Code:
2015-02-12 11:30 hosting.swisogroup.ro Debug Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
2015-02-12 11:29 hosting.swisogroup.ro Debug There is already an instance of server.php running. Exiting.

As the title says, ISPConfig throws me this error. I tried deleting the .ispconfig_lock file and nothing happened. I believe there are two separate errors and they don't start from the same core but idk, I'm not an ISP specialist and I would really appreciate and need some help.

The problem is that I try to send an email via a PHP script (to localhost and/or other email addresses) but it fails to work.

System-Log:
Feb 12 11:30:03 hosting postfix/qmgr[3815]: 043FD4A1C12: from=<concepcion_downs@repereeconomice.ro>, size=1250, nrcpt=1 (queue active)
Feb 12 11:30:03 hosting postfix/error[19307]: 0B4284A760E: to=<alansito78@outlook.com>, relay=none, delay=87377, delays=87376/0.03/0/0.07, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx4.hotmail.com[207.46.8.167] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/error[19318]: 0DC6A4466BB: to=<papergangstah@hotmail.com>, relay=none, delay=41393, delays=41392/0.04/0/0.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.92.184] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/error[19257]: 03D02456766: to=<jayford@hotmail.com>, relay=none, delay=387844, delays=387843/0.03/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.92.184] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/error[19255]: 00BC1447A2E: to=<waraimba@yahoo.com>, relay=none, delay=410812, delays=410811/0.01/0/0.06, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.136.217.203] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/error[19262]: 0104745F5D2: to=<krazzer96@hotmail.com>, relay=none, delay=225118, delays=225117/0.04/0/0.08, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.92.184] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/qmgr[3815]: 0B6DC485E5B: from=<shelley_mcdaniel@repereeconomice.ro>, size=1507, nrcpt=1 (queue active)
Feb 12 11:30:03 hosting postfix/error[19308]: 69E6744368B: to=<jaco_j12@hotmail.com>, relay=none, delay=0.16, delays=0.1/0.02/0/0.04, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.92.184] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/error[19306]: 09D1A500CF0: to=<busterroberts@yahoo.com>, relay=none, delay=75263, delays=75262/0.02/0/0.04, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.136.217.203] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/error[19256]: 05CD450160E: to=<uptownteacher30@aol.com>, relay=none, delay=35162, delays=35162/0.02/0/0.06, dsn=4.0.0, status=deferred (delivery temporarily suspended: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) http://postmaster.info.aol.com/errors/554rtrbl.html 554 Connecting IP: 82.79.230.132)
Feb 12 11:30:03 hosting postfix/error[19314]: 0C3844A91F0: to=<wolfang.black@hotmail.com>, relay=none, delay=68067, delays=68066/0.03/0/0.06, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx2.hotmail.com[65.55.92.184] while sending RCPT TO)
Feb 12 11:30:03 hosting postfix/smtp[13336]: 0FD3C445C8A: host mx00.emig.gmx.net[212.227.15.9] refused to talk to me: 554-gmx.net (mxgmx008) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is black listed. 554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=82.79.230.132&c=bip
Feb 12 11:30:03 hosting pure-ftpd: (?@::1) [INFO] New connection from ::1
Feb 12 11:30:03 hosting pure-ftpd: (?@::1) [INFO] Logout.
Feb 12 11:30:03 hosting postfix/smtpd[19369]: warning: hostname localhost does not resolve to address ::1: No address associated with hostname
Feb 12 11:30:03 hosting postfix/smtpd[19369]: connect from unknown[::1]
Feb 12 11:30:03 hosting postfix/smtpd[19369]: lost connection after CONNECT from unknown[::1]
Feb 12 11:30:03 hosting postfix/smtpd[19369]: disconnect from unknown[::1]
Feb 12 11:30:03 hosting postfix/qmgr[3815]: 086A35044BA: from=<charlene_watts@repereeconomice.ro>, size=1227, nrcpt=1 (queue active)

What is wrong with the server? Afaik, those email addresses look like spam. Any help is greatly appreciated and welcome!
The ispconfig issue and the mail problem are very likely not connected to each other.

For the ispconfig problem: Comment out the server.sh cronjob in the root crontab, then delete the lock file and then run the ispconfig server.sh script manually as root and post the messages that you get on the screen.

For the mail problem: It might be that a website or mail account has been hacked and your server is sending spam now. How many emails do you find in the mailqueue when you run:

postqueue -p
I can't even count them, the queues are spammed!

Code:
E8159507439* 766 Thu Feb 12 08:14:55 yvonne_solis@repereeconomice.ro satiron74@hotmail.com
5ACB9505452* 719 Thu Feb 12 11:57:18 mia_burton@repereeconomice.ro blackdragonofd@hotmail.com
10186508E0C* 787 Thu Feb 12 09:31:34 crystal_hodges@repereeconomice.ro fredfont123@gmail.com
EB87C4E632C* 788 Thu Feb 12 08:00:22 lottie_maldonado@repereeconomice.ro kmk695r@aol.com
52BA5508676* 740 Thu Feb 12 10:48:32 nanette_james@repereeconomice.ro wolf181961@yahoo.com
C13A3506CCE* 831 Thu Feb 12 09:33:48 cathy_brewer@repereeconomice.ro bb29147@gmail.com
A6FE75029AC* 773 Thu Feb 12 11:37:34 angelia_maxwell@repereeconomice.ro shakeshiahagan@yahoo.com
2199244C998* 790 Thu Feb 12 11:58:25 florence_burris@repereeconomice.ro brettellis_97@yahoo.com
20D8344621D* 736 Thu Feb 12 11:14:27 mamie_velez@repereeconomice.ro mchauhan702@gmail.com
4F5ED4C0868* 731 Thu Feb 12 12:04:04 andrea_burch@repereeconomice.ro cyrusfernandez510@gmail.com
2331344E376* 846 Thu Feb 12 10:25:46 gretchen_cooke@repereeconomice.ro b.algy.u.i.p.lk.89.v.c.xsd.f.z.o.ew@gmail.com
277744C4A12* 785 Thu Feb 12 08:27:38 winifred_collier@repereeconomice.ro breebree666@yahoo.com
83D09508EEA* 742 Thu Feb 12 09:32:33 helga_hayden@repereeconomice.ro gistarthur@yahoo.com
2DB2245BBF4* 805 Thu Feb 12 11:26:13 irene_holt@repereeconomice.ro paclauvargas@hotmail.com
96C7444D7D8* 716 Thu Feb 12 09:43:31 noreen_byrd@repereeconomice.ro matthew.lawlis@gmail.com
47990508B69* 743 Thu Feb 12 09:29:43 sarah_padilla@repereeconomice.ro bigdawgtowing73@yahoo.com
4E0D844E54B* 765 Thu Feb 12 11:22:05 gilda_hansen@repereeconomice.ro mudiwababee@yahoo.com
810E0501D8A* 757 Thu Feb 12 09:35:41 aileen_meyers@repereeconomice.ro biggazzer@hotmail.co.uk
C5B844C2854* 764 Thu Feb 12 09:36:36 allyson_howell@repereeconomice.ro bfouts83@yahoo.com
423C4445AED* 733 Thu Feb 12 07:48:37 trudy_joseph@repereeconomice.ro davefurt90@hotmail.com
E4EFE44C50E* 761 Thu Feb 12 09:43:18 tamara_mcgowan@repereeconomice.ro matthew.lane@rocketmail.com

Part of the output ^
Check the mails in the queue with postcat to find out how they were sent:

https://www.howtoforge.com/community/threads/mail-queue-identification.56110/#post-273302

If the mail ID has a * at the end, then it's in the active queue:

postcat /var/spool/postfix/active/C5B844C2854
Code:
*** ENVELOPE RECORDS /var/spool/postfix/active/C5B844C2854 ***
message_size: 764 212 1 0 764
content_filter: amavis:[127.0.0.1]:10024
message_arrival_time: Thu Feb 12 09:36:36 2015
create_time: Thu Feb 12 09:36:38 2015
named_attribute: rewrite_context=local
sender_fullname:
sender: allyson_howell@repereeconomice.ro
*** MESSAGE CONTENTS /var/spool/postfix/active/C5B844C2854 ***
Received: by hosting.swisogroup.ro (Postfix, from userid 5007)
	id C5B844C2854; Thu, 12 Feb 2015 09:36:36 +0200 (EET)
To: bfouts83@yahoo.com
Subject: After playing with lad's dick
X-PHP-Originating-Script: 5007:start.php
From: "Allyson Howell" <allyson_howell@repereeconomice.ro>
Reply-To:"Allyson Howell" <allyson_howell@repereeconomice.ro>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20150212073638.C5B844C2854@hosting.swisogroup.ro>
Date: Thu, 12 Feb 2015 09:36:36 +0200 (EET)

<div> After playing with lad's dick <a href="http://skzevc.ru/wp-includes/js/tinymce/themes/advanced/skins/default/ini.html?YGRtd3ZxOjFCe2NqbW0sYW1v">click here</a> </div>
*** HEADER EXTRACTED /var/spool/postfix/active/C5B844C2854 ***
named_attribute: encoding=8bit
original_recipient: bfouts83@yahoo.com
recipient: bfouts83@yahoo.com
*** MESSAGE FILE END /var/spool/postfix/active/C5B844C2854 ***

I am deeply sorry @till, I don't quite understand everything back here but I don't want to stay on your head either with stupid questions. I did remove the FTP user for "repereeconomice.ro" along with the DNS record. What should I do to stop dem spam?
The spam is sent by a hacked website; the script that sends it is named start.php:

X-PHP-Originating-Script: 5007:start.php

and the userid is 5007. So first you have to find out the username to locate the website:

grep 5007 /etc/passwd

You will get something like web7 or so. The number after the word web is the ID of the website. Then go to that website and find the start.php file. E.g. if the website is named domain.tld:

cd /var/www/domain.tld/web
find . | grep start.php
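The X-PHP-Originating-Script check described above can be run over the whole queue to see how many messages each PHP script injected, and the uid can be matched exactly instead of with a plain grep. This is an added example, not part of the original thread: the function names, the sample messages, the passwd entries and the second script `5012:contact.php` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): tally queued mail per PHP script.

# Read postcat output on stdin; print "count uid:script", busiest first.
tally_scripts() {
    grep -i '^X-PHP-Originating-Script:' |
        sed 's/^[^:]*:[[:space:]]*//' |
        sort | uniq -c | sort -rn |
        sed 's/^ *//'
}

# Map a numeric uid to its login name from a passwd-format file.
# Field 3 is compared exactly, so uid 5007 does not also match 15007
# or a gid of 5007 the way a plain "grep 5007" would.
uid_to_user() {
    awk -F: -v uid="$1" '$3 == uid { print $1 }' "${2:-/etc/passwd}"
}

# Constructed sample: header lines as they appear in postcat output.
sample_postcat() {
cat <<'EOF'
*** MESSAGE CONTENTS /var/spool/postfix/active/AAAA000001 ***
X-PHP-Originating-Script: 5007:start.php
*** MESSAGE CONTENTS /var/spool/postfix/active/AAAA000002 ***
X-PHP-Originating-Script: 5012:contact.php
*** MESSAGE CONTENTS /var/spool/postfix/active/AAAA000003 ***
X-PHP-Originating-Script: 5007:start.php
EOF
}

# Constructed passwd entries (names and paths are placeholders).
sample_passwd() {
cat <<'EOF'
web7:x:5007:5005::/var/www/clients/client1/web7:/bin/false
web12:x:5012:5007::/var/www/clients/client3/web12:/bin/false
web99:x:15007:5006::/var/www/clients/client2/web99:/bin/false
EOF
}

sample_postcat | tally_scripts
# On a live server (as root), feed it the real queue instead:
#   find /var/spool/postfix/active /var/spool/postfix/deferred -type f \
#       -exec postcat {} + | tally_scripts
```

A queue where one uid:script pair accounts for nearly every message points at a single compromised site; several pairs mean more than one site needs cleaning.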
Didn't find that file but I deleted the whole directory and still, when I run postqueue -p, there are lots of spamming queues... I. am. lost.
Deleting the directory just stops that new spam is put in the queue, it will not remove any existing spam that is waiting to be sent. To remove spam from queue, you can either empty the whole queue with:

postsuper -d ALL

or you delete mails by sender:

http://www.faqforge.com/linux/serve...mailqueue-with-postsuper-postqueue-und-mailq/
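Deleting by sender, the alternative to `postsuper -d ALL` mentioned above, comes down to picking the queue IDs whose envelope sender is in the abused domain and passing them to `postsuper -d -`, which leaves legitimate mail in the queue. This is an added example, not part of the original thread: the function name, queue IDs and `.example` addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): select queued mail by sender domain.

# Read "postqueue -p" output on stdin; print the queue IDs whose envelope
# sender is in domain $1. The trailing "*" (active) or "!" (hold) marker is
# stripped because postsuper expects the bare ID.
queue_ids_from_domain() {
    awk -v dom="$1" '
        BEGIN { dom = tolower(dom) }
        # Entry lines start in column 1 with the queue ID; header and
        # summary lines start with "-", recipient lines with a space,
        # and deferral reasons with "(".
        /^[0-9A-Za-z]+[*!]? / {
            id = $1
            sub(/[*!]$/, "", id)
            n = split($7, part, "@")
            if (n == 2 && tolower(part[2]) == dom) print id
        }'
}

# Constructed sample of "postqueue -p" output.
sample_queue() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     764 Thu Feb 12 09:36:36  spam1@hacked-site.example
                                         victim1@mail.example

B2C3D4E5F6      912 Thu Feb 12 09:40:10  alice@good-site.example
(connect to mx.mail.example[192.0.2.10]:25: Connection timed out)
                                         bob@mail.example

C3D4E5F6A7     1250 Thu Feb 12 09:41:02  SPAM2@Hacked-Site.Example
                                         victim2@mail.example

-- 3 Kbytes in 3 Requests.
EOF
}

sample_queue | queue_ids_from_domain hacked-site.example
# Review the list first, then delete on the live server (as root):
#   postqueue -p | queue_ids_from_domain repereeconomice.ro | postsuper -d -
```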
Ok, now it states that mail queue is empty. What do you think? Will I encounter mail spam again after I deleted the whole directory and emptied the mail queue? Anyway, thanks for your assistance, I would have never done it without you! What do you think about the other one, the instance thing?