Mail server compromised?!? Help!!!
-
- Posts: 33
- Joined: Sun Apr 27, 2014 3:40 pm
I think my mail server has been compromised. I logged in today to find out that I had 400 undelivered emails, and all of them were about porn.
Logged in to vestacp to find out the mail queue was above 30000.
How can I find out what is going on? Where are these emails being sent from: a rogue PHP script on the server, a breach of my password? (I just changed them yesterday.)
What should I do next? I am a bit clueless at the moment. I have been reading stuff but nothing good so far....
var/exim/main_log shows stuff like this:
Code:
2015-03-21 02:07:45 1YYPGa-0005X4-BI [email protected]: error ignored
2015-03-21 02:07:45 1YYPGa-0005X4-BI Completed
2015-03-21 02:07:45 1YZ2I5-0002xZ-Dp Message is frozen
2015-03-21 02:07:45 1YYSYM-00079x-DK Message is frozen
2015-03-21 02:07:45 1YYTtr-00009w-NP Message is frozen
2015-03-21 02:07:45 1YYUQ3-0003fb-Gv Message is frozen
2015-03-21 02:07:45 1YYQrs-0000yD-0P Message is frozen
2015-03-21 02:07:45 1YYhhh-00012N-DM Message is frozen
2015-03-21 02:07:45 1YYRef-0000ih-Q7 Message is frozen
2015-03-21 02:07:45 1YYPQK-0003ns-Pb Unfrozen by errmsg timer
2015-03-21 02:07:45 1YYPQK-0003ns-Pb ** [email protected]: Unrouteable address
2015-03-21 02:07:45 1YYPQK-0003ns-Pb [email protected]: error ignored
2015-03-21 02:07:45 1YYPQK-0003ns-Pb Completed
2015-03-21 02:07:45 1YYRUs-0001VH-C6 Message is frozen
2015-03-21 02:07:50 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:51 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.68]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:52 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:52 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.67]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:54 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:54 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.99]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:55 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:56 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.88.131]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:56 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:57 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.91.195]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:57 1YYICX-0002Uy-0k == [email protected] R=dnslookup T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.91.195$
2015-03-21 02:07:57 1YYg3k-0001zZ-7F Message is frozen
2015-03-21 02:07:57 1YYRoO-0007kU-CG Message is frozen
2015-03-21 02:07:57 1YYQCz-0005LD-Uo Message is frozen
And the undelivered emails show this:
Code:
------ This is a copy of the message, including all the headers. ------
Return-path: <[email protected]>
Received: from admin by myhost.com with local (Exim 4.72)
(envelope-from <[email protected]>)
id 1YZPb6-00081S-GB
for [email protected]; Sat, 21 Mar 2015 20:02:17 +0000
To: [email protected]
Subject: Shocking Secrets Women Don't Want You To Know
X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
Date: Sat, 21 Mar 2015 20:02:16 +0000
From: Justin Haney <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_50e9526dcf3064d3da4b46a18d937a9c"
Content-Transfer-Encoding: 8bit
--b1_50e9526dcf3064d3da4b46a18d937a9c
Content-Type: text/plain; charset=us-ascii
-
- Posts: 33
- Joined: Sun Apr 27, 2014 3:40 pm
Re: Mail server compromised?!? Help!!!
Found the file and several other suspicious ones.... Generally the server is compromised... damn....
Re: Mail server compromised?!? Help!!!
Sorry to hear that.
But I understand you; with old WordPress and Joomla my clients and friends have the same problems.
You need to search for this and similar files with eval():
Code:
X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
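Two things this thread only gestures at are worth automating: reading the X-PHP-Originating-Script header out of a bounced message to learn which account and script sent the spam (the first post's "where are these emails being sent from"), and sweeping the web root for the kind of obfuscated eval() the reply above says to search for. The Python below is an added example written for this page, not code from the thread or from VestaCP. The header sample and the temporary web root are constructed test data modelled on the headers quoted above, and the eval()-plus-decoder heuristic is this example's own assumption: a first-pass triage that complements a scanner like maldetect rather than replacing it.

```python
import os
import re
import tempfile

# Constructed sample of a bounce's header copy, modelled on the one quoted in the
# thread. The X-PHP-Originating-Script line is the clue that points at the script.
SAMPLE_HEADERS = """\
Return-path: <admin@myhost.example>
Received: from admin by myhost.example with local (Exim 4.72)
To: someone@example.net
Subject: Shocking Secrets Women Don't Want You To Know
X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
"""

# PHP writes this header as "<uid>:<script>(<line>)" when mail.add_x_header is on.
ORIGINATING_RE = re.compile(
    r"^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>[^(\r\n]+)"
    r"(?:\((?P<line>\d+)\))?",
    re.MULTILINE,
)


def parse_originating_script(headers):
    """Return (uid, script, line) from X-PHP-Originating-Script, or None if absent.

    uid is the numeric system user the script ran as (look it up with
    getent passwd <uid>), which on a multi-site host identifies the infected account.
    """
    m = ORIGINATING_RE.search(headers)
    if m is None:
        return None
    line = int(m.group("line")) if m.group("line") else None
    return int(m.group("uid")), m.group("script").strip(), line


# Heuristic (an assumption of this example, not from the thread): eval() alone is
# common in legitimate code, so flag only files that pair eval() with a decoder
# function typically used to hide an injected payload.
EVAL_RE = re.compile(r"\beval\s*\(")
DECODER_RE = re.compile(
    r"\b(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(")


def scan_php_tree(root):
    """Return sorted (relative_path, line_no) pairs for every eval() call in a
    .php file under root that also calls one of the decoder functions."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if not DECODER_RE.search(text):
                continue
            for lineno, line in enumerate(text.splitlines(), start=1):
                if EVAL_RE.search(line):
                    hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway web root of constructed files and return its path:
    a clean config, a config with an obfuscated eval() injected at the top (the
    'normal file with code injected' case), a file using eval() legitimately
    without any decoder, and a non-PHP text file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    files = {
        os.path.join(root, "wp-config.php"):
            "<?php\n$db_host = 'localhost';\n",
        os.path.join(uploads, "config87.php"):
            "<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); ?>\n"
            "<?php\n$db_host = 'localhost';\n",
        os.path.join(root, "template.php"):
            "<?php\neval('return ' . $expr . ';');\n",
        os.path.join(root, "notes.txt"):
            "eval(base64_decode('not php'))\n",
    }
    for path, content in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print("originating script:", parse_originating_script(SAMPLE_HEADERS))
    demo_root = build_demo_tree()
    for rel, lineno in scan_php_tree(demo_root):
        print("suspicious eval() at %s:%d" % (rel, lineno))
```

The uid in the header is the numeric system user, so `getent passwd 501` maps it to the hosting account. Exim's `exim -bp` lists the queue and `exim -Mvh <message-id>` prints a queued message's headers, so the same parser can be run over what is still queued, not only over the bounces that already came back.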
-
- Posts: 33
- Joined: Sun Apr 27, 2014 3:40 pm
Re: Mail server compromised?!? Help!!!
Actually I was checking the entire public directory and file structure of the server to find the suspicious files. Found loads and deleted by hand probably around 100. Then I found the maldetect software and installed it. Should have done that before. It found around 40 files that I missed, especially normal files with code injected into them. Of course some sites stopped working but I uploaded the original files and all is fine now.... My email queue is around 30 which sounds pretty much normal :)
Another lesson learnt :)
Re: Mail server compromised?!? Help!!!
Sad lesson. Update your scripts and I hope everything will be fine.