I'm under hack attack again! Please help me ...

Discussion in 'Installation/Configuration' started by emanuelebruno, May 27, 2014.

  1. emanuelebruno

    emanuelebruno Member

    Hi all,
    I have an ISPConfig installed in Ubuntu 12.04 (I have followed this guide : http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3 )

    In my previuos post (http://www.howtoforge.com/forums/showthread.php?p=307536) I have found this solution for customers websites that spam without their permission (perhaps caused by cms exploit);

    Now I have another problem: even disabling the phpmail function (only in customers websites) somebody has taken the controll of my server and it is spamming using an unknow mail users like these:

    AFE1B728A005 1344 Mon May 26 04:26:00 [email protected]
    (connect to mail.creativelivingfoundation.in[]:25: Connection timed out)
    [email protected]

    849A5361265A 1256 Mon May 26 00:34:37 [email protected]
    (connect to outlok.com[]:25: Connection timed out)
    [email protected]

    I really don't understand why ISPConfig in its default configuration doesn't block "not authenticated users" sending of these emails (there is not any [email protected] or [email protected] account or domain) but I have tryed in these days some tips taken from other forum posts without success...

    Is there somebody how can help me , please?
    Last edited: May 27, 2014
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is a misunderstanding on your side how Linux and mailsystems work, this is not related to ispconfig at all. ISPConfig is blocking non authenticated senders off course, but this applies to external senders only and not to localhost. If localhost would require a authentication, then the internal Linux messaging system would fail as e.g. cron wont be able to send status messages to the root user anymore. So internal messaging over localhost is never blocked on Linux, not on ISPConfig servers and not on any other Linux servers.

    Blocking the php mail() function is useless and makes not muc sense for different reasons as many cms and webites will stop working correctly as use registration systems will fail and by disabling the mail function it is not as easy to chase down the affected website script. So you just cased yourself more problem instead of making something better with disabling that function.

    To solve your problem, check the mail header of the emails in the queue to find out which website has sent them and then search this website for the malicious script. its not that easy as you disabled the mail() function anymore, so now you have to check all scripts in the site.

    So back to your original problem: Check out the mail headers of the emails in your queue with postcat to see which of your
  3. emanuelebruno

    emanuelebruno Member

    Thank you for your reply. The result of the postcat is the following:

    postcat: name_mask: all
    postcat: inet_addr_local: configured 3 IPv4 addresses
    postcat: inet_addr_local: configured 1 IPv6 addresses
    *** ENVELOPE RECORDS deferred/3/33AD73612669 ***
    message_size:            1279             643               1               0                                                                                                    1279
    message_arrival_time: Wed May 28 00:08:45 2014
    create_time: Wed May 28 00:08:45 2014
    named_attribute: log_ident=33AD73612669
    named_attribute: rewrite_context=local
    sender: [email protected]
    named_attribute: encoding=7bit
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=
    named_attribute: log_client_port=54247
    named_attribute: log_message_origin=localhost[]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=
    named_attribute: client_port=54247
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/3/33AD73612669 ***
    regular_text: Received: from localhost (localhost [])
    regular_text:   by server1.italiaserverone.it (Postfix) with ESMTP id 33AD736126                                                                                        69
    regular_text:   for <[email protected]>; Wed, 28 May 2014 00:08:45 +0400 (MSK)
    regular_text: X-Virus-Scanned: Debian amavisd-new at server1.italiaserverone.it
    regular_text: Received: from server1.italiaserverone.it ([])
    regular_text:   by localhost (server1.italiaserverone.it []) (amavisd-n                                                                                        ew, port 10024)
    regular_text:   with ESMTP id RQnAC+Bx5vM2 for <[email protected]>;
    regular_text:   Wed, 28 May 2014 00:08:45 +0400 (MSK)
    regular_text: Received: from blog.dedalomultimedia.it (localhost [])
    regular_text:   by server1.italiaserverone.it (Postfix) with ESMTP id A49EF36126                                                                                        6B
    regular_text:   for <[email protected]>; Wed, 28 May 2014 00:08:40 +0400 (MSK)
    regular_text: Date: Wed, 28 May 2014 0:08:40 +0400
    regular_text: From: "Stacey Ayers" <[email protected]>
    regular_text: Reply-To:"Stacey Ayers" <[email protected]>
    regular_text: Message-ID: <[email protected]>
    regular_text: To: [email protected]
    regular_text: Subject: RE:  Haha
    regular_text: X-Priority: 3 (Normal)
    regular_text: MIME-Version: 1.0
    regular_text: Content-Type: text/html; charset="iso-8859-1"
    regular_text: Content-Transfer-Encoding: 8bit
    regular_text: <div>Haha Big titted horny blonde teen won huge and fat ****  <a h                                                                                        ref="http://catscansband.com/wp-includes/js/thickbox/adk.html">http://catscansba                                                                                        nd.com/wp-includes/js/thickbox/adk.html</a></div>
    *** HEADER EXTRACTED deferred/3/33AD73612669 ***
    named_attribute: encoding=8bit
    *** MESSAGE FILE END deferred/3/33AD73612669 ***
    It says that the user stacey_ayers from the domain blog.dedalomultimedia.it sends this spam...

