VPS and postfix hacked?

Discussion in 'General' started by adrenalinic, Dec 29, 2013.

  1. adrenalinic

    adrenalinic Member

    Hi.
    For 2 hours my postfix server has been sending thousands of emails around the world.

    Checking the mail.log I see thousands of these (I have changed the recipient email for privacy reasons):

    Code:
    0029D1162790 	2013/12/29 22:00 	sender@mydomain.com 	recipent@aol.com 	1.36 kB 	delivery temporarily suspended: host mailin-01.mx.aol.com[205.188.155.110] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html
    	00A2F1162717 	2013/12/29 21:59 	sender2@myadomain.com 	recipient2@yahoo.com 	1.48 kB 	delivery temporarily suspended: host mta6.am0.yahoodns.net[98.136.216.26] refused to talk to me: 421 4.7.0 [TS01] Messages from MYIP temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
    All emails are from users of my domain sender@mydomain.com, which is hosted on my ISPConfig but uses a remote Google Apps mail system and does not receive the mail for this domain directly. There are only two domains with sending allowed, and I have deleted them together with the only 2 active users, but the emails keep coming while monitoring with tail -f /var/log/mail.log

    After I closed the imaps and smtps ports in ISPConfig, the mails are still being sent continuously....

    Therefore I have performed a scan with rkhunter, with these suspicious results:

    Code:
     Performing file properties checks
        Checking for prerequisites                               [ OK ]
        /bin/bash                                                [ Warning ]
        /bin/cat                                                 [ Warning ]
        /bin/chmod                                               [ Warning ]
        /bin/chown                                               [ Warning ]
        /bin/cp                                                  [ Warning ]
        /bin/csh                                                 [ Warning ]
        /bin/date                                                [ Warning ]
        /bin/df                                                  [ Warning ]
        /bin/dmesg                                               [ Warning ]
        /bin/echo                                                [ Warning ]
        /bin/ed                                                  [ Warning ]
        /bin/egrep                                               [ Warning ]
        /bin/fgrep                                               [ Warning ]
        /bin/fuser                                               [ Warning ]
        /bin/grep                                                [ Warning ]
        /bin/ip                                                  [ Warning ]
        /bin/kill                                                [ Warning ]
        /bin/less                                                [ Warning ]
        /bin/login                                               [ Warning ]
        /bin/ls                                                  [ Warning ]
        /bin/lsmod                                               [ Warning ]
        /bin/mktemp                                              [ Warning ]
        /bin/more                                                [ Warning ]
        /bin/mount                                               [ Warning ]
        /bin/mv                                                  [ Warning ]
        /bin/netstat                                             [ Warning ]
        /bin/ps                                                  [ Warning ]
        /bin/pwd                                                 [ Warning ]
        /bin/readlink                                            [ Warning ]
        /bin/sed                                                 [ Warning ]
        /bin/sh                                                  [ Warning ]
        /bin/su                                                  [ Warning ]
        /bin/touch                                               [ Warning ]
        /bin/uname                                               [ Warning ]
        /bin/which                                               [ Warning ]
        /bin/tcsh                                                [ Warning ]
        /usr/bin/awk                                             [ Warning ]
        /usr/bin/basename                                        [ Warning ]
        /usr/bin/chattr                                          [ Warning ]
        /usr/bin/cut                                             [ Warning ]
        /usr/bin/diff                                            [ Warning ]
        /usr/bin/dirname                                         [ Warning ]
        /usr/bin/dpkg                                            [ Warning ]
        /usr/bin/dpkg-query                                      [ Warning ]
        /usr/bin/du                                              [ Warning ]
        /usr/bin/env                                             [ Warning ]
        /usr/bin/file                                            [ Warning ]
        /usr/bin/find                                            [ Warning ]
        /usr/bin/GET                                             [ Warning ]
        /usr/bin/groups                                          [ Warning ]
        /usr/bin/head                                            [ Warning ]
        /usr/bin/id                                              [ Warning ]
        /usr/bin/killall                                         [ Warning ]
        /usr/bin/last                                            [ Warning ]
        /usr/bin/lastlog                                         [ Warning ]
        /usr/bin/ldd                                             [ Warning ]
        /usr/bin/less                                            [ Warning ]
        /usr/bin/locate                                          [ Warning ]
        /usr/bin/logger                                          [ Warning ]
        /usr/bin/lsattr                                          [ Warning ]
        /usr/bin/lsof                                            [ Warning ]
        /usr/bin/lynx                                            [ Warning ]
        /usr/bin/mail                                            [ Warning ]
        /usr/bin/md5sum                                          [ Warning ]
        /usr/bin/mlocate                                         [ Warning ]
        /usr/bin/newgrp                                          [ Warning ]
        /usr/bin/passwd                                          [ Warning ]
        /usr/bin/perl                                            [ Warning ]
        /usr/bin/pgrep                                           [ Warning ]
        /usr/bin/pstree                                          [ Warning ]
        /usr/bin/rkhunter                                        [ Warning ]
        /usr/bin/runcon                                          [ Warning ]
        /usr/bin/sha1sum                                         [ Warning ]
        /usr/bin/sha224sum                                       [ Warning ]
        /usr/bin/sha256sum                                       [ Warning ]
        /usr/bin/sha384sum                                       [ Warning ]
        /usr/bin/sha512sum                                       [ Warning ]
        /usr/bin/size                                            [ Warning ]
        /usr/bin/sort                                            [ Warning ]
        /usr/bin/stat                                            [ Warning ]
        /usr/bin/strings                                         [ Warning ]
        /usr/bin/sudo                                            [ Warning ]
        /usr/bin/tail                                            [ Warning ]
        /usr/bin/test                                            [ Warning ]
        /usr/bin/top                                             [ Warning ]
        /usr/bin/touch                                           [ Warning ]
        /usr/bin/tr                                              [ Warning ]
        /usr/bin/uniq                                            [ Warning ]
        /usr/bin/users                                           [ Warning ]
        /usr/bin/vmstat                                          [ Warning ]
        /usr/bin/w                                               [ Warning ]
        /usr/bin/watch                                           [ Warning ]
        /usr/bin/wc                                              [ Warning ]
        /usr/bin/wget                                            [ Warning ]
        /usr/bin/whatis                                          [ Warning ]
        /usr/bin/whereis                                         [ Warning ]
        /usr/bin/which                                           [ Warning ]
        /usr/bin/who                                             [ Warning ]
        /usr/bin/whoami                                          [ Warning ]
        /usr/bin/tcsh                                            [ Warning ]
        /usr/bin/gawk                                            [ Warning ]
        /usr/bin/lwp-request                                     [ Warning ]
        /usr/bin/lynx.cur                                        [ Warning ]
        /usr/bin/bsd-mailx                                       [ Warning ]
        /usr/bin/w.procps                                        [ Warning ]
        /sbin/depmod                                             [ Warning ]
        /sbin/ifconfig                                           [ Warning ]
        /sbin/ifdown                                             [ Warning ]
        /sbin/ifup                                               [ Warning ]
        /sbin/init                                               [ Warning ]
        /sbin/insmod                                             [ Warning ]
        /sbin/ip                                                 [ Warning ]
        /sbin/lsmod                                              [ Warning ]
        /sbin/modinfo                                            [ Warning ]
        /sbin/modprobe                                           [ Warning ]
        /sbin/rmmod                                              [ Warning ]
        /sbin/runlevel                                           [ Warning ]
        /sbin/sulogin                                            [ Warning ]
        /sbin/sysctl                                             [ Warning ]
        /sbin/syslogd                                            [ Warning ]
        /usr/sbin/adduser                                        [ Warning ]
        /usr/sbin/chroot                                         [ Warning ]
        /usr/sbin/cron                                           [ Warning ]
        /usr/sbin/groupadd                                       [ Warning ]
        /usr/sbin/groupdel                                       [ Warning ]
        /usr/sbin/groupmod                                       [ Warning ]
        /usr/sbin/grpck                                          [ Warning ]
        /usr/sbin/nologin                                        [ Warning ]
        /usr/sbin/pwck                                           [ Warning ]
        /usr/sbin/tcpd                                           [ Warning ]
        /usr/sbin/useradd                                        [ Warning ]
        /usr/sbin/userdel                                        [ Warning ]
        /usr/sbin/usermod                                        [ Warning ]
        /usr/sbin/vipw                                           [ Warning ]
        /usr/sbin/xinetd                                         [ Warning ]
        /usr/sbin/unhide-linux26                                 [ Warning ]
    
    [Press <ENTER> to continue]
    
    Now I have stopped postfix and obviously the email sending has stopped:
    Code:
    Dec 29 23:05:59  postfix/master[32733]: terminating on signal 15
    Dec 29 22:06:00  postfix/postqueue[3647]: warning: Mail system is down -- accessing queue directly
    Dec 29 22:06:31  postfix/postqueue[3923]: warning: Mail system is down -- accessing queue directly
    Dec 29 22:10:01  postfix/postqueue[11975]: warning: Mail system is down -- accessing queue directly
    
    but I see that the number of messages in the queue still keeps going UP and UP!

    Therefore, thinking it could be a mail form used on some website hosted on my VPS, I turned off apache2, and since turning apache2 back on there have been no new mails in the queue for 5 minutes...

    Now I'm waiting to see what happens...

    Regarding the rkhunter check warnings, what should I think?
    Is my VPS compromised? My VPS runs under the Virtuozzo system.

    Thanks for the attention.
    Regards.
     
    Last edited: Dec 30, 2013
  2. adrenalinic

    adrenalinic Member

    Previous OSSEC logs

    Analyzing some previous OSSEC notifications I see this activity occurred some time before I discovered the problem:

    Code:
    - - [29/Dec/2013:12:02:32 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"

    Code:
    Received From: ->/var/log/apache2/access.log
    Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
    Portion of the log(s):
    
     - [29/Dec/2013:14:49:33 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"
    
    
    
     --END OF NOTIFICATION

    Code:
    29/Dec/2013:09:42:38 +0100] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 832 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
    
    Code:
    - [28/Dec/2013:20:54:44 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"
    Are they trying to bomb my VPS here? :confused:
     
    Last edited: Dec 30, 2013
  3. adrenalinic

    adrenalinic Member

    Anyway, taking advantage of the night,
    I have started the VPS image restore, hoping it will be finished by morning with the VPS up.
     
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    The POST requests are trying to use an exploit in PHP that was published a while ago. Lots of servers have been hacked through this, but if you have a current PHP version installed you should not be affected.
    Nor if your default vhost has no CGI enabled.

    You should have analyzed the mails in queue (including headers) to find the spam source before restoring the server. It's always better to know what happened.
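    A defender-side check for the request pattern posted above, added here as an example and not code from the thread or from ISPConfig: it reproduces the CGI rule that hands an '='-free query string to php-cgi as argv, decodes the tokens, flags option-like ones, and tallies them per client IP for blocking. The log lines are constructed and modelled on the ones in the thread, with documentation-range placeholder client IPs (the posted lines have theirs stripped).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample, modelled on the OSSEC/Apache entries quoted in the thread.
# Client IPs are documentation-range placeholders (the posted lines have theirs
# stripped); the php-cgi payloads stay percent-encoded exactly as Apache logs them.
SAMPLE_LOG = """
192.0.2.10 - - [29/Dec/2013:12:02:32 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 500 822 "-" "-"
192.0.2.10 - - [29/Dec/2013:14:49:33 +0100] "POST /cgi-bin/php?%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%6E HTTP/1.1" 500 832 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2013:15:01:02 +0100] "POST /index.php?option=com_content&view=article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Dec/2013:15:01:09 +0100] "GET /search?postfix+queue HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Apache "combined" format up to the size field: client ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into fields; None if it is not a combined-format line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cgi_argv(query):
    """Mimic the CGI rule that made this attack possible: a query string with no
    literal '=' is handed to the CGI program as argv, split on '+' and then
    percent-decoded per token. Returns [] when the query would NOT become argv."""
    if not query or '=' in query:
        return []
    return [unquote(tok) for tok in query.split('+') if tok]


def inspect_target(target):
    """Decode a request target; return (suspicious, decoded_path, argv).
    Suspicious means the query would reach the CGI binary as argv and at least
    one token looks like a command-line option (starts with '-')."""
    raw_path, _, query = target.partition('?')   # urlsplit() would misread a '//' path as a host
    argv = cgi_argv(query)
    suspicious = any(tok.startswith('-') for tok in argv)
    return suspicious, unquote(raw_path), argv


def scan(log_text):
    """Run inspect_target() over every parseable line; one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        suspicious, path, argv = inspect_target(rec['target'])
        if suspicious:
            findings.append({'ip': rec['ip'], 'time': rec['time'],
                             'status': rec['status'], 'path': path, 'argv': argv})
    return findings


def offenders(findings):
    """Suspicious requests per client IP: the list to feed a hosts.deny or fail2ban-style block."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        # Apache answered 500 in the thread's lines, so this shows the attempt, not that it worked
        print(f"{f['ip']} {f['time']} {f['status']} {f['path']} argv={f['argv']}")
    print('per-IP:', dict(offenders(hits)))
```

    A 500 status on these requests only records the attempt; whether the server was actually vulnerable depends on the PHP version and on whether CGI was enabled, as Croydon notes.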
     
  5. sjau

    sjau Local Meanie Moderator

    Also you can block that IP and maybe add throttling for email sending...
     
  6. adrenalinic

    adrenalinic Member

    Hi. Thanks for your reply.
    Yes, the previous PHP version was the latest...

    In ISPConfig the mail and FTP ports are closed, and now I see that they are open all the same; all this is not normal!

    Code:
    Scanning localhost.localdomain (127.0.0.1) [1000 ports]
    Completed XMAS Scan at 10:49, 1.22s elapsed (1000 total ports)
    Host localhost.localdomain (127.0.0.1) is up (0.000010s latency).
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 986 closed ports
    PORT      STATE         SERVICE
    21/tcp    open|filtered ftp
    53/tcp    open|filtered domain
    80/tcp    open|filtered http
    110/tcp   open|filtered pop3
    143/tcp   open|filtered imap
    443/tcp   open|filtered https
    783/tcp   open|filtered spamassassin
    993/tcp   open|filtered imaps
    995/tcp   open|filtered pop3s
    3306/tcp  open|filtered mysql
    8080/tcp  open|filtered http-proxy
    8081/tcp  open|filtered blackice-icecap
    
     
  7. adrenalinic

    adrenalinic Member

    Now I'm receiving the POST bomb again:

    Code:
     [30/Dec/2013:10:55:37 +0100] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 500 832 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"
     
  8. adrenalinic

    adrenalinic Member

    Yes, I block the IPs with OSSEC in hosts.deny automatically, but the IPs are changing continuously!
     
  9. sjau

    sjau Local Meanie Moderator

    Is it just one website or multiple?
     
  10. sjau

    sjau Local Meanie Moderator

    if it's just one website, you could disable PHP or at least mail() on it for a while or even disable the site for the time being.
     
  11. adrenalinic

    adrenalinic Member

    Yes, I have now disabled all possible mail forms.

    nmap -v -sX localhost:
    Now I see: 10024/tcp open|filtered unknown
     
  12. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Port 10024 is amavis.
     
  13. sjau

    sjau Local Meanie Moderator

    Until you fix the underlying issue, and if just one site is affected, have a look at this:

    http://www.davelachapelle.ca/2009/08/05/php-mail-abuse/

    That way the server should still be fine but PHP mail() on that domain will be disabled....
     
  14. adrenalinic

    adrenalinic Member

    I think I have discovered the problem:

    a Joomla form module used on some websites.

    Now I'm monitoring... and it seems there are no new attacks...

    Probably it was a pwebcontact form without captcha.
     
  15. adrenalinic

    adrenalinic Member

    Code:
    ->/var/log/apache2/access.log
    Rule: 31122 fired (level 5) -> "Web server 500 error code (Internal Error)."
    Portion of the log(s):
    
    - - [30/Dec/2013:17:00:44 +0100] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 500 822 "-" "-"
     
    To the attention of the ISPConfig staff:

    It seems that the security issue being used was fixed in the Ubuntu 10.04 LTS package in May 2012 by the following USN:

    http://www.ubuntu.com/usn/usn-1437-1/

    http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html

     
