Postfix spam attack

Discussion in 'Server Operation' started by fernandoch, Oct 30, 2019.

  1. fernandoch

    fernandoch Member HowtoForge Supporter

    Hello,
    My Postfix is sending spam emails so I had to disable it.
    I run mailq and it keeps on filling with requests like this

    4B57E758C 516 Wed Oct 30 05:49:39 www-data
    [email protected]

    BF22C79AA 463 Wed Oct 30 05:53:25 www-data
    [email protected]

    89B1979D0 513 Wed Oct 30 05:53:50 www-data
    [email protected]

    E6FD979CB 497 Wed Oct 30 05:53:47 www-data
    [email protected]

    B3F456958 500 Wed Oct 30 05:47:13 www-data
    [email protected]

    2EF196A2F 472 Wed Oct 30 05:48:20 www-data
    [email protected]

    5E15C6995 457 Wed Oct 30 05:47:19 www-data
    [email protected]

    AFD4169F4 553 Wed Oct 30 05:48:00 www-data
    [email protected]

    633F67960 488 Wed Oct 30 05:52:23 www-data
    [email protected]

    -- 240 Kbytes in 500 Requests.

    How can I stop that?

    Thanks
     
  2. fernandoch

    fernandoch Member HowtoForge Supporter

    From postcat I see this

    root@ns3XX088:/var/log# postcat -vq 7116C69D5
    postcat: name_mask: all
    postcat: inet_addr_local: configured 2 IPv4 addresses
    postcat: inet_addr_local: configured 3 IPv6 addresses
    *** ENVELOPE RECORDS maildrop/7116C69D5 ***
    message_arrival_time: Wed Oct 30 06:56:32 2019
    named_attribute: rewrite_context=local
    sender_fullname: www-data
    sender: www-data
    *** MESSAGE CONTENTS maildrop/7116C69D5 ***
    regular_text: To: [email protected]
    regular_text: Subject: original proposal Soaring
    regular_text: X-PHP-Originating-Script: 33:rjmckmhym.php
    regular_text: From: Fem--a--le Vi--a--gr--a-- 100mg --a--gent Louis-Philippe <[email protected]>
    regular_text: Reply-To: <[email protected]>
    regular_text: X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    regular_text: MIME-Version: 1.0
    regular_text: Content-Type: text/plain; charset=Windows-1251
    regular_text: Content-Transfer-Encoding: 8bit
    regular_text:
    regular_text: http://hoque21products.com/Har.html
    regular_text: What up? Soaring Cloke
    *** HEADER EXTRACTED maildrop/7116C69D5 ***
    recipient: [email protected]
    *** MESSAGE FILE END maildrop/7116C69D5 ***

    What should I do?
    Thanks
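As an added example (not from the thread and not part of Postfix's own tooling), the Python below pulls out of plain `mailq` and `postcat -q` output the two facts the posts above turn on: which envelope sender is filling the queue, and which PHP script the queued message came from. The `X-PHP-Originating-Script` header is written by PHP when `mail.add_x_header` is On and carries `uid:script`, which is how a queued message is tied back to a file in a web root. Both sample outputs are constructed in the shape shown above; uid 33 is www-data on Debian/Ubuntu.

```python
import re
from collections import Counter

# Constructed sample in the shape `mailq` prints: queue id, size, arrival time
# and envelope sender on one line, the recipient indented on the next.
MAILQ_SAMPLE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4B57E758C      516 Wed Oct 30 05:49:39  www-data
                                         victim1@example.org

BF22C79AA!     463 Wed Oct 30 05:53:25  www-data
                                         victim2@example.org

0A1B2C3D4      812 Wed Oct 30 05:55:00  alice@example.com
(connect to mail.example.net[192.0.2.10]:25: Connection timed out)
                                         bob@example.net

-- 2 Kbytes in 3 Requests.
"""

# Constructed excerpt of `postcat -q <queue id>` output. PHP adds the
# X-PHP-Originating-Script header (uid:script) when mail.add_x_header is On.
POSTCAT_SAMPLE = """\
*** ENVELOPE RECORDS maildrop/4B57E758C ***
sender: www-data
*** MESSAGE CONTENTS maildrop/4B57E758C ***
regular_text: To: victim1@example.org
regular_text: Subject: original proposal
regular_text: X-PHP-Originating-Script: 33:rjmckmhym.php
regular_text: From: Someone <someone@example.com>
*** MESSAGE FILE END maildrop/4B57E758C ***
"""

# Queue line: id (optionally marked * active or ! held), size, arrival, sender.
QUEUE_LINE = re.compile(
    r"^(?P<qid>[0-9A-F]{6,})[*!]?\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)$"
)
ORIGINATING = re.compile(r"^regular_text: X-PHP-Originating-Script:\s*(\d+):(\S+)", re.M)


def parse_mailq(text):
    """Return [(queue_id, size, sender, recipient), ...] from mailq output."""
    lines = text.splitlines()
    entries = []
    for i, line in enumerate(lines):
        m = QUEUE_LINE.match(line.strip())
        if not m:
            continue
        j = i + 1
        # Skip deferral reasons, which Postfix prints in parentheses before the recipient.
        while j < len(lines) and lines[j].strip().startswith("("):
            j += 1
        recipient = lines[j].strip() if j < len(lines) else ""
        entries.append((m["qid"], int(m["size"]), m["sender"], recipient))
    return entries


def queued_by_sender(entries):
    """Count queued messages per envelope sender. A web-server account such as
    www-data at the top of this list means a script on the box is the source."""
    return Counter(sender for _, _, sender, _ in entries)


def originating_script(postcat_text):
    """Return (uid, script) from the X-PHP-Originating-Script header, or None."""
    m = ORIGINATING.search(postcat_text)
    return (int(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    queued = parse_mailq(MAILQ_SAMPLE)
    print(queued_by_sender(queued).most_common())
    print(originating_script(POSTCAT_SAMPLE))
```

Once the sending script is gone, the copies still in the queue can be discarded per id with `postsuper -d <queue id>` (or `postsuper -d ALL` when nothing legitimate is waiting). Setting `mail.log` in php.ini makes PHP record every `mail()` call together with the calling script, which gives the same attribution without having to open queue files.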
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks as if one of your websites got hacked. How is your server set up, is it an ISPConfig server? If it's not an ISPConfig server, in which folder are your websites stored?
     
  4. fernandoch

    fernandoch Member HowtoForge Supporter

    It is not an ISPConfig server, it is a regular LAMP on Ubuntu.
    This is the folder /var/www
     
  5. fernandoch

    fernandoch Member HowtoForge Supporter

    Oh, this might be it?

    root@ns3XX088:/var/www# find . -name rjmckmhym.php
    ./woXXX.com/public_html/rjmckmhym.php
    root@ns3XX088:/var/www
     
  6. fernandoch

    fernandoch Member HowtoForge Supporter

    I changed the domain for security reasons.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that seems to be the file that sends the emails. Remove it or move it to a safe place outside of the web root if you want to further investigate this. Take care that you install all available updates of the website CMS and plugins, if one is used for that site, to avoid it getting infected again. Then you should scan the website for malware to ensure that no other scripts have been placed in that site.
     
  8. fernandoch

    fernandoch Member HowtoForge Supporter

    Wow, this postcat command saved me, I thought there was a problem with Postfix.
    This does not look too good though:

    root@ns3XX088:/var/www/woXXX.com/public_html# ls -lrt
    total 640
    -rw-r--r-- 1 www-data www-data 743 Jan 1 1970 license.php.suspected
    -rw-r--r-- 1 www-data www-data 1985 Nov 29 2018 t4lbajzd.php
    -rw-r--r-- 1 www-data www-data 1865 Feb 5 2019 oym0lyrl.php
    -rw-r--r-- 1 www-data www-data 2000 Feb 12 2019 b6zj7g0y.php
    -rw-rwxr-- 1 www-data www-data 3068 Mar 4 2019 xmlrpc.php
    -rw-rwxr-- 1 www-data www-data 4764 Mar 4 2019 wp-trackback.php
    -rw-rwxr-- 1 www-data www-data 2898 Mar 4 2019 wp-config-sample.php
    -rw-rwxr-- 1 www-data www-data 31085 Mar 4 2019 wp-signup.php
    -rw-rwxr-- 1 www-data www-data 8403 Mar 4 2019 wp-mail.php
    -rw-rwxr-- 1 www-data www-data 2502 Mar 4 2019 wp-links-opml.php
    -rw-rwxr-- 1 www-data www-data 6919 Mar 4 2019 wp-activate.php
    -rw-rwxr-- 1 www-data www-data 3755 Mar 4 2019 wp-comments-post.php
    -rw-rwxr-- 1 www-data www-data 3847 Mar 4 2019 wp-cron.php
    -rw-rwxr-- 1 www-data www-data 369 Mar 4 2019 wp-blog-header.php
    -rw-r--r-- 1 www-data www-data 22311 Apr 3 2019 bestside.php.suspected
    -rw-r--r-- 1 www-data www-data 1940 Apr 3 2019 7gmwd1za.php
    -rw-rwxr-- 1 www-data www-data 19935 May 9 14:48 license.txt
    -rw-rwxr-- 1 www-data www-data 39551 Jun 19 00:36 wp-login.php
    -rw-r--r-- 1 www-data www-data 1915 Jun 20 03:24 kj8annwj.php
    -rw-r--r-- 1 www-data www-data 2045 Jul 9 05:22 q5pebw6t.php
    -rwxr-xr-x 1 www-data www-data 19147 Jul 12 23:02 wp-settings.php
    -rw-rwxr-- 1 www-data www-data 7447 Oct 15 08:14 readme.html
    -rw-rwxrw- 1 www-data www-data 3180 Oct 17 14:36 wp-config.php
    -rw-r--r-- 1 www-data www-data 24236 Oct 23 16:06 tbl_status.php
    -r--r--r-- 1 www-data www-data 29033 Oct 24 10:00 simple.php
    -rw-r--r-- 1 www-data www-data 507 Oct 24 14:53 seo_script.php.suspected
    drwxr-xr-x 3 www-data www-data 4096 Oct 25 14:59 ev581
    drwxrwxr-x 20 www-data www-data 12288 Oct 25 15:02 wp-includes
    drwxr-xr-x 3 www-data www-data 4096 Oct 25 15:27 sm3s
    drwxr-xr-x 3 www-data www-data 4096 Oct 25 16:31 9rtvrnp
    -rw-rwxr-- 1 www-data www-data 3742 Oct 25 17:30 wp-load.php
    drwxr-xr-x 3 www-data www-data 4096 Oct 25 17:51 09gc4el
    drwxr-xr-x 3 www-data www-data 4096 Oct 25 17:59 jco4fn
    -rwxr-xr-x 1 www-data www-data 1555 Oct 25 22:50 vsfmuk.php
    drwxr-xr-x 3 www-data www-data 4096 Oct 26 13:32 frrrq1b
    drwxr-xr-x 3 www-data www-data 4096 Oct 26 13:32 ycelkdx
    drwxr-xr-x 3 www-data www-data 4096 Oct 26 13:32 qi7ezhy
    drwxr-xr-x 3 www-data www-data 4096 Oct 26 13:32 9vc26
    drwxr-xr-x 3 www-data www-data 4096 Oct 26 13:32 0z29
    -rw-r--r-- 1 www-data www-data 13881 Oct 28 22:47 wp-main.php
    -rw-r--r-- 1 www-data www-data 46973 Oct 28 22:47 cy.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 wruqsprvf.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 wlvsydokw.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 weqbsbhei.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 vnybnjyhf.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 tlmruohrr.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 taoiakbuc.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 rwrqjumoq.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 rjmckmhym.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 plaofpjft.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 mrbxjwepd.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 mgnwjiptk.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 lxsfuseiv.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 keumlrmjs.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 ifhtffqji.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 hpienbfba.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 fvewjxwib.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 dcdolaxiq.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 belryjtra.php
    -rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 abgtcvnnk.php
    drwxrwxr-x 9 www-data www-data 4096 Oct 29 10:36 wp-admin
    -rw-r--r-- 1 www-data www-data 42239 Oct 30 04:10 index.php
    -rw-r--r-- 1 www-data www-data 19723 Oct 30 08:45 popn.php
    drwxr-xr-x 2 www-data www-data 77824 Oct 30 08:52 nobv
    drwxrwxrwx 12 www-data oleh 4096 Oct 30 09:13 wp-content
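The listing above contains several independent tells, and they can be checked mechanically. The Python below is an added example, not a tool from the thread: it parses `ls -l` lines and reports anything that is not part of a stock WordPress top level (themes and plugins live under wp-content/, so extra files in the root are not explained by a theme install), files a scanner has already renamed to `.suspected`, group- or world-writable entries, an index.php far larger than the stock one, and bursts of same-size files written in the same minute. The listing is a constructed subset of the one posted above; the allowlist is the file set of a stock WordPress root.

```python
import re
from collections import defaultdict

# Files and directories at the top level of a stock WordPress install.
WP_ROOT_FILES = {
    "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-config.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php",
    "wp-login.php", "wp-mail.php", "wp-settings.php", "wp-signup.php",
    "wp-trackback.php", "xmlrpc.php",
}
WP_ROOT_DIRS = {"wp-admin", "wp-content", "wp-includes"}

# One `ls -l` line: mode (plus optional ACL/SELinux marker), link count,
# owner, group, size, date ("Oct 29 08:59" or "Mar 4 2019"), name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[+.@]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<name>.+)$"
)

# Constructed subset of the listing posted above.
LISTING = """\
total 640
-rw-r--r-- 1 www-data www-data 743 Jan 1 1970 license.php.suspected
-rw-rwxr-- 1 www-data www-data 3068 Mar 4 2019 xmlrpc.php
-rw-rwxr-- 1 www-data www-data 39551 Jun 19 00:36 wp-login.php
-rw-rwxrw- 1 www-data www-data 3180 Oct 17 14:36 wp-config.php
drwxr-xr-x 3 www-data www-data 4096 Oct 25 14:59 ev581
-rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 wruqsprvf.php
-rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 rjmckmhym.php
-rw-r--r-- 1 www-data www-data 366 Oct 29 08:59 abgtcvnnk.php
drwxrwxr-x 9 www-data www-data 4096 Oct 29 10:36 wp-admin
-rw-r--r-- 1 www-data www-data 42239 Oct 30 04:10 index.php
drwxrwxrwx 12 www-data oleh 4096 Oct 30 09:13 wp-content
"""


def parse_ls(text):
    """Return one dict per line that looks like an `ls -l` entry."""
    matches = (LS_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage_listing(text, burst_min=3):
    """Map name -> list of reasons the entry deserves a look (unflagged names are absent)."""
    entries = parse_ls(text)
    findings = defaultdict(list)
    # Droppers tend to write many files of identical size in one go.
    bursts = defaultdict(list)
    for e in entries:
        bursts[(e["size"], e["date"])].append(e["name"])
    for e in entries:
        name, mode, size = e["name"], e["mode"], int(e["size"])
        is_dir = mode.startswith("d")
        if name.endswith(".suspected"):
            findings[name].append("renamed .suspected by an earlier malware scan")
        if is_dir and name not in WP_ROOT_DIRS:
            findings[name].append("directory that is not part of a WordPress root")
        if not is_dir and name.endswith(".php") and name not in WP_ROOT_FILES:
            findings[name].append("PHP file that is not part of a WordPress root")
        if name == "index.php" and size > 2048:
            findings[name].append("index.php is far larger than the stock file (a few hundred bytes)")
        # mode string: index 5 is the group write bit, index 8 the other write bit
        writable = [who for who, pos in (("group", 5), ("other", 8)) if mode[pos] == "w"]
        if writable:
            findings[name].append("writable by " + " and ".join(writable))
        group = bursts[(e["size"], e["date"])]
        if len(group) >= burst_min:
            findings[name].append(f"one of {len(group)} same-size files written at {e['date']}")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in triage_listing(LISTING).items():
        print(name, "->", "; ".join(reasons))
```

The allowlist only covers the web root; the same idea applied under wp-content/ needs the plugin and theme manifests as a baseline, and a clean copy of the same WordPress version (for example from a fresh download) is the reliable way to diff core files whose names are legitimate but whose contents may not be.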
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That's indeed the case. Update WordPress and its plugins, then clean up the site.
     
  10. fernandoch

    fernandoch Member HowtoForge Supporter

    The thing is, WordPress and everything is updated. This is a fresh new install of WP Residence, a real estate theme...
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Try installing a security addon like Wordfence. And you might find the attack point by comparing the access.log file of your web server with the exact timestamps when the files got created; look for POST requests.
     
  13. fernandoch

    fernandoch Member HowtoForge Supporter

    And I am now blacklisted in Gmail, Hotmail and many others...
    Is it best to get a new server?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The blacklisting will disappear a few days after your server has stopped sending spam. Of course you can try to get a new server, but in the worst case you get an IP from someone who spammed and this IP is blacklisted too. So better clean up your system, keep an eye on your mail queue the next few days to avoid it happening again, and the blacklisting will go away; you can also contact some blacklists and ask for a delisting when the system is clean again.
     
  15. fernandoch

    fernandoch Member HowtoForge Supporter

    ISPProtect only detects? How to clean the files?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

  17. fernandoch

    fernandoch Member HowtoForge Supporter

    Yes, but for example if wp-config.php has some code injected and it puts it in quarantine, then WordPress won't work...
    It can't remove the code?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Correct, automatic code removal is not possible as most code that is injected is highly customized, so there is no 'that snippet is always used so we can remove it safely', and as the tool does not have a clean backup copy of your file at hand to restore it, it can only tell you which files to check. And the quarantine function has some safety measures built in to quarantine only files that are hacked code and not just modified ones. But nonetheless, quarantining can always break a website and that's why it is not used by default. I just mentioned that option because you asked for code removal.
     
  19. fernandoch

    fernandoch Member HowtoForge Supporter

    Is there a way to know HOW I got hacked with that tool?
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    No, the tool detects the hacked files. To know how you got hacked, check your access log and look for uncommon POST requests that match the timestamps of the hacked files.
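The step suggested in posts 12 and 20, comparing the access log against the time the dropped files appeared and looking for POST requests, as an added example in Python (not from the thread). The log lines, addresses and plugin path are constructed; `ctimes_under()` is a hypothetical helper for collecting real timestamps from a web root and is not exercised by the sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access log lines (addresses from the documentation ranges,
# "example-plugin" is a placeholder, not a real plugin).
ACCESS_LOG = [
    '203.0.113.7 - - [29/Oct/2019:08:58:41 +0000] "GET /wp-login.php HTTP/1.1" 200 2131 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Oct/2019:08:58:55 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Oct/2019:08:59:30 +0000] "POST /rjmckmhym.php HTTP/1.1" 200 15 "-" "-"',
    '192.0.2.44 - - [29/Oct/2019:09:20:02 +0000] "GET /index.php HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [29/Oct/2019:09:21:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed creation time of the dropped script; in real use take it from ctimes_under().
FILE_TIMES = {"rjmckmhym.php": datetime(2019, 10, 29, 8, 59, 0, tzinfo=timezone.utc)}


def parse_access_log(lines):
    """Yield a dict per line in combined format; the timestamp becomes an aware datetime."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def ctimes_under(root, suffix=".php"):
    """Hypothetical helper: inode change time of every matching file under root.
    ctime is used rather than mtime because mtime is trivially reset with touch."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(suffix):
                path = os.path.join(dirpath, f)
                st = os.stat(path)
                out[os.path.relpath(path, root)] = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)
    return out


def posts_before_creation(log_lines, file_times, window=timedelta(minutes=2)):
    """For each file, the POST requests logged within `window` before (or a few
    seconds after) the file appeared: candidates for the request that wrote it."""
    requests = list(parse_access_log(log_lines))
    hits = {}
    for name, created in file_times.items():
        lo, hi = created - window, created + timedelta(seconds=5)
        hits[name] = [r for r in requests if r["method"] == "POST" and lo <= r["ts"] <= hi]
    return hits


def requests_to_file(log_lines, name):
    """Requests whose URI path ends in the dropped file's name: who used it, from where."""
    return [r for r in parse_access_log(log_lines)
            if r["uri"].split("?", 1)[0].rsplit("/", 1)[-1] == name]


if __name__ == "__main__":
    for name, reqs in posts_before_creation(ACCESS_LOG, FILE_TIMES).items():
        for r in reqs:
            print(f"{name}: written right after POST {r['uri']} from {r['ip']} at {r['ts']}")
    for r in requests_to_file(ACCESS_LOG, "rjmckmhym.php"):
        print(f"rjmckmhym.php used from {r['ip']} at {r['ts']} (UA {r['ua']!r})")
```

Compare log and file timestamps in the same zone (the helper converts ctime to UTC; adjust if the web server logs in local time), and widen the window when the server was busy. Separating the request that wrote the file from the later requests that called it matters because the first points at the vulnerable component to patch and the second at the source addresses to block.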
     
