Discussion in 'General' started by silenceti, Jan 17, 2012.
Yes, I'm going to do that... I just don't understand where the "bad files" are!
Your problem is either phpmyadmin or wordpress according to your logs, and both software packages are neither part of ispconfig nor belong to it. So reinstalling ispconfig does not make much sense in my opinion, and it won't change anything regarding your problem.
First you will have to find out which software is causing the problem, and my recommendation for that is to protect phpmyadmin with an .htaccess password protection and then enable your haproxy again to see if the problem is fixed. The installation directory of phpmyadmin differs for every Linux distribution; for Debian and Ubuntu it is e.g. /usr/share/phpmyadmin
Most likely a full reinstall is not necessary; your problem looks more like the typical spam bot. So before you try to wipe out the server, I would close the access to phpmyadmin and see if it's fixed then.
Well, now it's really weird!
I reinstalled the machine... phpmyadmin, php, apache... and interspire and then... postfix...
I changed inet_interfaces... and the postfix log shows it sending mails again!!!
Try to locate the problem by blocking parts of the software. Start with phpmyadmin as I suggested. If that's not causing the problem, then try to block your website for a short time, e.g. with .htaccess, to see if sending stops then.
I stopped httpd and mysql... and it's still sending mails!
Did you use different passwords than on the old machine?
Yes...absolutely...all passwords have been changed!
It might be that there were a lot of pending mails in the mailqueue so that postfix had to send them first so that sending has not stopped after you stopped apache even if the actual hole that the attackers used was closed. Please check mailqueue with:
and eventually empty it with:
postsuper -d ALL
if it contained spammer messages and then check if sending still goes on / starts after you stopped httpd.
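Before emptying the whole queue with postsuper -d ALL, it is worth seeing who the queued mail is from: legitimate mail from real users sits in the same queue as the spam, and the envelope sender of the spam (often the web server user or a bogus address) tells you which application injected it. The script below is an added example, not code from the thread or from Postfix; it parses postqueue -p output, counts queued messages per sender, and lists the queue IDs for one sender so they can be fed to postsuper -d - (which reads queue IDs from stdin). The queue listing is constructed sample data; queue IDs, hostnames and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread): triage the Postfix queue before
# reaching for "postsuper -d ALL". Works on the output of "postqueue -p".
# The listing below is constructed sample data (IDs, hosts, addresses
# are invented). "*" after an ID means active, "!" means on hold.

SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    4211 Tue Jan 17 10:12:01  apache@master.example.net
                                         victim1@example.net

F6E5D4C3B2     3980 Tue Jan 17 10:12:03  apache@master.example.net
(connect to mx.example.org[203.0.113.5]:25: Connection timed out)
                                         victim2@example.org

0A1B2C3D4E!    1502 Tue Jan 17 10:15:44  alice@example.com
                                         bob@example.com

-- 9 Kbytes in 3 Requests.'

# Read a postqueue -p listing on stdin; print "count sender" lines,
# most frequent sender first. A queue-ID line starts with the ID
# (optionally followed by * or !) and ends with the envelope sender;
# recipient lines, deferral reasons and the header/footer do not match.
queue_sender_counts() {
    awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ { n[$NF]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Read a postqueue -p listing on stdin; print the queue IDs (status
# marker stripped) of every message whose envelope sender is $1.
queue_ids_for_sender() {
    awk -v sender="$1" '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $NF == sender {
            id = $1; sub(/[*!]$/, "", id); print id
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_QUEUE" | queue_sender_counts
printf '%s\n' "$SAMPLE_QUEUE" | queue_ids_for_sender apache@master.example.net

# On a real box (not run here), delete only that sender's messages:
#   postqueue -p | queue_ids_for_sender apache@master.example.net | postsuper -d -
```

Deleting selectively keeps the legitimate mail in the queue, and the queue IDs are also what postcat -q takes if you want to read one of the spam messages to see which script produced it.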
[root@master csf]# postqueue -p
Mail queue is empty
I've installed CSF and a few IPs have been blocked since yesterday!
Now there are no e-mails going out... I've started Postfix!
In Postfix I can configure it so that just some IPs send e-mails, right?
silenceti, do you know the difference between sent and rejected? Can you post your mail.log?
Yes, I know.
BTW, with CSF everything is running normally.
OK, I'm back with some e-mails!
How can I configure Postfix to send e-mails from just some IPs?
I'm thinking of changing port 25 to another one; is there a way to change to another port and block 25?
If you do that, remote mail servers won't be able to connect to your mail server.
That's what I need, no connections to the server... because my own software can change the port.
I'm going nuts with this, tons of logs, trying to connect to my servers.
If no one needs to connect to the mailserver from external IPs, then close port 25 in the firewall. If you want to change or add an additional listen port, then edit postfix master.cf
I've tried to add an additional port and block port 25 on my server.... I can add, for example, port 27, but I can't connect to it...
This problem is getting me mad!
"from=<firstname.lastname@example.org> to=<email@example.com> proto=SMTP helo=<213-224-29-62.iFiber.telenet-ops.be>
NOQUEUE: reject: RCPT from unknown[myIP]: 451 4.3.5 <unknown[myIP]>: Client host rejected: Server configuration error; from=<firstname.lastname@example.org> to=<email@example.com> proto=SMTP helo=<static-200-105-212-110.acelerate.net> "
I installed a tool (tcpdump) and here is the log:
[root@master ~]# tcpdump -ne dst port 25 and 'tcp & 2 == 2' and dst host MyIP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:43.931077 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 78: 184.108.40.206.dict-lookup > myIP.smtp: S 315188453:315188453(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:25:44.326206 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 220.127.116.11.35398 > myIP.smtp: S 2915140590:2915140590(0) win 5840 <mss 1448,sackOK,timestamp 992358201 0,nop,wscale 6>
17:25:45.055212 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 18.104.22.168.33438 > myIP.smtp: S 1599445130:1599445130(0) win 5840 <mss 1460,sackOK,timestamp 11662252 0,nop,wscale 5>
17:25:45.868748 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 22.214.171.124.39753 > myIP.smtp: S 1656762183:1656762183(0) win 5840 <mss 1460,sackOK,timestamp 2604329909 0,nop,wscale 7>
17:25:45.920087 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 126.96.36.199.54625 > myIP.smtp: S 1176030850:1176030850(0) win 5840 <mss 1460,sackOK,timestamp 284097485 0,nop,wscale 7>
17:25:46.342190 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 188.8.131.52.52911 > myIP.smtp: S 2198223489:2198223489(0) win 5840 <mss 1460,sackOK,timestamp 107704557 0,nop,wscale 2>
17:25:46.943041 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 184.108.40.206.50366 > myIP.smtp: S 350587823:350587823(0) win 5840 <mss 1460,sackOK,timestamp 2397487033 0,nop,wscale 4>
17:25:46.969541 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 220.127.116.11.35867 > myIP.smtp: S 3809754771:3809754771(0) win 8880 <mss 2960,sackOK,timestamp 3232387290 0,nop,wscale
A lot of IPs connecting...
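The two log lines posted above are rejects: remote clients tried to use the server as a relay and Postfix refused them with NOQUEUE, which is noise, not outgoing spam. Outgoing spam shows up as status=sent lines, and the interesting question is how those messages got into Postfix: a pickup line with the web server's uid means a PHP script called sendmail, which points at the web application rather than at the SMTP port. The script below is an added example, not code from the thread or from Postfix; it splits a mail.log into rejected inbound attempts, outbound deliveries by status, and locally injected messages, and lists the most frequently rejected client IPs. The log lines are constructed; hostnames, queue IDs and addresses are invented, and uid 48 is assumed to be the web server user (check /etc/passwd on the real box and pass the right uid as the first argument).

```shell
#!/bin/sh
# Added example (not from the thread): classify Postfix mail.log lines
# so inbound "reject" noise is not confused with mail the server "sent".
# The log below is constructed sample data; hosts, queue IDs and
# addresses are invented. uid=48 is ASSUMED to be the web server user.

SAMPLE_LOG='Jan 17 17:25:43 master postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 451 4.3.5 <unknown[198.51.100.23]>: Client host rejected: Server configuration error; from=<a@example.org> to=<b@example.com> proto=SMTP helo=<static-host.example>
Jan 17 17:25:44 master postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 <x@example.com>: Relay access denied; from=<c@example.org> to=<x@example.com> proto=ESMTP helo=<mail.example>
Jan 17 17:26:05 master postfix/pickup[2002]: 7C9D0E1F2A: uid=48 from=<apache>
Jan 17 17:26:06 master postfix/smtp[2003]: 7C9D0E1F2A: to=<victim@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
Jan 17 17:26:09 master postfix/pickup[2002]: 8D0E1F2A3B: uid=48 from=<apache>
Jan 17 17:26:10 master postfix/smtp[2003]: 8D0E1F2A3B: to=<victim2@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=4.7.1, status=deferred (host mx.example.net[203.0.113.5] said: 450 4.7.1 Try again later)
Jan 17 17:30:00 master postfix/smtpd[2004]: 9E1F2A3B4C: client=localhost[127.0.0.1]
Jan 17 17:30:01 master postfix/smtp[2003]: 9E1F2A3B4C: to=<customer@example.com>, relay=mx.example.com[203.0.113.9]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)'

# Read mail.log on stdin; print one summary line. $1 is the uid of the
# web server user (default 48, an assumption for this example).
log_summary() {
    awk -v webuid="${1:-48}" '
        /NOQUEUE: reject:/                            { rejected++ }
        /status=sent/                                 { sent++ }
        /status=deferred/                             { deferred++ }
        /status=bounced/                              { bounced++ }
        /postfix\/pickup/ && $0 ~ ("uid=" webuid " ") { webinject++ }
        END { printf "rejected=%d sent=%d deferred=%d bounced=%d web_injected=%d\n",
                     rejected, sent, deferred, bounced, webinject }'
}

# Read mail.log on stdin; print the queue IDs of messages injected via
# sendmail(1) by the web server user. These are the ones to inspect with
# "postcat -q ID" to find the script that generated them.
web_injected_ids() {
    awk -v webuid="${1:-48}" '
        /postfix\/pickup/ && $0 ~ ("uid=" webuid " ") {
            id = $6; sub(/:$/, "", id); print id
        }'
}

# Read mail.log on stdin; print "count ip" for rejected clients, most
# frequent first, e.g. to feed into the firewall or CSF deny list.
rejected_clients() {
    awk '/NOQUEUE: reject: RCPT from/ {
             s = $0; sub(/^.*RCPT from /, "", s)
             i = index(s, "["); j = index(s, "]")
             ip = substr(s, i + 1, j - i - 1)
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | log_summary
printf '%s\n' "$SAMPLE_LOG" | web_injected_ids
printf '%s\n' "$SAMPLE_LOG" | rejected_clients

# On a real box (not run here): log_summary < /var/log/mail.log
```

If web_injected is high and rejected is high, those are two separate problems: the rejects are bots probing port 25 (which the firewall can take care of, as suggested above), while the injected messages come from a script on the web server and will keep flowing no matter what happens on port 25.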