Looking for help regarding malware on ispconfig 3.2.12

Discussion in 'General' started by hadizeid, Sep 12, 2024.

  1. hadizeid

    hadizeid Member

    Hello Gurus.
    Today started with a bunch of emails from our hosting data-center saying that one of our IPs had received abuse complaints.
    First I checked the rspamd log and saw the attached image below. My first thought was that it was related to an infected PC, then I realized it is the web server itself.
    The server is the perfect server using Debian 10 buster with Nginx.
    [attached image: rspamd log screenshot]
    The email address which is sending spam is not a valid email under that domain,
    so my first question is how did it go through, since it is an unauthenticated email, and is there a way to limit this?
    My second thing is that in the root web folder the index.php file seems compromised, but whenever we delete it a new index.php is auto-generated.
    The same thing happens for a folder in the root named images containing one jpg file named toggige-arrow.jpg.
    Whenever I delete them, they are auto-generated again.
    How or from where should I start to identify the initial reason for this?

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is likely that one of your websites is infected. Websites do not need to authenticate themselves for email on the server they run on; otherwise, the PHP mail() function would not work. So there is nothing wrong with your mail system here. You might want to clean the mail queue though if there is still spam left that has not been sent yet:

    https://www.faqforge.com/linux/how-to-find-out-who-sent-a-email-in-postfix-mailqueue/

    and especially:

    https://www.faqforge.com/linux/serv...ail-queue-with-postsuper-postqueue-und-mailq/

    They appear again because the malware is still active in that website. You must clean the whole website to get rid of it. You can e.g. scan the site with ISPProtect; the first scan is free:

    https://ispprotect.com/

    If possible, you should consider temporarily deactivating the site in ISPConfig, then kill all processes that still run under the web user of that site, if any.

    And you should also check that the malware has not created a cronjob. If the website e.g. has the ID 5, then the command to check user web5 is:

    crontab -l -u web5
     
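The queue clean-up and the web-user checks from the post above, as an added example that is not part of the thread: a small shell helper set that summarizes a `postqueue -p` listing by envelope sender, extracts the queue IDs of one sender for `postsuper -d -`, and lists a site's lingering processes and crontab. It assumes the standard Postfix `postqueue -p` output format; the queue listing, the sender address and the user name web5 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): triage spam that a web user injected
# into the local Postfix queue. Assumes the standard `postqueue -p` listing
# format; the sender, queue IDs and user web5 below are constructed.

# Constructed sample of `postqueue -p` output. Two queued messages claim a
# sender that does not exist under the domain; one is from a real mailbox.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*     4512 Thu Sep 12 09:01:02  bogus@domainxxx.com
                                         someone@example.net
4B2C3D4E5F      4498 Thu Sep 12 09:01:05  bogus@domainxxx.com
                                         other@example.org
5C3D4E5F60!     1024 Thu Sep 12 09:10:44  real.user@domainxxx.com
                                         friend@example.com

-- 10 Kbytes in 3 Requests.'

# Count queued messages per envelope sender (stdin: `postqueue -p` output).
# Queue-ID lines start with a hex ID, optionally suffixed * (active) or
# ! (on hold); the sender is the last field. Indented recipient lines, the
# header and the trailing summary never match the ID pattern and are skipped.
queue_senders() {
  awk '$1 ~ /^[0-9A-F]+[*!]?$/ { print $NF }' | sort | uniq -c | sort -rn
}

# Print the bare queue IDs of every message from one sender. `postsuper -d -`
# deletes the IDs it reads on stdin, so this can be piped straight into it.
queue_ids_from() {
  awk -v s="$1" '$1 ~ /^[0-9A-F]+[*!]?$/ && $NF == s { sub(/[*!]$/, "", $1); print $1 }'
}

# After the site is deactivated in ISPConfig: show what the site's web user
# still has running and scheduled. ISPConfig names the user webN for site
# ID N (web5 here is hypothetical). Needs root for another user's crontab.
inspect_web_user() {
  ps -u "$1" -o pid=,etime=,args=      # lingering PHP/perl/shell processes
  crontab -l -u "$1" 2>/dev/null       # persistence via the user's crontab
}

# Real usage on the server (not run here):
#   postqueue -p | queue_senders
#   postqueue -p | queue_ids_from bogus@domainxxx.com | postsuper -d -
#   inspect_web_user web5 && pkill -u web5
```

Run `printf '%s\n' "$SAMPLE_QUEUE" | queue_senders` to see the per-sender counts for the constructed queue; on a real server replace the sample with `postqueue -p`. Deleting by sender is deliberate: `postsuper -d ALL` would also drop legitimate mail from the other sites on the box.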
  3. pyte

    pyte Well-Known Member HowtoForge Supporter

    The IP address column shows that the sending client is localhost itself. If you host websites and mail on the same server, a client that uses the PHP mail() function, for example, does not need to authenticate to send mail from this system; if the system hosts the mail services, it will still pass rspamd for outgoing mail, as we can see in this case.

    If you can identify which webspace is causing this and the files reappear over and over again, it would be wise to disable/remove or change the password of any SSH/FTP users for this webspace.
     
  4. hadizeid

    hadizeid Member

    I did a restart of the server and now I am unable to access the ISPConfig panel.
    It gives me an "unable to connect" error.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Then you must login by ssh and check why the Apache or Nginx web server no longer starts.
     
  6. hadizeid

    hadizeid Member

    Yes, nginx is not starting.
    It shows this error:

    nginx: [emerg] "client_header_buffer_size" directive is not allowed here in /etc/nginx/sites-enabled/100-domainxxx.com.vhost:133
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Edit the file /etc/nginx/sites-enabled/100-domainxxx.com.vhost, comment out that line, and try again.
     
  8. hadizeid

    hadizeid Member

    Thanks @till
    It showed a couple of lines which I commented out, and then things worked out.
    After this I was able to delete the index.php file and the images folder with the file in it, and they were not auto-generated again.
    The website is a WordPress website, so I replaced the index.php with the one from the original WordPress files and all is OK now.
    The client has Wordfence installed, so a scan from it is running, and on my side I have a per-scan ISPProtect license which I will use to check as well.

    @pyte yes, that was the first thing done. SSH/FTP/DB and admin logins were all reset. I also asked them to reset the email passwords as an extra precaution.
    I will get back to your generous support if I face more issues.
    Thanks a lot
     
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Is WordPress fully up to date? An older version of WP/theme/plugin with a known vulnerability is a normal way in.

    Scanning everything is good. Personally, I would export the DB and check the whole DB file carefully,
    and copy the /wp-content/uploads folder into /private, along with any customized files (wp-config.php, any changed theme files etc.).
    Then wipe out everything and install a new, fresh, up-to-date WP, theme and plugins.
    Thoroughly check everything in the saved uploads folder (I do mean everything; the buggers regularly hide code as fake image files).
    Then copy the saved uploads folder back to /web/wp-content/.

    Whilst scanning a whole site can work, it is also very easy to miss something the hackers have changed, and they are straight back in again.
    This method at least ensures that all actual code files are clean, and it also minimises the number of files you still need to check.
     
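The "check everything in the saved uploads folder" step from the post above, as an added example that is not part of the thread: two POSIX shell checks to run over the copied wp-content/uploads tree before restoring it. Uploads should contain only media, so a file with an image extension that either contains PHP tags or does not start with the format's magic bytes deserves a look. It assumes POSIX find, grep and od; the file names and contents used to exercise it are constructed (toggige-arrow.jpg is borrowed from the thread as a sample name only).

```shell
#!/bin/sh
# Added example (not from the thread): flag files in a saved uploads folder
# that claim to be images but are not. Assumes POSIX find/grep/od.

# (a) Image-named files whose bytes contain PHP open tags or the usual
# obfuscation calls. -a makes grep treat binaries as text; LC_ALL=C stops
# grep choking on non-UTF-8 bytes. grep exits 1 when nothing matches, so
# find's status is discarded.
find_fake_images() {
  LC_ALL=C find "$1" -type f \
    \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
    -exec grep -l -a -E '<\?php|<\?=|eval\(|base64_decode\(' {} + 2>/dev/null || true
}

# (b) Image-named files whose leading bytes are not the format's signature:
# JPEG ff d8 ff, PNG 89 50 4e 47, GIF 47 49 46 ("GIF"). A PHP file simply
# renamed to .jpg fails this even when it avoids the strings grep looks for.
# Note the reverse case: a real image with PHP appended passes (b) and is
# only caught by (a), which is why both checks are run.
magic_mismatch() {
  find "$1" -type f \
    \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) |
  while IFS= read -r f; do
    case "$f" in
      *.[jJ][pP][gG]|*.[jJ][pP][eE][gG]) want=ffd8ff ;;
      *.[pP][nN][gG])                    want=89504e47 ;;
      *)                                 want=474946 ;;
    esac
    have=$(od -An -tx1 -N4 "$f" | tr -d ' \n')   # first 4 bytes as hex
    case "$have" in
      "$want"*) ;;                                # signature present
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Real usage on the saved copy (not run here):
#   find_fake_images /var/www/clients/client1/web5/private/uploads
#   magic_mismatch   /var/www/clients/client1/web5/private/uploads
```

Both functions print one path per line, so the output can be fed to `less`, `xargs file` or a ticket. The two checks are complementary: the grep catches polyglots (a valid image with PHP appended, which some misconfigured handlers will still execute), while the magic check catches renamed scripts that avoid the obvious strings.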
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You should not hijack threads not related to your question.
    You can remove your question now that it has been resolved in the new thread you created.
     
  11. abintipl

    abintipl Member HowtoForge Supporter

    Sir,

    Let me clarify: I had no intention of hijacking, nor have I hijacked, any of the threads.

    Definitely, this thread is different from the thread I posted yesterday, which got resolved.

    The problem was from the Contabo data center for over 40 hours, and it has been resolved now too.

    I am removing this thread, and my sincere apologies for any inconvenience caused.

    Thank you !
     
