Running an updated CentOS 6.9 with ISPConfig 3.0.5.4p8, Apache, Postfix setup (php 5.3.3).

# cat /etc/redhat-release
CentOS release 6.9 (Final)
# php -v
PHP 5.3.3 (cli) (built: Mar 22 2017 12:27:09)

There is only 1 site on this VPS (an updated WP with captcha on the Contact page). I'm having major spamming issues (outgoing).

1) I put the classic snippet in /etc/php.ini:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

Even if I run a small script to send an email, I don't see anything in /var/log/maillog? Also tried some sendmail-wrapper solutions with no success?

2) It might be more serious than I think... Would the VPS be compromised?

# netstat -anp | grep :25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 15096/master
tcp 0 0 167.114.35.58:25 200.66.43.190:36601 ESTABLISHED 18055/smtpd
tcp 0 0 :::25 :::* LISTEN 15096/master
tcp 0 1 ::1:45684 2001:558:fe21:2a::6:25 SYN_SENT 18114/smtp
tcp 0 1 ::1:54873 2607:f8b0:400d:c08::1a:25 SYN_SENT 18116/smtp
tcp 0 1 ::1:43693 2607:f8b0:400d:c08::1b:25 SYN_SENT 18072/smtp
tcp 0 1 ::1:43722 2607:f8b0:400d:c08::1b:25 SYN_SENT 18077/smtp

I'm not using IPv6; could I completely block IPv6?
Stopped postfix, restarted it, and:

# service postfix stop
Shutting down postfix: [ OK ]
[root@host ~]# netstat -anp | grep :25
[root@host ~]# service postfix start
Starting postfix: [ OK ]
[root@host ~]# netstat -anp | grep :25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 18341/master
tcp 0 0 :::25 :::* LISTEN 18341/master
[root@host ~]# netstat -anp | grep :25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 18341/master
tcp 0 0 167.114.35.58:36891 64.12.88.132:25 TIME_WAIT -
tcp 0 0 167.114.35.58:36879 64.12.88.132:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46091 152.163.0.67:25 TIME_WAIT -
tcp 0 0 167.114.35.58:41292 64.12.88.163:25 TIME_WAIT -
tcp 0 0 167.114.35.58:41279 64.12.88.163:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46077 152.163.0.67:25 TIME_WAIT -
tcp 0 0 167.114.35.58:36885 64.12.88.132:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46182 64.12.88.131:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46076 152.163.0.67:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46067 152.163.0.67:25 TIME_WAIT -
tcp 0 0 167.114.35.58:60903 152.163.0.99:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46064 152.163.0.67:25 TIME_WAIT -
tcp 0 0 167.114.35.58:50126 152.163.0.100:25 TIME_WAIT -
tcp 0 0 167.114.35.58:36888 64.12.88.132:25 TIME_WAIT -
tcp 0 0 167.114.35.58:36886 64.12.88.132:25 TIME_WAIT -
tcp 0 0 167.114.35.58:34920 64.12.91.195:25 TIME_WAIT -
tcp 0 0 167.114.35.58:41293 64.12.88.163:25 TIME_WAIT -
tcp 0 0 167.114.35.58:60922 152.163.0.99:25 TIME_WAIT -
tcp 0 0 167.114.35.58:50265 64.12.88.164:25 TIME_WAIT -
tcp 0 0 167.114.35.58:41304 64.12.88.163:25 TIME_WAIT -
tcp 0 0 167.114.35.58:34919 64.12.91.195:25 TIME_WAIT -
tcp 0 0 167.114.35.58:34921 64.12.91.195:25 TIME_WAIT -
tcp 0 0 167.114.35.58:50272 64.12.88.164:25 TIME_WAIT -
tcp 0 0 167.114.35.58:60905 152.163.0.99:25 TIME_WAIT -
tcp 0 0 167.114.35.58:46169 64.12.88.131:25 TIME_WAIT -
tcp 0 0 :::25 :::* LISTEN 18341/master

Then back to:

[root@host ~]# netstat -anp | grep :25
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 10798/smtpd
tcp 0 0 :::25 :::* LISTEN 10798/smtpd

I have many of these in /var/log/maillog:

Jul 26 23:00:06 host postfix/smtpd[18828]: warning: unknown[179.43.144.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 26 23:00:06 host postfix/smtpd[18828]: disconnect from unknown[179.43.144.37]

and...

Jul 26 23:00:55 host postfix/smtp[27521]: 4134BE6168: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=21467, delays=21466/0.07/0.65/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jul 26 23:00:55 host postfix/smtp[27542]: F06A4E6151: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=21512, delays=21511/0.1/0.66/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jul 26 23:00:55 host postfix/smtp[27559]: 2215EE6977: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=12962, delays=12961/0.12/0.64/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jul 26 23:00:55 host postfix/smtp[27554]: 7DDDFE612B: to=<[email protected]>, relay=mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25, delay=21579, delays=21578/0.13/0.65/0.09, dsn=4.7.0, status=deferred (host mx-eu.mail.am0.yahoodns.net[188.125.69.79] said: 421 4.7.0 [TSS04] Messages from 167.114.35.58 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))
Jul 26 23:00:55 host postfix/smtp[27563]: 1E775E1E70: host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP=167.114.35.58 - A problem occurred. (Ask your postmaster for help or to contact [email protected]-online.de to clarify.) (BL)
Jul 26 23:00:55 host postfix/smtp[27563]: 1E775E1E70: to=<[email protected]>, relay=mx03.t-online.de[194.25.134.73]:25, delay=88599, delays=88598/0.11/0.98/0, dsn=4.0.0, status=deferred (host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=167.114.35.58 - A problem occurred. (Ask your postmaster for help or to contact [email protected]-online.de to clarify.) (BL))
Jul 26 23:01:24 host postfix/smtp[27552]: connect to mailin-02.mx.aol.com[152.163.0.99]:25: Connection timed out
Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: host mailin-03.mx.aol.com[64.12.91.196] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:01:24 host postfix/smtp[27552]: C9BD3E435F: to=<[email protected]>, relay=mailin-01.mx.aol.com[64.12.88.131]:25, delay=237151, delays=237121/0.12/30/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58)

Something is clearly trying to exploit SMTP. IPs change... Doesn't seem like it's compromised.

Latest RKhunter:

System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 142
Suspect files: 0

Rootkit checks...
Rootkits checked : 477
Possible rootkits: 0

Applications checks...
All checks skipped

Help, what can I do next?
Thanks in advance,
JP
Jul 26 23:15:54 host postfix/smtp[11159]: CB3B0E6E49: host mailin-04.mx.aol.com[152.163.0.68] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11155]: F0DFEE337B: host mailin-03.mx.aol.com[64.12.88.164] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11165]: 6A9D0E338D: host mailin-03.mx.aol.com[64.12.88.164] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11161]: C57D1E338B: host mailin-03.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11164]: CD2B9E3353: host mailin-04.mx.aol.com[64.12.88.132] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11159]: CB3B0E6E49: host mailin-04.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11166]: A70FDE336E: host mailin-02.mx.aol.com[64.12.91.195] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11155]: F0DFEE337B: host mailin-04.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11165]: 6A9D0E338D: host mailin-04.mx.aol.com[152.163.0.67] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11161]: C57D1E338B: host mailin-04.mx.aol.com[64.12.88.132] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11159]: CB3B0E6E49: host mailin-02.mx.aol.com[152.163.0.68] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11166]: A70FDE336E: host mailin-01.mx.aol.com[152.163.0.99] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11164]: CD2B9E3353: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:54 host postfix/smtp[11155]: F0DFEE337B: host mailin-02.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11165]: 6A9D0E338D: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11161]: C57D1E338B: host mailin-04.mx.aol.com[152.163.0.100] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11159]: CB3B0E6E49: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11164]: CD2B9E3353: host mailin-03.mx.aol.com[64.12.88.164] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11155]: F0DFEE337B: host mailin-01.mx.aol.com[64.12.88.131] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11167]: certificate verification failed for mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Jul 26 23:15:55 host postfix/smtp[11168]: certificate verification failed for mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Jul 26 23:15:55 host postfix/smtp[11169]: certificate verification failed for mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Jul 26 23:15:55 host postfix/smtp[11159]: CB3B0E6E49: to=<[email protected]>, relay=mailin-01.mx.aol.com[152.163.0.99]:25, delay=2223, delays=2223/0.05/0.54/0, dsn=4.0.0, status=deferred (host mailin-01.mx.aol.com[152.163.0.99] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58)
Jul 26 23:15:55 host postfix/smtp[11161]: C57D1E338B: host mailin-02.mx.aol.com[64.12.91.195] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58
Jul 26 23:15:55 host postfix/smtp[11155]: F0DFEE337B: to=<[email protected]>, relay=mailin-03.mx.aol.com[152.163.0.67]:25, delay=118000, delays=118000/0.05/0.57/0, dsn=4.0.0, status=deferred (host mailin-03.mx.aol.com[152.163.0.67] refused to talk to me: 554- (RTR:BL) https://postmaster.aol.com/error-codes#554rtrbl 554 Connecting IP: 167.114.35.58)

MANY MORE...
Jul 26 23:17:29 host postfix/smtpd[11205]: connect from unknown[156.67.106.245]
Jul 26 23:17:31 host postfix/smtpd[11205]: warning: unknown[156.67.106.245]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 26 23:17:31 host postfix/smtpd[11205]: lost connection after AUTH from unknown[156.67.106.245]
Jul 26 23:17:31 host postfix/smtpd[11205]: disconnect from unknown[156.67.106.245]
That's probably just a bot that tries to guess a password, and not the spam source. Regarding your spam sending issue, check the spam mails in the queue; you should see in their headers how they got sent. Use the postqueue command to list the mails in the queue, then pick the ID of one of the spam messages and view its content with:

postcat -q ID

Replace ID with the ID of the spam mail. In the header, you should see if the mail has been sent by a PHP script or an authenticated user. The most common spam sources are hacked websites and email accounts where the spammer was able to get a password. That the server itself is hacked is uncommon for spam problems.
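The triage described in the reply above, as an added example (not code from the thread, from ISPConfig or from Postfix): it reads a `postcat -q ID` dump and decides whether the queued message was injected by a PHP script, by an authenticated SMTP user, or by a local process, and it counts the SASL login failures per client IP in a maillog so that the password-guessing bot can be told apart from the real spam source. The two header clues it relies on are assumptions about how the server is configured: `X-PHP-Originating-Script` is only present when php.ini has `mail.add_x_header = On`, and the `(Authenticated sender: ...)` clause in `Received:` is only present when Postfix has `smtpd_sasl_authenticated_header = yes`. The postcat dumps and the log lines below are constructed samples modeled on the thread, not real queue data.

```python
"""Classify the origin of queued spam from `postcat -q` output and count
SASL login failures per IP from maillog lines.

Added example, not part of the original thread or of ISPConfig/Postfix.
Assumed: php.ini mail.add_x_header=On (adds X-PHP-Originating-Script) and
Postfix smtpd_sasl_authenticated_header=yes (adds "Authenticated sender").
"""
import re
from collections import Counter
from email.parser import HeaderParser

# Matches the warning Postfix logs for a failed SASL login (any mechanism).
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed")


def extract_headers(postcat_output):
    """Return the message header block of a `postcat -q` dump as a Message.

    The header block starts after the '*** MESSAGE CONTENTS' marker and ends
    at the first empty line (the header/body separator)."""
    lines = postcat_output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines)
                     if l.startswith("*** MESSAGE CONTENTS"))
    except StopIteration:
        raise ValueError("no MESSAGE CONTENTS section in postcat output")
    block = []
    for line in lines[start + 1:]:
        if line.strip() == "" or line.startswith("*** "):
            break
        block.append(line)
    return HeaderParser().parsestr("\n".join(block) + "\n", headersonly=True)


def classify_origin(postcat_output):
    """Return ('php_script', path), ('sasl_user', login), ('local_uid', uid)
    or ('unknown', None) for one queued message."""
    hdrs = extract_headers(postcat_output)
    script = hdrs.get("X-PHP-Originating-Script")
    if script:
        # PHP writes "uid:script-path"; the path is what you go and inspect.
        return ("php_script", script.split(":", 1)[-1].strip())
    for received in hdrs.get_all("Received", []):
        received = " ".join(received.split())   # unfold continuation lines
        m = re.search(r"\(Authenticated sender: ([^)\s]+)\)", received)
        if m:
            return ("sasl_user", m.group(1))    # a mailbox password leaked
        m = re.search(r"\(Postfix, from userid (\d+)\)", received)
        if m:
            return ("local_uid", int(m.group(1)))  # sendmail(1) by this uid
    return ("unknown", None)


def sasl_failures_by_ip(log_lines):
    """Count 'SASL ... authentication failed' warnings per client IP."""
    counts = Counter()
    for line in log_lines:
        m = SASL_FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


# Constructed sample: a message injected by a PHP script (not real queue data).
SAMPLE_PHP = """\
*** ENVELOPE RECORDS deferred/4/4134BE6168 ***
sender: apache@host.example.com
*** MESSAGE CONTENTS deferred/4/4134BE6168 ***
Received: by host.example.com (Postfix, from userid 48)
\tid 4134BE6168; Wed, 26 Jul 2017 17:02:41 +0200 (CEST)
To: someone@example.net
Subject: hello
X-PHP-Originating-Script: 48:wp-content/uploads/2017/07/cache.php
From: Promo <promo@example.org>

body...
*** MESSAGE FILE END deferred/4/4134BE6168 ***
"""

# Constructed sample: a message sent through SMTP AUTH with a stolen password.
SAMPLE_SASL = """\
*** ENVELOPE RECORDS deferred/F/F06A4E6151 ***
sender: info@example.com
*** MESSAGE CONTENTS deferred/F/F06A4E6151 ***
Received: from [203.0.113.7] (unknown [203.0.113.7])
\t(Authenticated sender: info@example.com)
\tby host.example.com (Postfix) with ESMTPSA id F06A4E6151;
\tWed, 26 Jul 2017 17:02:41 +0200 (CEST)
From: info@example.com
To: someone@example.net
Subject: hello

body...
*** MESSAGE FILE END deferred/F/F06A4E6151 ***
"""

# Constructed log lines modeled on the ones posted in the thread.
SAMPLE_LOG = [
    "Jul 26 23:00:06 host postfix/smtpd[18828]: warning: unknown[179.43.144.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul 26 23:00:06 host postfix/smtpd[18828]: disconnect from unknown[179.43.144.37]",
    "Jul 26 23:17:31 host postfix/smtpd[11205]: warning: unknown[156.67.106.245]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul 26 23:18:02 host postfix/smtpd[11209]: warning: unknown[156.67.106.245]: SASL PLAIN authentication failed:",
]

if __name__ == "__main__":
    for name, dump in (("PHP sample", SAMPLE_PHP), ("SASL sample", SAMPLE_SASL)):
        print(name, "->", classify_origin(dump))
    print("SASL failures per IP:", dict(sasl_failures_by_ip(SAMPLE_LOG)))
```

In practice you would run `postqueue -p` to get the queue IDs, save `postcat -q ID` for a handful of the spam messages to files, and feed each file's contents to `classify_origin`; a `php_script` result points at the file to remove from the web root, a `sasl_user` result means that mailbox's password has to be changed, and a high count from `sasl_failures_by_ip` with no successful login is the brute-force noise the reply mentions, which is a case for fail2ban rather than for cleaning the site.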