-mail accounts!

    What can i do?

  2. till

    till Super Moderator

    Most likely one of yor websites has a bug in a cms system or contact form so that spammers can use that to send spam trough your server. So its likely that the server itself is not hacked and you have just a vulnerable website.

    To check if your server itself is hacked, use rkhunter:

    rkhunter --update
    rkhunter -c
  3. silenceti

    silenceti New Member

    Well, I don't see any "strange thing" with rkhunter...

    That's a little weird!

    I Start Postix and:

    SMTP helo=<>
    Jan 17 13:40:25 vp7 postfix/smtpd[21407]: NOQUEUE: reject: RCPT from n: 554 5.7.1 <>: Relay access denied; from=<> to=<> proto=SMTP helo=
    Jan 17 13:40:25 vp7 postfix/smtpd[21396]: NOQUEUE: reject: RCPT from ]: 554 5.7.1 <>: Relay access denied; from=<> to=<> proto=SMTP helo=<>

    I don't even know what e-mail accounts are these....
    Last edited: Jan 17, 2012
  4. till

    till Super Moderator

  5. silenceti

    silenceti New Member

    Hi till,
    I don't think is a website, because i just have one, and it's a plataform, like interspire with haproxy!
    I start haproxy, and mails are going out...

    This is really weird!!!!
  6. silenceti

    silenceti New Member


    "Mail sent."

    [root@ web]# cat /var/log/mail.form
    [root@ web]#

  7. till

    till Super Moderator

    If you use php-fcgi, suphp or php-cgi, then you will have to edit the php.ini file /etc/php5/cgi/php.ini too. If you use custom php.ini settings for that website, you mighta hve to add the modifications in the custom php.ini field in ispconfig.
  8. silenceti

    silenceti New Member

    Can't find that file:

    php -i | grep php.ini
    Configuration File (php.ini) Path => /etc/php.ini

    This is the correct one...I guess?
  9. till

    till Super Moderator

    If you use a centos or fedor system, then that should be the file. For centos or fedor you might have to adjust the sendmail path in the wrapper script.
  10. silenceti

    silenceti New Member

    OK, i can't find anything suspecious...but if I start haproxy mails still going out...!
  11. silenceti

    silenceti New Member

    There some possibility from someone sending mails using my server? or my account details?

  12. silenceti

    silenceti New Member

    Hi Again,

    i've deleted all e-mail accounts from my server and still mails are going out...really strange??!!
  13. till

    till Super Moderator

    The problem is either in a website script or in your proxy configuration as it can be possible to send emails trough a wrong configured proxy. It is unlikely that the problem is related to your mail accounts. You should check the access log of your website to see which url requests are used to send the emails trogh your server and then fix the script or proxy configuration that allows the sending of emails.
  14. silenceti

    silenceti New Member


    which is the access log? Is "secure" one ?

  15. till

    till Super Moderator

    If you use a ispconfig 3 server, then the access.log of the website is in the log directory of that website.
  16. silenceti

    silenceti New Member


    i've found something like this:

    "GET /mysqladmin/scripts/setup.php HTTP/1.1" 200 11079 "http://myserver/mysqladmin/scripts/setup.php" "Opera"

    Can be the problem?

  17. till

    till Super Moderator

    Is your phpmyadmin reachable under the URL /mysqladmin on your server? If yes, then the phpmyadmin installation might be outdated or vulnerable for attacks. Try to close phpmyadmin url e.g. by adding a .htaccess password protection in the phpmyadmin installation directory and check if that stops the problem.
  18. silenceti

    silenceti New Member

    Till thanks for your amazing fast replies!!

    "GET /wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 0 "-" "ZmEu"

    I've been attacked by someone called ZmEu, so now, i need to change the database password, maybe the database was infected, right?

  19. silenceti

    silenceti New Member

    Maybe it's better to remove ISPconfig instalation and reinstall again?

    How can i remove ISPconfig (files and database).

  20. Ben

    Ben HowtoForge Supporter

    If so I would completely wipe the whole server and reinstall it, as you may not now, which backdoors the attacker may have left, eventhough you closed the vulnerability he used to compromise the server initially.

Share This Page