Posts by Koren

    Hi,


    I noticed some of my clients complained about websites that are not working properly after the recent upgrade to version 1.3.9 of I-MSCP.
    We have a number of sites that use mod_rewrite to modify URL patterns on their WordPress-based blogs. Some of them don't work anymore.


    If we rewrite URLs that end in .php, they don't work anymore and throw a 404 error:


    Example:

    Code
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Now we have the URL http://www.domain.tld//3-main-tipps.php which throws a 404 error. (Previously, using I-MSCP 1.3.0, that website was able to load correctly.)
    I assume it is because in the Apache configuration the .php extension is now rewritten to the fcgi handler and overrides the .htaccess of the customer.


    Is there a workaround for this?


    Best regards


    Koren
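The ordering problem Koren suspects, shown as an added illustration. This is not I-MSCP's generated vhost and not code from the thread; that I-MSCP 1.3.9 proxies `.php` with `ProxyPassMatch` is an assumption here, as are the document root, socket path and domain names. The point is where Apache decides to hand a request to PHP-FPM relative to when per-directory (.htaccess) RewriteRules run.

```apache
# Form A (assumed to match the upgraded vhost): ProxyPassMatch is a server-level
# URL-to-proxy mapping. It fires before per-directory .htaccess RewriteRules are
# evaluated, so a request for /3-main-tipps.php goes to PHP-FPM as-is. The file
# does not exist in the document root, FPM answers 404, and the customer's
# "RewriteRule . /index.php" is never consulted.
<VirtualHost *:80>
    ServerName www.domain.tld
    DocumentRoot /var/www/virtual/domain.tld/htdocs
    ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php5-fpm-domain.tld.sock|fcgi://localhost/var/www/virtual/domain.tld/htdocs/$1"
</VirtualHost>

# Form B: SetHandler inside FilesMatch (needs Apache 2.4.10 or newer). The handler
# is chosen only after URL mapping and mod_rewrite have finished, so the .htaccess
# in the document root can still turn /3-main-tipps.php into /index.php, and only
# the final, existing script is handed to PHP-FPM.
<VirtualHost *:80>
    ServerName www.domain.tld
    DocumentRoot /var/www/virtual/domain.tld/htdocs
    <Directory /var/www/virtual/domain.tld/htdocs>
        # FileInfo is what lets a customer .htaccess use RewriteRule at all
        AllowOverride FileInfo
        <FilesMatch "\.php$">
            SetHandler "proxy:unix:/var/run/php5-fpm-domain.tld.sock|fcgi://localhost/"
        </FilesMatch>
    </Directory>
</VirtualHost>
```

A quick check from a shell is enough to tell the two apart: request a non-existent `.php` path under a WordPress root and watch whether the 404 comes from Apache (Form A, request never rewritten) or whether the WordPress front controller answers (Form B, rewrite applied).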

    It looks to me like imscp-sw-mngr still calls the old setup_db_vars function in imscp_common_methods.pl, and there it tries to decrypt the database password using the old Blowfish encryption.
    I was able to finish the upgrade successfully by simply skipping the software-manager parts of the i-mscp setup, but I think there is actually a bug.


    Best regards


    Koren

    Hi!


    I tried the upgrade from 1.3.0 to 1.3.9 today and at the end it fails with the error:


    FATAL: Could not to load database parameters at /var/www/imscp/engine/imscp_common_code.pl line 66.


    I saw that it fails during the decryption of the MySQL database parameters. The imscp-db-keys file in /etc/imscp/ is there and has the current time.


    Full Error Message: [ERROR] main::setupDbTasks: FATAL: Could not to load database parameters at /var/www/imscp/engine/imscp_common_code.pl line 66.
    Compilation failed in require at /var/www/imscp/engine/imscp-sw-mngr line 27. at /usr/local/src/imscp-1.3.9/engine/PerlLib/iMSCP/DbTasksProcessor.pm line 330.


    Environment:


    - Debian 8.6
    - Apache 2.4 with php-fpm


    Latest I-MSCP (1.3.9.zip) downloaded today from the official repo.


    Can someone help here?

    Here's another e-mail header of an e-mail that is not a mailer-daemon one:


    Code
    ------------=_57CCA388.6BD51A33
    Content-Type: message/rfc822; x-spam-type=original
    Content-Description: original message before SpamAssassin
    Content-Disposition: attachment
    Content-Transfer-Encoding: 8bit

    X-Envelope-From: <[email protected]>
    X-Envelope-To: <[email protected]>
    Received: from srv08.[our-hostname].de (srv08.[our-hostname].de [our-ipv4-address])
        by srv08.[our-hostname].de(Postfix 2.11.3/8.13.0) with SMTP id unknown
        Mon, 05 Sep 2016 00:43:15 +0200
        (envelope-from <[email protected]>
    Received: from abbeyalimio by srv08.[our-hostname].de with local (Exim 4.22)
        id igx43g-tvBEtz-w1
        for [email protected]; Mon, 05 Sep 2016 10:02:37 +0200
    To: "isiah1216.lj" <[email protected]>
    Subject: A meeting with a married girl, 717-895-0158 how about that!
    Message-Id: <[email protected][our-hostname].de>
    From: "Bella Ramos" <[email protected]>
    Date: Mon, 05 Sep 2016 10:02:37 +0200
    Mime-Version: 1.0
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    *** HEADER EXTRACTED deferred/2/223E865D4F7 ***


    It says the e-mail came from some "exim" on the local machine. But there clearly is no exim installed and/or running. I also checked the machine: there are no exim files. So I guess that information is fake.
    Also, no suspicious processes are running. I can hardly find any viable information on this.


    mail.log lines of that e-mail:


    Code
    Sep 5 00:43:15 srv08 postfix/smtpd[994]: AF55765A6D8: client=srv08.[our-hostname].de[our-ipv4-address]
    Sep 5 00:43:15 srv08 postfix/cleanup[465]: AF55765A6D8: message-id=<[email protected][our-hostname].de>
    Sep 5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: from=<[email protected]>, size=5624, nrcpt=1 (queue active)
    Sep 5 00:43:21 srv08 postfix/smtp[1061]: AF55765A6D8: to=<[email protected]>, relay=none, delay=5.3, delays=5.3/0/0/0, dsn=5.4.6, status=bounced (mail for gmail.commail.com loops back to myself)
    Sep 5 00:43:21 srv08 postfix/bounce[1038]: AF55765A6D8: sender non-delivery notification: 223E865D4F7
    Sep 5 00:43:21 srv08 postfix/qmgr[17569]: AF55765A6D8: removed


    Anyone got an idea based on this?

    Hi,


    Understood. I'll try to provide you with all the information possible:


    System:
    - Debian GNU/Linux 8 (Jessie)
    - I-MSCP 1.3.0 (Stable) with PHP5-FPM, ProFTPD, Postfix, Dovecot
    - SpamAssassin Plugin Version 1.1.0 (From: 2016-06-25)


    The problem is that the server is sending lots and lots of e-mails that clearly are spam, and we cannot find any cause. There are multiple sites on that server using PHP and CGI applications.
    We log any mail that is sent through the PHP "mail()" mechanism, but these mails are not appearing there. All mails are seen as coming from the local machine.


    One example out of mailq (this one is the bounce):


    Code
    21A9865EDED 3191 Wed Sep 7 20:00:29 MAILER-DAEMON (connect to mx999.math.arizona.edu[128.196.224.2]:25: Connection timed out) [email protected]


    Log-Lines related to that E-Mail:


    Code
    Sep 7 20:00:27 srv08 postfix/smtpd[24039]: 62FAE65B268: client=srv08.[our-hostname].de[our-ipv4-addr]
    Sep 7 20:00:27 srv08 postfix/cleanup[23382]: 62FAE65B268: message-id=<[email protected][our-hostname].de>
    Sep 7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: from=<[email protected]>, size=990, nrcpt=1 (queue active)
    Sep 7 20:00:29 srv08 postfix/smtp[24620]: 62FAE65B268: to=<[email protected]>, relay=none, delay=1.6, delays=1.6/0/0/0, dsn=5.4.6, status=bounced (mail for hgf.fr loops back to myself)
    Sep 7 20:00:29 srv08 postfix/bounce[24621]: 62FAE65B268: sender non-delivery notification: 21A9865EDED
    Sep 7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: removed


    The recipient address and the target address do not belong to any of our domains/e-mail addresses. The mail headers of the e-mail don't contain any information. In the log files, we can only see that it is originating from the local machine and delivered to the Postfix daemon via SMTP. (Maybe with a CGI/PHP SMTP client?)


    Example Mail-Headers:


    Hi Everyone,


    We currently have a larger spam issue on one of our servers. I think that some customer-hosted CMS is compromised and is sending spam e-mails out.
    Unlike any other spam issue I've ever seen, this time it is NOT sent via PHP's mail() feature. (I log that and there's nothing there.)


    In the Postfix log, I can see the mails are delivered by the server's own IP address (and, of course, it is allowed, since the local IP is in mynetworks).
    The headers of the spam examples that got reported to me give absolutely no hint on the root cause (e.g. which customer etc.). Envelope data, From fields and recipients
    are all unknown (not from our customers) and seem to be fake.


    Does anyone have an idea on how to track this further? Could it be a PHP script delivering the mails via localhost:25 by having some SMTP client implemented in PHP? How would it
    be possible to monitor that?


    I would be very happy for any hint that could help me get more insight and solve that problem.


    Best regards


    C
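The three spam posts above (the forged "Exim" header, the mailq bounce entry, and the question of how to spot a script that talks SMTP to localhost:25) all come down to the same thing: the Postfix log records *how* each message entered the queue, and that is the field that separates a php mail() submission from a TCP connection out of the server's own IP. The script below is an added example, not Koren's code and not part of I-MSCP or Postfix. Its log lines are constructed to mirror the entries quoted in the thread (placeholder hostnames, IPs, queue IDs and addresses); the `own_ips` and `hosted_domains` sets it checks against are assumptions you would fill from `mynetworks` and the domains the panel serves.

```python
import re

# Constructed sample log, modelled on the postfix lines quoted in the thread.
# Hostnames, IPs, queue IDs and addresses are placeholders, not real data.
#   62FAE65B268: accepted over SMTP from the box's own IP, foreign sender, looped bounce
#   21A9865EDED: the resulting bounce (this is the ID that shows up in mailq)
#   7A1B265C001: went through pickup, i.e. sendmail(1)/php mail(), so it carries a uid
#   9C0DE65D111: ordinary inbound mail from a remote MTA
SAMPLE_LOG = """\
Sep  7 20:00:27 srv08 postfix/smtpd[24039]: 62FAE65B268: client=srv08.example.de[203.0.113.8]
Sep  7 20:00:27 srv08 postfix/cleanup[23382]: 62FAE65B268: message-id=<a1@srv08.example.de>
Sep  7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: from=<forged@hgf.fr>, size=990, nrcpt=1 (queue active)
Sep  7 20:00:29 srv08 postfix/smtp[24620]: 62FAE65B268: to=<victim@hgf.fr>, relay=none, delay=1.6, delays=1.6/0/0/0, dsn=5.4.6, status=bounced (mail for hgf.fr loops back to myself)
Sep  7 20:00:29 srv08 postfix/bounce[24621]: 62FAE65B268: sender non-delivery notification: 21A9865EDED
Sep  7 20:00:29 srv08 postfix/qmgr[19408]: 62FAE65B268: removed
Sep  7 20:00:29 srv08 postfix/cleanup[23382]: 21A9865EDED: message-id=<b2@srv08.example.de>
Sep  7 20:00:29 srv08 postfix/qmgr[19408]: 21A9865EDED: from=<>, size=3191, nrcpt=1 (queue active)
Sep  7 20:00:59 srv08 postfix/smtp[24625]: 21A9865EDED: to=<forged@hgf.fr>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.hgf.fr[192.0.2.25]:25: Connection timed out)
Sep  7 20:01:02 srv08 postfix/pickup[19407]: 7A1B265C001: uid=1003 from=<www-data>
Sep  7 20:01:02 srv08 postfix/qmgr[19408]: 7A1B265C001: from=<noreply@customer.example>, size=1200, nrcpt=1 (queue active)
Sep  7 20:01:03 srv08 postfix/smtp[24622]: 7A1B265C001: to=<user@mail.example>, relay=mail.example[198.51.100.5]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Sep  7 20:02:10 srv08 postfix/smtpd[24039]: 9C0DE65D111: client=mail.partner.example[198.51.100.9]
Sep  7 20:02:10 srv08 postfix/qmgr[19408]: 9C0DE65D111: from=<alice@partner.example>, size=3000, nrcpt=1 (queue active)
Sep  7 20:02:11 srv08 postfix/local[24700]: 9C0DE65D111: to=<bob@customer.example>, relay=local, delay=1, delays=0.5/0/0/0.5, dsn=2.0.0, status=sent (delivered to maildir)
"""

LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ '
                     r'postfix/(?P<prog>[a-z]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$')
CLIENT_RE = re.compile(r'client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]')
UID_RE = re.compile(r'uid=(?P<uid>\d+)')
FROM_RE = re.compile(r'from=<(?P<addr>[^>]*)>')
TO_RE = re.compile(r'to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+) \((?P<reason>.*)\)')
BOUNCE_RE = re.compile(r'sender non-delivery notification: (?P<bid>[0-9A-F]+)')


def parse_postfix_log(text):
    """Group per-message postfix lines by queue ID, keeping how each message
    entered the queue (smtpd client vs. pickup uid) and what became of it."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # daemon chatter without a queue ID
        prog, rest = m['prog'], m['rest']
        rec = records.setdefault(m['qid'], {
            'qid': m['qid'], 'first_seen': m['ts'], 'submitted_via': None,
            'client_host': None, 'client_ip': None, 'uid': None,
            'sender': None, 'recipients': [], 'bounce_id': None})
        if prog == 'smtpd':                # arrived over TCP; client= names the peer
            rec['submitted_via'] = 'smtpd'
            c = CLIENT_RE.search(rest)
            if c:
                rec['client_host'], rec['client_ip'] = c['host'], c['ip']
        elif prog == 'pickup':             # handed in via sendmail(1), e.g. php mail()
            rec['submitted_via'] = 'pickup'
            u = UID_RE.search(rest)
            if u:
                rec['uid'] = int(u['uid'])
        elif prog == 'qmgr':
            f = FROM_RE.search(rest)
            if f:
                rec['sender'] = f['addr']
        elif prog == 'bounce':
            b = BOUNCE_RE.search(rest)
            if b:
                rec['bounce_id'] = b['bid']
        else:                              # smtp/local/virtual/... delivery attempts
            t = TO_RE.search(rest)
            if t:
                rec['recipients'].append((t['addr'], t['status'], t['reason']))
    return records


def sender_domain(addr):
    return addr.rsplit('@', 1)[1].lower() if addr and '@' in addr else ''


def suspicious_submissions(records, own_ips, hosted_domains):
    """Messages Postfix accepted over SMTP from one of the server's own addresses
    (trusted by mynetworks, so no uid and no php mail() log entry) whose envelope
    sender is not in a domain hosted on the box."""
    hosted = {d.lower() for d in hosted_domains}
    return [r for r in records.values()
            if r['submitted_via'] == 'smtpd'
            and r['client_ip'] in own_ips
            and sender_domain(r['sender']) not in hosted]


def original_for_bounce(records, bounce_qid):
    """mailq shows the bounce's queue ID; map it back to the message that caused it."""
    for r in records.values():
        if r['bounce_id'] == bounce_qid:
            return r
    return None


def describe(rec):
    rcpts = '; '.join(f'{a} {s} ({why})' for a, s, why in rec['recipients'])
    tail = f", bounce {rec['bounce_id']}" if rec['bounce_id'] else ''
    return (f"{rec['qid']} {rec['first_seen']} via {rec['client_host']}[{rec['client_ip']}] "
            f"from <{rec['sender']}> -> {rcpts}{tail}")


if __name__ == '__main__':
    recs = parse_postfix_log(SAMPLE_LOG)
    for hit in suspicious_submissions(recs, {'203.0.113.8', '127.0.0.1'}, {'customer.example'}):
        print(describe(hit))
```

Run it over /var/log/mail.log with `own_ips` set to the addresses in `mynetworks` and `hosted_domains` to the domains the panel serves. Each hit's timestamp is the moment to line up against the web server's access logs or a `ss -tnp` snapshot of connections to port 25, because a message that came in over TCP from the box's own IP carries no uid, unlike a mail() submission that goes through pickup. The `original_for_bounce` lookup is what turns the MAILER-DAEMON entry seen in mailq back into the queue ID of the message that actually left the script.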