Hi, in my servers with ISPConfig, I have my Postfix sending e-mails every second to unknown e-mail accounts! What can I do? Thanks.
Most likely one of your websites has a bug in a CMS system or contact form so that spammers can use that to send spam through your server. So it's likely that the server itself is not hacked and you just have a vulnerable website. To check if your server itself is hacked, use rkhunter:
rkhunter --update
rkhunter -c
Well, I don't see any "strange thing" with rkhunter... That's a little weird! I start Postfix and:
SMTP helo=<mvx-201-76-189-2.mundivox.com>
Jan 17 13:40:25 vp7 postfix/smtpd[21407]: NOQUEUE: reject: RCPT from n: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=
Jan 17 13:40:25 vp7 postfix/smtpd[21396]: NOQUEUE: reject: RCPT from ]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<187.115.194.22.static.gvt.net.br>
I don't even know what e-mail accounts these are....!
These are the email accounts where the spam is sent to. See here for a method to find which of your websites is used to send the spam: http://www.howtoforge.com/how-to-log-emails-sent-with-phps-mail-function-to-detect-form-spam
Hi till, I don't think it is a website, because I just have one, and it's a platform, like Interspire with HAProxy! I start HAProxy, and mails are going out... This is really weird!!!!
If you use php-fcgi, suphp or php-cgi, then you will have to edit the php.ini file /etc/php5/cgi/php.ini too. If you use custom php.ini settings for that website, you might have to add the modifications in the custom php.ini field in ISPConfig.
Can't find that file:
php -i | grep php.ini
Configuration File (php.ini) Path => /etc/php.ini
This is the correct one... I guess?
If you use a CentOS or Fedora system, then that should be the file. For CentOS or Fedora you might have to adjust the sendmail path in the wrapper script.
Hi again, I've deleted all e-mail accounts from my server and still mails are going out... really strange??!!
The problem is either in a website script or in your proxy configuration, as it can be possible to send emails through a wrongly configured proxy. It is unlikely that the problem is related to your mail accounts. You should check the access log of your website to see which URL requests are used to send the emails through your server and then fix the script or proxy configuration that allows the sending of emails.
If you use an ISPConfig 3 server, then the access.log of the website is in the log directory of that website.
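The access-log check till describes, worked through as an added example (not code from this thread, from ISPConfig or from Postfix): it lines up Postfix pickup entries (local submissions, which is how PHP's mail() hands messages in) with Apache requests in the same few seconds, so the script generating the mail stands out. The log lines, the year and the 2-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample Postfix log (not from the thread). pickup lines are messages
# handed in locally via /usr/sbin/sendmail, which is how PHP's mail() submits.
MAIL_LOG = """\
Jan 17 13:40:25 vp7 postfix/pickup[2201]: 1A2B3C4D5E: uid=48 from=<apache>
Jan 17 13:40:26 vp7 postfix/pickup[2201]: 6F7A8B9C0D: uid=48 from=<apache>
Jan 17 13:10:02 vp7 postfix/pickup[2201]: 0E1F2A3B4C: uid=48 from=<apache>
"""
# Constructed Apache combined-format access log for the same server.
ACCESS_LOG = """\
198.51.100.7 - - [17/Jan/2012:13:09:58 +0000] "GET /index.php HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2012:13:40:24 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2012:13:40:25 +0000] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 200 11079 "-" "Opera"
203.0.113.5 - - [17/Jan/2012:13:40:26 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
PICKUP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: (\w+): uid=(\d+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_pickups(text, year):
    """(timestamp, queue_id, uid) per local submission; syslog lacks the year, so it is supplied."""
    out = []
    for m in filter(None, map(PICKUP_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group(2), int(m.group(3))))
    return out

def parse_access(text):
    """(timestamp, client_ip, method, path, status) per request; UTC offset dropped, same clock assumed."""
    out = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        out.append((ts, m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return out

def correlate(mail_log, access_log, year, window=2):
    """Count, per (method, path, client), how many mail submissions fall within `window`
    seconds of a request to it; the highest counts point at the script producing the spam."""
    hits = Counter()
    delta = timedelta(seconds=window)
    requests = parse_access(access_log)
    for ts, _qid, _uid in parse_pickups(mail_log, year):
        for rts, ip, method, path, _status in requests:
            if abs(rts - ts) <= delta:
                hits[(method, path, ip)] += 1
    return hits
```

Run it against the real mail.log and the site's access.log from the ISPConfig log directory; a submission with no nearby request (like the 13:10:02 one here) points away from the web server, e.g. at a proxy or cron job.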
Hi, I've found something like this:
"GET /mysqladmin/scripts/setup.php HTTP/1.1" 200 11079 "http://myserver/mysqladmin/scripts/setup.php" "Opera"
Can this be the problem? Thanks.
Is your phpMyAdmin reachable under the URL /mysqladmin on your server? If yes, then the phpMyAdmin installation might be outdated or vulnerable to attacks. Try to close the phpMyAdmin URL, e.g. by adding a .htaccess password protection in the phpMyAdmin installation directory, and check if that stops the problem.
Till, thanks for your amazing fast replies!!
"GET /wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 0 "-" "ZmEu"
I've been attacked by someone called ZmEu, so now I need to change the database password, maybe the database was infected, right? Thanks!
Maybe it's better to remove the ISPConfig installation and reinstall again? How can I remove ISPConfig (files and database)? Thanks.
If so, I would completely wipe the whole server and reinstall it, as you may not know which backdoors the attacker may have left, even though you closed the vulnerability he used to compromise the server initially.