Hi, My server has recently been temporarily shut down by my ISP because it seems it is sending a lot of spam and I can't find the source. The mail.log shows nothing wrong. I have created a script to log the phpmail and there's also nothing wrong. I always keep an ssh "tail -f /var/www/mail.log" open to see the activity and it all looks normal. The server was built based on "The Perfect Server - Ubuntu 12.04 LTS (nginx, BIND, Dovecot, ISPConfig 3)" and some customizations for varnish, memcached, spdy and pagespeed. Not an open relay. Mailqueue (postqueue -p) is empty all the time. I'm using SSL and DKIM for clients that have email accounts, don't know if it can help. I searched the web a lot and this forum too, but still can't find what is causing this. There was A LOT of this in my mail.warn and I blocked this IP yesterday so I'm waiting for the current day's log on senderbase.org
Code:
Jul 8 18:37:47 orion postfix/smtpd[3188]: warning: unknown[185.40.4.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 8 18:38:28 orion postfix/smtpd[3188]: warning: hostname hosted-by.hostgrad.ru does not resolve to address 185.40.4.32: Name or service not known
PLEASE! I would really appreciate your help on this. Tell me if you need anything else. In advance: Thank you for your help and time! I'm putting the main.cf, master.cf and postconf -d|grep mynetworks in a follow-up because of the 10000 character limit.
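Added example, not from the thread: a small Python parser for Postfix smtpd warnings like the two quoted above. It counts SASL authentication failures per client IP so a brute-force source stands out, and decodes the trailing base64 token, which is the last challenge the server sent ("Password:"), not a password the attacker supplied. The log lines are constructed to resemble the thread's; 203.0.113.x and 198.51.100.x are documentation addresses.

```python
import base64
import re
from collections import Counter

# Constructed sample of /var/log/mail.warn lines, modelled on the two lines
# quoted in the thread (same IP and host name); the other entries are made up.
SAMPLE_MAIL_WARN = """\
Jul  8 18:37:47 orion postfix/smtpd[3188]: warning: unknown[185.40.4.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul  8 18:37:49 orion postfix/smtpd[3188]: warning: unknown[185.40.4.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul  8 18:37:52 orion postfix/smtpd[3188]: warning: unknown[185.40.4.32]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul  8 18:38:28 orion postfix/smtpd[3188]: warning: hostname hosted-by.hostgrad.ru does not resolve to address 185.40.4.32: Name or service not known
Jul  8 18:40:01 orion postfix/smtpd[3201]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed:
Jul  8 18:41:10 orion postfix/smtpd[3205]: connect from mail.example.net[198.51.100.5]
"""

# One smtpd "SASL ... authentication failed" warning; the challenge token is optional.
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<chal>\S*)"
)


def decode_challenge(token):
    """Decode the base64 token Postfix appends to a SASL failure.

    It is the last server challenge (for LOGIN: 'Password:'), useful only to
    confirm which mechanism the client was stuck on.
    """
    if not token:
        return ""
    try:
        return base64.b64decode(token, validate=True).decode("ascii", "replace")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def sasl_failures(lines):
    """Return {client_ip: number of SASL authentication failures}."""
    counts = Counter()
    for line in lines:
        m = SASL_FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def flag_bruteforce(lines, threshold=3):
    """IPs whose failure count reaches the threshold, most active first."""
    counts = sasl_failures(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    lines = SAMPLE_MAIL_WARN.splitlines()
    for ip, n in flag_bruteforce(lines):
        print("%s: %d SASL failures" % (ip, n))
    print("challenge token decodes to:", decode_challenge("UGFzc3dvcmQ6"))
```

Feed real data with `grep 'authentication failed' /var/log/mail.warn | python3 this_script.py` after replacing the sample with `sys.stdin`; the per-IP counts are what a fail2ban postfix-sasl jail keys on.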
Here is the Postfix main.cf (I changed the domain to domainrewritten.com):
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
#smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
#smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_cert_file = /etc/nginx/conf/ssl/orion/orion-ssl-bundle.crt
smtpd_tls_key_file = /etc/nginx/conf/ssl/orion/orion.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = domainrewritten.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = domainrewritten.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_invalid_hostname, reject_rbl_client, zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on
maximal_queue_lifetime = 1h
And here is the Postfix master.cf:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
And finally, here is the "postconf -d|grep mynetworks" result:
Code:
mynetworks = 127.0.0.0/8 127.0.0.2/32 192.241.115.194/32 192.241.115.195/32 192.241.115.196/32 192.241.115.197/32 192.241.115.206/32 192.241.115.207/32 [::1]/128
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
postscreen_access_list = permit_mynetworks
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Here is the result of the "netstat -ntap" command. I've changed the IPs of the VPS to 111.111.111.111 - 111.111.111.116 and my IP to 55.55.55.55. I'm not sure what to look at in this big list (the full three-part listing of listening sockets and established connections followed here).
I ran rkhunter, chkrootkit and maldet on the /var/www/ directory and nothing was found. I have to say that I disabled the string length option in maldet because it was putting a lot of WordPress files in quarantine and screwing up the website. After some Google research, it seems these were false positives:
rkhunter = Checking loaded kernel modules [ Warning ]
chkrootkit = Checking `bindshell'... INFECTED (PORTS: 465) master
Could a script or web form exploit send a lot of mail without being logged in the php "mail.log = /var/log/phpmail.log"?
That's a known false positive, so you can ignore that. To find out if your server is sending spam, take a look at the mail queue with:
postqueue -p
Any suspicious mails there or a large amount of mails in the queue? If yes, then inspect these mails with the postcat command.
Hi, First, thanks for the help. It is REALLY appreciated. elmacus: Yes, I'm looking at senderbase every day since the first shutdown. Like I said earlier, I was waiting for the new senderbase report since I've made some changes to the Postfix config, but today I see that the number of spam sent is just growing.
2015-07-07 = 2.5
2015-07-08 = 2.8
2015-07-09 = 2.9
Till: I did the postqueue -p a couple of times but it always shows an empty queue. Is it possible that mail is sent without leaving any traces in the logs?
Yes, that's possible but it is very rare, as this would mean that the mail is not sent through your mail system; instead an attacker would have to send the mails directly with their own SMTP software from your server. Do you see any unusual activity on your server, e.g. a high load, or do you see suspicious outgoing connections to port 25 on other servers (check e.g. with the netstat command)?
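To act on the suggestion above, here is an added Python helper (not from the thread) that filters `netstat -ntp` output for connections whose foreign port is 25 and groups them by the owning process, dropping the Postfix smtp(8) client since that is the only program expected to deliver outbound mail on a Postfix box. The sample listing is constructed in the same column layout as the one posted; the perl and php5-fpm rows are invented to show what a sender outside the mail system looks like.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ntp` output (Linux, IPv4), same column layout as
# the thread's listing; PIDs and addresses are made up (203.0.113.x / 198.51.100.x
# are documentation ranges).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 111.111.111.111:993     55.55.55.55:51112       ESTABLISHED 9180/imap-login
tcp        0      0 111.111.111.111:41022   198.51.100.25:25        ESTABLISHED 14120/smtp
tcp        0      0 111.111.111.111:41023   203.0.113.9:25          SYN_SENT    27731/perl
tcp        0      0 111.111.111.111:41024   203.0.113.10:25         ESTABLISHED 27731/perl
tcp        0      0 111.111.111.111:41030   203.0.113.11:25         ESTABLISHED 27740/php5-fpm
tcp        0      0 111.111.111.111:41031   203.0.113.12:25         TIME_WAIT   -
tcp        0      0 127.0.0.1:47501         127.0.0.1:3306          ESTABLISHED 15000/amavisd
"""

# One connection row; the program column is "PID/name" or "-" when unknown.
ROW_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+|-)/?(?P<prog>\S*)"
)

# Postfix's outbound client shows up as "smtp" (the relay transport uses the same
# binary). Anything else holding a connection to port 25 deserves a look.
EXPECTED_SMTP_CLIENTS = {"smtp"}

# States where the socket is already closing; not interesting for attribution.
CLOSING_STATES = {"TIME_WAIT", "CLOSE_WAIT", "LAST_ACK", "FIN_WAIT1", "FIN_WAIT2"}


def outbound_smtp(lines):
    """Rows whose foreign port is 25 and whose connection is still live."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line)
        if not m or m.group("fport") != "25":
            continue
        if m.group("state") in CLOSING_STATES:
            continue
        rows.append(m.groupdict())
    return rows


def suspicious_senders(lines):
    """{(pid, program): [peer addresses]} for outbound SMTP not made by Postfix."""
    by_proc = defaultdict(list)
    for r in outbound_smtp(lines):
        if r["prog"] in EXPECTED_SMTP_CLIENTS:
            continue
        by_proc[(r["pid"], r["prog"])].append(r["faddr"])
    return dict(by_proc)


if __name__ == "__main__":
    import sys
    data = SAMPLE_NETSTAT.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for (pid, prog), peers in suspicious_senders(data).items():
        print("%s/%s -> %s" % (pid, prog, ", ".join(peers)))
```

Run it as root (`netstat -ntp | python3 this_script.py`) so the PID/Program column is filled in; a PID that is not a Postfix child is the process to inspect with `ls -l /proc/PID/cwd` and `cat /proc/PID/cmdline`.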
The server load is not high. htop shows Load average: 0.05 0.12 0.16. It sometimes goes a little higher but I can replicate the same augmentation when browsing on a hosted WordPress website with a lot of MySQL requests (online catalog of around 5000 products).
netstat -pnlt | grep ':25' shows:
Code:
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1860/master
tcp6       0      0 :::25                   :::*                    LISTEN      1860/master
ps -ef | grep 1860 shows:
Code:
root      1860     1  0 00:29 ?        00:00:00 /usr/lib/postfix/master
postfix   1865  1860  0 00:29 ?        00:00:00 qmgr -l -t fifo -u
postfix   2328  1860  0 00:29 ?        00:00:00 tlsmgr -l -t unix -u -c
postfix  15721  1860  0 08:49 ?        00:00:00 pickup -l -t fifo -u -c
postfix  16712  1860  0 09:23 ?        00:00:00 anvil -l -t unix -u -c
root     16986 15750  0 09:34 pts/0    00:00:00 grep --color=auto 1860
Not sure if that last command is correct... Anything suspicious?
No, that's all ok. Is the server behind a router together with other servers, so that maybe another node has sent spam that has the same external IP?
It's an OpenVZ SSD Cached Linux VPS from ServerMania. But I don't think other nodes have the same IP. I have set up an SSL mail server so I highly recommend my users to set up their accounts through ports 993, 995 and 465. Should I completely block port 25 or is it used by phpmail/web forms?
I was inspecting an old form from an old HTML-only website hosted on the server and I think it's poorly coded. What do you think? I changed the URL to website.com
Code:
<FORM METHOD="POST" ACTION="http://scripts.iwebgroup.com/cgi-bin/formmail.pl" ENCTYPE="x-www-form-urlencoded">
<div align="left">
<table width="700" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td>
<center>
<p> </p>
<p align="center">
<input type="hidden" name="recipient" value="[email protected]">
<input type="hidden" name="subject" value="Contactez-nous">
<input type="hidden" name="redirect" value="http://www.website.com/merci.html">
<input type="hidden" name="required" value="Nom,Prenom,Ville,Courriel,Commentaires">
<input type="hidden" name="missing_fields_redirect" value="http://www.website.com/erreur.html">
</p>
<p align="center"><font face="Arial, Times New Roman, Tahoma" size="3">Si vous avez des questions ou des commentaires, n'hésitez pas à nous contacter.</font>
<BR>
<FONT COLOR="#b9210b" SIZE="-1" FACE="Verdana">Tous les champs accompagnés d'une étoile (*) sont obligatoires</FONT>
<FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">.</FONT>
</p>
<TABLE BORDER="0" CELLSPACING="2" CELLPADDING="2" WIDTH="100%">
<TR>
<TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Nom :</FONT> </TD>
<TD WIDTH="394"> <INPUT NAME="Nom" TYPE="text" id="Nom" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD>
</TR>
<TR>
<TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Prénom :</FONT> </TD>
<TD WIDTH="394"> <INPUT NAME="Prenom" TYPE="text" id="Prenom" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD>
</TR>
<TR>
<TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Adresse :</FONT> </TD>
<TD WIDTH="394"> <INPUT NAME="Adresse" TYPE="text" id="Adresse" SIZE="40" MAXLENGTH="80"> <B></B> </TD>
</TR>
<TR>
<TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Ville :</FONT> </TD>
<TD WIDTH="394"> <INPUT NAME="Ville" TYPE="text" id="Ville" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD>
</TR>
<TR>
<TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Téléphone :</FONT> </TD>
<TD WIDTH="394"> <INPUT NAME="Code_regional" TYPE="text" id="Code_regional" SIZE="5" MAXLENGTH="5"> <INPUT NAME="Telephone" TYPE="text" id="Telephone" SIZE="15" MAXLENGTH="15"> <B></B> </TD>
</TR>
<TR>
<TD WIDTH="174"> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Courriel :</FONT> </TD>
<TD WIDTH="394"> <INPUT NAME="Courriel" TYPE="text" id="Courriel" SIZE="40" MAXLENGTH="40"> <B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT></B> </TD>
</TR>
<TR>
<TD COLSPAN="2">
<P> </P>
<P> <FONT COLOR="#21214a" SIZE="-1" FACE="Verdana">Vos commentaires ou questions :<B><FONT COLOR="#b9210b" SIZE="-1" FACE="Arial">*</FONT> </B> </FONT> </P>
<P> <TEXTAREA NAME="Commentaires" COLS="65" ROWS="8" id="Commentaires"></TEXTAREA>
</TD>
</TR>
<TR>
<TD COLSPAN="2" ALIGN="CENTER" HEIGHT="81">
<p> <BR> <INPUT name="submit" TYPE="submit" id="submit" VALUE="Soumettre"> <INPUT NAME="nom2" TYPE="reset" VALUE="Effacer"> </p>
<p> </p>
<p align="center"> </p>
<p align="center"> </p>
</TD>
</TR>
</TABLE>
</center>
</td>
</tr>
</table>
<!-- fin du code à insérer -->
</div>
</FORM>
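The hidden recipient, subject and redirect fields in the form above are the classic FormMail weakness: whoever posts the form decides where the mail goes, so a script that honours them can be used to send to arbitrary addresses. As an added example (not code from the thread or from formmail.pl), here is a server-side Python handler for the same field names that fixes those values in code, ignores any field the form did not define, and refuses line breaks in anything that ends up in a mail header, so a visitor cannot inject extra Bcc or Subject lines. The addresses are placeholders.

```python
import re
from email.message import EmailMessage

# Fixed server-side settings; none of these can be changed by the client.
RECIPIENT = "contact@example.com"      # placeholder, not the site's real address
SUBJECT = "Contactez-nous"
SENDER = "www-data@example.com"        # placeholder envelope/From for the web host
REQUIRED = ("Nom", "Prenom", "Ville", "Courriel", "Commentaires")
# The only fields accepted, taken from the form's INPUT/TEXTAREA names.
TEXT_FIELDS = ("Nom", "Prenom", "Adresse", "Ville", "Code_regional",
               "Telephone", "Courriel", "Commentaires")
MAX_LEN = {"Commentaires": 4000}       # others default to 80, like the form's MAXLENGTH

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormError(ValueError):
    """Raised for input that must not be turned into a message."""


def clean_fields(form):
    """Validate the POSTed fields; unknown names (e.g. 'recipient') are dropped."""
    cleaned = {}
    for name in TEXT_FIELDS:
        value = form.get(name, "")
        if not isinstance(value, str):
            raise FormError("bad type for %s" % name)
        # Only the free-text body may contain line breaks; every other field is
        # either placed in a header (Reply-To) or could be moved there later.
        if name != "Commentaires" and ("\r" in value or "\n" in value):
            raise FormError("line break in header-bound field %s" % name)
        if len(value) > MAX_LEN.get(name, 80):
            raise FormError("%s too long" % name)
        cleaned[name] = value.strip()
    missing = [n for n in REQUIRED if not cleaned[n]]
    if missing:
        raise FormError("missing: " + ",".join(missing))
    if not EMAIL_RE.match(cleaned["Courriel"]):
        raise FormError("invalid Courriel")
    return cleaned


def build_message(form):
    """Build the notification mail; the visitor's address only ever lands in Reply-To."""
    cleaned = clean_fields(form)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = SUBJECT
    msg["Reply-To"] = cleaned["Courriel"]
    lines = ["%s: %s" % (k, cleaned[k]) for k in TEXT_FIELDS if k != "Commentaires"]
    msg.set_content("\n".join(lines) + "\n\nCommentaires:\n" + cleaned["Commentaires"] + "\n")
    return msg


if __name__ == "__main__":
    sample = {"Nom": "Tremblay", "Prenom": "Marie", "Ville": "Montreal",
              "Courriel": "marie@example.org", "Commentaires": "Bonjour"}
    print(build_message(sample).as_string())
```

Hand the result to `smtplib` or `sendmail -t` from the handler; Postfix will then log the submission like any other local mail, which is what makes the traffic visible in mail.log.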
I really hope my last post didn't make you facepalm to death. If it was the problem, I'm really sorry not to have thought about it first, but that old ugly website never came to my mind. I deleted the page where the suspicious form was and the last day's senderbase log shows 0. I'll keep an eye on these reports since looking at the history also shows some days with 0. I can also say that the load seems to have dropped a little. Today, the CPU started to freak out and load went up to around 0.4 - 0.6 so I looked at the logs. nginx access.log shows A LOT of these and similar requests (I'm NOT hosting these domains):
Code:
127.0.0.1 - - [11/Jul/2015:18:13:26 -0400] "GET http://img01.taobaocdn.com/bao/uploaded/i1/788371593/T2FVeiXgRbXXXXXXXX_!!788371593.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=16921075269" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
127.0.0.1 - - [11/Jul/2015:18:13:46 -0400] "GET http://d6.yihaodianimg.com/V00/M01/45/54/CgQDsVSOty-AcZnzAAT0rKLfGCE44800_360x360.jpg HTTP/1.1" 404 31 "http://item.yhd.com/item/42166607" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
127.0.0.1 - - [11/Jul/2015:18:13:50 -0400] "GET http://gd1.alicdn.com/bao/uploaded/http://gd1.alicdn.com/bao/uploaded/i1/TB1FUbeIXXXXXaYXFXXXXXXXXXX_!!0-item_pic.jpg_400x400.jpg_.webp HTTP/1.1" 302 5 "http://item.taobao.com/item.htm?id=520531436835" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
127.0.0.1 - - [11/Jul/2015:18:13:28 -0400] "GET http://img04.taobaocdn.com/bao/uploaded/i4/112776785/T2KQa2XnRbXXXXXXXX_!!112776785.jpg_460x460.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=37875871485" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
127.0.0.1 - - [11/Jul/2015:18:49:39 -0400] "GET http://www.baidu.com/ HTTP/1.1" 302 5 "www.baidu.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WebSaver; .NET CLR 2.0.50727)"
And this too from a hosted domain:
Code:
127.0.0.1 - - [11/Jul/2015:18:14:10 -0400] "GET http://real-hosted-domain.com/wp-signup.php?new=gd1.alicdn.com HTTP/1.1" 200 11463 "http://item.taobao.com/item.htm?id=37645037149" "Internet Explorer 9.0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0"
127.0.0.1 - - [11/Jul/2015:18:49:02 -0400] "GET /wp-content/plugins/contact-form-7/includes/js/scripts.js HTTP/1.0" 200 11200 "http://real-hosted-domain.com/wp-signup.php?new=www.baidu.com" "NgxNativeFetcher mod_pagespeed/1.7.30.3-3721"
While running "tail -f /var/log/nginx/access.log" I was looking at the fail2ban log and decided to block these IPs, which were mostly from China and surroundings, with "iptables -A INPUT -s IP-ADDRESS -j DROP". The requests started to drop and the CPU calmed down. And me too. I didn't find anything about these weird requests. Can you tell me what that is? Thank you!
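The request lines above carry absolute URLs for hosts this server does not serve, the shape of traffic that typically comes from clients testing whether a web server will act as an open HTTP proxy. Because Varnish sits in front of nginx, every one of them is logged with 127.0.0.1 as the client, so blocking on that column is impossible. Added example (not from the thread): a Python parser for nginx's default combined log format that picks those requests out and tallies both the foreign target hosts and the logged remote addresses, with constructed sample lines modelled on the ones posted (real-hosted-domain.com kept as the hosted name).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Names this server actually serves; an absolute-URL request for anything else is foreign.
HOSTED = {"real-hosted-domain.com", "www.real-hosted-domain.com"}

# Constructed sample lines in nginx's combined format, modelled on the thread's;
# the user-agent strings are shortened and the taobao/baidu paths are made up.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [11/Jul/2015:18:13:26 -0400] "GET http://img01.taobaocdn.com/bao/uploaded/i1/T2FVeiXgRbXX_!!788371593.jpg HTTP/1.1" 404 31 "http://item.taobao.com/item.htm?id=16921075269" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
127.0.0.1 - - [11/Jul/2015:18:49:39 -0400] "GET http://www.baidu.com/ HTTP/1.1" 302 5 "www.baidu.com" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
127.0.0.1 - - [11/Jul/2015:18:14:10 -0400] "GET http://real-hosted-domain.com/wp-signup.php?new=gd1.alicdn.com HTTP/1.1" 200 11463 "http://item.taobao.com/item.htm?id=37645037149" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
127.0.0.1 - - [11/Jul/2015:18:49:02 -0400] "GET /wp-content/plugins/contact-form-7/includes/js/scripts.js HTTP/1.0" 200 11200 "http://real-hosted-domain.com/" "NgxNativeFetcher mod_pagespeed/1.7.30.3-3721"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def foreign_absolute_target(entry):
    """Host named in an absolute-URL request line when it is not one we serve, else None."""
    target = entry["target"]
    if not target.lower().startswith(("http://", "https://")):
        return None                       # origin-form request, the normal case
    host = (urlsplit(target).hostname or "").lower()
    return None if host in HOSTED else host


def proxy_probes(lines):
    """Count foreign absolute-URL requests by target host and by logged remote address."""
    targets, remotes = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        host = foreign_absolute_target(entry)
        if host:
            targets[host] += 1
            remotes[entry["remote"]] += 1
    return targets, remotes


if __name__ == "__main__":
    targets, remotes = proxy_probes(SAMPLE_ACCESS_LOG.splitlines())
    print("foreign targets:", dict(targets))
    print("logged remotes:", dict(remotes))
```

On this setup `remotes` will only ever contain 127.0.0.1; to attribute the requests you need the client address Varnish passes in X-Forwarded-For, either logged explicitly via `$http_x_forwarded_for` in the nginx log_format or restored with the realip module.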
I did not change the IP. It was really 127.0.0.1. I'm using Varnish though and the Nginx build is really basic. No --with-http_realip_module.
Code:
root@orion:~# nginx -V
nginx version: nginx/1.5.11
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --user=www-data --group=www-data --with-http_ssl_me --with-mail --add-module=/root/ngx_pagespeed-1.7.30.3-beta --add-module=/root/ngx_cache_purge-2.1
What I can say now is that it's been 2 days that senderbase reports 0 and that my New Relic server monitor clearly shows a more relaxed setup.