Mail Server Hacked?

Discussion in 'General' started by Cracklefish, Jul 2, 2015.

  1. Cracklefish

    Cracklefish Member

    The system is debian wheezy, ispc3 V3.0.5.4p5

    The mail system has several domains installed but only one actually in use. All the other domains have their MX records pointing to the ISP's mail server.
    Today the ISP reported that spam was being sent from the server. One of the ~/maildir/new boxes now contains hundreds of Non Delivered Messages with the local address.
    The corresponding mailbox on the ISP's server has hundreds of Non Delivered Messages but with the spam recipient's address.
    I have run Rkhunter but there was nothing unusual.
    I have now disabled all the mail boxes using ispc3.
    I have changed the passwords for root and the only user account.
    As the performance was being compromised I have stopped postfix. If I restart it, it commences pumping out the spam.
    I have searched all the websites but I cannot see any mailto or cgi formmail that point to that mail domain or box.

    Any ideas?
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

  3. DDArt

    DDArt Member

    You can also enable php.ini logging of all forms being sent out. We always keep tabs on that and can easily find an outdated WordPress site on which some script is running in the background. Using .htaccess or BulletProof addons and/or websecurity will disable most/all scripts running.

    It is almost a must, you can get detailed log(s) such as:
    [02-Jul-2015 06:18:19 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-includes/class-phpmailer.php:603]: To: [email protected] Headers: Date: Thu, 2 Jul 2015 06:18:19 +0000 Return-Path: <[email protected]> From: The Client <email@address> Message-ID: <[email protected]> X-Priority: 3 X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/) MIME-Version: 1.0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit
    Good luck,
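    The php.ini mail.log lines quoted above can be triaged quickly. The following script is an added example, not code from the thread or from ISPConfig: it parses lines in that format, counts mail() calls per originating script, and flags scripts that send in volume or live in a directory that should only hold data. The sample log, the paths, the threshold and the directory list are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape PHP writes when mail.log is set in
# php.ini; addresses and paths are placeholders, not real data.
SAMPLE_LOG = """\
[02-Jul-2015 06:18:19 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-includes/class-phpmailer.php:603]: To: a@example.net Headers: From: The Client <user@example.org>
[02-Jul-2015 06:18:20 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-includes/class-phpmailer.php:603]: To: b@example.net Headers: From: The Client <user@example.org>
[02-Jul-2015 06:18:21 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-content/uploads/2015/07/cache.php:12]: To: c@example.net Headers: From: x <x@example.org>
[02-Jul-2015 06:18:22 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-content/uploads/2015/07/cache.php:12]: To: d@example.net Headers: From: x <x@example.org>
[02-Jul-2015 06:18:23 UTC] mail() on [/var/www/clients/client1/webXX/web/wp-content/uploads/2015/07/cache.php:12]: To: e@example.net Headers: From: x <x@example.org>
[02-Jul-2015 07:00:00 UTC] mail() on [/var/www/clients/client2/web3/web/contact.php:40]: To: owner@example.org Headers: From: Contact Form <form@example.org>
"""

# "[timestamp] mail() on [script:line]: To: recipient Headers: ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+)"
)


def parse_mail_log(text):
    """Yield (timestamp, script, line, recipient) for each mail() entry."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("script"), int(m.group("line")), m.group("to")


def mail_by_script(text):
    """Count mail() calls per script path. Note: the logged file is the one that
    called mail(), so for WordPress it is usually PHPMailer's wrapper; correlate
    the timestamps with the web access log to find the request that triggered it."""
    return Counter(script for _, script, _, _ in parse_mail_log(text))


def suspicious_scripts(text, threshold=3, data_dirs=("/wp-content/uploads/", "/tmp/")):
    """Scripts sending >= threshold mails, or living where no PHP should run
    (assumed directory list; adjust to the site layout)."""
    counts = mail_by_script(text)
    return sorted(s for s, n in counts.items()
                  if n >= threshold or any(d in s for d in data_dirs))


if __name__ == "__main__":
    for script, n in mail_by_script(SAMPLE_LOG).most_common():
        print(n, script)
    print("suspicious:", suspicious_scripts(SAMPLE_LOG))
```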
  4. Cracklefish

    Cracklefish Member

    Looks like they got in through a mail link in a website. While searching through the sites I discovered a mass of permission "inconsistencies" presumably as a result of the change of OS from Suse to Debian. So I have decided to reinstall.

    Not quite the 45 minutes claimed in a post advising somebody else to migrate from Suse, but all went reasonably well until I got to pure-ftpd. Can't log in using TLS. Looks like a Filezilla issue.

    Anyway, I've got the sites working so I'll fix the rest when I get back from holiday.

    Thanks for the help.
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    New versions of Filezilla default to using TLS with FTP. You can change that in Filezilla Site Manager to plain FTP.

    To get FTP working with TLS on your site, set FTP server passive port range and open those ports in ISPConfig firewall.

    I learned this a week ago from this forum when my question was answered.
