Your problem is either phpmyadmin or wordpress according to your logs, and both software packages are neither part of ispconfig nor belong to it. So reinstalling ispconfig does not make much sense in my opinion, and it won't change anything regarding your problem. First you will have to find out which software is causing the problem, and my recommendation for that is to protect phpmyadmin with htaccess password protection and then enable your haproxy again to see if the problem is fixed. The installation directory of phpmyadmin differs for every Linux distribution; for Debian and Ubuntu it is e.g. /usr/share/phpmyadmin. Most likely a full reinstall is not necessary; your problem looks more like the typical spam bot. So before you try to wipe out the server, I would close the access to phpmyadmin and see if it's fixed then.
Well, now it's really weird! I reinstalled the machine... phpmyadmin, php, apache... and interspire and then... postfix. I changed inet_interfaces... and the postfix log starts sending mails again!!! WTF?
Try to locate the problem by blocking parts of the software. Start with phpmyadmin as I suggested. If that's not causing the problem, then try to block your website for a short time, e.g. with .htaccess, to see if sending stops then.
It might be that there were a lot of pending mails in the mailqueue so that postfix had to send them first so that sending has not stopped after you stopped apache even if the actual hole that the attackers used was closed. Please check mailqueue with:

postqueue -p

and eventually empty it with:

postsuper -d ALL

if it contained spammer messages and then check if sending still goes on / starts after you stopped httpd.
[root@master csf]# postqueue -p
Mail queue is empty

I've installed csf and a few IPs were blocked since yesterday! Now there are no e-mails going out... I've started Postfix!
Hi, OK, I'm back with some e-mails! How can I configure postfix to send e-mails from just some IPs? Thanks!
Hi, I'm thinking of changing port 25 to another one. Is there a way to change to another port and block 25? Thanks.
Hi, that's what I need, no connections to the server... because my own software can change the port. I'm going nuts with this, tons of logs, trying to connect to my servers. Freaking out!
If no one needs to connect to the mailserver from external IPs, then close port 25 in the firewall. If you want to change or add an additional listen port, then edit postfix master.cf
I've tried to add an additional port and block port 25 on my server... I can add, for example, port 27, but I can't connect to it... This problem is driving me mad!

"from=<[email protected]> to=<[email protected]> proto=SMTP helo=<213-224-29-62.iFiber.telenet-ops.be>
NOQUEUE: reject: RCPT from unknown[myIP]: 451 4.3.5 <unknown[myIP]>: Client host rejected: Server configuration error; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<static-200-105-212-110.acelerate.net> "
I installed a tool (tcpdump) and here is the log:

[root@master ~]# tcpdump -ne dst port 25 and 'tcp[13] & 2 == 2' and dst host MyIP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:25:43.931077 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 78: 121.175.145.168.dict-lookup > myIP.smtp: S 315188453:315188453(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:25:44.326206 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 219.238.181.117.35398 > myIP.smtp: S 2915140590:2915140590(0) win 5840 <mss 1448,sackOK,timestamp 992358201 0,nop,wscale 6>
17:25:45.055212 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 122.154.97.28.33438 > myIP.smtp: S 1599445130:1599445130(0) win 5840 <mss 1460,sackOK,timestamp 11662252 0,nop,wscale 5>
17:25:45.868748 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 190.85.37.92.39753 > myIP.smtp: S 1656762183:1656762183(0) win 5840 <mss 1460,sackOK,timestamp 2604329909 0,nop,wscale 7>
17:25:45.920087 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 187.35.85.107.54625 > myIP.smtp: S 1176030850:1176030850(0) win 5840 <mss 1460,sackOK,timestamp 284097485 0,nop,wscale 7>
17:25:46.342190 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 174.142.7.203.52911 > myIP.smtp: S 2198223489:2198223489(0) win 5840 <mss 1460,sackOK,timestamp 107704557 0,nop,wscale 2>
17:25:46.943041 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 81.89.109.53.50366 > myIP.smtp: S 350587823:350587823(0) win 5840 <mss 1460,sackOK,timestamp 2397487033 0,nop,wscale 4>
17:25:46.969541 00:04:80:e0:6b:00 > 00:25:90:0d:1e:68, ethertype IPv4 (0x0800), length 74: 203.110.203.71.35867 > myIP.smtp: S 3809754771:3809754771(0) win 8880 <mss 2960,sackOK,timestamp 3232387290 0,nop,wscale 0>

A lot of IPs connecting...
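An added example, not part of the thread: a small Python script that tallies SYN packets to port 25 per source address from tcpdump output like the capture above, to show whether the connection attempts come from a few repeat hosts or from many distinct ones. The sample lines are constructed (documentation-range addresses, with 192.0.2.10 standing in for the mail server), and the script also accepts the `Flags [S],` form that current tcpdump versions print, which goes beyond the old format shown in the post.

```python
import re
from collections import Counter

# Constructed sample in the format of the capture above (tcpdump -ne, SYN only).
# The last line is a SYN to another port and must be ignored.
SAMPLE = """\
17:25:43.931077 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 78: 198.51.100.7.dict-lookup > 192.0.2.10.smtp: S 315188453:315188453(0) win 65535 <mss 1460>
17:25:44.326206 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 203.0.113.20.35398 > 192.0.2.10.smtp: S 2915140590:2915140590(0) win 5840 <mss 1448>
17:25:45.055212 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 198.51.100.7.33438 > 192.0.2.10.smtp: S 1599445130:1599445130(0) win 5840 <mss 1460>
17:25:46.969541 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 203.0.113.99.35867 > 192.0.2.10.25: Flags [S], seq 3809754771, win 8880, length 0
17:25:47.100000 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 203.0.113.99.35868 > 192.0.2.10.http: S 1:1(0) win 8880
"""

# Timestamp, source IP with port (number or service name), destination port
# 25/smtp, then the SYN marker: "S " in old output, "Flags [S]," in current output.
SYN_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ (?:.*\s)?"
    r"(\d{1,3}(?:\.\d{1,3}){3})\.\S+ > "
    r"\d{1,3}(?:\.\d{1,3}){3}\.(?:smtp|25): (?:S |Flags \[S\],)"
)

def parse_syns(text):
    """Return (seconds_since_midnight, source_ip) for each SYN to port 25."""
    hits = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            h, mi, s, src = m.groups()
            hits.append((int(h) * 3600 + int(mi) * 60 + int(s), src))
    return hits

def summarize(text, repeat_threshold=2):
    """Count SYNs per source; list sources seen at least repeat_threshold times."""
    hits = parse_syns(text)
    per_source = Counter(src for _, src in hits)
    # Assumption: the capture does not cross midnight (timestamps carry no date).
    span = (hits[-1][0] - hits[0][0] + 1) if hits else 0
    return {
        "syns": len(hits),
        "sources": len(per_source),
        "repeaters": sorted(ip for ip, n in per_source.items() if n >= repeat_threshold),
        "syns_per_second": round(len(hits) / span, 2) if span > 0 else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it on a real capture, save the tcpdump output to a file and pass its contents to `summarize()`.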