Exim Seems to be Hacked

Posted: Tue Jun 26, 2018 4:54 pm
by rmjserver
Hi,
My Exim/server seems to be hacked. My Exim usage is showing up high in the Vesta graphs, and in the Vesta panel logs I saw this:
I have replaced my domain with domain.com.
Exim queue status

42m 3.2K 1fXqWc-00034q-2h <> *** frozen ***
root@domain.com

12m 3.2K 1fXqzd-0005In-AM <> *** frozen ***
root@domain.com
Please, can anybody tell me what the above log means?

Re: Exim Seems to be Hacked

Posted: Tue Jun 26, 2018 8:52 pm
by alexcy
Most probably an infected website sends spam.

You can check files in /var/spool/exim4 and find the PHP script(s) generating the emails.

Re: Exim Seems to be Hacked

Posted: Wed Jun 27, 2018 7:47 am
by grayfolk
I recommend using https://github.com/scr34m/php-malware-scanner to find infected scripts.

Re: Exim Seems to be Hacked

Posted: Wed Jun 27, 2018 7:53 am
by ScIT

Re: Exim Seems to be Hacked

Posted: Wed Jun 27, 2018 11:51 am
by ahouse
You can use AI-Bolit, very intelligent software. It's free for non-commercial use.

https://revisium.com/aibo/

Re: Exim Seems to be Hacked

Posted: Wed Jun 27, 2018 5:07 pm
by Messiah
Maybe hacked, maybe not.
Look into the message contents, probably inside /var/spool/exim/...
If there is spam, use the previous advice; at first, disable all Joomla websites, it's the most vulnerable popular CMS.

Also there could be some system messages like
sudo: unable to resolve host %some_hostname%
or other error notifications routed to the system administrator email.
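The two replies above (check the spool for the script that generates the mail, and read the message contents to decide between spam and system notifications) come down to one triage step: classify what is in the queue before touching anything. The POSIX shell helpers below are an added example, not code from the thread or from VestaCP. They parse `exim -bp` output, so they run offline against a constructed listing; that listing reuses the format of the two frozen entries in the original post and adds one made-up outbound message, whose `www-data` sender, recipients and message ID are assumptions. `inspect_message` wraps real Exim options and only works on a host with exim installed.

```shell
#!/bin/sh
# Triage helpers for an Exim queue. The parsers read `exim -bp` output on stdin,
# so they run offline against the constructed sample below; on a server use
#   exim -bp | frozen_bounce_count
#   exim -bp | suspicious_senders

# Constructed sample in `exim -bp` format: the thread's two frozen bounces
# (null sender "<>", recipient root@domain.com) plus one made-up non-frozen
# message from a web-server user to several recipients.
SAMPLE_QUEUE='42m  3.2K 1fXqWc-00034q-2h <> *** frozen ***
          root@domain.com

12m  3.2K 1fXqzd-0005In-AM <> *** frozen ***
          root@domain.com

 3m  1.1K 1fXr0a-0006Qz-Fn <www-data@domain.com>
          alice@example.net
          bob@example.org
'

# Normalise the listing to one record per message: id|sender|frozen|recipients
# A message line is "age size id <sender> [*** frozen ***]"; the indented lines
# that follow are its recipients (a leading "D" marks one already delivered).
parse_queue() {
    awk '
        function flush() {
            if (id != "") printf "%s|%s|%s|%s\n", id, sender, frozen, rcpts
            id = ""; sender = ""; frozen = "no"; rcpts = ""
        }
        $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ && $4 ~ /^<.*>$/ {
            flush()
            id = $3; sender = $4
            if ($0 ~ /\*\*\* frozen \*\*\*/) frozen = "yes"
            next
        }
        /^[ \t]+[^ \t]/ {
            rcpts = (rcpts == "") ? $NF : (rcpts "," $NF)
        }
        END { flush() }'
}

# Frozen messages with the null sender "<>" are bounces: Exim tried to tell a
# local sender (cron, sudo, the panel itself) that delivery failed and could
# not deliver that notice either. They are noise to fix, not evidence of spam.
frozen_bounce_count() {
    parse_queue | awk -F'|' '$2 == "<>" && $3 == "yes" { n++ } END { print n + 0 }'
}

# Everything else with more than one recipient deserves a look: a local
# account fanning mail out to many addresses is the mailer-script signature.
# Output: "id sender recipient-count".
suspicious_senders() {
    parse_queue | awk -F'|' '
        !($2 == "<>" && $3 == "yes") {
            n = split($4, r, ",")
            if (n > 1) printf "%s %s %d\n", $1, $2, n
        }'
}

# Live-only: look inside one queued message (exim must be on PATH).
#   -Mvh  spool header: the "-ident" line names the Unix user that submitted
#         it, and with mail.add_x_header=On in php.ini the
#         X-PHP-Originating-Script header names the sending script
#   -Mvb  message body
#   -Mvl  delivery log: the reason the message is frozen
inspect_message() {
    exim -Mvh "$1"
    exim -Mvb "$1"
    exim -Mvl "$1"
}

# Demo on the constructed sample: ./queue-triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_QUEUE" | frozen_bounce_count
    printf '%s' "$SAMPLE_QUEUE" | suspicious_senders
fi
```

On the sample the bounce count is 2 and the only suspicious entry is the three-recipient message, which is the one you would open with `inspect_message`. Once a real frozen bounce has been read and understood, `exiqgrep -z -i` lists all frozen message IDs and `exim -Mrm $(exiqgrep -z -i)` removes them; do that only after the cause is fixed, or the queue refills.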

Re: Exim Seems to be Hacked

Posted: Sat Jul 21, 2018 12:50 pm
by rmjserver
I have found that these are being sent by the cron job for PHP session cleaning. Can anybody help me to stop this?
I have already set MAILTO="" in the crontab. But still, this doesn't stop.
Mail Content:

Code:

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0

Re: Exim Seems to be Hacked

Posted: Fri Aug 17, 2018 2:23 am
by baxterdmutt
On my server this was happening because VESTACP seems to send system emails via root@yourdomain.tld, and since there was no root mail account, the messages get frozen and build up for 7 days before they clear. All I did was create a root mail account and redirect all its mail to the admin user. I wasn't sure how else to handle it, and I wanted the system messages that VESTACP sends out.

Re: Exim Seems to be Hacked

Posted: Fri Aug 17, 2018 4:52 am
by baxterdmutt
Sorry, I should have added that another way around your problem is to make sure you have a root entry in /etc/aliases.
root : someone@domain.tld
That is supposed to work, but it didn't for me. That's why I created a root mail user account. I don't like having a root mail user account, so if anyone knows why /etc/aliases didn't work for me, please let me know. Hope this helps.
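Two checks that follow from the thread's own evidence, added here as an example and not part of the thread or of VestaCP. First, the warnings in the mail name `/usr/lib/php/20151012/php_intl.dll` and `php_imap.dll`: PHP on a Linux host was told to load Windows DLLs, so it prints a warning at every start-up, and the session-cleaning cron job mails that output to root. Fixing the ini lines stops the mail at its source, which matters because a `MAILTO=""` in a user crontab does not cover a job that runs from its own file under /etc/cron.d. Second, the question of why an /etc/aliases entry did not help: `exim -bt` shows which router claims an address, and a fully qualified root@domain.com can be routed to the domain's virtual mailboxes before the system_aliases router is reached. The php.ini fragment and the aliases file below are constructed; the `.dll` to module-name rewrite is an assumed rule, and `check_root_routing` needs exim on the host.

```shell
#!/bin/sh
# Offline checks for the two root causes discussed in this thread, plus the
# live Exim query that shows whether /etc/aliases is consulted at all.

# --- 1. php.ini extension lines with Windows-style names --------------------
# Constructed php.ini fragment (not from the page).
SAMPLE_PHP_INI='; Dynamic extensions
extension=php_intl.dll
extension = php_imap.dll
extension=mbstring.so
;extension=php_gd2.dll
'

# Print "offending line -> suggested line" for each active extension entry that
# names a .dll. The suggestion drops the "php_" prefix and ".dll" suffix
# (assumed naming; confirm the module is installed with `php -m` afterwards).
# Run it over the real files with:  cat $(php --ini | ...) | find_dll_extensions
find_dll_extensions() {
    awk '
        /^[ \t]*;/ { next }                      # commented out
        /^[ \t]*extension[ \t]*=/ {
            val = $0
            sub(/^[ \t]*extension[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val ~ /\.dll$/) {
                fixed = val
                sub(/^php_/, "", fixed)
                sub(/\.dll$/, "", fixed)
                printf "%s -> extension=%s\n", $0, fixed
            }
        }'
}

# --- 2. Where does mail for root go? ---------------------------------------
# Constructed /etc/aliases sample, using the "name : target" spacing from the
# post above to show that the parser tolerates it.
SAMPLE_ALIASES='# /etc/aliases
postmaster: root
mailer-daemon: postmaster
root : admin@domain.com
'

# Print the target of one alias from an aliases-format file on stdin.
alias_target() {   # usage: alias_target NAME < aliases-file
    awk -v name="$1" '
        /^[ \t]*#/ { next }                      # comment
        /^[ \t]*$/ { next }                      # blank
        index($0, ":") > 0 {
            key = substr($0, 1, index($0, ":") - 1)
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) print val
        }'
}

# Live-only (needs exim): `exim -bt` prints the router that would handle an
# address. The bare local user "root" normally reaches the system_aliases
# router and so honours /etc/aliases; root@domain.com, when domain.com is a
# panel-managed mail domain, can be claimed by the virtual-domain router
# first, which is why an /etc/aliases entry may appear to do nothing.
check_root_routing() {   # usage: check_root_routing domain.com
    exim -bt root
    exim -bt "root@$1"
}

# Demo on the constructed samples: ./root-mail-checks.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_PHP_INI" | find_dll_extensions
    printf 'root -> %s\n' "$(printf '%s' "$SAMPLE_ALIASES" | alias_target root)"
fi
```

If `exim -bt root@domain.com` names a router other than system_aliases, the fix that matches the panel's behaviour is an alias for root inside that domain's own mail configuration (or the mailbox the poster created); if it names system_aliases and the entry still does not take, check the spacing and that the alias file Exim actually reads is the one you edited.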