Hello, I recently set up an ISPConfig 3 box (been running ISPConfig 2 successfully for years). The new box was set up on Ubuntu 10.04.1 LTS using the perfect server instructions (to the best of my abilities). However, the new machine is now being used as a spam relay. The attacker has guessed a local username ([email protected]) and is using that successfully as a sender address. The server needs to accept incoming mail for the customer domains, but all real clients should authenticate themselves via SMTP auth. What would be the usual suspects in the Postfix configuration I should be looking at? Thanks!
Found it OK, apparently the culprit is a vulnerable PHP application on one of the accounts, so Postfix is not at fault. So, a related question: if a SuPHP account was compromised via a script vulnerability, what is the risk that the attacker has gained wider access (beyond just the infected account)?
It is unlikely that the attacker gained wider access when you install Linux updates regularly. Also, most of these attacks were done by automatic scripts which are only made to send spam, so they do not even try to attack the system behind the webspace. Nevertheless, you should scan the system with rkhunter.
Intrusion method
Upon further investigation, it seems that the injection method is the one described here: http://www.ivankristianto.com/hacking/someone-trying-to-inject-ivankristianto-com/1503/ I have modified the offending script with the include vulnerability, and I am currently investigating how to prevent similar injections in the future (beyond reviewing all customer PHP code).
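The last post ends with the chore of reviewing all customer PHP code for the same kind of include flaw. As a triage aid, here is an added example (not code from this thread or from ISPConfig) that scans a web root for include/require statements whose path is taken, directly or through one assignment hop, from request data; the embedded PHP source is constructed, and the `/var/www/clients` path is only an assumption about the ISPConfig 3 layout.

```python
import re
from pathlib import Path

# Request-controlled superglobals whose contents an attacker chooses.
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE)"
INCLUDE_RE = re.compile(
    r"\b(include|require|include_once|require_once)\b\s*\(?\s*([^;]+?)\s*\)?\s*;", re.I)
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")
VAR_RE = re.compile(r"\$\w+")

def tainted_vars(src):
    """Variables assigned from request data, following $a = $b chains in file order."""
    tainted = set()
    for m in ASSIGN_RE.finditer(src):
        var, rhs = m.group(1), m.group(2)
        if re.search(SUPERGLOBALS, rhs) or any(v in tainted for v in VAR_RE.findall(rhs)):
            tainted.add(var)
    return tainted

def find_dynamic_includes(src):
    """Return [(line_no, statement)] for include/require whose path derives from request data."""
    tainted = tainted_vars(src)
    hits = []
    for m in INCLUDE_RE.finditer(src):
        arg = m.group(2)
        if re.search(SUPERGLOBALS, arg) or any(v in tainted for v in VAR_RE.findall(arg)):
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(0).strip()))
    return hits

def scan_tree(root):
    """Walk a web root (assumed ISPConfig layout, e.g. /var/www/clients) and map
    each .php file to its suspicious include statements."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        hits = find_dynamic_includes(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample of a customer script (not code from the thread).
SAMPLE_PHP = """<?php
$page = $_GET['page'];
$tpl  = $page . '.php';
require_once 'config.php';
include($tpl);
include 'footer.php';
"""
```

`find_dynamic_includes(SAMPLE_PHP)` reports only the `include($tpl);` on line 5, because `$tpl` is built from `$page`, which came from `$_GET`; a regex pass like this is a starting point for review, not a substitute for reading the flagged files.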