Server updated, now everything is bogus

Discussion in 'Installation/Configuration' started by ZeroEnna, Apr 5, 2016.

  1. ZeroEnna

    ZeroEnna Member

    Hello everyone,
    THis thread can be closed, everything is fixed now

    Regards

    Zero
     
    Last edited: Apr 5, 2016
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The most likely reason is a hacked website. Check the headers of the emails in the mailqueue with postqueue and postcat commands.
     
  3. ZeroEnna

    ZeroEnna Member

    Did that, the site was identified and exterminated :)
     
  4. DDArt

    DDArt Member HowtoForge Supporter

    How did you go about doing this, I'm sure lots will find the the steps informative and helpful. Did you use maldet? sucuri? maillog, IspProtect and so on.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I explained that in several posts here in the forum in the past:

    1) Run "postqueue -p" to get a list of emails in the queue.
    2) Inspect starnge emails with "postcat -q QUEID" where QUEID is the ID of the email that you got from the postqueue command.

    Emails sent by PHP have a header in most cases that shows the file that has sent the email and which use has sent it, so you can find the website by user as each website in ispconfig runs under a different web user.
     
  6. ZeroEnna

    ZeroEnna Member

    As till has explained:

    I picked one queued mail and dumped it via
    postcat -q QUEUEID | more

    I found the header line "X-PHP-Originating" which pointed to the website ID and a script name. After a "locate script.php", I was able to find and delete that script (a wordpress installation got hacked and was used to inject some code).
     
    DDArt likes this.

Share This Page