We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Exim Seems to be Hacked
Hi,
My Exim/Server seems to be hacked. My exim usage is showing up high in vesta graphs and in Vesta panel logs I saw this:
Please, can anybody tell me what the above log means? I have replaced my domain with domain.com.
Exim queue status
42m 3.2K 1fXqWc-00034q-2h <> *** frozen ***
[email protected]
12m 3.2K 1fXqzd-0005In-AM <> *** frozen ***
[email protected]
Re: Exim Seems to be Hacked
Most probably an infected website sends spam.
You can check files in /var/spool/exim4 and find the PHP script(s) generating the emails.
-
- Support team
- Posts: 1111
- Joined: Tue Jul 30, 2013 10:18 pm
- Contact:
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Exim Seems to be Hacked
I recommend using https://github.com/scr34m/php-malware-scanner to find infected scripts.
Re: Exim Seems to be Hacked
Also a good malware scanner: https://www.rfxn.com/projects/linux-malware-detect/
Re: Exim Seems to be Hacked
You can use AI-Bolit. Very intelligent software. It's free for non-commercial use.
https://revisium.com/aibo/
Re: Exim Seems to be Hacked
Maybe hacked, maybe not.
Look into the messages contents, probably inside /var/spool/exim/...
If there is spam, use the previous advice; at first disable all Joomla websites, it's the most vulnerable popular CMS.
Also there could be some system messages like
sudo: unable to resolve host %some_hostname%
or other error notifications routed to the system administrator email.
Re: Exim Seems to be Hacked
I have found that these are being sent by cron job for php session clean. Can anybody help me to stop this?
I have already set MAILTO="" in crontab. But still, this doesn't stop.
Mail Content:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
-
- Posts: 9
- Joined: Thu Jul 19, 2018 3:53 pm
- Os: Debian 7x
- Web: apache + nginx
Re: Exim Seems to be Hacked
On my server this was happening because VESTACP seems to send system emails via [email protected], and since there was no root mail account, the messages get frozen and build up for 7 days before they clear. All I did was create a root mail account and redirect all its mail to the admin user. I wasn't sure how else to handle it and I wanted the system messages that VESTACP sends out.
-
- Posts: 9
- Joined: Thu Jul 19, 2018 3:53 pm
- Os: Debian 7x
- Web: apache + nginx
Re: Exim Seems to be Hacked
Sorry, I should have added that another way around your problem is to make sure you have a root entry in /etc/aliases.
root : [email protected]
That is supposed to work but it didn’t for me. That’s why I created a root mail user account. I don’t like having a root mail user account so if anyone knows why the /etc/aliases didn’t work for me please let me know. Hope this helps.
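An added example, not code from the thread or from Vesta: it triages a queue listing in the `exim -bp` format shown in the first post, separating frozen messages with the empty envelope sender `<>` (bounces and local system mail such as cron output to root) from frozen messages carrying a real sender (worth inspecting as possible spam from a web script), and checks an `/etc/aliases` body for the root entry the last reply recommends. The queue and aliases data are constructed samples with placeholder addresses.

```shell
#!/bin/sh
# Constructed sample of `exim -bp` output (age, size, message id, sender,
# frozen flag, then indented recipients). Not a real queue.
SAMPLE_QUEUE='42m 3.2K 1fXqWc-00034q-2h <> *** frozen ***
          root@domain.com

12m 3.2K 1fXqzd-0005In-AM <> *** frozen ***
          root@domain.com

 5m 4.1K 1fXr0a-0001Ab-Cd <www-data@domain.com> *** frozen ***
          someone@example.net
'

# Read a queue listing on stdin and print one line per frozen message:
# "<class> <message-id> <sender>", where class is "system" for the null
# sender "<>" and "sender" for any other envelope sender.
classify_frozen() {
    awk '/\*\*\* frozen \*\*\*/ {
        id = $3; sender = $4
        cls = (sender == "<>") ? "system" : "sender"
        print cls, id, sender
    }'
}

# Frozen messages from the null sender: typically undeliverable system
# notifications (cron, sudo, bounces) addressed to a local user such as root.
count_null_sender_frozen() {
    printf '%s' "$SAMPLE_QUEUE" | classify_frozen | grep -c '^system '
}

# Frozen messages with a real sender: these deserve a look at the message
# body and the originating script before assuming they are harmless.
count_real_sender_frozen() {
    printf '%s' "$SAMPLE_QUEUE" | classify_frozen | grep -c '^sender '
}

# Succeed if the /etc/aliases body on stdin maps root to a non-empty target.
# Without such an entry, mail to root has nowhere to go and may freeze.
has_root_alias() {
    grep -Eq '^[[:space:]]*root[[:space:]]*:[[:space:]]*[^[:space:]]'
}

# Constructed aliases bodies for the check above.
ALIASES_WITH_ROOT='postmaster: root
root : admin@domain.com
'
ALIASES_WITHOUT_ROOT='postmaster: root
'
```

Run it against the real queue with `exim -bp | classify_frozen` and against `/etc/aliases` with `has_root_alias < /etc/aliases`.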