thanks BeNe for the process to check the correct owner.
I had a 9 customers (on 70) touched by a hack on a CMS I used in the past.
Thanks to my backups, it's all clean now.
Thanks again and sorry for the wrong forum...
Posts by Phinous
-
-
Here my /etc/postfix/main.cf : http://p.mufff.in/?f3692398a23…xzWb3Zehk1VJ60nYHCRLPDoY=
And my /etc/postfix/master.cf : http://p.mufff.in/?c65c71a398b…Rab07H4vgUMoDKYMrITFzeQI=
~# ps aux | grep nc
Code- root 60 0.0 0.0 0 0 ? S 13:06 0:00 [async/mgr]
- root 232 0.0 0.0 0 0 ? S 13:06 0:00 [sync_supers]
- www-data 16799 0.0 0.0 0 0 ? Z 15:27 0:00 [apache2] <defunct>
- postfix 17438 0.0 0.1 5528 1808 ? S 15:28 0:00 bounce -z -n defer -t unix -u -c
- postfix 17500 0.0 0.1 5528 1808 ? S 15:28 0:00 bounce -z -n defer -t unix -u -c
- postfix 18445 0.0 0.1 5528 1804 ? S 15:29 0:00 bounce -z -n defer -t unix -u -c
- postfix 18570 0.0 0.1 5528 1872 ? S 15:29 0:00 bounce -z -t unix -u -c
- postfix 18589 0.0 0.1 5528 1876 ? S 15:29 0:00 bounce -z -t unix -u -c
- postfix 18628 0.0 0.1 5528 1832 ? S 15:29 0:00 bounce -z -t unix -u -c
- root 18635 0.0 0.0 3036 792 pts/0 S+ 15:29 0:00 grep nc
-
Hi,
On one of my server, I have a spam problem.
Here the /var/log/mail.log file :Code- Aug 8 13:51:27 servername postfix/smtp[5004]: 5FAF9227B5: to=<muffwayne@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.67.27]:25, delay=1, delays=0.03/0.4/0.03/0.56, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.67.27] said: 550-5.7.1 [207.73.100.36 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. lk7si2833406wic.68 - gsmtp (in reply to end of DATA command))Aug 8 13:51:27 servername postfix/cleanup[4788]: 646E32278E: message-id=<20140808115127.646E32278E@servername.oneofmydomain.net>Aug 8 13:51:27 servername postfix/smtp[4974]: 62BCB227AA: to=<deanne_lyons@domaine2.org>, relay=spool.mail.gandi.net[217.70.184.6]:25, conn_use=3, delay=0.01, delays=0/0/0/0, dsn=5.7.1, status=bounced (host spool.mail.gandi.net[217.70.184.6] said: 550 5.7.1 <deanne_lyons@domaine2.org>: Recipient address rejected: bounce limit for domaine2.org (in reply to RCPT TO command))Aug 8 13:51:27 servername postfix/qmgr[27088]: 62BCB227AA: removedAug 8 13:51:27 servername postfix/bounce[4780]: 5FAF9227B5: sender non-delivery notification: 646E32278EAug 8 13:51:27 servername postfix/qmgr[27088]: 646E32278E: from=<>, size=3388, nrcpt=1 (queue active)Aug 8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: host mta7.am0.yahoodns.net[98.138.112.37] said: 421 4.7.0 [TS01] Messages from 207.73.100.36 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html (in reply to MAIL FROM command)Aug 8 13:51:27 servername postfix/smtp[5012]: 75DBE6FF17: lost connection with mta7.am0.yahoodns.net[98.138.112.37] while sending RCPT TOAug 8 13:51:27 servername postfix/qmgr[27088]: 5FAF9227B5: removedAug 8 13:51:27 servername postfix/smtp[5006]: 5DA85223A1: to=<ines_lucas@domaine1.fr>, relay=mx.mailbox.orange-business.com[194.2.0.80]:25, conn_use=5, delay=0.03, delays=0/0.02/0/0.01, dsn=5.1.1, status=bounced (host mx.mailbox.orange-business.com[194.2.0.80] said: 550 5.1.1 <ines_lucas@domaine1.fr>... User unknown (in reply to RCPT TO command))Aug 8 13:51:27 servername postfix/qmgr[27088]: 5DA85223A1: removedAug 8 13:51:27 servername postfix/smtp[4950]: 62118223B4: to=<ines_lucas@domaine1.fr>, relay=mx.mailbox.orange-business.com[194.2.0.80]:25, delay=0.04, delays=0.01/0.01/0.01/0.01, dsn=5.1.1, status=bounced (host mx.mailbox.orange-business.com[194.2.0.80] said: 550 5.1.1 <ines_lucas@domaine1.fr>... User unknown (in reply to RCPT TO command))
It's look like a robot is using my server as spam relay.
