Attack my server GASTON DIABLO Team

Hello!

I don't exactly what happened. My site attack "GASTON DIABLO" team. First I signal I got more "Paypal e-mail" with my domain name. After I try login my server that is very slow. I check my domain I see the attach picture.
This site run Drupal 7 CMS.

I would like to ask this attack concerned to IMSCP? Now server is very slow, I check root directory and I see there are all web site dircector in root.

I check my server HTOP I don't find extreme loads, but Server is slow....

What do you thinks about? What should be done?

Kalmi

Hello,

First upgrade my Debian 7.8 server and delete all domain directory (IMSCP delete customer), but my server is sending SPAM. I think hack my all Debian server and IMSCP and not only Drupal Site.
If I stop postfix my server don't send more letter, but reboot server is restarted sending...

Yes, my server is sending the SPAMs and very slow! Now I try update I-MSCP 1.2.2., but it very slow

mail.log

---
Apr 26 17:18:23 fqhn spamd[4413]: prefork: child states: IB
Apr 26 17:18:23 fqhn postfix/cleanup[9932]: 672182C60C0: message-id=<[email protected]>
Apr 26 17:18:23 fqhn postfix/bounce[9127]: EFDB52C5F35: sender non-delivery notification: 672182C60C0
Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 672182C60C0: from=<>, size=27958, nrcpt=1 (queue active)
Apr 26 17:18:23 fqhn postfix/qmgr[4556]: EFDB52C5F35: removed
Apr 26 17:18:23 fqhn postfix/smtp[9405]: 672182C60C0: to=<[email protected]>, relay=none, delay=0.04, delays=0.04/ 0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=server.hu type=A: Host found but no data record of requested type)
Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 672182C60C0: removed
Apr 26 17:18:23 fqhn spamd[10090]: spamd: clean message (2.0/5.0) for [email protected]:112 in 0.3 seconds, 25654 bytes.
Apr 26 17:18:23 fqhn spamd[10090]: spamd: result: . 1 - ALL_TRUSTED,DATE_IN_PAST_03_06,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,MIME_HTML_ONL Y,URIBL_PH_SURBL,URI_GOOGLE_PROXY scantime=0.3,size=25654,[email protected],uid=112,required_score=5.0,rhost=fqhn.matri xcbs-server.info.local,raddr=127.0.0.1,rport=39421,mid=<[email protected]>,autolearn=no
Apr 26 17:18:23 fqhn spamd[4413]: prefork: child states: II
Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 30EE42C6009: from=<[email protected]>, size=25497, nrcpt=1 (queue active)
Apr 26 17:18:23 fqhn postfix/pickup[4555]: 9D5492C5BFE: uid=1017 from=<[email protected]>
Apr 26 17:18:23 fqhn postfix/cleanup[9932]: 9D5492C5BFE: message-id=<[email protected]>
Apr 26 17:18:23 fqhn spamd[8519]: spamd: connection from fqhn.server.info.local [127.0.0.1] at port 39422
Apr 26 17:18:23 fqhn spamd[8519]: config: failed to parse line, skipping, in "(no file)": use_dcc 0
Apr 26 17:18:23 fqhn spamd[8519]: spamd: processing message <[email protected]> for aeruh_dimala [email protected]:112
Apr 26 17:18:23 fqhn postfix/smtp[9328]: E41552C4969: to=<[email protected]>, relay=mx-apac.mail.gm0.yahoodns.net[106 .10.166.54]:25, delay=19443, delays=19440/0/3/0.2, dsn=4.7.0, status=deferred (host mx-apac.mail.gm0.yahoodns.net[106.10.166.54] sai d: 421 4.7.0 [TS01] Messages from 213.136.87.179 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yaho o.com/421-ts01.html (in reply to MAIL FROM command))
Apr 26 17:18:23 fqhn spamd[8519]: spamd: clean message (2.0/5.0) for [email protected]:112 in 0.3 seconds, 25652 bytes.
Apr 26 17:18:23 fqhn spamd[8519]: spamd: result: . 1 - ALL_TRUSTED,DATE_IN_PAST_03_06,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,MIME_HTML_ONLY ,URIBL_PH_SURBL,URI_GOOGLE_PROXY scantime=0.3,size=25652,[email protected],uid=112,required_score=5.0,rhost=fqhn.matrixc bs-server.info.local,raddr=127.0.0.1,rport=39422,mid=<[email protected]>,autolearn=no
Apr 26 17:18:24 fqhn postfix/qmgr[4556]: 9D5492C5BFE: from=<[email protected]>, size=25496, nrcpt=1 (queue active)
Apr 26 17:18:24 fqhn postfix/pickup[4555]: 000692C6000: uid=1017 from=<[email protected]>
Apr 26 17:18:24 fqhn postfix/cleanup[9523]: 000692C6000: message-id=<[email protected]>
Apr 26 17:18:24 fqhn spamd[10090]: spamd: connection from fqhn.server.info.local [127.0.0.1] at port 39423
Apr 26 17:18:24 fqhn postfix/smtp[9504]: 9D5492C5BFE: to=<[email protected]>, relay=none, delay=19423, delays=19423/0/0/0, ds n=5.4.4, status=bounced (Host or domain name not found. Name service error for name=yahoo.au type=A: Host not found)
Apr 26 17:18:24 fqhn postfix/cleanup[9932]: 032EC2C60EC: message-id=<[email protected]>
Apr 26 17:18:24 fqhn spamd[10090]: config: failed to parse line, skipping, in "(no file)": use_dcc 0
Apr 26 17:18:24 fqhn spamd[10090]: spamd: processing message <[email protected]> for alvinaraza@
---

1. I don't know... I disabled root access my SSH.
2. I updated regularly my server.
3. Maybe... I have denyhost, fail2ban, Clamav and I configured my firewall.... (What should I do? What do you thing? Do you send a check list?)
4. I didn't experience... I all use complicated password...

I think, first attacked my Drupal site after attacked I-MSCP server/Debian server, because I deleted the site page and customer. Purge uninstall postfix and update IMSCP, but my server send the SPAM...

Quote from Ninos

I don't think they "hacked" imscp itself. So then I think they got a password and than installed a script on your system. Purging postfix will not change anything, because the script is not included in postfix itself.
For you it's easier to install a fresh system, because may you will not find every scripts or any backdoors (if exists).

First I think, but I don't believe that had stolen my password from me.
1. Only one website attacked, more site are correct, I didn't experienced change other sites.
2. I think someone attacked for my server, because they placed the script through my site. This script continuously sends SPAM. I deleted this site, customer (I-MSCP) all data. Script is working!