Attack my server GASTON DIABLO Team

    Hello!


    I don't exactly what happened. My site attack "GASTON DIABLO" team. First I signal I got more "Paypal e-mail" with my domain name. After I try login my server that is very slow. I check my domain I see the attach picture.
    This site run Drupal 7 CMS.


    I would like to ask this attack concerned to IMSCP? Now server is very slow, I check root directory and I see there are all web site dircector in root.


    I check my server HTOP I don't find extreme loads, but Server is slow....


    What do you thinks about? What should be done?


    Kalmi

    Your Drupal installation was probably outdatet. Recover a recent backup and change all your passwords (Drupal, SQL, ...) for that site.


    Did you regularly upgrade your system?

    Hello,


    First upgrade my Debian 7.8 server and delete all domain directory (IMSCP delete customer), but my server is sending SPAM. I think hack my all Debian server and IMSCP and not only Drupal Site.
    If I stop postfix my server don't send more letter, but reboot server is restarted sending...

    You removed your drupal installation and all the over customers ans the server is still sending spam?

    Yes, my server is sending the SPAMs and very slow! Now I try update I-MSCP 1.2.2., but it very slow :(


    mail.log


    ---
    Apr 26 17:18:23 fqhn spamd[4413]: prefork: child states: IB
    Apr 26 17:18:23 fqhn postfix/cleanup[9932]: 672182C60C0: message-id=<20150426151823.672182C60C0@fqhn.server.info>
    Apr 26 17:18:23 fqhn postfix/bounce[9127]: EFDB52C5F35: sender non-delivery notification: 672182C60C0
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 672182C60C0: from=<>, size=27958, nrcpt=1 (queue active)
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: EFDB52C5F35: removed
    Apr 26 17:18:23 fqhn postfix/smtp[9405]: 672182C60C0: to=<webmaster@server.hu>, relay=none, delay=0.04, delays=0.04/ 0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=server.hu type=A: Host found but no data record of requested type)
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 672182C60C0: removed
    Apr 26 17:18:23 fqhn spamd[10090]: spamd: clean message (2.0/5.0) for anandbhala007@yahoo.co.in:112 in 0.3 seconds, 25654 bytes.
    Apr 26 17:18:23 fqhn spamd[10090]: spamd: result: . 1 - ALL_TRUSTED,DATE_IN_PAST_03_06,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,MIME_HTML_ONL Y,URIBL_PH_SURBL,URI_GOOGLE_PROXY scantime=0.3,size=25654,user=anandbhala007@yahoo.co.in,uid=112,required_score=5.0,rhost=fqhn.matri xcbs-server.info.local,raddr=127.0.0.1,rport=39421,mid=<20150426151823.30EE42C6009@fqhn.server.info>,autolearn=no
    Apr 26 17:18:23 fqhn spamd[4413]: prefork: child states: II
    Apr 26 17:18:23 fqhn postfix/qmgr[4556]: 30EE42C6009: from=<webmaster@server.hu>, size=25497, nrcpt=1 (queue active)
    Apr 26 17:18:23 fqhn postfix/pickup[4555]: 9D5492C5BFE: uid=1017 from=<webmaster@server.hu>
    Apr 26 17:18:23 fqhn postfix/cleanup[9932]: 9D5492C5BFE: message-id=<20150426151823.9D5492C5BFE@fqhn.server.info>
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: connection from fqhn.server.info.local [127.0.0.1] at port 39422
    Apr 26 17:18:23 fqhn spamd[8519]: config: failed to parse line, skipping, in "(no file)": use_dcc 0
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: processing message <20150426151823.9D5492C5BFE@fqhn.server.info> for aeruh_dimala nta@yahoo.au:112
    Apr 26 17:18:23 fqhn postfix/smtp[9328]: E41552C4969: to=<ankit_cool_aquarious@yahoo.co.in>, relay=mx-apac.mail.gm0.yahoodns.net[106 .10.166.54]:25, delay=19443, delays=19440/0/3/0.2, dsn=4.7.0, status=deferred (host mx-apac.mail.gm0.yahoodns.net[106.10.166.54] sai d: 421 4.7.0 [TS01] Messages from 213.136.87.179 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yaho o.com/421-ts01.html (in reply to MAIL FROM command))
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: clean message (2.0/5.0) for aeruh_dimalanta@yahoo.au:112 in 0.3 seconds, 25652 bytes.
    Apr 26 17:18:23 fqhn spamd[8519]: spamd: result: . 1 - ALL_TRUSTED,DATE_IN_PAST_03_06,DKIM_ADSP_NXDOMAIN,HTML_MESSAGE,MIME_HTML_ONLY ,URIBL_PH_SURBL,URI_GOOGLE_PROXY scantime=0.3,size=25652,user=aeruh_dimalanta@yahoo.au,uid=112,required_score=5.0,rhost=fqhn.matrixc bs-server.info.local,raddr=127.0.0.1,rport=39422,mid=<20150426151823.9D5492C5BFE@fqhn.server.info>,autolearn=no
    Apr 26 17:18:24 fqhn postfix/qmgr[4556]: 9D5492C5BFE: from=<webmaster@server.hu>, size=25496, nrcpt=1 (queue active)
    Apr 26 17:18:24 fqhn postfix/pickup[4555]: 000692C6000: uid=1017 from=<webmaster@server.hu>
    Apr 26 17:18:24 fqhn postfix/cleanup[9523]: 000692C6000: message-id=<20150426151824.000692C6000@fqhn.server.info>
    Apr 26 17:18:24 fqhn spamd[10090]: spamd: connection from fqhn.server.info.local [127.0.0.1] at port 39423
    Apr 26 17:18:24 fqhn postfix/smtp[9504]: 9D5492C5BFE: to=<aeruh_dimalanta@yahoo.au>, relay=none, delay=19423, delays=19423/0/0/0, ds n=5.4.4, status=bounced (Host or domain name not found. Name service error for name=yahoo.au type=A: Host not found)
    Apr 26 17:18:24 fqhn postfix/cleanup[9932]: 032EC2C60EC: message-id=<20150426151824.032EC2C60EC@fqhn.server.info>
    Apr 26 17:18:24 fqhn spamd[10090]: config: failed to parse line, skipping, in "(no file)": use_dcc 0
    Apr 26 17:18:24 fqhn spamd[10090]: spamd: processing message <20150426151824.000692C6000@fqhn.server.info> for alvinaraza@
    ---

