HELP! Mail server compromised now spamming email

Discussion in 'ISPConfig 3 Priority Support' started by ginner159, Dec 1, 2014.

  1. ginner159

    ginner159 New Member

    Hi, my mail server, which is also running on the main server, seems to have been compromised, as I've just received 150 email rejections, all sending spam email from within my server, and I'm not sure what to do to stop it. Everything has been updated with dist-upgrade. It seems that every 15 mins an extra 50 get sent!

    Thanks for your help in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    First: rejection mails do not necessarily mean that the mail was sent with your server. It can just be that someone misused your email address as the sender address, and not your server.

    To find out if the mails are really sent with your server, run:

    postqueue -p

    and see how many mails are in the queue.
     
  3. ginner159

    ginner159 New Member

    Code:
    Data from: 2014-12-01 13:55
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    04CE011805F9 3768 Mon Dec 1 12:32:53 [email protected]
    (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    03443118187E 3748 Mon Dec 1 12:19:54 [email protected]
    (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    8B6D411819D3 3753 Mon Dec 1 13:22:44 [email protected]
    (host mailleb2.mailrooter.com[67.208.158.40] refused to talk to me: 450 4.3.2 try again later)
    [email protected]
    
    337BA1181AD1 3742 Mon Dec 1 13:50:13 [email protected]
    (host smtp.remaxescarpment.com[216.185.72.66] said: 420 deferred due to suspect content, please try again later (in reply to end of DATA command))
    [email protected]
    
    73A461181A02 3736 Mon Dec 1 13:22:43 [email protected]
    (Host or domain name not found. Name service error for name=gawab.com type=MX: Host not found, try again)
    [email protected]
    
    67DF711819A9 3781 Mon Dec 1 13:20:36 [email protected]
    (host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    6F44711802FC 3747 Mon Dec 1 12:32:50 [email protected]
    (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    63C6D11819F6 3732 Mon Dec 1 13:22:45 [email protected]
    (delivery temporarily suspended: host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    69D2611816FE 1516 Mon Dec 1 10:19:20 [email protected]
    (host mta6.am0.yahoodns.net[98.136.216.26] said: 450 4.2.1 User is receiving mail too quickly (in reply to RCPT TO command))
    [email protected]
    
    237631181AED 3765 Mon Dec 1 13:53:05 [email protected]
    (Host or domain name not found. Name service error for name=cowboy-casino.com type=MX: Host not found, try again)
    [email protected]
    
    23CB1118182C 3725 Mon Dec 1 12:50:44 [email protected]
    (Host or domain name not found. Name service error for name=mx1.veriomail.com type=AAAA: Host not found, try again)
    [email protected]
    
    1175D1181469 3735 Mon Dec 1 12:43:59 [email protected]
    (connect to ol.com[184.168.221.104]:25: Connection refused)
    [email protected]
    
    1AEDC1181A84 3735 Mon Dec 1 13:35:06 [email protected]
    (host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    99A9E11816F2 1501 Mon Dec 1 10:19:23 [email protected]
    (host mta5.am0.yahoodns.net[98.138.112.35] said: 450 4.2.1 User is receiving mail too quickly (in reply to RCPT TO command))
    [email protected]
    
    975551181A8F 3733 Mon Dec 1 13:31:06 [email protected]
    (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    9AFC71180513 3742 Mon Dec 1 12:32:52 [email protected]
    (host gateway-f2.isp.att.net[207.115.11.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    90C571181701 1498 Mon Dec 1 10:19:20 [email protected]
    (host mta7.am0.yahoodns.net[98.138.112.32] said: 421 4.7.0 [GL01] Message from (62.210.211.233) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html (in reply to MAIL FROM command))
    [email protected]
    
    57DAF1181AE8 3727 Mon Dec 1 13:50:14 [email protected]
    (host mta7.am0.yahoodns.net[66.196.118.36] said: 421 4.7.0 [GL01] Message from (62.210.211.233) temporarily deferred - 4.16.50. Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html (in reply to MAIL FROM command))
    [email protected]
    
    573CB1181A87 3747 Mon Dec 1 13:35:07 [email protected]
    (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 550-62.210.211.233 blocked by ldap:ou=rblmx,dc=att,dc=net 550 Error - Blocked for abuse. See http://att.net/blocks)
    [email protected]
    
    55CC311815AC 1480 Sun Nov 30 23:34:43 [email protected]
    (host mailin-03.mx.aol.com[152.163.0.67] said: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html (in reply to end of DATA command))
    [email protected]
    
    4713011816B2 1489 Mon Dec 1 10:19:20 [email protected]
    (host mailin-02.mx.aol.com[152.163.0.99] said: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html (in reply to end of DATA command))
    [email protected]
    
    4FFE811816C6 1501 Mon Dec 1 10:19:21 [email protected]
    (host mta6.am0.yahoodns.net[98.138.112.34] said: 450 4.2.1 User is receiving mail too quickly (in reply to RCPT TO command))
    [email protected]
    
    4543C118107B 3750 Mon Dec 1 12:41:16 [email protected]
    (connect to offerings.com[72.52.10.14]:25: Connection refused)
    [email protected]
    
    4FC2811819BD 3779 Mon Dec 1 13:10:33 [email protected]
    (connect to lakelandshops.com[69.64.147.249]:25: Connection timed out)
    [email protected]
    
    -- 89 Kbytes in 24 Requests.
    
    That's what I'm getting, and it matches up with what the ISPConfig panel shows.

    I've also changed the email account password and set it to disable sending and not use either POP or IMAP.

    I know I could just delete the account, but it's connected to my SSL cert and it's also the webmaster account.
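Till's point, that bounces alone do not prove the server sent anything, is settled by what is actually sitting in the queue. The script below is an added example (mine, not from the thread or from ISPConfig) that parses `postqueue -p` output and summarises it: how many messages, how many are active, one local sender or many, how many destination domains, and whether the remote side answered 5xx, 4xx or could not be reached at all. The listing embedded in it is constructed to look like the one above; on a live box feed it the real queue with `postqueue -p | python3 queue_triage.py -` (the file name is my choice).

```python
"""Triage a Postfix queue listing (postqueue -p): outbound spam or just backscatter?

Added example, not from the original thread. Parses the text postqueue -p prints and
summarises who is sending, to which domains, and why delivery is failing.
"""
import re
from collections import Counter

# Constructed sample in postqueue -p format; hosts, addresses and queue IDs are made up.
SAMPLE_QUEUE = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
04CE011805F9     3768 Mon Dec  1 12:32:53  webmaster@example.org
(host mx.example-isp.test[198.51.100.10] refused to talk to me: 550-203.0.113.5 blocked by ldap:ou=rblmx 550 Error - Blocked for abuse.)
                                         victim1@example-isp.test

8B6D411819D3*    3753 Mon Dec  1 13:22:44  webmaster@example.org
                                         victim2@example.net

73A461181A02     3736 Mon Dec  1 13:22:43  webmaster@example.org
(Host or domain name not found. Name service error for name=nosuch.example type=MX: Host not found, try again)
                                         victim3@nosuch.example

69D2611816FE     1516 Mon Dec  1 10:19:20  webmaster@example.org
(host mta.example.com[192.0.2.25] said: 450 4.2.1 User is receiving mail too quickly (in reply to RCPT TO command))
                                         victim4@example.com
                                         victim5@example.com

-- 15 Kbytes in 4 Requests.
"""

# Queue ID, optional status flag (* = in the active queue, ! = on hold), size,
# arrival time and envelope sender; recipients follow on indented lines.
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)
SMTP_CODE_RE = re.compile(r"\b([45])\d\d\b")   # first 4xx/5xx reply in a deferral reason


def parse_queue(text):
    """Return one dict per queued message: qid, active, hold, size, arrival,
    sender, recipients (list) and reason (last deferral text, '' if none)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("-Queue ID-"):
            continue
        if line.startswith("--") and "Requests" in line:   # trailing summary line
            break
        m = ENTRY_RE.match(line)
        if m:
            cur = {"qid": m["qid"], "active": m["flag"] == "*", "hold": m["flag"] == "!",
                   "size": int(m["size"]), "arrival": m["arrival"],
                   "sender": m["sender"], "recipients": [], "reason": ""}
            entries.append(cur)
        elif cur is not None and line.lstrip().startswith("("):
            cur["reason"] = line.strip()[1:-1]              # strip the parentheses
        elif cur is not None:
            cur["recipients"].append(line.strip())
    return entries


def classify_reason(reason):
    """'5xx' = remote rejected, '4xx' = remote deferred, 'other' = DNS/connect
    failure, 'none' = no delivery attempt recorded yet."""
    if not reason:
        return "none"
    m = SMTP_CODE_RE.search(reason)
    return m.group(1) + "xx" if m else "other"


def summarise(text):
    entries = parse_queue(text)
    senders = Counter(e["sender"] for e in entries)
    domains = Counter(r.rsplit("@", 1)[-1].lower() for e in entries for r in e["recipients"])
    return {
        "messages": len(entries),
        "active": sum(e["active"] for e in entries),
        "senders": senders,
        "recipient_domains": domains,
        "reasons": Counter(classify_reason(e["reason"]) for e in entries),
        # One local sender fanning out to many unrelated domains is outbound spam;
        # backscatter would be bounces addressed TO you, not queued mail FROM you.
        "looks_like_outbound_spam": len(entries) >= 3 and len(senders) == 1 and len(domains) >= 3,
    }


if __name__ == "__main__":
    import sys
    # Live use: postqueue -p | python3 queue_triage.py -   (otherwise the sample runs)
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_QUEUE
    for key, value in summarise(data).items():
        print(f"{key}: {value}")
```

A queue like the one above, dozens of messages from a single local address to many unrelated domains with remote MXes answering 550 "blocked for abuse", means the server itself is the source and its IP is already on blocklists. Backscatter looks different: bounces addressed to you, not queued mail from you. Bear in mind that `postqueue -p` only shows what has not been delivered yet; the messages that did get out are only visible in the mail log.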
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    OK, the next thing you have to find out is whether the mail was sent by an authenticated email account or by a PHP script in a website. With the following command you can check the content of the emails:

    postcat /var/spool/postfix/deferred/4/4543C118107B


    Please post all mail headers that you get with this command.

    Do not delete any accounts. This has no influence on the mail in the queue anyway.
     
  5. ginner159

    ginner159 New Member

    Code:
    @srv1:~# postcat /var/spool/postfix/deferred/4/4
    41EB01181C40  490AD1181B9D  4FFE811816C6
    4543C118107B  4CE371181B17  
    4713011816B2  4FC2811819BD  
    root@srv1:~# postcat /var/spool/postfix/deferred/4/4543C118107B 
    *** ENVELOPE RECORDS /var/spool/postfix/deferred/4/4543C118107B ***
    message_size:            3750             634               1               0            3750
    message_arrival_time: Mon Dec  1 12:41:16 2014
    create_time: Mon Dec  1 12:41:16 2014
    named_attribute: log_ident=4543C118107B
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=39665
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=39665
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]: [email protected]
    *** MESSAGE CONTENTS /var/spool/postfix/deferred/4/4543C118107B ***
    Received: from localhost (localhost [127.0.0.1])
            by srv1.mdhosting.co.uk (Postfix) with ESMTP id 4543C118107B
            for <[email protected]>; Mon,  1 Dec 2014 12:41:16 +0100 (CET)
    X-Virus-Scanned: Debian amavisd-new at srv1.mdhosting.co.uk
    Received: from srv1.mdhosting.co.uk ([127.0.0.1])
            by localhost (srv1.mdhosting.co.uk [127.0.0.1]) (amavisd-new, port 10024)
            with ESMTP id 2gPYrwxWTtN3 for <[email protected]>;
            Mon,  1 Dec 2014 12:41:16 +0100 (CET)
    Received: by srv1.mdhosting.co.uk (Postfix, from userid 5004)
            id DCF121180ABB; Mon,  1 Dec 2014 12:41:14 +0100 (CET)
    To: [email protected]
    Subject: Acceptance of Order
    X-PHP-Originating-Script: 5004:.options36.php(235) : eval()'d code
    From: "Costco" <[email protected]>
    X-Mailer: Achi-KochiMailLitever1.00
    Reply-To: "Costco" <[email protected]>
    Mime-Version: 1.0
    Content-Type: multipart/alternative;boundary="----------1417434074547C53DAD9C90"
    Message-Id: <[email protected]>
    Date: Mon,  1 Dec 2014 12:41:14 +0100 (CET)
    
    ------------1417434074547C53DAD9C90
    Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
    Content-Transfer-Encoding: 7bit
    
    
    
    
     
      &nbsp;
     
     
      
      
      
      Costco
      
      
      
      
      
      
      &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHOLESALE
      
      
      
     
     
      &nbsp;
      &nbsp;
      &nbsp;
     
     
      
      
      Our online store Costco.com received an order and the personal data of the recipient coincide with yours.
        You may get your order in the nearest Local Store.
        
        Attention! Your order can be reserved within 4 days.
        
        You may see order details here.
        
        Happy Thanksgiving Day!
        
        Truly yours,
        Costco.com
      
      &nbsp;
     
     
      
      1998 - 
      2014
      Costco Wholesale Corporation
      All rights reserved
     
    
    
    
    
    ------------1417434074547C53DAD9C90
    Content-Type: text/html; charset="ISO-8859-1";
    Content-Transfer-Encoding: 7bit
    
    <html>
    <body>
    <table border="0" width="718" height="296" 
    style="border-collapse: collapse">
     <tr>
      <td bgcolor="#666666" width="716" colspan="3" height="27">&nbsp;</td>
     </tr>
     <tr style="line-height:0.7">
      <td bgcolor="#EFEFEF" width="716" colspan="3" height="41">
      <span style="letter-spacing: -3px;font-size:24pt;color:#E51937">
      <font face="Arial Black">
      Costco
      </font>
      </span>
      <font face="Arial Black">
      <span style="letter-spacing: -2px">
      </span>
      <span style="letter-spacing: -1px;"><br>
      <font size="2" color="#0058A9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WHOLESALE</font>
      </span>
      </font>
      </td>
     </tr>
     <tr>
      <td width="201" bgcolor="#4385BE" height="24">&nbsp;</td>
      <td width="315" bgcolor="#3E729F" height="24">&nbsp;</td>
      <td width="196" bgcolor="#4385BE" height="24">&nbsp;</td>
     </tr>
     <tr>
      <td width="716" colspan="3"><br>
      <div style="position:relative;font-family: Arial,sans-serif;font-size:10pt;left:10px">  Our online store Costco.com received an order and the personal data of the recipient coincide with yours.<br>
        You may get your order in the nearest Local Store.<br>
        <br>
        Attention! Your order can be reserved within 4 days.<br>
        <br>
        You may see order details <a href="http://asobit.ir/login.php?c=b5lpahITSPg5T82RTQYg1P68fk7rOzvByFfD5aObqiE=">here</a>.<br>
        <br>
        Happy Thanksgiving Day!<br>
        <br>
        Truly yours,<br>
        Costco.com
      </div>
      &nbsp;</td>
     </tr>
     <tr>
      <td width="716" colspan="3" bgcolor="#ABABAB" height="41">
      <p align="right"><font color="#333333" face="Arial" size="1">1998 - 
      2014<br>
      Costco Wholesale Corporation<br>
      All rights reserved</font></td>
     </tr>
    </table>
    </body>
    </html>
    
    ------------1417434074547C53DAD9C90--
    *** HEADER EXTRACTED /var/spool/postfix/deferred/4/4543C118107B ***
    *** MESSAGE FILE END /var/spool/postfix/deferred/4/4543C118107B ***
    
    The message box is now up to 800+ with failed mails :/
     
    Last edited: Dec 1, 2014
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The relevant line is this one:

    X-PHP-Originating-Script: 5004:.options36.php(235) : eval()'d code

    It shows that the spam is sent through a hacked website on your server; the file that contains the spam-sending code is .options36.php

    Try to search for it with:

    find /var/www/ | grep .options36.php
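The header Till points to is written by PHP itself when `mail.add_x_header` is enabled in php.ini: every message sent through `mail()` gets the calling uid and script name, and `eval()'d code` when the mailer was assembled at run time, which is exactly what the dump above shows. The script below is an added example, not code from the thread or from ISPConfig. It parses `postcat -q <QUEUE_ID>` output in the same layout as the dump (the two samples inside it are constructed) and classifies the origin as a local PHP script, a SASL-authenticated mailbox (Postfix records `sasl_username` in the queue file and, with `smtpd_sasl_authenticated_header = yes`, an `Authenticated sender:` clause in Received), a local uid without the PHP header, or a remote SMTP client. With the uid in hand, `getent passwd 5004` names the web user; on an ISPConfig host each site runs under its own web user, so that points at the site.

```python
"""Decide how a queued message entered Postfix, from `postcat -q <QUEUE_ID>` output.

Added example, not part of the original thread: tells a local PHP script (X-PHP-
Originating-Script, or "from userid N" in Received) from a SASL-authenticated
submission or mail relayed from a remote host.
"""
import re

# Constructed postcat output modelled on the layout in the thread; host names,
# queue IDs, the uid and the script name are made up.
SAMPLE_PHP = """\
*** ENVELOPE RECORDS /var/spool/postfix/deferred/A/AB12CD34EF56 ***
sender: webmaster@example.org
named_attribute: client_address=127.0.0.1
original_recipient: victim@example.com
*** MESSAGE CONTENTS /var/spool/postfix/deferred/A/AB12CD34EF56 ***
Received: from localhost (localhost [127.0.0.1])
        by mail.example.org (Postfix) with ESMTP id AB12CD34EF56
Received: by mail.example.org (Postfix, from userid 5004)
        id DCF121180ABB; Mon,  1 Dec 2014 12:41:14 +0100 (CET)
Subject: Acceptance of Order
X-PHP-Originating-Script: 5004:.cache-mailer.php(235) : eval()'d code

body text
*** MESSAGE FILE END /var/spool/postfix/deferred/A/AB12CD34EF56 ***
"""
# Same layout for a message submitted over SASL by a (possibly phished) mailbox.
SAMPLE_SASL = """\
*** ENVELOPE RECORDS /var/spool/postfix/active/B/B1234567890 ***
sender: user@example.org
named_attribute: client_address=203.0.113.7
named_attribute: sasl_method=PLAIN
named_attribute: sasl_username=user@example.org
*** MESSAGE CONTENTS /var/spool/postfix/active/B/B1234567890 ***
Received: from [203.0.113.7] (unknown [203.0.113.7])
        (Authenticated sender: user@example.org)
        by mail.example.org (Postfix) with ESMTPSA id B1234567890
Subject: hello
"""

# uid:script(line) [: eval()'d code], as written by PHP's mail.add_x_header
PHP_ORIG_RE = re.compile(r"^(\d+):(.*?)(?:\((\d+)\))?(?:\s*:\s*(eval\(\)'d code))?\s*$")
USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")
AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")


def parse_postcat(text):
    """Return (envelope attributes dict, [(lower-cased header name, value), ...])."""
    attrs, headers, section = {}, [], None
    for line in text.splitlines():
        if line.startswith("*** "):
            section = ("env" if "ENVELOPE RECORDS" in line
                       else "msg" if "MESSAGE CONTENTS" in line else None)
        elif section == "env":
            if line.startswith("named_attribute: "):
                k, sep, v = line[len("named_attribute: "):].partition("=")
            else:
                k, sep, v = line.partition(": ")
            if sep:
                attrs[k.strip()] = v.strip()
        elif section == "msg":
            if line == "":
                section = None                      # blank line ends the headers
            elif line[:1] in " \t" and headers:     # folded continuation line
                headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
            else:
                k, _, v = line.partition(":")
                headers.append((k.strip().lower(), v.strip()))
    return attrs, headers


def classify_origin(text):
    """origin in {local_php_script, authenticated_smtp, local_uid, remote_smtp, unknown}."""
    attrs, headers = parse_postcat(text)
    hdr = {}
    for k, v in headers:
        hdr.setdefault(k, []).append(v)
    res = {"origin": "unknown", "uid": None, "script": None, "evald": False,
           "sasl_username": attrs.get("sasl_username"),
           "client_address": attrs.get("client_address")}
    received = hdr.get("received", [])
    # 1. PHP mail() on this host: the uid and script name are in the header itself
    for v in hdr.get("x-php-originating-script", []):
        m = PHP_ORIG_RE.match(v)
        if m:
            res.update(origin="local_php_script", uid=int(m.group(1)),
                       script=m.group(2), evald=m.group(4) is not None)
            return res
    # 2. SASL login: queue-file attribute, or the clause Postfix adds to Received
    #    when smtpd_sasl_authenticated_header = yes
    auth = next((m.group(1) for m in map(AUTH_RE.search, received) if m), None)
    if res["sasl_username"] or auth:
        res.update(origin="authenticated_smtp", sasl_username=res["sasl_username"] or auth)
        return res
    # 3. Local pickup via sendmail(1) without the PHP header: still tells you the uid
    uid = next((m.group(1) for m in map(USERID_RE.search, received) if m), None)
    if uid:
        res.update(origin="local_uid", uid=int(uid))
        return res
    # 4. Otherwise it came in over SMTP from the recorded client address
    if res["client_address"] and res["client_address"] != "127.0.0.1":
        res["origin"] = "remote_smtp"
    return res


if __name__ == "__main__":
    import sys
    # Live use: postcat -q <QUEUE_ID> | python3 mail_origin.py -   (else the sample runs)
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_PHP
    print(classify_origin(data))
```

The two outcomes call for different responses: a PHP origin means a web site is compromised and resetting mailbox passwords, as was done earlier in this thread, changes nothing; a SASL origin means a mailbox credential leaked and the web sites are probably fine. If `mail.add_x_header` is off the PHP header is absent and the script falls back to the `from userid` clause, which still identifies the site user but not the file.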
     
  7. ginner159

    ginner159 New Member

    Fixed!

    Thank you so much for your help! It turns out one of my clients had not updated WordPress in ages and one of the plugins had been compromised. They have now fixed it and the file has been removed.

    Thanks till Cham as always
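The `find ... | grep` above locates the file once its name is known from the header. When `mail.add_x_header` is off, or the dropper has been renamed, the hunt has to go by content instead. The following is an added example of that hunt, my own code rather than anything posted in the thread or shipped with ISPConfig: it walks a document root, scores every PHP file (hidden dotfiles like `.options36.php` included) on the traits a mailer dropper tends to have, `eval()` of decoded or request-supplied data, base64/gzinflate/rot13 decoders, `preg_replace` with the `/e` modifier, very long base64-like strings, and ranks the hits. The three sample files it writes into a temporary directory are constructed, and their names are my inventions. On a real host run it as `python3 php_hunt.py /var/www`.

```python
"""Hunt for PHP spam droppers by content rather than by file name.

Added example, not from the original thread: walks a web root, scores every PHP
file (hidden dotfiles included) on the traits a mailer dropper tends to have, and
ranks the hits.
"""
import os
import re
import tempfile

# (pattern, weight, label); the weights are a judgement call, tune them to your hosts
INDICATORS = [
    (r"\beval\s*\(", 3, "eval()"),
    (r"\bassert\s*\(\s*\$", 3, "assert() on a variable"),
    (r"\bbase64_decode\s*\(", 2, "base64_decode()"),
    (r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decoder call"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", 3, "preg_replace /e"),
    (r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", 1, "request input"),
    (r"\bmail\s*\(", 1, "mail()"),
    (r"[A-Za-z0-9+/=]{120,}", 2, "long base64-like blob"),
    (r"\\x[0-9a-f]{2}\\x[0-9a-f]{2}\\x[0-9a-f]{2}", 2, "hex-escaped string"),
]
# eval() fed straight from a decoder or from request input is the classic dropper
EVAL_INPUT_RE = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|"
    r"\$_(?:POST|GET|REQUEST|COOKIE))", re.IGNORECASE)


def scan_php_source(src):
    """Return (score, [labels]) for one PHP source string."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, src, re.IGNORECASE):
            score += weight
            hits.append(label)
    if EVAL_INPUT_RE.search(src):
        score += 4
        hits.append("eval of decoded/request data")
    return score, hits


def scan_tree(root, min_score=3):
    """Score every *.php/*.phtml under root; return findings sorted high to low."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    score, hits = scan_php_source(fh.read())
            except OSError:
                continue
            if name.startswith("."):          # .options36.php-style hidden file
                score += 2
                hits.append("hidden dotfile")
            if score >= min_score:
                findings.append({"path": os.path.relpath(path, root),
                                 "score": score, "hits": hits})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample files (made up for this example): a clean plugin, a hidden
# dropper in uploads/, and a legitimate library that happens to call base64_decode().
SAMPLE_FILES = {
    "wp-content/plugins/shop/shop.php":
        "<?php\nfunction shop_init() { add_action('init', 'shop_run'); }\n",
    "wp-content/uploads/.cache-mailer.php":
        "<?php\n$c = $_POST['c'];\n@eval(base64_decode($c));\n",
    "wp-includes/class-phpmailer.php":
        "<?php\n$bin = base64_decode($attachment); // legitimate decoder use\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan-")
    for rel, src in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    import sys
    # Live use: python3 php_hunt.py /var/www   (otherwise the sample tree is scanned)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(root):
        print(f"{f['score']:3d}  {f['path']}  [{', '.join(f['hits'])}]")
```

Scores rank, they do not convict: legitimate libraries call `base64_decode()`, so read the top hits, and compare their owner and modification time with the site's own files, rather than deleting on sight. Removing the dropper alone also does not close the hole it came through; the fix this thread ends with, bringing the neglected WordPress install and its plugin up to date, is what stops the reinfection.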
     
