Hello everyone,

Someone is using my server for spam.

Code:
Dec 3 10:20:08 lserv postfix/error[3295]: 2FE7D84E392: to=<[email protected]>, relay=none, delay=27954, delays=27389/564/0/0.79, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta6.am0.yahoodns.net[66.196.118.35] while sending RCPT TO)
Dec 3 10:20:08 lserv postfix/error[3404]: 246C7852CEF: to=<[email protected]>, relay=none, delay=12364, delays=11799/564/0/1.1, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta6.am0.yahoodns.net[66.196.118.35] while sending RCPT TO)
Dec 3 10:20:08 lserv postfix/error[3181]: 2FBAD852F76: to=<[email protected]>, relay=none, delay=13768, delays=13203/565/0/0.19, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta6.am0.yahoodns.net[66.196.118.35] while sending RCPT TO)
Dec 3 10:20:08 lserv postfix/error[3248]: 21FC3855C6F: to=<[email protected]>, relay=none, delay=5764, delays=5200/564/0/0.18, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta6.am0.yahoodns.net[66.196.118.35] while sending RCPT TO)
Dec 3 10:20:08 lserv postfix/error[3211]: 20F7684CD6E: to=<[email protected]>, relay=none, delay=34590, delays=34025/564/0/0.79, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mta6.am0.yahoodns.net[66.196.118.35] while sending RCPT TO)
Dec 3 10:20:08 lserv postfix/master[1948]: terminating on signal 15
Dec 3 10:20:08 lserv postfix/postfix-script[3571]: waiting for the Postfix mail system to terminate
Dec 3 10:20:26 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=3587
Dec 3 10:20:29 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=4/244383, del=1/261, size=19775958
Dec 3 10:20:52 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=3597
Dec 3 10:20:54 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=3599
Dec 3 10:20:54 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/260, size=19766879
Dec 3 10:20:55 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=5/221559, del=0/486, size=39570315
Dec 3 10:20:55 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=3601
Dec 3 10:21:00 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=3/450969, del=0/1066, size=31374795
Dec 3 10:23:46 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:23:46 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=3655
Dec 3 10:23:46 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/486, size=39570315
Dec 3 10:23:47 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=3657
Dec 3 10:23:48 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/1066, size=31374795
Dec 3 10:25:01 lserv dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:25:01 lserv dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:25:01 lserv postfix/postqueue[3735]: warning: Mail system is down -- accessing queue directly
Dec 3 10:25:59 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:25:59 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=3774
Dec 3 10:25:59 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/260, size=19766879
Dec 3 10:27:31 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:27:31 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=3807
Dec 3 10:28:19 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=5/18676, retr=4/290919, del=0/790, size=48417572
Dec 3 10:30:01 lserv dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:30:01 lserv dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:30:01 lserv postfix/postqueue[3884]: warning: Mail system is down -- accessing queue directly
Dec 3 10:30:05 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:30:05 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=151.19.180.227, lip=95.110.231.102, mpid=3891
Dec 3 10:30:08 lserv dovecot: pop3([email protected]): Connection closed top=0/0, retr=0/0, del=0/790, size=48417572
Dec 3 10:35:01 lserv dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:35:01 lserv dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:35:01 lserv postfix/postqueue[3980]: warning: Mail system is down -- accessing queue directly
Dec 3 10:35:53 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:35:53 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=3999
Dec 3 10:35:55 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=2/164557, del=0/163, size=13069839
Dec 3 10:35:55 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=4001
Dec 3 10:35:57 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=2/444193, del=2/1066, size=31374795
Dec 3 10:36:00 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=4003
Dec 3 10:36:07 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=4/142563, del=3/968, size=94612942
Dec 3 10:36:08 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=4013
Dec 3 10:36:20 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/965, size=94442858
Dec 3 10:39:02 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:39:02 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=4103
Dec 3 10:39:04 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=3/235364, del=3/3, size=235275
Dec 3 10:39:04 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=4105
Dec 3 10:39:47 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/790, size=48417572
Dec 3 10:39:49 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=4107
Dec 3 10:39:54 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=4/250981, del=0/585, size=43203788
Dec 3 10:40:01 lserv dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:40:01 lserv dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:40:01 lserv postfix/postqueue[4146]: warning: Mail system is down -- accessing queue directly
Dec 3 10:41:35 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:41:35 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=4180
Dec 3 10:42:30 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/790, size=48417572
Dec 3 10:42:34 lserv dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:42:50 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4192, secured
Dec 3 10:42:50 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=29/405
Dec 3 10:42:51 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4194, secured
Dec 3 10:42:51 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=70/523
Dec 3 10:42:51 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4196, secured
Dec 3 10:42:51 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4198, secured
Dec 3 10:42:52 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=233/844
Dec 3 10:42:52 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=273/24620
Dec 3 10:42:56 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4201, secured
Dec 3 10:42:56 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=32/390
Dec 3 10:42:56 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4203, secured
Dec 3 10:42:56 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=44/503
Dec 3 10:45:02 lserv dovecot: imap-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:45:02 lserv dovecot: pop3-login: Disconnected (no auth attempts): rip=127.0.0.1, lip=127.0.0.1, secured
Dec 3 10:45:02 lserv postfix/postqueue[4261]: warning: Mail system is down -- accessing queue directly
Dec 3 10:45:32 lserv dovecot: auth-worker: mysql(localhost): Connected to database dbispconfig
Dec 3 10:45:32 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=2.119.24.202, lip=95.110.231.102, mpid=4280
Dec 3 10:45:32 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=4282
Dec 3 10:45:35 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=1/79089, del=3/790, size=48417572
Dec 3 10:45:36 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=4284
Dec 3 10:45:36 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Dec 3 10:46:07 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4294, secured
Dec 3 10:46:07 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=635753/505
Dec 3 10:46:08 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4298, secured
Dec 3 10:46:08 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=70/523
Dec 3 10:46:09 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4300, secured
Dec 3 10:46:09 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4302, secured
Dec 3 10:46:09 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=233/844
Dec 3 10:46:09 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=273/24620
Dec 3 10:46:43 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/790, size=48417572
Dec 3 10:47:04 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=4314
Dec 3 10:47:04 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/787, size=48337127
Dec 3 10:47:05 lserv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=95.224.110.192, lip=95.110.231.102, mpid=4316
Dec 3 10:47:05 lserv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Dec 3 10:47:09 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4318, secured
Dec 3 10:47:09 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=93/817
Dec 3 10:48:09 lserv dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4580, secured
Dec 3 10:48:09 lserv dovecot: imap([email protected]): Disconnected: Logged out bytes=93/817
Dec 3 10:48:27 lserv dovecot: master: Warning: Killed with signal 15 (by pid=4594 uid=0 code=kill)

The right account is softwarepoint.org. My main.cf:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = lserv.softwarepoint.org
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = lserv.softwarepoint.org, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3

I think that the problem is a hacked WordPress portal on a virtual site. I disabled the site but the problem remains. I already restarted the server but the problem remains. What can I do?
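The posted main.cf lets any SASL-authenticated client relay (permit_sasl_authenticated comes before reject_unauth_destination in smtpd_recipient_restrictions), and local processes such as a web server can hand mail to Postfix through the sendmail binary, which Postfix logs as postfix/pickup. So the first thing to establish is which of those two paths the queued spam came in on: a stolen mailbox password, or a script on the box. The postfix/error lines in the post only show the deferred deliveries; the origin of each queue ID is recorded in the earlier postfix/smtpd or postfix/pickup line for the same ID. The script below is an added example, not code from the original post: it joins those lines by queue ID and totals messages and recipients per origin (SASL user, local uid, or unauthenticated client). The log lines embedded in it are constructed samples with made-up queue IDs, addresses and IPs, and the pattern assumes Postfix's short (uppercase hex) queue IDs.

```python
import re
from collections import Counter

# Constructed sample of Postfix log lines (NOT the lines from the original post:
# queue IDs, addresses and IPs are made up). Each message leaves two traces that
# matter here: the accept line (smtpd or pickup) and the qmgr line with nrcpt=.
SAMPLE_LOG = """\
Dec  3 09:01:10 lserv postfix/smtpd[2101]: 7A1B2C3D4E: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=info@example.org
Dec  3 09:01:11 lserv postfix/qmgr[1950]: 7A1B2C3D4E: from=<info@example.org>, size=2215, nrcpt=50 (queue active)
Dec  3 09:01:12 lserv postfix/smtpd[2101]: 7A1B2C3D4F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=info@example.org
Dec  3 09:01:13 lserv postfix/qmgr[1950]: 7A1B2C3D4F: from=<info@example.org>, size=2230, nrcpt=50 (queue active)
Dec  3 09:02:00 lserv postfix/pickup[1952]: 8B2C3D4E5F: uid=33 from=<www-data>
Dec  3 09:02:01 lserv postfix/qmgr[1950]: 8B2C3D4E5F: from=<www-data@lserv.example.org>, size=1800, nrcpt=40 (queue active)
Dec  3 09:03:00 lserv postfix/smtpd[2109]: 9C3D4E5F60: client=mail.example.net[203.0.113.9]
Dec  3 09:03:01 lserv postfix/qmgr[1950]: 9C3D4E5F60: from=<alice@example.net>, size=900, nrcpt=1 (queue active)
Dec  3 09:03:05 lserv postfix/qmgr[1950]: 9C3D4E5F60: removed
"""

# Short-format queue IDs are uppercase hex; this deliberately does not match
# "warning:" or "NOQUEUE:" which occupy the same slot in other lines.
LINE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
CLIENT_RE = re.compile(r"client=(?P<client>[^\s,]+)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^\s,]+)")
UID_RE = re.compile(r"\buid=(?P<uid>\d+)")
NRCPT_RE = re.compile(r"nrcpt=(?P<n>\d+)")


def classify_origins(log_text):
    """Map each queue ID to the origin Postfix recorded when it accepted the message:
    'sasl:<user>' (authenticated submission), 'local-uid:<n>' (sendmail/pickup,
    e.g. uid 33 is www-data on Debian/Ubuntu), or 'client:<host[ip]>' (plain SMTP)."""
    origin = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        prog, qid, rest = m.group("prog"), m.group("qid"), m.group("rest")
        if prog == "smtpd" and "client=" in rest:
            sasl = SASL_RE.search(rest)
            if sasl:
                origin[qid] = "sasl:" + sasl.group("user")
            else:
                origin[qid] = "client:" + CLIENT_RE.search(rest).group("client")
        elif prog == "pickup":
            uid = UID_RE.search(rest)
            if uid:
                origin[qid] = "local-uid:" + uid.group("uid")
    return origin


def triage(log_text):
    """Return (messages, recipients): Counters keyed by origin. Queue IDs whose
    accept line is missing from the input are reported under 'unknown'."""
    origin = classify_origins(log_text)
    messages, recipients = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("prog") != "qmgr":
            continue
        n = NRCPT_RE.search(m.group("rest"))
        if not n:
            continue  # 'removed' and similar qmgr lines carry no recipient count
        who = origin.get(m.group("qid"), "unknown")
        messages[who] += 1
        recipients[who] += int(n.group("n"))
    return messages, recipients


if __name__ == "__main__":
    messages, recipients = triage(SAMPLE_LOG)
    for who, n in recipients.most_common():
        print(f"{n:6d} recipients in {messages[who]:3d} messages from {who}")
```

On a live box you would feed it the real log instead of the sample (for instance `triage(open("/var/log/mail.log").read())`, the Debian/Ubuntu path; adjust for your distribution). A large "sasl:" total points at a stolen mailbox password, which a restart or a disabled vhost will not fix; a large "local-uid:" total for the web server's uid points at a script still able to call sendmail, which is worth checking even after the suspected site is disabled.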
Hi,

Check the following possibilities at your end:

1. Applications like WordPress are third-party software and are more vulnerable to hacking.
2. Please check the rating of the themes from such applications, if you are using any for your website. Also ask WordPress itself if they have any suggestions for security and let us know, to see if we can do those for you.
3. A Trojan on your local PC that has stolen your FTP (or cPanel) password to enter your site(s) to change code or put a virus.
4. Weak password (FTP or root).
5. Weak permissions (permissions like 777).
6. Using weak code in your script.
7. Using an older version of software/application.
8. Old files are often indexed by search engines. So even if you do not link to those pages anymore, the search engines list them for Internet users to find and visit. Automated programs that search for these files can find them to exploit them.

You need to take care of the following things to prevent it in future:

1. Use only those WordPress themes which have high ratings, so as to reduce the possibility of hacking.
2. Scan your local computer for viruses with an updated antivirus and remove viruses/trojans.
3. Download the files of your sites to your local PC, scan them, remove viruses and then upload them again.
4. Use strong passwords and change them regularly (FTP, root or main user).
5. Don't keep full permissions like 777 (the permissions should be 755 for folders and 644 for files).
6. Don't use weak code in your script.
7. Always use the updated version of your script/application/software (but before upgrading check bugs, or it should be recommended by the vendor).