    blog.dedalomultimedia.it , dedalomultimedia.it and test.dedalomultimedia.it are the same web site...

    test.dedalomultimedia.it is the original domain
    from ovh panel I have a cname dns entry with * prefix for dedalomultimedia.it

    In this moment I have changed from ispconfig panel the Aliasdomain with the following settings (in this way I'll avoid to reach the website using blog.dedalomultimedia.it entry) :

    Aliasdomain: dedalomultimedia.it
    Parent Website: test.dedalomultimedia.it
    Redirect Type: -BLANK-
    Redirect Path: http://test.dedalomultimedia.it
    Auto-Subdomain: www.
    SEO Redirect: www.domain.tld => domain.tld

    In php.ini entry of test.dedalomultimedia.it I have set the following settings:

    output_buffering = Off
    post_max_size = 20M
    upload_max_filesize = 20M
    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,allow_url_fopen,allow_url_include,posix_getpwuid,fsockopen,pfsockopen,socket_connect,mail
    How they can send mail using phpmail or smpt? Moreover, it is a coincidence that taking a look to my /var/log/syslog I have found this entry in wich every time the crontab starts, after 18 seconds send spam?

    May 28 02:01:01 server1 CRON[16733]: (root) CMD (/usr/local/ispconfig/server/server.sh > /dev/null 2>> /var/log/ispconfig/cron.log)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 46246361266C: from=<[email protected]>, size=1283, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 44710361266B: from=<[email protected]>, size=1279, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 34876361266A: from=<[email protected]>, size=1279, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 33AD73612669: from=<[email protected]>, size=1279, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 12E7F3612666: from=<[email protected]>, size=1271, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 11D733612665: from=<[email protected]>, size=1283, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 7BF733612676: from=<[email protected]>, size=7389, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 235BD3612668: from=<[email protected]>, size=1283, nrcpt=1 (queue active)
    May 28 02:01:19 server1 postfix/qmgr[1099]: 2231C3612667: from=<[email protected]>, size=1307, nrcpt=1 (queue active)
    Last, but not least, is it another coincidence that I have found a file named remote_action.inc.php reporting the date 12/May/2014 (it is the first time that the spam activity is started) in /usr/local/ispconfig/server/lib ?

    The content of this file is the following:

    $maxid_remote_action = 16;
    thank you in advance for your reply and help!
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig cronjob runs once a minute, so you will find it near everything in your log as it runs that frequently. So you cant built any relation to other actions on that. and the cronjob normally runs just 1-2 seconds and not 18 seconds.

    The more likely reason is that the affected website has a cronjob and that this cronjob runs once a minute too and that the script executed by that cronjob sends the email.

    Thats not a file from ispconfig, at least not from a current version, see here:


    But it might be from a older version or you installed any patches or other addons for ispconfig. In any case, its content is harmless.
  5. emanuelebruno

    emanuelebruno Member

    Do you mean that cronjob bypass php.ini entries for that website, sending spam even if I have disabled it?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, depending on how the cronjob is run, it can bypass website php.ini settings. Website php.ini settings will only apply to url cronjobs. Shell cronjobs use a different php (php-cli) or even other programming languages.
  7. emanuelebruno

    emanuelebruno Member

    Honestly I do not know what to do. My clients are nervous because they can not send emails from day 12/05. I am willing to pay for help to solve this problem and mainly to block future attacks.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    We can check that by remote login for you, you can reach the ispconfig support here:


    Dealing with these kind of issues is daily business for an ISP as there is no way to prevent such attacks completely without crippling the system in a way that it will not work anymore for your sites. The best prevention is to keep your websites up to date by installing cms updates regularily. If such a problem occurs like now, then track it down to the website, update the cms oof that site and remove the hacked files from that site.

    Like I mentioned in my first post, by disabling the php mail() function you cant prevent this, but its much more complicated to track down the issue now as php mail() adds details in the mail headers which script was used to send the email and these details are mising now.
  9. emanuelebruno

    emanuelebruno Member

    I have created a "Support ticket request" in this moment. Thank you :)

Share This Page