Exim Seems to be Hacked
Posted: Tue Jun 26, 2018 4:54 pm
by rmjserver
Hi,
My Exim/Server seems to be hacked. My exim usage is showing up high in vesta graphs and in Vesta panel logs I saw this:
I have replaced my domain with domain.com
Exim queue status
42m 3.2K 1fXqWc-00034q-2h <> *** frozen ***
[email protected]
12m 3.2K 1fXqzd-0005In-AM <> *** frozen ***
[email protected]
Please, can anybody tell me what the above log means.
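Added example, not from the original poster or from Vesta: a small Python parser for the queue listing format that `exim -bp` prints (age, size, message id, envelope sender in angle brackets, an optional `*** frozen ***` marker, then one recipient per following line). `<>` is the null envelope sender, which Exim uses for bounces and delivery notifications, and a frozen message is one Exim has stopped retrying. The sample queue below is constructed, with placeholder addresses, and includes one non-bounce message so the triage summary has something to separate.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout printed by `exim -bp`; the first two
# entries mirror the listing in the question (addresses are placeholders).
SAMPLE_QUEUE = """\
42m  3.2K 1fXqWc-00034q-2h <> *** frozen ***
          root@domain.example
12m  3.2K 1fXqzd-0005In-AM <> *** frozen ***
          root@domain.example
 3m   11K 1fXr1a-0006Qq-Lx <www-data@domain.example>
          victim1@example.net
          victim2@example.org
"""

# Header line: age, size, message id, <sender>, optional frozen marker.
HEADER_RE = re.compile(
    r"^\s*(?P<age>\d+[smhd])\s+(?P<size>\S+)\s+(?P<id>\S+)\s+"
    r"<(?P<sender>[^>]*)>(?P<frozen>\s+\*\*\* frozen \*\*\*)?\s*$"
)


@dataclass
class QueuedMessage:
    age: str
    size: str
    msg_id: str
    sender: str          # "" means the null sender <>, i.e. a bounce/notification
    frozen: bool
    recipients: list = field(default_factory=list)

    @property
    def is_bounce(self):
        return self.sender == ""


def parse_exim_queue(text):
    """Turn `exim -bp` output into QueuedMessage records.

    Lines matching HEADER_RE start a new message; any other non-empty line
    is a recipient of the most recent message (indentation is not relied on,
    because copy-pasted listings often lose it, as in the post above).
    """
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            messages.append(QueuedMessage(
                age=m["age"], size=m["size"], msg_id=m["id"],
                sender=m["sender"], frozen=bool(m["frozen"]),
            ))
        elif messages:
            messages[-1].recipients.append(line.strip())
    return messages


def summarize(messages):
    """Separate frozen bounces (undeliverable notifications, usually to a
    local user with no mailbox) from outbound mail with a real sender, which
    is what a compromised site sending spam would look like."""
    summary = {"frozen_bounces": 0, "outbound": 0, "recipients_by_sender": {}}
    for msg in messages:
        if msg.frozen and msg.is_bounce:
            summary["frozen_bounces"] += 1
        elif not msg.is_bounce:
            summary["outbound"] += 1
        key = msg.sender or "<>"
        summary["recipients_by_sender"].setdefault(key, set()).update(msg.recipients)
    return summary


if __name__ == "__main__":
    for m in parse_exim_queue(SAMPLE_QUEUE):
        kind = "bounce" if m.is_bounce else "outbound"
        state = "frozen" if m.frozen else "queued"
        print(f"{m.msg_id} {kind:8} {state:6} -> {', '.join(m.recipients)}")
    print(summarize(parse_exim_queue(SAMPLE_QUEUE)))
```

On a live box, feed it the real listing with `exim -bp | python3 queue_triage.py` (reading stdin instead of `SAMPLE_QUEUE`); a queue dominated by frozen `<>` messages to a local account points at undeliverable system mail, while many messages from one web-server user to outside recipients is the spam pattern the replies below describe.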
Re: Exim Seems to be Hacked
Posted: Tue Jun 26, 2018 8:52 pm
by alexcy
Most probably an infected website sends spam.
You can check files in /var/spool/exim4 and find the PHP script(s) generating the emails.
Re: Exim Seems to be Hacked
Posted: Wed Jun 27, 2018 7:47 am
by grayfolk
I recommend using
https://github.com/scr34m/php-malware-scanner to find infected scripts.
Re: Exim Seems to be Hacked
Posted: Wed Jun 27, 2018 7:53 am
by ScIT
Re: Exim Seems to be Hacked
Posted: Wed Jun 27, 2018 11:51 am
by ahouse
You can use AI-Bolit, very intelligent software. It's free for non-commercial use:
https://revisium.com/aibo/
Re: Exim Seems to be Hacked
Posted: Wed Jun 27, 2018 5:07 pm
by Messiah
Maybe hacked maybe not.
Look into the messages' contents, probably inside /var/spool/exim/...
If there is spam, use the previous advice; first disable all Joomla websites, it's the most vulnerable popular CMS.
Also there could be some system messages like
sudo: unable to resolve host %some_hostname%
or other error notifications routed to the system administrator email.
Re: Exim Seems to be Hacked
Posted: Sat Jul 21, 2018 12:50 pm
by rmjserver
I have found that these are being sent by cron job for php session clean. Can anybody help me to stop this?
I have already set MAILTO="' in crontab. But still, this doesn't stop.
Mail Content:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
Re: Exim Seems to be Hacked
Posted: Fri Aug 17, 2018 2:23 am
by baxterdmutt
On my server this was happening because VESTACP seems to send system emails via
[email protected], and since there was no root mail account, the messages get frozen and build up for 7 days before they clear. All I did was create a root mail account and redirected all its mail to the admin user. I wasn't sure how else to handle it and I wanted the system messages that VESTACP sends out.
Re: Exim Seems to be Hacked
Posted: Fri Aug 17, 2018 4:52 am
by baxterdmutt
Sorry, I should have added that another way around your problem is to make sure you have a root entry in /etc/aliases.
root: [email protected]
That is supposed to work but it didn’t for me. That’s why I created a root mail user account. I don’t like having a root mail user account so if anyone knows why the /etc/aliases didn’t work for me please let me know. Hope this helps.
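Added example, not from the poster above: a Python check for the /etc/aliases approach, since an entry that "didn't work" is often a chain that ends at another local name with no mailbox, a loop, or a typo in the entry. The parser handles the standard `name: target, target` syntax with comments; the sample file content is constructed with placeholder addresses. Whether your Exim actually consults /etc/aliases depends on its router configuration (the stock Debian exim4 configuration reads it directly with a linear lookup, so no `newaliases` run is needed there); this script only inspects the file, not the Exim config.

```python
# Constructed /etc/aliases content; addresses are placeholders.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present
mailer-daemon: postmaster
postmaster: root
# Person who should get root's mail
root: admin
admin: admin@domain.example
"""


def parse_aliases(text):
    """Parse aliases(5) syntax into {name: [targets]}; comments and blank
    lines are skipped, names are case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, targets = line.split(":", 1)
        table[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table


def resolve(table, name, path=()):
    """Follow alias chains until a target is not itself an alias.

    `path` records the names already on this chain so a loop such as
    root -> admin -> root is reported instead of recursing forever; sharing
    a target between two branches is not treated as a loop.
    """
    key = name.lower()
    if key in path:
        raise ValueError("alias loop: " + " -> ".join(path + (key,)))
    if key not in table:
        return [name]            # a real mailbox or an external address
    out = []
    for target in table[key]:
        out.extend(resolve(table, target, path + (key,)))
    return out


def root_mail_check(text):
    """Report where root's mail ends up and whether any final target looks
    like a deliverable address (contains '@') rather than a bare local name
    that may have no mailbox behind it."""
    table = parse_aliases(text)
    if "root" not in table:
        return {"ok": False, "reason": "no root entry", "targets": []}
    try:
        final = resolve(table, "root")
    except ValueError as err:
        return {"ok": False, "reason": str(err), "targets": []}
    deliverable = [t for t in final if "@" in t]
    return {
        "ok": bool(deliverable),
        "reason": "" if deliverable else "root resolves only to local names",
        "targets": final,
    }


if __name__ == "__main__":
    print(root_mail_check(SAMPLE_ALIASES))
    with open("/etc/aliases") as fh:    # run on the real file when available
        print(root_mail_check(fh.read()))
```

If the check reports `ok` but mail to root is still frozen, the aliases file is not the problem and the Exim router configuration (or a file permission Exim cannot read) is the next thing to look at.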