ACK blasted spammer has gotten me blacklisted... how to fix? and fix?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jan 3, 2016.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I've been hit by a jerk who is spamming an address that I have an ispconfig3 DNS entry for - but NEVER set up any email boxes...
    but the RCPT to field has me in turn spamming a yahoo address and I've been blacklisted by them....
    from maillog
    ---snip---
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD8431B1216: from=<[email protected]>, size=1904, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD9071B2BDC: from=<[email protected]>, size=1789, nrcpt=1
    and I get 'rate limited' messages in my messages ....
    later on:
    Jan 3 06:23:32 ns9 postfix/smtp[29668]: CA5471B3948: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=164335, delays=164334/0/0.67/0.3, dsn=4.7.1, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.1 [TS03] All messages from 74.96.241.34 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/errors/421-ts03.html (in reply to MAIL FROM command))
    ---snip---
    and the RCPT to messages are blasting yahoo.

    at least for now I turned OFF the DNS for the domain as I don't have a website on it; it's just a placeholder.

    anything I can do to prevent this? surely mail that has NO email box on ispconfig should be rejected out of hand - and it's not...


    help :)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the content of the spam email with the postcat command to find out if the email has been sent by an authenticated account or by a hacked website.

    a) If it has been sent by an authenticated account, then change the password of that account.
    b) If this has been sent through a hacked website, then you have to clean the website and remove the malware. Close the hole in the website by installing updates.

    Finally remove the spam emails from mailqueue with the postsuper command.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    panicked a bit and already deleted the mail.
    I stopped it by deactivating the DNS record for the domain.
    there ARE no authenticated users - OR email boxes - and nothing is hosted there.

    apparently mail was being sent to [email protected] a zillion times, with RCPT to a yahoo address..
    and we apparently were sending the receipts and blasting yahoo!

    not seen an attack quite like it
     
  4. craig baker

    craig baker Member HowtoForge Supporter

    from the maillog:
    Jan 3 03:48:30 ns9 postfix/qmgr[13812]: C42071AEFB7: from=<[email protected]>, size=1819, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C657D1ABB6C: from=<[email protected]>, size=1917, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C72B61AD3CB: from=<[email protected]>, size=1829, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CD6DB1B29C7: from=<[email protected]>, size=1611, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C59CC1B0AAA: from=<[email protected]>, size=1827, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C73541AF179: from=<[email protected]>, size=1897, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C300C1B17ED: from=<[email protected]>, size=1849, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C524D1B10EE: from=<[email protected]>, size=1840, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CCAA51B07E9: from=<[email protected]>, size=1852, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CA27D1B251F: from=<[email protected]>, size=1915, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C9E571AB04C: from=<[email protected]>, size=1846, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C7BD51ACE5D: from=<[email protected]>, size=1816, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C5F961B3371: from=<[email protected]>, size=1581, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C76751B2BD8: from=<[email protected]>, size=1945, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CC93E1AE2C3: from=<[email protected]>, size=1799, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C771C1B1D2B: from=<[email protected]>, size=1846, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/error[5593]: C42071AEFB7: to=<[email protected]>, relay=none, delay=282134, delays=282134/0.3/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta7.am0.yahoodns.net[98.136.217.202] while sending RCPT TO)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C644F1B24F2: from=<[email protected]>, size=1859, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C1FD91AC40A: from=<[email protected]>, size=1790, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CA8451B1211: from=<[email protected]>, size=1836, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CE9691B4298: from=<[email protected]>, size=1861, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: CF77A1B371A: from=<[email protected]>, size=1750, nrcpt=1 (queue active)
    Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C79011B5A17: from=<[email protected]>, size=1910, nrcpt=1 (queue active)

    notice that we see a TON of emails all FROM [email protected]
    for example C42071AEFB7 from paullette (at the top) then in the middle goes to [email protected]
    but mtanterominerals has NO valid users so why on earth would ANY of these get relayed?
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    and all the emails appear to be FROM a domain that I host. but it's managed by ispconfig and has no email boxes.

    and how do I get yahoo to talk to me again? says emails are PERMANENTLY deferred!
     
    Last edited: Jan 4, 2016
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The mail log does not contain the relevant information on which website script was hacked, you have to check that in the mail headers with postcat command.

    The from and to addresses don't matter when the emails were sent by a hacked website and your server is not relaying these mails, it is the origin sender when a site got hacked. If you deleted the mails from the mail queue then you can try to find the hacked scripts with a malware scanner like maldetect or you use the free trial from ispprotect.com to scan your server.

    Yahoo will remove your ip from the blacklist when your server is not sending spam anymore and you cleaned the website (removed the hacked scripts).
     
  7. craig baker

    craig baker Member HowtoForge Supporter

    but these lines from maillog:
    35, size: 1343, queued_as: 94A841ABC8C, 1121 ms
    maillog-20160103:Dec 27 16:19:25 ns9 postfix/qmgr[3012]: B29061ABC8C: from=<[email protected]>, size=1804, nrcpt=1 (queue active)
    maillog-20160103:Dec 27 16:19:25 ns9 amavis[29668]: (29668-02-10) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: wZkzbnWuD041, Hits: 13.228, size: 1360, queued_as: B29061ABC8C, 1206 ms
    maillog-20160103:Dec 27 16:19:25 ns9 postfix/qmgr[3012]: DB1411AC2F7: from=<[email protected]>, size=1850, nrcpt=1 (queue active)
    maillog-20160103:Dec 27 16:19:25 ns9 amavis[29423]: (29423-04-14) Passed CLEAN {RelayedOpenRelay}, <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: 7nFF9cVqSw2c, Hits: 13.228, size: 1400, queued_as: DB1411AC2F7, 1253 ms

    seem to show we ARE relaying them - qmgr reports an email from joann_hawkins (no such user no such mailbox) then amavis reports it passed clean and then off it goes to aol.com!

    maldetect has found nothing.
    spoke too soon. maldetect in fact reported
    FILE HIT LIST:
    {HEX}gzbase64.inject.unclassed.15 : /var/www/clients/client0/web21/web/HELP/EbayStory/ebs.php
    {HEX}php.exe.globals.400 : /var/www/clients/client0/web49/web/installationx/sql/joomla.s355
    {HEX}php.exe.globals.400 : /var/www/clients/client0/web49/web/installationx/sql/joomla.s353
    {HEX}php.exe.globals.400 : /var/www/clients/client0/web49/web/installationx/sql/joomla.s354
    {HEX}php.cmdshell.unclassed.359 : /var/www/clients/client0/web10/web/htacess.php
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web10/web/libraries/fof/platform/blog58.php
    {HEX}gzbase64.inject.unclassed.15 : /var/www/clients/client0/web3/web/apps/mailbase/scripts/mb.php
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web29/tmp/1391ae546edaaa6978dea103ce336d6d.zip
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web29/tmp/e4c8e3fcec8360f246d8f9aab7f8470d.zip

    and I suspect the critter is htacess.php. created on 12/29.
    any idea how it GOT there?
    cdb.
     
    Last edited: Jan 4, 2016
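    The log lines in this post only make sense once the qmgr "from=" entries, the amavis "queued_as" entries and the smtp/error "to=" entries are joined on the Postfix queue ID. The script below is an added example (not code from the thread or from ISPConfig) that does that join over a constructed log sample and then flags what the poster describes: senders claiming a hosted domain that has no mailboxes at all, which can only have been injected locally. Domain names, addresses and queue IDs in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the qmgr/amavis/smtp entries quoted in the thread.
# Addresses, hosts and queue IDs are made up.
SAMPLE_LOG = """\
Jan 3 03:48:30 ns9 postfix/qmgr[13812]: C42071AEFB7: from=<alice@hosted.example>, size=1819, nrcpt=1 (queue active)
Jan 3 03:48:31 ns9 amavis[29668]: (29668-02-10) Passed CLEAN {RelayedOpenRelay}, <alice@hosted.example> -> <x@yahoo.example>, Message-ID: <1@hosted.example>, mail_id: wZkz, Hits: 13.228, size: 1360, queued_as: C42071AEFB7, 1206 ms
Jan 3 03:48:31 ns9 postfix/error[5593]: C42071AEFB7: to=<x@yahoo.example>, relay=none, delay=282134, delays=282134/0.3/0/0.05, dsn=4.4.2, status=deferred (delivery temporarily suspended)
Jan 3 03:48:31 ns9 postfix/qmgr[13812]: C657D1ABB6C: from=<bob@hosted.example>, size=1917, nrcpt=1 (queue active)
Jan 3 03:48:32 ns9 postfix/smtp[29668]: C657D1ABB6C: to=<y@yahoo.example>, relay=mx.yahoo.example[192.0.2.1]:25, delay=1, delays=0/0/0.6/0.3, dsn=4.7.1, status=deferred (421 4.7.1 [TS03] permanently deferred)
Jan 3 03:48:33 ns9 postfix/qmgr[13812]: D11111AAAAA: from=<craig@mail.example>, size=900, nrcpt=1 (queue active)
Jan 3 03:48:34 ns9 postfix/smtp[29669]: D11111AAAAA: to=<friend@other.example>, relay=mx.other.example[192.0.2.2]:25, delay=1, delays=0/0/0.5/0.2, dsn=2.0.0, status=sent (250 ok)
"""

QMGR = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>")
DELIVERY = re.compile(r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
                      r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
AMAVIS = re.compile(r"amavis\[\d+\]: .*Passed \w+ \{(?P<policy>\w+)\},.*queued_as: (?P<qid>[0-9A-F]+)")


def correlate(log_text):
    """Join qmgr, amavis and smtp/error lines on the Postfix queue ID: one record per message."""
    records = defaultdict(dict)
    for line in log_text.splitlines():
        if m := QMGR.search(line):
            records[m["qid"]]["from"] = m["from"]
        elif m := DELIVERY.search(line):
            records[m["qid"]].update(to=m["to"], relay=m["relay"], status=m["status"])
        elif m := AMAVIS.search(line):
            records[m["qid"]]["policy"] = m["policy"]
    return dict(records)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def forged_local_senders(records, hosted_domains, mailbox_domains):
    """Queue IDs per sender domain where the domain is hosted here but has no mailboxes:
    no real user can send as it, so the mail was injected locally (e.g. by a web script)."""
    hits = defaultdict(list)
    for qid, rec in records.items():
        dom = domain_of(rec.get("from", ""))
        if dom in hosted_domains and dom not in mailbox_domains:
            hits[dom].append(qid)
    return {dom: sorted(qids) for dom, qids in hits.items()}


def deferred_for(records, recipient_domain):
    """Queue IDs still deferred to one recipient domain (what a 421 TS03 block looks like in the log)."""
    return sorted(qid for qid, rec in records.items()
                  if rec.get("status") == "deferred" and domain_of(rec.get("to", "")) == recipient_domain)
```

Run it against a real maillog by reading the file into correlate() and passing the list of domains ISPConfig hosts and the subset that actually has mailboxes.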
  8. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Show postcat -q ID from a mail, that was not accepted by yahoo. You can find the ID by running mailq.
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    would not help with the mail that is in my queue now - they seem to be legitimate emails that yahoo is refusing.
    problem seems to have started 12/29

    maldet has quarantined the items and I've turned the domain back on - we'll see what happens!
     
  10. craig baker

    craig baker Member HowtoForge Supporter

    curiouser and curiouser.
    I turned on the domain and soon had the bogus mails on my system.
    I copied them off before turning the domain off.
    from the binary:
    --snip--
    872T^Q1451945830 672642A^Vcreate_time=1451945830A^Urewrite_context=localS"[email protected]^Mencoding=7bitA^Wlog_client_name=unknownA^\log_client_address=127.0.0.1A^Ulog_client_port=37774A%log_message_origin=unknown[127.0.0.1]A^Wlog_helo_name=localhostA^Wlog_protocol_name=ESMTPA^Sclient_name=unknownA^[reverse_client_name=unknownA^Xclient_address=127.0.0.1A^Qclient_port=37774A^Shelo_name=localhostA^Sprotocol_name=ESMTPA^Uclient_address_type=2A/dsn_orig_rcpt=rfc822;[email protected]^[email protected]^[email protected]^@N.Received: from localhost (unknown [127.0.0.1])N: by ns9.cdbsystems.com (Postfix) with ESMTP id A66B11A5B3CNH for <[email protected]>; Mon, 4 Jan 2016 22:17:10 +0000 (UTC)N2X-Virus-Scanned: amavisd-new at ns9.cdbsystems.comN/Received: from ns9.cdbsystems.com ([127.0.0.1])NH by localhost (ns9.cdbsystems.com [127.0.0.1]) (amavisd-new, port 10024)N= with ESMTP id EggO2ec6wVh4 for <[email protected]>;N& Mon, 4 Jan 2016 17:17:09 -0500 (EST)N;Received: by ns9.cdbsystems.com (Postfix, from userid 5013)N6 id 03FA61A5883; Mon, 4 Jan 2016 17:17:06 -0500 (EST)N^^To: [email protected]^_Subject: 1 InstaSextMsg WaitingN@X-PHP-Originating-Script: 5013:error64.php(1967) : eval()'d codeN$Date: Mon, 4 Ja
    --snip--

    we can tell it's generated by a script error64.php which maldetect DID NOT FIND on the first scan. but upon scanning it again, there it was!
    --snip--
    HOST: ns9.cdbsystems.com
    SCAN ID: 160104-1717.3143
    STARTED: Jan 4 2016 17:17:43 -0500
    COMPLETED: Jan 4 2016 17:17:45 -0500
    ELAPSED: 2s [find: 2s]

    PATH: /var/www/clients/*/web*/web
    RANGE: 1 days
    TOTAL FILES: 187
    TOTAL HITS: 1
    TOTAL CLEANED: 0

    FILE HIT LIST:
    {HEX}php.base64.v23au.185 : /var/www/clients/client0/web10/web/modules/mod_hg_testimonialbox/tmpl/error64.php => /usr/local/maldetect/quarantine/error64.php.1261713755
    ===============================================
    Linux Malware Detect v1.5 < [email protected] >

    --snip--

    so this got on my system almost immediately - it was not present earlier today.

    now web10 is a DIFFERENT domain - a1electronics.com. but I guess once they get this script on your system they can make it seem to be from any user.

    ideas??
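    The queue-file dump above shows the two headers that tie a queued message back to the site that generated it: Postfix's "Received: by ... (Postfix, from userid N)" and PHP's "X-PHP-Originating-Script: N:script(line)". The following is an added example (not code from the thread or from ISPConfig) that unfolds a header block, extracts those two headers and resolves the uid to the ISPConfig web user and its document root via a passwd entry. The header block, the passwd line and the uid are constructed; the script name and uid mirror the ones quoted in the post.

```python
import re

# Constructed header block, modelled on the queue-file dump quoted in the thread (hostname,
# addresses and queue IDs are made up; the uid and script name follow the thread's example).
SAMPLE_HEADERS = """\
Received: from localhost (unknown [127.0.0.1])
    by ns9.example (Postfix) with ESMTP id A66B11A5B3C
    for <victim@yahoo.example>; Mon, 4 Jan 2016 22:17:10 +0000 (UTC)
X-Virus-Scanned: amavisd-new at ns9.example
Received: by ns9.example (Postfix, from userid 5013)
    id 03FA61A5883; Mon, 4 Jan 2016 17:17:06 -0500 (EST)
To: victim@yahoo.example
Subject: constructed sample
X-PHP-Originating-Script: 5013:error64.php(1967) : eval()'d code
Date: Mon, 4 Jan 2016 17:17:06 -0500
"""
# Constructed /etc/passwd excerpt in ISPConfig's webN naming scheme (uid and path are made up).
SAMPLE_PASSWD = "web10:x:5013:5004::/var/www/clients/client0/web10:/bin/false\n"

RECEIVED_UID = re.compile(r"\(Postfix, from userid (?P<uid>\d+)\)")
PHP_ORIGIN = re.compile(r"X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>[^(]+)\((?P<line>\d+)\)(?P<rest>.*)", re.I)


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def attribute_origin(raw_headers, passwd_text):
    """Map a queued message back to the local Unix user (i.e. the ISPConfig web site) that injected it."""
    uid_to_user = {}
    for entry in passwd_text.splitlines():
        f = entry.split(":")
        if len(f) >= 6:
            uid_to_user[int(f[2])] = (f[0], f[5])
    origin = {"uid": None, "script": None, "line": None, "evald": False}
    for h in unfold(raw_headers):
        if m := RECEIVED_UID.search(h):      # Postfix records the submitting uid for locally injected mail
            origin["uid"] = int(m["uid"])
        elif m := PHP_ORIGIN.match(h):       # written by PHP's mail() when mail.add_x_header is on
            origin.update(uid=int(m["uid"]), script=m["script"].strip(), line=int(m["line"]),
                          evald="eval()" in m["rest"])   # "eval()'d code" = obfuscated payload
    user, home = uid_to_user.get(origin["uid"], (None, None))
    origin.update(user=user, home=home)
    return origin
```

Feed it the header section of a queued message and the contents of /etc/passwd; the X-PHP-Originating-Script header is only present when PHP's mail.add_x_header setting is enabled, so the Received uid is the fallback.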
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you scanned the system with the free ispprotect trial as well? maldetect does not find all malware files, that's why we developed an alternative.

    The domain does not matter, I wrote that already in post #6. You have to update the cms and all its plugins in this website to fix this permanently.
     
  12. craig baker

    craig baker Member HowtoForge Supporter

    installed ispprotect. alas no free trial for me (my laptop rebooted during scan).
    but I paid (of course!) and I'm seeing a number of malware detected.
    some I'm positive are false positives (in cgi installables from 2003!) - but a number seem legit.
    now from what I can tell the malware scanner does not clean, right?
    and one of the ones I'm suspicious of has {HEX}r2h.malware.blue.44
    what IS that? the php files look ok to the eye. how do I confirm?
    and what's the cleaning process?
    thanks
     
  13. florian030

    florian030 Well-Known Member HowtoForge Supporter

    The scanner does not rename / move any detected files. And it's not a good idea to implement such an option.
    Check the php-File. But I don't think that {HEX}r2h.malware.blue.44 is a false-positive.
    Cleaning process: check and remove the files. ;)
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    As Florian mentioned, automatic cleanup is not a good idea as this will likely break your cms and therefore we did not implement that.

    There are 2 ways a file gets infected:

    a) A hacker inserts a new file that contains only hacked code, in this case you can delete the whole file.

    b) A hacker injects code into an existing file, in this case you have to clean that file (remove only the hacked code part) or replace that file with a known good version (e.g. download the sources of that cms system from its vendor, unpack it and upload a new and clean copy of the hacked file). In most cases, the hacked code is inserted at the beginning or end of a file and you can see that it looks strange when compared to the other parts of the file. But it needs a bit of PHP knowledge to differentiate between good and bad code segments, so using the approach to upload a new clean file might be easier if you have no good php knowledge.
     
  15. craig baker

    craig baker Member HowtoForge Supporter

    Think I'm getting a handle on it - got ispprotect installed. but oddly the plugin and version emails are fine but the malware email always gets spammed!
    from its headers:
    ---snip---
    X-Spam-Flag: YES
    X-Spam-Score: 7.198
    X-Spam-Level: *******
    X-Spam-Status: Yes, score=7.198 tagged_above=-999 required=3
    tests=[BAYES_80=2, NO_RELAYS=-0.001, SPOOF_COM2OTH=2.723,
    URIBL_DBL_ABUSE_REDIR=0.001, URI_OBFU_WWW=2.475] autolearn=no

    --snip--

    why is that particular email getting canned?

    I tried adding [email protected] to my whitelist but that is not working...
    the other emails (plugin, version) are from same address and come through as non-spam.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you add it to the postfix whitelist or spamfilter whitelist?
     
  17. craig baker

    craig baker Member HowtoForge Supporter

    also you keep flagging this file as infected. I'm pretty sure it's not; it has not been changed in many years, it's a cgi setup program.
    but I cant upload it you can get it from
    www.technomages.com/asetup.cgx (renamed cgx to cgi so it won't try and run).
    download it tell me why its giving a false positive :)
    and what to do about it.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    You can't report it with ispp_scan command? Please try:

    ispp_scan --false-positive=/path/to/the/malware/file.php
     
  19. craig baker

    craig baker Member HowtoForge Supporter

    I tried to add it to the ispconfig3 whitelist area. put in cdbsystems.com and added ispp_scan@ns9 as the user.
    didn't let me add it any other way
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig has several email whitelists. To avoid the spam result it has to be whitelisted in the spam filter whitelist, not the postfix whitelist.

    Beside that, try to update your spamassassin rules with:

    sa-update

    command and then restart amavisd.
     