
Mail server compromised?!? Help!!!

Posted: Sat Mar 21, 2015 8:18 pm
by lossehelin
I think my mail server has been compromised. I logged in today to find out that I had 400 undelivered emails, and all of them were about porn.
Logged in to vestacp to find out the mail queue was above 30000.

How can I find what is going on? Where are these emails being sent from, a rogue PHP script on the server, a breach of my password? (I just changed them yesterday)
What should I do next? I am a bit clueless at the moment. I have been reading stuff but nothing good so far....

var/exim/main_log shows stuff like this:

2015-03-21 02:07:45 1YYPGa-0005X4-BI [email protected]: error ignored
2015-03-21 02:07:45 1YYPGa-0005X4-BI Completed
2015-03-21 02:07:45 1YZ2I5-0002xZ-Dp Message is frozen
2015-03-21 02:07:45 1YYSYM-00079x-DK Message is frozen
2015-03-21 02:07:45 1YYTtr-00009w-NP Message is frozen
2015-03-21 02:07:45 1YYUQ3-0003fb-Gv Message is frozen
2015-03-21 02:07:45 1YYQrs-0000yD-0P Message is frozen
2015-03-21 02:07:45 1YYhhh-00012N-DM Message is frozen
2015-03-21 02:07:45 1YYRef-0000ih-Q7 Message is frozen
2015-03-21 02:07:45 1YYPQK-0003ns-Pb Unfrozen by errmsg timer
2015-03-21 02:07:45 1YYPQK-0003ns-Pb ** [email protected]: Unrouteable address
2015-03-21 02:07:45 1YYPQK-0003ns-Pb [email protected]: error ignored
2015-03-21 02:07:45 1YYPQK-0003ns-Pb Completed
2015-03-21 02:07:45 1YYRUs-0001VH-C6 Message is frozen
2015-03-21 02:07:50 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:51 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.68]: 421 4.2.1 :  (DYN:T1)  http://postmaster.info.aol.com/e$
2015-03-21 02:07:52 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:52 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.67]: 421 4.2.1 :  (DYN:T1)  http://postmaster.info.aol.com/e$
2015-03-21 02:07:54 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:54 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.99]: 421 4.2.1 :  (DYN:T1)  http://postmaster.info.aol.com/e$
2015-03-21 02:07:55 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:56 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.88.131]: 421 4.2.1 :  (DYN:T1)  http://postmaster.info.aol.com/e$
2015-03-21 02:07:56 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:57 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.91.195]: 421 4.2.1 :  (DYN:T1)  http://postmaster.info.aol.com/e$
2015-03-21 02:07:57 1YYICX-0002Uy-0k == [email protected] R=dnslookup T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.91.195$
2015-03-21 02:07:57 1YYg3k-0001zZ-7F Message is frozen
2015-03-21 02:07:57 1YYRoO-0007kU-CG Message is frozen
2015-03-21 02:07:57 1YYQCz-0005LD-Uo Message is frozen
And the undelivered emails show this:

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from admin by myhost.com with local (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1YZPb6-00081S-GB
	for [email protected]; Sat, 21 Mar 2015 20:02:17 +0000
To: [email protected]
Subject: Shocking Secrets Women Don't Want You To Know
X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
Date: Sat, 21 Mar 2015 20:02:16 +0000
From: Justin Haney <[email protected]>
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_50e9526dcf3064d3da4b46a18d937a9c"
Content-Transfer-Encoding: 8bit

--b1_50e9526dcf3064d3da4b46a18d937a9c
Content-Type: text/plain; charset=us-ascii

Re: Mail server compromised?!? Help!!!

Posted: Sun Mar 22, 2015 2:53 am
by lossehelin
Found the file and several other suspicious ones.... generally the server is compromised... damn....

Re: Mail server compromised?!? Help!!!

Posted: Sun Mar 22, 2015 8:08 am
by skurudo
Sorry to hear that.
But I understand you; with old WordPress and Joomla my clients and friends have the same problems.

You need to search for this and similar files with eval():

X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
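
Both things the thread points at, the X-PHP-Originating-Script header in the queued copies (first post) and the hunt for PHP files carrying eval() (the reply above), can be scripted. The Python below is an added example, not code from the thread, from VestaCP or from maldetect: it pulls that header out of saved message copies to rank which script is generating the mail, then applies a few content heuristics to .php files under a web root. The sample messages, addresses and script names are constructed; the two header shapes it parses ("uid:script" and "uid:script(line) : eval()'d code") are what PHP writes when mail.add_x_header is on.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Constructed sample: header blocks in the shape Exim keeps for undelivered mail
# (addresses and script names are made up; only the header format is real).
SAMPLE_MESSAGES = [
    "Return-path: <admin@example.invalid>\n"
    "Received: from admin by example.invalid with local (Exim 4.72)\n"
    "\tid 1AAAAA-000001-AA\n"
    "Subject: sample one\n"
    "X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code\n"
    "X-Mailer: PHPMailer 5.2.9\n",
    "Return-path: <admin@example.invalid>\n"
    "Subject: sample two\n"
    "X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code\n",
    "Return-path: <shop@example.invalid>\n"
    "Subject: sample three\n"
    "X-PHP-Originating-Script: 502:cache.php\n",
    # Mail that never went through PHP's mail() carries no such header.
    "Return-path: <root@example.invalid>\n"
    "Subject: cron output\n",
]

# PHP (mail.add_x_header=On) writes "uid:script" and, for code run via eval(),
# "uid:script(line) : eval()'d code"; both forms are matched here.
HEADER_RE = re.compile(
    r"^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>[^\r\n(]+?)"
    r"(?:\((?P<line>\d+)\)(?P<rest>[^\r\n]*))?\s*$",
    re.MULTILINE,
)


def originating_scripts(message):
    """Return one dict per X-PHP-Originating-Script header found in a message."""
    hits = []
    for m in HEADER_RE.finditer(message):
        rest = m.group("rest") or ""
        hits.append({
            "uid": int(m.group("uid")),
            "script": m.group("script").strip(),
            "line": int(m.group("line")) if m.group("line") else None,
            "evald": "eval()'d code" in rest,
        })
    return hits


def rank_scripts(messages):
    """Count which PHP script each queued or bounced message came from."""
    counts = Counter()
    for msg in messages:
        for hit in originating_scripts(msg):
            counts[hit["script"]] += 1
    return counts


# Heuristics for injected PHP: none is proof on its own, so callers look at
# combinations (eval together with an obfuscation layer or raw request input).
MARKERS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("decode", re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("request-input", re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")),
    ("dynamic-call", re.compile(r"\$\w+\s*\(\s*\$\w+")),  # $f($x): callee chosen at run time
]


def suspicious_php_markers(source):
    """Sorted names of the heuristics that fire on a PHP file's source text."""
    return sorted(name for name, rx in MARKERS if rx.search(source))


def looks_injected(source):
    """True when eval() is combined with decoding or request-controlled input."""
    found = set(suspicious_php_markers(source))
    return "eval" in found and bool(found & {"decode", "request-input"})


def scan_tree(root):
    """Walk a web root and map each .php file to the markers it trips."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        markers = suspicious_php_markers(path.read_text(errors="replace"))
        if markers:
            findings[str(path)] = markers
    return findings


if __name__ == "__main__":
    # Stand-alone run: rank the constructed samples, then scan a web root if one is given.
    for script, n in rank_scripts(SAMPLE_MESSAGES).most_common():
        print(f"{n:5d}  {script}")
    if len(sys.argv) > 1:
        for path, markers in scan_tree(sys.argv[1]).items():
            flag = "INJECTED?" if looks_injected(Path(path).read_text(errors="replace")) else ""
            print(f"{path}: {', '.join(markers)} {flag}")
```

Run it with the web root as the first argument (on a VestaCP box that is the users' web directory) to get the list of files to inspect. The "request-input" marker alone fires on every ordinary form handler, which is why looks_injected() insists on eval() plus a decoding or input marker; even so, treat the output as a review list and compare each flagged file against a clean copy of the CMS or plugin, which is exactly the "upload the original files" step lossehelin ended up doing.
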

Re: Mail server compromised?!? Help!!!

Posted: Sun Mar 22, 2015 11:17 pm
by lossehelin
Actually I was checking the entire public directory and file structure of the server to find the suspicious files. Found loads and deleted by hand probably around 100.. Then I found the maldetect software and installed it. Should have done that before. Found around 40 files that I missed, especially normal files with code injected into them. Of course some sites stopped working, but I uploaded the original files and all is fine now.... My email queue is around 30, which sounds pretty much normal :)

Another lesson learnt :)

Re: Mail server compromised?!? Help!!!

Posted: Tue Mar 24, 2015 4:49 pm
by skurudo
Sad lesson. Update your scripts and I hope everything will be fine.