Vesta Control Panel - Forum

Spamware: how to cure it

Questions about the web server
Apache + Nginx, Nginx + PHP5-FPM
8 posts • Page 1 of 1
grusha
Posts: 24
Joined: Thu Feb 15, 2018 9:12 pm

Os: Ubuntu 15x
Web: apache + nginx
Spamware: how to cure it

Post by grusha » Tue Oct 16, 2018 12:52 pm

Recently my VestaCP server was hacked and a DoS attack was carried out from it; naturally the hoster disconnected me. I then restored an old backup, pulled all the domains out of it and reinstalled everything from scratch, starting with Ubuntu and then Vesta. I read that the hack could have been carried out via roundcubemail, so I updated that as well.
Everything worked like clockwork for a month, but the day before yesterday the sites stopped working. I tried to log in to the Vesta admin panel but got "502 bad gateway nginx"; then I fully rebooted the server, and after that, when trying to open the Vesta admin panel on the usual port 8083, I got the error "ERR_CONNECTION_REFUSED".
I have not changed anything on the server in the last 7 days.
I solved the problem with logging in to the Vesta admin panel, the solution is here >>> , but I do not understand how the port in the file /usr/local/vesta/nginx/conf/nginx.conf changed from 8083 to 8084.
Now when sending mail between my own domains everything is fine, but to any other domains I get this error:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

ххххх@iххххх.ru
host dc-89a4480ef0e4.iconnect.pt [94.46.14.225]
SMTP error from remote mail server after RCPT TO:<ххххх@iххххх.ru>:
550-"JunkMail rejected - euve260866.serverprofi24.net (62.75.138.153)
550 [62.75.138.153]:44138 is in an RBL: https://www.spamhaus.org/query/ip/62.75.138.153"
I follow the link https://www.spamhaus.org/query/ip/62.75.138.153 and there I read something along the lines of: your computer is infected and is most likely sending spam.
Full text:
RESULTS OF LOOKUP
62.75.138.153 is listed

This IP address was detected and listed 27 times in the past 28 days, and 1 times in the past 24 hours. The most recent detection was at Mon Oct 15 14:25:00 2018 UTC +/- 5 minutes

This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.

62.75.138.153 was using the following name to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands as "62.75.138.153".

This is USUALLY spamware, but in some rare circumstances, it can be a misconfiguration in your mail server. The CBL attempts to distinguish real mail server software from malware SMTP clients by expecting users to name their mail server[s] to indicate who _they_ are, not their provider, not the destination server, and be consistent with Internet protocol standards.

Use of a bare IP address in the HELO is a violation of RFC2821 section 4.1.1.1, which says that the HELO value MUST be either a fully qualified domain name (such as "mail01.example.com") or an IP address enclosed in square brackets (such as "[62.75.138.153]").

You will need to investigate and fix this.

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

If Microsoft Windows Defender is available to you, use it!

Is this IP address a NAT gateway/firewall/router? In other words, is this IP address shared with other computers? See NAT for further information about NATs and how to secure them.

If this IP address is shared with other computers, only the administrator of this IP address can prevent this happening again by following the instructions in NAT to secure the NAT against future infections. In this way, no matter how badly infected the network behind the NAT is, the network can't spam the Internet. The administrator can also refer to Advanced BOT detection for hints and tips on how to find the infected computer behind a NAT.

HOW IS THIS LISTING AFFECTING YOU?
The CBL is primarily intended to be used by mail servers to block inbound undesirable email containing spam or malware that was emitted by a computer virus or some other infection. CBL listings can affect users in a variety of ways beyond this. It is recommended that people unfamiliar with the CBL (or Spamhaus XBL) and/or are unsure of what is happening consult this link.

If this listing is of an unshared IP address, and the affected access is email, then, the computer corresponding to this IP address at time of detection (see above) is infected with a spambot, or, if it's a mail server, in some rare cases this can be a severe misconfiguration or bug.

The first step is to run at least one (preferably more) reputable anti-spam/spyware tools on your computer. If you're lucky, one of them will find and remove the infection.

If you are unable to find it using anti-virus tools, you may want to take a close look at the discussions of netstat or tcpview in the "Per-machine methods" section of Finding BOTs in a LAN.

If the above does not help, you may have to resort to taking your computer to a computer dealer/service company and have them clean it.

If all else fails, you may need to have your machine's software re-installed from scratch.

SELF REMOVAL:
Normally, you can remove the CBL listing yourself. If no removal link is given below, follow the instructions, and come back and do the lookup again, and the removal link will appear.
Can you advise what to do in this case?
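The CBL text quoted above spells out the RFC 2821 section 4.1.1.1 rule that caught this server: the HELO/EHLO argument must be a fully qualified domain name or an IP address in square brackets, never a bare IP. The following checker is an added example, not code from the thread or from VestaCP; it classifies a HELO value so an admin can confirm what their own server announces before asking for delisting (function and category names are my own).

```python
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_helo(helo: str) -> str:
    """Classify an SMTP HELO/EHLO argument per RFC 2821 section 4.1.1.1.

    Returns one of:
      "fqdn"            - a fully qualified domain name, e.g. "mail01.example.com"
      "address-literal" - an IP in square brackets, e.g. "[62.75.138.153]"
      "bare-ip"         - a bare IP address, the violation that triggered the CBL listing
      "invalid"         - anything else (empty, single label, malformed)
    """
    helo = helo.strip()
    if not helo:
        return "invalid"
    # Address literal: "[192.0.2.1]" or "[IPv6:2001:db8::1]"
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return "address-literal"
        except ValueError:
            return "invalid"
    # A bare address parses as an IP but has no brackets: non-compliant.
    try:
        ipaddress.ip_address(helo)
        return "bare-ip"
    except ValueError:
        pass
    labels = helo.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return "invalid"
    # An all-numeric top-level label is not a valid TLD (e.g. "10.0.0" would slip through).
    if labels[-1].isdigit():
        return "invalid"
    return "fqdn"


def helo_is_compliant(helo: str) -> bool:
    """True when the HELO value would satisfy the RFC 2821 rule the CBL enforces."""
    return classify_helo(helo) in ("fqdn", "address-literal")
```

To see the value a live server sends, connect to it on port 25 with a plain EHLO and compare the greeting it uses when it relays outbound mail; Vesta derives that name from the hostname configured in the panel.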

grusha
Posts: 24
Joined: Thu Feb 15, 2018 9:12 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Spamware: how to cure it

Post by grusha » Tue Oct 16, 2018 6:06 pm

I also just looked at the file, and there is a lot of this in it:
2018-10-16 01:25:43 dovecot_login authenticator failed for (User) [94.102.51.67]: 535 Incorrect authentication data (set_id=admin)
2018-10-16 01:28:17 dovecot_login authenticator failed for (User) [45.125.66.215]: 535 Incorrect authentication data (set_id=abc123)
2018-10-16 01:32:14 dovecot_login authenticator failed for (User) [45.125.66.152]: 535 Incorrect authentication data (set_id=root1234)
2018-10-16 01:32:16 dovecot_login authenticator failed for (User) [45.125.66.168]: 535 Incorrect authentication data (set_id=slayer)
2018-10-16 01:39:07 dovecot_login authenticator failed for (USER) [103.72.162.186]: 535 Incorrect authentication data (set_id=[email protected])
2018-10-16 01:41:13 dovecot_login authenticator failed for (User) [45.125.66.146]: 535 Incorrect authentication data (set_id=nat)
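The log lines above are exim recording failed dovecot SASL logins, one per connection. The script below is an added example (not from the thread or from VestaCP) that parses entries in exactly that format, counts failures per source address and lists the logins each source tried, which is the check an admin wants before deciding whether the traffic is a routine brute-force attempt or a sign that a real mailbox password has been guessed. The sample entries are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Matches the exim mainlog entries quoted above ("(User)" and "(USER)" both occur).
_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dovecot_login authenticator failed "
    r"for \((?:User|USER)\) \[(?P<ip>[^\]]+)\]: 535 Incorrect authentication data "
    r"\(set_id=(?P<user>[^)]*)\)"
)


def parse_auth_failures(lines):
    """Yield (timestamp, source_ip, attempted_login) for each failed-auth entry."""
    for line in lines:
        m = _FAIL.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("user")


def failures_by_ip(lines):
    """Aggregate failures per source IP: total count and the distinct logins tried."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for _, ip, user in parse_auth_failures(lines):
        stats[ip]["count"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failures, busiest first."""
    stats = failures_by_ip(lines)
    hits = [ip for ip, s in stats.items() if s["count"] >= threshold]
    return sorted(hits, key=lambda ip: (-stats[ip]["count"], ip))


# Constructed sample log (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
2018-10-16 01:25:43 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2018-10-16 01:25:49 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=root)
2018-10-16 01:26:02 dovecot_login authenticator failed for (USER) [203.0.113.9]: 535 Incorrect authentication data (set_id=info@example.com)
2018-10-16 01:26:15 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2018-10-16 01:26:40 <= user@example.com H=(mail.example.com) [192.0.2.44] P=esmtpsa S=1234
2018-10-16 01:27:03 dovecot_login authenticator failed for (User) [203.0.113.9]: 535 Incorrect authentication data (set_id=admin)
2018-10-16 01:27:30 dovecot_login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
""".splitlines()

if __name__ == "__main__":
    stats = failures_by_ip(SAMPLE_LOG)
    for ip in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {stats[ip]['count']} failures, logins tried: {sorted(stats[ip]['users'])}")
```

On a real Vesta host the input is /var/log/exim4/mainlog; a source that cycles through many different logins is the ordinary brute force described in the next reply, whereas repeated failures for one real mailbox followed by a success deserve a password reset.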

one
Posts: 392
Joined: Tue Sep 15, 2015 4:11 pm

Os: Debian 8x
Web: apache + nginx
Re: Spamware: how to cure it

Post by one » Sun Oct 21, 2018 3:07 pm

This exists, and even more of it, on any server. Ordinary brute force.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: Spamware: how to cure it

Post by imperio » Sun Oct 21, 2018 3:46 pm

First of all, update the panel to 0.9.8-23
viewtopic.php?f=25&p=73942#p73942
Check the server for a virus
viewtopic.php?f=10&t=17795
but I do not understand how the port in the file /usr/local/vesta/nginx/conf/nginx.conf changed from 8083 to 8084.
Only a person could have changed it. The panel did not and does not change the port; it runs on the standard 8083.

Alex Connor
Support team
Posts: 1047
Joined: Fri Mar 21, 2014 7:49 am

Os: CentOS 6x
Web: apache + nginx
Re: Spamware: how to cure it

Post by Alex Connor » Sun Oct 21, 2018 5:20 pm

imperio wrote: ↑
Sun Oct 21, 2018 3:46 pm
but I do not understand how the port in the file /usr/local/vesta/nginx/conf/nginx.conf changed from 8083 to 8084.
Only a person could have changed it. The panel did not and does not change the port; it runs on the standard 8083.
As an option, the hoster's initiative... I do not see any other possibility.

grusha
Posts: 24
Joined: Thu Feb 15, 2018 9:12 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Spamware: how to cure it

Post by grusha » Thu Oct 25, 2018 10:13 am

I solved the mail problem: it turned out that in the VestaCP panel itself I had to replace the IP address (example: 123.145.34.56) with the hostname (example: myvps.host.name) everywhere.
But how the port changed from 8083 to 8084... a mystery.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: Spamware: how to cure it

Post by imperio » Thu Oct 25, 2018 12:06 pm

But how the port changed from 8083 to 8084... a mystery.
Possibly the hoster.

grusha
Posts: 24
Joined: Thu Feb 15, 2018 9:12 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Spamware: how to cure it

Post by grusha » Wed Nov 07, 2018 5:57 pm

Possibly the hoster.
I think so.
