Attack my server GASTON DIABLO Team

  • Hello!


    I don't exactly what happened. My site attack "GASTON DIABLO" team. First I signal I got more "Paypal e-mail" with my domain name. After I try login my server that is very slow. I check my domain I see the attach picture.
    This site run Drupal 7 CMS.


    I would like to ask this attack concerned to IMSCP? Now server is very slow, I check root directory and I see there are all web site dircector in root.


    I check my server HTOP I don't find extreme loads, but Server is slow....


    What do you thinks about? What should be done?


    Kalmi

  • Your Drupal installation was probably outdatet. Recover a recent backup and change all your passwords (Drupal, SQL, ...) for that site.


    Did you regularly upgrade your system?

  • Hello,


    First upgrade my Debian 7.8 server and delete all domain directory (IMSCP delete customer), but my server is sending SPAM. I think hack my all Debian server and IMSCP and not only Drupal Site.
    If I stop postfix my server don't send more letter, but reboot server is restarted sending...

  • You removed your drupal installation and all the over customers ans the server is still sending spam?

  • Yes, my server is sending the SPAMs and very slow! Now I try update I-MSCP 1.2.2., but it very slow :(


    mail.log


    ---
    Apr 26 17:18:23 fqhn spamd[4413]: prefork: child states: IB
    Apr 26 17:18:23 fqhn postfix/cleanup[9932]: 672182C60C0: message-id=<[email protected]>
    Apr 26 17:18:23 fqhn postfix/bounce[9127]: EFDB52C5F35: sender non-delivery notification: 672182C60C0
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 672182C60C0: from=<>, size=27958, nrcpt=1 (queue active)
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: EFDB52C5F35: removed
    Apr 26 17:18:23 fqhn postfix/smtp[9405]: 672182C60C0: to=<[email protected]>, relay=none, delay=0.04, delays=0.04/ 0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=server.hu type=A: Host found but no data record of requested type)
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 672182C60C0: removed
    Apr 26 17:18:23 fqhn spamd[10090]: spamd: clean message (2.0/5.0) for [email protected]:112 in 0.3 seconds, 25654 bytes.
    Apr 26 17:18:23 fqhn spamd[10090]: spamd: result: . 1 - ALL_TRUSTED,DATE_IN_PAST_03_06,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,MIME_HTML_ONL Y,URIBL_PH_SURBL,URI_GOOGLE_PROXY scantime=0.3,size=25654,[email protected],uid=112,required_score=5.0,rhost=fqhn.matri xcbs-server.info.local,raddr=127.0.0.1,rport=39421,mid=<[email protected]>,autolearn=no
    Apr 26 17:18:23 fqhn spamd[4413]: prefork: child states: II
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 30EE42C6009: from=<[email protected]>, size=25497, nrcpt=1 (queue active)
    Apr 26 17:18:23 fqhn postfix/pickup[4555]: 9D5492C5BFE: uid=1017 from=<[email protected]>
    Apr 26 17:18:23 fqhn postfix/cleanup[9932]: 9D5492C5BFE: message-id=<[email protected].server.info>
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: connection from fqhn.server.info.local [127.0.0.1] at port 39422
    Apr 26 17:18:23 fqhn spamd[8519]: config: failed to parse line, skipping, in "(no file)": use_dcc 0
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: processing message <[email protected]> for aeruh_dimala [email protected]:112
    Apr 26 17:18:23 fqhn postfix/smtp[9328]: E41552C4969: to=<[email protected]>, relay=mx-apac.mail.gm0.yahoodns.net[106 .10.166.54]:25, delay=19443, delays=19440/0/3/0.2, dsn=4.7.0, status=deferred (host mx-apac.mail.gm0.yahoodns.net[106.10.166.54] sai d: 421 4.7.0 [TS01] Messages from 213.136.87.179 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yaho o.com/421-ts01.html (in reply to MAIL FROM command))
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: clean message (2.0/5.0) for [email protected]:112 in 0.3 seconds, 25652 bytes.
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: result: . 1 - ALL_TRUSTED,DATE_IN_PAST_03_06,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,MIME_HTML_ONLY ,URIBL_PH_SURBL,URI_GOOGLE_PROXY scantime=0.3,size=25652,[email protected],uid=112,required_score=5.0,rhost=fqhn.matrixc bs-server.info.local,raddr=127.0.0.1,rport=39422,mid=<[email protected]>,autolearn=no
    Apr 26 17:18:24 fqhn postfix/qmgr[4556]: 9D5492C5BFE: from=<[email protected]>, size=25496, nrcpt=1 (queue active)
    Apr 26 17:18:24 fqhn postfix/pickup[4555]: 000692C6000: uid=1017 from=<[email protected]>
    Apr 26 17:18:24 fqhn postfix/cleanup[9523]: 000692C6000: message-id=<[email protected]>
    Apr 26 17:18:24 fqhn spamd[10090]: spamd: connection from fqhn.server.info.local [127.0.0.1] at port 39423
    Apr 26 17:18:24 fqhn postfix/smtp[9504]: 9D5492C5BFE: to=<[email protected]>, relay=none, delay=19423, delays=19423/0/0/0, ds n=5.4.4, status=bounced (Host or domain name not found. Name service error for name=yahoo.au type=A: Host not found)
    Apr 26 17:18:24 fqhn postfix/cleanup[9932]: 032EC2C60EC: message-id=<[email protected]>
    Apr 26 17:18:24 fqhn spamd[10090]: config: failed to parse line, skipping, in "(no file)": use_dcc 0
    Apr 26 17:18:24 fqhn spamd[10090]: spamd: processing message <[email protected]> for [email protected]
    ---

  • So:
    1. You had a weak ssh-password
    2. Your system was out-of-date
    3. Your server was missconfigured
    4. They stole the passwords from your computer (local virus)


    I recommend to setup a fresh system..

  • 1. I don't know... I disabled root access my SSH.
    2. I updated regularly my server.
    3. Maybe... I have denyhost, fail2ban, Clamav and I configured my firewall.... (What should I do? What do you thing? Do you send a check list?)
    4. I didn't experience... I all use complicated password...


    I think, first attacked my Drupal site after attacked I-MSCP server/Debian server, because I deleted the site page and customer. Purge uninstall postfix and update IMSCP, but my server send the SPAM...

  • I don't think they "hacked" imscp itself. So then I think they got a password and than installed a script on your system. Purging postfix will not change anything, because the script is not included in postfix itself.
    For you it's easier to install a fresh system, because may you will not find every scripts or any backdoors (if exists).

  • You could check if all those mails were created by some PHP script. Maybe they just hacked the site and filled your postfix queue.


    Code
    1. postqueue -p
  • I don't think they "hacked" imscp itself. So then I think they got a password and than installed a script on your system. Purging postfix will not change anything, because the script is not included in postfix itself.
    For you it's easier to install a fresh system, because may you will not find every scripts or any backdoors (if exists).


    First I think, but I don't believe that had stolen my password from me.
    1. Only one website attacked, more site are correct, I didn't experienced change other sites.
    2. I think someone attacked for my server, because they placed the script through my site. This script continuously sends SPAM. I deleted this site, customer (I-MSCP) all data. Script is working!