postqueue -p :
Code- 86D8332E9A 758 Fri Aug 8 13:14:46 lena_reed@domain1.com jesusalfonsocarrillosanchez@hotmail.com8EA93328B6 654 Fri Aug 8 13:13:44 tara_cooley@domain2.org kat_ontario@yahoo.ca2EF0827E40 703 Fri Aug 8 13:09:20 laurie_leblanc@domain3.fr 08034@dixonsca.com9223532276 630 Fri Aug 8 13:12:43 charity_mckee@domain1.fr b.botefuhr@hotmail.co.uk67D7832A31 561 Fri Aug 8 13:14:07 ruby_malone@domain1.fr jotay@aol.com7C66F3252E 655 Fri Aug 8 13:13:10 ella_gillespie@domain2.com ghillamaz@gmail.com
domain2.com exist on my server, but not the user ella_gillespie@domain2.com
ps aux | grep "postfix" :
Display MoreCode- root 4628 1.5 0.1 5492 1848 ? Ss 15:20 0:00 /usr/lib/postfix/master
- postfix 4633 0.5 0.1 5504 1820 ? S 15:20 0:00 pickup -l -t fifo -u -c
- postfix 4634 2.7 0.1 6032 2460 ? R 15:20 0:00 qmgr -l -t fifo -u
- postfix 4649 2.3 0.2 5980 2688 ? R 15:20 0:00 trivial-rewrite -n rewrite -t unix -u -c
- postfix 4652 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4655 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4656 0.0 0.2 6720 3248 ? S 15:20 0:00 smtpd -n smtp -t inet -u -c -o stress
- postfix 4657 0.0 0.1 5660 2080 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4662 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4663 0.0 0.1 5660 2084 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4667 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4670 0.0 0.1 5528 1808 ? R 15:20 0:00 bounce -z -n defer -t unix -u -c
- postfix 4671 0.0 0.1 5660 2056 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4672 0.0 0.1 5660 2092 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4675 0.0 0.1 5660 2020 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4676 0.3 0.1 5500 1844 ? S 15:20 0:00 scache -l -t unix -u -c
- postfix 4679 0.0 0.1 5660 2112 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4680 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4683 0.0 0.1 5660 2112 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4686 0.3 0.1 5660 2112 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4688 0.0 0.1 5660 2092 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4689 0.0 0.1 5660 2092 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4691 0.0 0.1 5660 2096 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4693 0.0 0.1 5660 2056 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4695 0.0 0.1 5660 2072 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4697 0.5 0.1 5528 1872 ? S 15:20 0:00 bounce -z -t unix -u -c
- postfix 4698 0.0 0.1 5660 2080 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4701 0.0 0.1 5660 2104 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4703 0.0 0.1 5660 2088 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4705 0.0 0.1 5660 2080 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4708 0.0 0.1 5660 2008 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4710 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4714 0.0 0.1 5660 2084 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4716 0.0 0.1 5660 2068 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4719 0.0 0.1 5660 2060 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4721 0.0 0.1 5660 2064 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4723 0.0 0.1 5660 2016 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4726 0.0 0.1 5660 2044 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4727 0.0 0.1 5660 2068 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4730 0.0 0.1 5660 2060 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4733 0.0 0.1 5660 2096 ? S 15:20 0:00 smtp -t unix -u -c
- postfix 4736 0.0 0.1 5528 1808 ? S 15:20 0:00 bounce -z -n defer -t unix -u -c
- postfix 4737 0.0 0.1 5528 1812 ? S 15:20 0:00 bounce -z -n defer -t unix -u -c
My server is a little bit older and it's running a legacy version of i-MSCP (ispCP 1.0.3 OMEGA build: 20091224 Codename: Priamos).
Please don't laught about it : it's not so easy to migrate this kind of server with lots of customers on it (I also looking for a way to do this easily
).
So maybe there is a security hole on it, but my question is how can I stop this spam attack.
And I came here to post my question because several member of the original ispCP team moved here and there is no chance to get answer over there
Thanks a lot for your help.