Yesterday I received the following message:

Undelivered Mail Returned to Sender
This is the mail system at host srv.greekservers.com.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
<[email protected]>: host mx.xxx.gr[194.63.239.11] said: 554 5.7.1 Service unavailable; Client host [62.74.247.2] blocked using zen.spamhaus.org; https://www.spamhaus.org/sbl/query/SBLCSS / https://www.spamhaus.org/query/ip/62.74.247.2 (in reply to RCPT TO command)

All emails from my server were returned. My CPU load increased to 8% from 0-1%.
I changed the password but the problem still persists.
Here is the latest mail log:

Apr 25 18:45:01 srv dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=::1, lip=::1, secured, session=<00WfASv60wAAAAAAAAAAAAAAAAAAAAAB>
Apr 25 18:45:01 srv dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<pkWfASv6/gAAAAAAAAAAAAAAAAAAAAAB>
Apr 25 18:44:14 srv postfix/smtpd[25308]: disconnect from unknown[141.98.10.132]
Apr 25 18:44:14 srv postfix/smtpd[25308]: warning: unknown[141.98.10.132]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:44:12 srv postfix/smtpd[22387]: disconnect from unknown[141.98.11.84]
Apr 25 18:44:12 srv postfix/smtpd[22387]: warning: unknown[141.98.11.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:44:10 srv postfix/smtpd[25308]: connect from unknown[141.98.10.132]
Apr 25 18:44:09 srv postfix/smtpd[22387]: connect from unknown[141.98.11.84]
Apr 25 18:44:09 srv postfix/smtpd[22387]: warning: hostname icne-punitive.themedestiny.com does not resolve to address 141.98.11.84: Name or service not known
Apr 25 18:43:57 srv postfix/smtpd[22387]: disconnect from unknown[141.98.11.54]
Apr 25 18:43:57 srv postfix/smtpd[22387]: warning: unknown[141.98.11.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:43:54 srv postfix/smtpd[22387]: connect from unknown[141.98.11.54]
Apr 25 18:43:54 srv postfix/smtpd[22387]: warning: hostname secua.poppopprision.com does not resolve to address 141.98.11.54: Name or service not known
Apr 25 18:43:46 srv postfix/smtpd[22387]: disconnect from unknown[185.36.81.58]
Apr 25 18:43:46 srv postfix/smtpd[22387]: warning: unknown[185.36.81.58]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:43:43 srv postfix/smtpd[22387]: connect from unknown[185.36.81.58]
Apr 25 18:43:43 srv postfix/smtpd[22387]: warning: hostname surfacebetter.com does not resolve to address 185.36.81.58
Apr 25 18:43:25 srv postfix/smtpd[22387]: disconnect from unknown[141.98.10.112]
Apr 25 18:43:25 srv postfix/smtpd[22387]: warning: unknown[141.98.10.112]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:43:22 srv postfix/smtpd[22387]: connect from unknown[141.98.10.112]
Apr 25 18:43:22 srv postfix/smtpd[22387]: warning: hostname srv-141-98-10-112.serveroffer.net does not resolve to address 141.98.10.112: Name or service not known
Apr 25 18:42:19 srv postfix/smtpd[22387]: disconnect from unknown[45.125.65.37]
Apr 25 18:42:19 srv postfix/smtpd[22387]: warning: unknown[45.125.65.37]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:42:17 srv postfix/smtpd[22387]: connect from unknown[45.125.65.37]
Apr 25 18:41:37 srv postfix/smtpd[24274]: disconnect from unknown[193.56.29.192]
Apr 25 18:41:37 srv postfix/smtpd[24274]: warning: unknown[193.56.29.192]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:41:34 srv postfix/smtpd[24274]: connect from unknown[193.56.29.192]
Apr 25 18:41:32 srv postfix/smtpd[22387]: disconnect from unknown[141.98.10.72]
Apr 25 18:41:32 srv postfix/smtpd[22387]: warning: unknown[141.98.10.72]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:41:29 srv postfix/smtpd[22387]: connect from unknown[141.98.10.72]
Apr 25 18:41:02 srv postfix/smtpd[24274]: disconnect from unknown[91.224.92.110]
Apr 25 18:41:02 srv postfix/smtpd[24274]: warning: unknown[91.224.92.110]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:40:58 srv postfix/smtpd[24274]: connect from unknown[91.224.92.110]
Apr 25 18:40:58 srv postfix/smtpd[24274]: warning: hostname 110.getpocket.com does not resolve to address 91.224.92.110: Name or service not known
Apr 25 18:40:27 srv postfix/smtpd[22387]: disconnect from unknown[87.121.221.109]
Apr 25 18:40:27 srv postfix/smtpd[22387]: warning: unknown[87.121.221.109]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:40:25 srv postfix/smtpd[22387]: connect from unknown[87.121.221.109]
Apr 25 18:40:10 srv postfix/smtpd[24274]: disconnect from unknown[45.125.65.159]
Apr 25 18:40:10 srv postfix/smtpd[24274]: warning: unknown[45.125.65.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:40:07 srv postfix/smtpd[24274]: connect from unknown[45.125.65.159]
Apr 25 18:40:07 srv postfix/smtpd[24274]: warning: hostname srv-45-125-65-159.serveroffer.net does not resolve to address 45.125.65.159: Name or service not known
Apr 25 18:40:01 srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<02rC7yr6ZAAAAAAAAAAAAAAAAAAAAAAB>
Apr 25 18:40:01 srv dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<MWrC7yr6jwAAAAAAAAAAAAAAAAAAAAAB>
Apr 25 18:40:01 srv postfix/smtpd[22387]: disconnect from localhost[::1]
Apr 25 18:40:01 srv postfix/smtpd[22387]: lost connection after CONNECT from localhost[::1]
Apr 25 18:40:01 srv postfix/smtpd[22387]: connect from localhost[::1]
Apr 25 18:39:32 srv postfix/smtpd[24274]: disconnect from unknown[141.98.11.67]
Apr 25 18:39:32 srv postfix/smtpd[24274]: warning: unknown[141.98.11.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:39:29 srv postfix/anvil[14906]: statistics: max cache size 5 at Apr 25 18:37:16
Apr 25 18:39:29 srv postfix/anvil[14906]: statistics: max connection count 1 for (smtp:141.98.10.109) at Apr 25 18:29:31
Apr 25 18:39:29 srv postfix/anvil[14906]: statistics: max connection rate 1/60s for (smtp:141.98.10.109) at Apr 25 18:29:31
Apr 25 18:39:29 srv postfix/smtpd[24274]: connect from unknown[141.98.11.67]
Apr 25 18:39:29 srv postfix/smtpd[24274]: warning: hostname grieving.medyamol.com does not resolve to address 141.98.11.67
Apr 25 18:39:25 srv postfix/smtpd[22387]: disconnect from unknown[141.98.11.53]
Apr 25 18:39:25 srv postfix/smtpd[22387]: warning: unknown[141.98.11.53]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:39:22 srv postfix/smtpd[22387]: connect from unknown[141.98.11.53]
Apr 25 18:39:22 srv postfix/smtpd[22387]: warning: hostname good41-forme.themedestiny.com does not resolve to address 141.98.11.53: Name or service not known
Apr 25 18:39:17 srv dovecot: pop3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/26492, size=2616782872
Apr 25 18:38:56 srv postfix/smtpd[24274]: disconnect from unknown[141.98.11.65]
Apr 25 18:38:56 srv postfix/smtpd[24274]: warning: unknown[141.98.11.65]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:38:53 srv postfix/smtpd[24274]: connect from unknown[141.98.11.65]
Apr 25 18:38:53 srv postfix/smtpd[24274]: warning: hostname pirate-classify.themedestiny.com does not resolve to address 141.98.11.65: Name or service not known
Apr 25 18:38:41 srv postfix/smtpd[22387]: disconnect from unknown[87.121.221.77]
Apr 25 18:38:41 srv postfix/smtpd[22387]: warning: unknown[87.121.221.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:38:39 srv dovecot: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=62.38.23.15, lip=192.168.72.2, mpid=24568, session=<+Azj6ir6OwA+JhcP>
Apr 25 18:38:37 srv postfix/smtpd[22387]: connect from unknown[87.121.221.77]
Apr 25 18:37:53 srv postfix/smtpd[24274]: disconnect from unknown[141.98.11.29]
Apr 25 18:37:53 srv postfix/smtpd[24274]: warning: unknown[141.98.11.29]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:37:50 srv postfix/smtpd[24274]: connect from unknown[141.98.11.29]
Apr 25 18:37:50 srv postfix/smtpd[24274]: warning: hostname wftday.poppopprision.com does not resolve to address 141.98.11.29: Name or service not known
Apr 25 18:37:46 srv postfix/smtpd[22387]: disconnect from unknown[141.98.11.14]
Apr 25 18:37:46 srv postfix/smtpd[22387]: warning: unknown[141.98.11.14]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:37:43 srv postfix/smtpd[22387]: connect from unknown[141.98.11.14]
Apr 25 18:37:43 srv postfix/smtpd[22387]: warning: hostname poppopprision.com does not resolve to address 141.98.11.14: Name or service not known
Apr 25 18:37:19 srv postfix/smtpd[24274]: disconnect from unknown[87.121.221.190]
Apr 25 18:37:19 srv postfix/smtpd[24274]: warning: unknown[87.121.221.190]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:37:16 srv postfix/smtpd[24274]: connect from unknown[87.121.221.190]
Apr 25 18:36:43 srv postfix/smtpd[22387]: disconnect from unknown[141.98.10.131]
Apr 25 18:36:43 srv postfix/smtpd[22387]: warning: unknown[141.98.10.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:36:40 srv postfix/smtpd[22387]: connect from unknown[141.98.10.131]
Apr 25 18:36:39 srv postfix/smtpd[24274]: disconnect from unknown[141.98.11.86]
Apr 25 18:36:39 srv postfix/smtpd[24274]: warning: unknown[141.98.11.86]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:36:36 srv postfix/smtpd[24274]: connect from unknown[141.98.11.86]
Apr 25 18:36:36 srv postfix/smtpd[24274]: warning: hostname leunie.poppopprision.com does not resolve to address 141.98.11.86: Name or service not known
Apr 25 18:36:31 srv postfix/smtpd[22387]: disconnect from unknown[141.98.10.26]
Apr 25 18:36:31 srv postfix/smtpd[22387]: warning: unknown[141.98.10.26]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:36:30 srv postfix/smtpd[24274]: disconnect from unknown[141.98.11.111]
Apr 25 18:36:30 srv postfix/smtpd[24274]: warning: unknown[141.98.11.111]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:36:27 srv postfix/smtpd[22387]: connect from unknown[141.98.10.26]
Apr 25 18:36:26 srv postfix/smtpd[24274]: connect from unknown[141.98.11.111]
Apr 25 18:36:26 srv postfix/smtpd[24274]: warning: hostname piett.minchernes.com does not resolve to address 141.98.11.111
Apr 25 18:35:09 srv postfix/smtpd[22387]: disconnect from unknown[141.98.11.52]
Apr 25 18:35:09 srv postfix/smtpd[22387]: warning: unknown[141.98.11.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:35:06 srv postfix/smtpd[24274]: disconnect from localhost[::1]
Apr 25 18:35:06 srv postfix/smtpd[24274]: lost connection after CONNECT from localhost[::1]
Apr 25 18:35:06 srv postfix/smtpd[24274]: connect from localhost[::1]
Apr 25 18:35:06 srv postfix/smtpd[22387]: connect from unknown[141.98.11.52]
Apr 25 18:35:06 srv postfix/smtpd[22387]: warning: hostname livehh.poppopprision.com does not resolve to address 141.98.11.52: Name or service not known
Apr 25 18:35:06 srv dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<hlck3ir68gAAAAAAAAAAAAAAAAAAAAAB>
Apr 25 18:35:06 srv dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<FlUk3ir6HQAAAAAAAAAAAAAAAAAAAAAB>

and the top running processes:

CPU load averages: 0.62 (1 min), 0.89 (5 mins), 0.92 (15 mins)
CPU type: Common KVM processor (1999 MHz), 8 cores

ID Owner CPU Command
21404 web7 9.7 % /usr/bin/php-cgi -d open_basedir=/var/www/clients/client0/web7/web:/var/www/clie ...
22994 web7 9.4 % /usr/bin/php-cgi -d open_basedir=/var/www/clients/client0/web7/web:/var/www/clie ...
21588 web7 9.2 % /usr/bin/php-cgi -d open_basedir=/var/www/clients/client0/web7/web:/var/www/clie ...
24303 web7 6.4 % /usr/bin/php-cgi -d open_basedir=/var/www/clients/client0/web7/web:/var/www/clie ...

Please help me to find and fix the problem.
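The log above shows a pattern worth quantifying rather than eyeballing: many distinct source addresses, concentrated in a few /24 ranges, each making a single failed SASL LOGIN attempt, most of them with a PTR record that does not resolve back to the connecting address. The following Python script is an added example, not code from the thread, from Postfix or from ISPConfig. It parses lines in that mail.log format, counts failures per IP and per /24, decodes the base64 token at the end of the failure line (it is the server's own `Password:` prompt, the last SASL challenge sent, not a leaked credential), and builds the zen.spamhaus.org query name for the server address named in the bounce so the listing can be re-checked with any DNS tool. The sample log lines are constructed from the excerpt (the mailbox name is a placeholder), and the ZEN return-code table is taken from Spamhaus' published documentation.

```python
import base64
import re
from collections import Counter

# Constructed sample in the format of the mail.log excerpt quoted above
# (addresses and hostnames come from that excerpt; the mailbox is a placeholder).
SAMPLE_LOG = """\
Apr 25 18:44:14 srv postfix/smtpd[25308]: warning: unknown[141.98.10.132]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:44:12 srv postfix/smtpd[22387]: warning: unknown[141.98.11.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:44:09 srv postfix/smtpd[22387]: warning: hostname icne-punitive.themedestiny.com does not resolve to address 141.98.11.84: Name or service not known
Apr 25 18:43:57 srv postfix/smtpd[22387]: warning: unknown[141.98.11.54]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:43:54 srv postfix/smtpd[22387]: warning: hostname secua.poppopprision.com does not resolve to address 141.98.11.54: Name or service not known
Apr 25 18:39:32 srv postfix/smtpd[24274]: warning: unknown[141.98.11.67]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 25 18:38:39 srv dovecot: pop3-login: Login: user=<mailbox@example.invalid>, method=PLAIN, rip=62.38.23.15, lip=192.168.72.2, mpid=24568, session=<+Azj6ir6OwA+JhcP>
Apr 25 18:40:01 srv postfix/smtpd[22387]: connect from localhost[::1]
"""

# Postfix smtpd: "warning: <rdns>[<ip>]: SASL <mech> authentication failed: <base64>"
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<token>\S+)"
)
# Postfix smtpd: forward-confirmed reverse DNS check failed for the client.
NO_RDNS_RE = re.compile(
    r"warning: hostname (?P<name>\S+) does not resolve to address (?P<ip>\d+(?:\.\d+){3})"
)

# Spamhaus ZEN answer codes (per Spamhaus' documentation). The bounce in the
# post points at SBLCSS, which corresponds to 127.0.0.3.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}


def decode_sasl_token(token: str) -> str:
    """The trailing blob in the failure line is the last server challenge,
    base64 encoded; for SASL LOGIN that is the literal prompt 'Password:'."""
    return base64.b64decode(token).decode("ascii", errors="replace")


def summarize_sasl_failures(log_text: str) -> dict:
    """Count failed SASL logins per client IP and per /24, and collect the
    PTR names Postfix could not forward-confirm."""
    per_ip = Counter()
    per_subnet = Counter()
    fake_ptr = {}
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            ip = m.group("ip")
            per_ip[ip] += 1
            if ip.count(".") == 3:  # IPv4 only; aggregate by /24
                per_subnet[".".join(ip.split(".")[:3]) + ".0/24"] += 1
            continue
        m = NO_RDNS_RE.search(line)
        if m:
            fake_ptr[m.group("ip")] = m.group("name")
    return {"per_ip": per_ip, "per_subnet": per_subnet, "fake_ptr": fake_ptr}


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """DNSBL lookups query <reversed octets>.<zone>; an A answer means listed."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


def interpret_zen_answers(answers) -> list:
    """Map the A records returned by a ZEN lookup to the Spamhaus list names."""
    return sorted({ZEN_CODES.get(a, "unknown code " + a) for a in answers})


if __name__ == "__main__":
    report = summarize_sasl_failures(SAMPLE_LOG)
    print("failed SASL logins per /24:")
    for subnet, n in report["per_subnet"].most_common():
        print("  %-20s %d" % (subnet, n))
    print("non-resolving PTR names:", report["fake_ptr"])
    print("SASL token decodes to:", repr(decode_sasl_token("UGFzc3dvcmQ6")))
    print("DNSBL name for the bounced server IP:", dnsbl_query_name("62.74.247.2"))
```

Feed it the real file with `summarize_sasl_failures(open("/var/log/mail.log").read())`. The per-/24 view matters because each address in the excerpt makes one attempt and moves on, which stays under a per-IP fail2ban threshold; blocking or rate-limiting by network, and requiring TLS before AUTH, are the usual mitigations. Note that none of the failed logins in the log explains the blacklisting on its own; the listing is about mail that left the server, which is why the next replies look at the web7 site and the mail queue.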
well. looks like your server got itself blacklisted.. and if those cpu %ages are accurate.. likely web7 has been compromised. it may be sending out spam using its own mailer, bypassing any local postfix install.. i'd suggest disabling web7 in the ispconfig control panel.. and stopping any processes you still see running for it.. (also check there are no cron jobs for the account that may try to restart something..) check your mail queues.. probably not much there, but worth checking just in case.. then remove anything from the queue that's suspicious.. if anything, probably a load of queued mail from various random *@<domain>.<tld> for a single domain. then scan and clean up the infected site. once you're sure it's clean.. re-enable the site. keep an eye out for any new suspicious activity on the server.. and apply to get removed from the blacklists.
I disabled all websites, emails and the mailserver from the ispconfig panel.

root@srv:~# postqueue -p
Mail queue is empty

The problem remains.
Code:
root@srv:~# crontab -l -u web7
# 15 22 * * 5 /usr/bin/php -q /var/www/clients/client0/web7/web/cli/productimport.php --id=15 --debug=SO-CV60G-3 #aidonitsas offers
@weekly /usr/bin/php -q /var/www/clients/client0/web7/web/cli/productimport.php --id=5 #Moraitis CronJob
@weekly /usr/bin/php -q /var/www/clients/client0/web7/web/cli/productimport.php --id=11 #sunlight
15 8 * * 1 /usr/bin/php -q /var/www/clients/client0/web7/web/cli/productimport.php --id=15 #aidonitsas offers ends
@weekly /usr/bin/php -q /var/www/clients/client0/web7/web/cli/productimport.php --id=24 #ARlight
@weekly /usr/bin/php -q /var/www/clients/client0/web7/web/cli/productimport.php --id=19 #SpotLight
root@srv:~#

These are all for XML product imports.
which problem remains? that you're still on a blacklist and can't send emails? or one (or more) websites is still running with significantly higher than normal cpu usage? disabling a suspected infected website is only the start of the solution. you need to find and clean out the infection.. and then (and only once you're totally sure the server is clean) request removal from the 2 blacklists your server ip is on.
Hello again. There are only two sites on this server. I disabled both of them (site and mailboxes) and CPU went back to 0%. Today I enabled the site again and it is still at 0%, but I was unable to find the infection. The suspected site is an online shop running under Joomla. Any idea how to inspect it?
You can e.g. scan the whole /var/www directory with ISPProtect: https://ispprotect.com/ The first scan is free of charge.
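Before or alongside a full scanner, a first triage pass over the Joomla webroot narrows down where to look. The Python script below is an added example, not code from the thread, from ISPConfig or from ISPProtect. It walks a webroot and flags PHP files that sit in Joomla directories which should only hold data (images/, cache/, tmp/, logs/, media/), that were modified recently, or that contain the obfuscation constructs injected mailers and backdoors commonly lean on (eval, base64_decode, gzinflate, str_rot13 and friends). The webroot it builds for the demo is a constructed sample, not the poster's site, and the directory list and patterns are heuristics chosen here, not part of Joomla.

```python
import os
import re
import sys
import tempfile
import time
from dataclasses import dataclass

# Heuristics, not signatures: each hit is a reason to open the file, not proof.
SUSPICIOUS_CODE = re.compile(
    r"\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    r"\bassert\s*\(|create_function\s*\(|preg_replace\s*\([^,]*/e['\"]",
    re.IGNORECASE,
)
# Top-level Joomla directories that hold data, not code; PHP there is out of place.
DATA_DIRS = ("images", "cache", "tmp", "logs", "media")
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


@dataclass
class Finding:
    path: str       # relative to the webroot
    reasons: list   # human-readable reasons this file was flagged


def triage_webroot(root, since_seconds=7 * 24 * 3600, now=None):
    """Return Finding objects for PHP files under root that deserve a closer look."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        top = "" if rel_dir == "." else rel_dir.split(os.sep)[0]
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if top in DATA_DIRS:
                reasons.append("PHP file inside data directory '%s/'" % top)
            if now - os.stat(path).st_mtime < since_seconds:
                reasons.append("modified within the last %d hours" % (since_seconds // 3600))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256 * 1024).decode("utf-8", "replace")
            except OSError:
                continue
            hits = sorted({m.group(0).split("(")[0].strip().lower()
                           for m in SUSPICIOUS_CODE.finditer(head)})
            if hits:
                reasons.append("obfuscation constructs: " + ", ".join(hits))
            if reasons:
                findings.append(Finding(os.path.relpath(path, root), reasons))
    # Most reasons first: a fresh PHP file in images/ calling eval() tops the list.
    return sorted(findings, key=lambda f: (-len(f.reasons), f.path))


def build_sample_tree():
    """Constructed sample webroot for the demo (not the poster's site)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    old = time.time() - 400 * 24 * 3600  # backdated so it counts as untouched

    def write(rel, text, mtime=None):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)
        if mtime is not None:
            os.utime(p, (mtime, mtime))

    write("index.php", "<?php define('_JEXEC', 1); require __DIR__ . '/includes/app.php';\n", old)
    write("includes/app.php", "<?php echo 'hello';\n", old)
    write("images/banners/logo.png", "not really a png", old)
    # Fresh PHP file in a data directory, decoding and evaluating a string
    # (the payload here is just base64 of "echo 1;").
    write("images/banners/footer.php", "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    write("cache/page.php", "<?php echo str_rot13('uryyb');\n", old)
    return root


if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in triage_webroot(webroot):
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

Run it against the real site with `python3 triage.py /var/www/clients/client0/web7/web`. Treat every hit as a lead, not a verdict: legitimate extensions do call base64_decode, and whoever dropped a file can backdate its mtime, so on a live system also compare ctime (`stat -c %z`), which cannot be set from userland. The most reliable complement is a diff of the tree against a clean copy of the same Joomla release and extension versions, which turns "what looks odd" into "what should not be there at all".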
Certificate errors

Code:
root@srv:/# cd tmp
root@srv:/tmp# wget https://www.ispprotect.com/download/ispp_scan.tar.gz
--2023-04-28 19:04:22--  https://www.ispprotect.com/download/ispp_scan.tar.gz
Resolving www.ispprotect.com (www.ispprotect.com)... 78.46.59.59
Connecting to www.ispprotect.com (www.ispprotect.com)|78.46.59.59|:443... connected.
ERROR: The certificate of ‘www.ispprotect.com’ is not trusted.
ERROR: The certificate of ‘www.ispprotect.com’ has expired.
The SSL certificate from ISPProtect is fine, check it in your browser. The problem is on your server. You seem to have an outdated SSL certificate chain, see: https://forum.howtoforge.com/thread...-expiration-september-2021.87761/#post-427870