    So:
    1. You had a weak ssh-password
    2. Your system was out-of-date
    3. Your server was missconfigured
    4. They stole the passwords from your computer (local virus)


    I recommend to setup a fresh system..

    1. I don't know... I disabled root access my SSH.
    2. I updated regularly my server.
    3. Maybe... I have denyhost, fail2ban, Clamav and I configured my firewall.... (What should I do? What do you thing? Do you send a check list?)
    4. I didn't experience... I all use complicated password...


    I think, first attacked my Drupal site after attacked I-MSCP server/Debian server, because I deleted the site page and customer. Purge uninstall postfix and update IMSCP, but my server send the SPAM...

    I don't think they "hacked" imscp itself. So then I think they got a password and than installed a script on your system. Purging postfix will not change anything, because the script is not included in postfix itself.
    For you it's easier to install a fresh system, because may you will not find every scripts or any backdoors (if exists).

    You could check if all those mails were created by some PHP script. Maybe they just hacked the site and filled your postfix queue.


    Code
    1. postqueue -p
    Quote from Ninos

    I don't think they "hacked" imscp itself. So then I think they got a password and than installed a script on your system. Purging postfix will not change anything, because the script is not included in postfix itself.
    For you it's easier to install a fresh system, because may you will not find every scripts or any backdoors (if exists).


    First I think, but I don't believe that had stolen my password from me.
    1. Only one website attacked, more site are correct, I didn't experienced change other sites.
    2. I think someone attacked for my server, because they placed the script through my site. This script continuously sends SPAM. I deleted this site, customer (I-MSCP) all data. Script is working!