Server Hacked?

Discussion in 'General' started by silenceti, Jan 17, 2012.

  1. silenceti

    silenceti New Member

    Yes, I'm going to do that... I just don't understand where the "bad files" are!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your problem is either phpmyadmin or wordpress according to your logs, and both software packages are neither part of ispconfig nor belong to it. So reinstalling ispconfig does not make much sense in my opinion and it won't change anything regarding your problem.

    First you will have to find out which software is causing the problem, and my recommendation for that is to protect phpmyadmin with an .htaccess password protection and then enable your haproxy again to see if the problem is fixed. The installation directory of phpmyadmin differs for every Linux distribution; for Debian and Ubuntu it is e.g. /usr/share/phpmyadmin

    Most likely a full reinstall is not necessary; your problem looks more like the typical spam bot. So before you try to wipe out the server I would close the access to phpmyadmin and see if it's fixed then.
     
  3. silenceti

    silenceti New Member

    Well, now it's really weird!

    I reinstalled the machine... phpmyadmin, php, apache... and interspire and then... postfix...

    I changed inet_interfaces... and the postfix log starts sending mails again!!! :confused::confused:

    WTF?:mad:
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to locate the problem by blocking parts of the software. Start with phpmyadmin as I suggested. If that's not causing the problem, then try to block your website for a short time, e.g. with .htaccess, to see if sending stops then.
     
  5. silenceti

    silenceti New Member

    Hi,

    I stopped httpd and mysql... and it's still sending mails!
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Did you use different passwords than on the old machine?
     
  7. silenceti

    silenceti New Member

    Yes...absolutely...all passwords have been changed!
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    It might be that there were a lot of pending mails in the mail queue, so that postfix had to send them first and sending has not stopped after you stopped apache even if the actual hole that the attackers used was closed. Please check the mail queue with:

    postqueue -p

    and eventually empty it with:

    postsuper -d ALL

    if it contained spammer messages and then check if sending still goes on / starts after you stopped httpd.
     
  9. silenceti

    silenceti New Member

    [root@master csf]# postqueue -p
    Mail queue is empty

    I've installed CSF and a few IPs have been blocked since yesterday!

    Now there are no e-mails going out... I've started Postfix!
     
  10. silenceti

    silenceti New Member

    Hi,

    In Postfix I can configure it so that just some IPs can send e-mails, right?

    Thanks.
     
  11. pititis

    pititis Member

    Hi,

    :confused:

    silenceti, do you know the difference between sent and rejected? Can you post your mail.log?

    Cheers
     
  12. silenceti

    silenceti New Member

    Yes, I know.

    BTW, With CSF everything is running normally ;)
     
  13. silenceti

    silenceti New Member

    Hi,

    OK, I'm back with some e-mails!

    How can I configure Postfix to send e-mails from just some IPs?

    Thanks!
     
  14. falko

    falko Super Moderator ISPConfig Developer

  15. silenceti

    silenceti New Member

    Hi,

    I'm thinking of changing port 25 to another one. Is there a way to change to another port and block 25?

    Thanks.
     
  16. falko

    falko Super Moderator ISPConfig Developer

    If you do that, remote mail servers won't be able to connect to your mail server.
     
  17. silenceti

    silenceti New Member

    Hi,

    That's what I need, no connections to the server... because my own software can change the port.

    I'm going nuts with this: tons of logs, trying to connect to my servers.

    Freaking out!
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    If no one needs to connect to the mailserver from external IPs, then close port 25 in the firewall. If you want to change or add an additional listen port, then edit postfix master.cf
     
  19. silenceti

    silenceti New Member

    I've tried to add an additional port and block port 25 on my server.... I can add for example port 27, but I can't connect to it...

    This problem is getting me mad!

    "from=<[email protected]> to=<[email protected]> proto=SMTP helo=<213-224-29-62.iFiber.telenet-ops.be>

    NOQUEUE: reject: RCPT from unknown[myIP]: 451 4.3.5 <unknown[myIP]>: Client host rejected: Server configuration error; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<static-200-105-212-110.acelerate.net> "

    :eek:
     
  20. silenceti

    silenceti New Member

    I installed a tool (tcpdump) and here is the log:


    [root@master ~]# tcpdump -ne dst port 25 and 'tcp[13] & 2 == 2' and dst host MyIP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    17:25:43.931077 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 78: 121.175.145.168.dict-lookup > myIP.smtp: S 315188453:315188453(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:25:44.326206 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 219.238.181.117.35398 > myIP.smtp: S 2915140590:2915140590(0) win 5840 <mss 1448,sackOK,timestamp 992358201 0,nop,wscale 6>
    17:25:45.055212 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 122.154.97.28.33438 > myIP.smtp: S 1599445130:1599445130(0) win 5840 <mss 1460,sackOK,timestamp 11662252 0,nop,wscale 5>
    17:25:45.868748 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 190.85.37.92.39753 > myIP.smtp: S 1656762183:1656762183(0) win 5840 <mss 1460,sackOK,timestamp 2604329909 0,nop,wscale 7>
    17:25:45.920087 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 187.35.85.107.54625 > myIP.smtp: S 1176030850:1176030850(0) win 5840 <mss 1460,sackOK,timestamp 284097485 0,nop,wscale 7>
    17:25:46.342190 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 174.142.7.203.52911 > myIP.smtp: S 2198223489:2198223489(0) win 5840 <mss 1460,sackOK,timestamp 107704557 0,nop,wscale 2>
    17:25:46.943041 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 81.89.109.53.50366 > myIP.smtp: S 350587823:350587823(0) win 5840 <mss 1460,sackOK,timestamp 2397487033 0,nop,wscale 4>
    17:25:46.969541 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 203.110.203.71.35867 > myIP.smtp: S 3809754771:3809754771(0) win 8880 <mss 2960,sackOK,timestamp 3232387290 0,nop,wscale 0>

    A lot of IPs connecting...
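    An added shell helper, not from the thread: it takes `tcpdump -ne` output in the format of the capture above (here a constructed sample using RFC 5737 documentation addresses, not the real capture) and counts SMTP SYNs per source address, which turns a scrolling wall of connection attempts into a short list of the hosts that are actually hammering port 25.

```shell
#!/bin/sh
# Count SYNs to port 25 per source address in `tcpdump -ne` output, so the
# noisiest hosts can be picked out and, e.g., compared against CSF's blocks.
# Constructed sample capture (documentation addresses, made-up sequence numbers):
SAMPLE_CAPTURE='17:25:43.931077 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40001 > 198.51.100.1.smtp: S 1:1(0) win 5840 <mss 1460,sackOK>
17:25:44.102211 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 203.0.113.5.51000 > 198.51.100.1.smtp: S 2:2(0) win 5840 <mss 1460,sackOK>
17:25:44.330010 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40002 > 198.51.100.1.smtp: S 3:3(0) win 5840 <mss 1460,sackOK>
17:25:45.004400 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 78: 192.0.2.10.dict-lookup > 198.51.100.1.smtp: S 4:4(0) win 65535 <mss 1460,nop,wscale 0>
17:25:45.777000 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 203.0.113.5.51001 > 198.51.100.1.smtp: S 5:5(0) win 5840 <mss 1460,sackOK>'

# Print "count ip" per source, busiest first. In this line format the
# source endpoint is the field after "length N:" ($10), the destination is
# $12 and the TCP flags are $13. The endpoint's last dotted component is the
# port, either a number or a service name like dict-lookup, and is stripped.
syn_sources_top() {
    awk '$8 == "length" && $12 ~ /\.smtp:$/ && $13 == "S" {
             src = $10; sub(/\.[^.]*$/, "", src); n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Source addresses with at least $1 SYNs, one per line.
syn_burst_sources() {
    syn_sources_top | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | syn_sources_top
```

    On the real box this is `tcpdump -ne -l dst port 25 and 'tcp[13] & 2 == 2' | syn_sources_top`; feed `syn_burst_sources 20` (threshold is an assumption) to a blocklist rather than reading thousands of lines by hand.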
     
