Mail Server Hacked...
-
Ghillie-up
- Posts: 22
- Joined: Fri Jun 20, 2014 8:35 am
Mail Server Hacked...
It appears my mail server has somehow been hacked:
Here is output from one of the emails:
exim -Mvh 1ZBocF-0007lE-67
(I have removed my own domain with mydomain and my ip with X.X.X.
I am not great at reading mail logs, am i being spoofed or is there a script on my box.
I am getting hundreds of replies from hotmail servers until i stopped exim with "Mail Delivery System, Undelivered mail returned to sender".
Any help would be appreciated.
Here is output from one of the emails:
exim -Mvh 1ZBocF-0007lE-67
(I have removed my own domain with mydomain and my ip with X.X.X.
Code: Select all
root@vesta log]# exim -Mvh 1ZBocF-0007lE-67
1ZBocF-0007lE-67-H
exim 93 93
<hello@mydomain.com>
1436120771 0
-helo_name mydomain.com
-host_address 186.39.161.102.3785
-host_auth dovecot_plain
-interface_address X.X.X.69.587
-received_protocol esmtpa
-body_linecount 48
-max_received_linelength 79
-auth_id hello@mydomain.com
-host_lookup_failed
YY jimster1033@hotmail.com
YN dveras25@msn.com
NN anaconda_911@hotmail.com
YN rbdurantjr@msn.com
NN niceguynyc@hotmail.com
6
dveras25@msn.com
anaconda_911@hotmail.com
jimster1033@hotmail.com
8889828279@airmessage.net
niceguynyc@hotmail.com
rbdurantjr@msn.com
197P Received: from [186.39.161.102] (helo=mydomain.com)
by vesta.slidomain.co.uk with esmtpa (Exim 4.72)
(envelope-from <hello@mydomain.com>)
id 1ZBocF-0007lE-67; Sun, 05 Jul 2015 19:26:12 +0100
063I Message-ID: <A31E20E17241C63F3562DA656A1D1068@mydomain.com>
041F From: "Lateefah" <hello@mydomain.com>
211T To: "jose" <dveras25@msn.com>, "hansum thug" <anaconda_911@hotmail.com>,
"jim" <jimster1033@hotmail.com>, "House keepin" <8889828279@airmessage.net>,
"jay" <niceguynyc@hotmail.com>, "Leo" <rbdurantjr@msn.com>
047 Subject: =?ISO-8859-1?Q?Re=3AFrom=3ALateefah?=
038 Date: Wed, 25 Jun 2015 07:26:02 +0000
018 MIME-Version: 1.0
091 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_1C31_7FA1CCDB.17735F73"
014 X-Priority: 3
026 X-MSMail-Priority: Normal
019 Importance: Normal
052 X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
056 X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
[root@vesta log]#
I am getting hundreds of replies from hotmail servers until i stopped exim with "Mail Delivery System, Undelivered mail returned to sender".
Any help would be appreciated.
Re: Mail Server Hacked...
exim -Mvb 1ZBocF-0007lE-67
show us spam mail with Mvb option
may be it's not mail server hack, but php shell or something like this
show us spam mail with Mvb option
may be it's not mail server hack, but php shell or something like this
-
Ghillie-up
- Posts: 22
- Joined: Fri Jun 20, 2014 8:35 am
Re: Mail Server Hacked...
I cleared that queue for that previous mail, however from a new one inside
msglog -
and ...
I have done some checking and this may appear to be a backscatter, however would this show output like this from
msglog -
Code: Select all
[root@vesta msglog]# exim -Mvb 1ZC6Ap-0005KE-Un
1ZC6Ap-0005KE-Un-D
This is a multi-part message in MIME format.
------=_NextPart_000_5B24_83A7AFF1.337DC5C4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
=
http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.edahqlecsaaoutm=
hmlrbligo
hello
This email has been protected by YAC (Yet Another Cleaner) http://www.yac.mx
------=_NextPart_000_5B24_83A7AFF1.337DC5C4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
charset=3DUTF-8></HEAD><BODY><br><br> <a href=
=3D"http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.edahqlecsaao=
utmhmlrbligo">http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.ed=
ahqlecsaaoutmhmlrbligo</a> <br><br><br><br><br><br><br><br><br> hello=
<br><br><br><div style=3D"position:absolute;margin:15px 0 0 0px; =
padding-top:10px;padding-right:15px;min-width:350px; =
border-top:1px solid #ccc;font-size:12px; color: #333; =
font-family:arial,'Hiragino Sans GB',Tahoma,Helvetica,STHeiti; =
">This email has been protected by YAC (Yet Another Cleaner) =
<a href=3D"http://www.yac.mx?source=3Demail" style=3D"display:block;padding-top:5px; =
color:#2bafed;text-decoration:none;">www.yac.mx</a></div></body></HTML>
------=_NextPart_000_5B24_83A7AFF1.337DC5C4--
Code: Select all
[root@vesta msglog]# exim -Mvh 1ZC6Ap-0005KE-Un
1ZC6Ap-0005KE-Un-H
exim 93 93
<hello@stevedomain.com>
1436188263 0
-helo_name stevedomain.com
-host_address 46.177.21.185.51075
-host_name ppp046177021185.access.hol.gr
-host_auth dovecot_plain
-interface_address 109.200.19.69.587
-received_protocol esmtpa
-body_linecount 41
-max_received_linelength 86
-auth_id hello@stevedomain.com
YY heliogalvao@trilhazero.com.br
YY fabiobt@uol.com.br
NN eve_junkera@yahoo.com.br
YN guig.soares@gmail.com
NN fhr1980@yahoo.com.br
YY paulakunath@yahoo.com.br
YY jarbasbueno@pcmc.com
NN heluquisa2004@yahoo.com.br
NN leidegis@hotmail.com
NN sirnagovino@yahoo.com.br
11
MariseYFaria@solectron.com
heliogalvao@trilhazero.com.br
paulakunath@yahoo.com.br
eve_junkera@yahoo.com.br
fabiobt@uol.com.br
leidegis@hotmail.com
jarbasbueno@pcmc.com
heluquisa2004@yahoo.com.br
guig.soares@gmail.com
fhr1980@yahoo.com.br
sirnagovino@yahoo.com.br
226P Received: from ppp046177021185.access.hol.gr ([46.177.21.185] helo=stevedomain.com)
by vesta.slidomain.co.uk with esmtpa (Exim 4.72)
(envelope-from <hello@stevedomain.com>)
id 1ZC6Ap-0005KE-Un; Mon, 06 Jul 2015 14:11:04 +0100
063I Message-ID: <A2D09F0BC1593F1EE577FBA5B2869F3B@stevedomain.com>
044F From: "veribenassi" <hello@stevedomain.com>
471T To: "Marise Yaine" <MariseYFaria@solectron.com>,
"Helinho" <heliogalvao@trilhazero.com.br>,
"Kunath" <paulakunath@yahoo.com.br>, "Evelyn" <eve_junkera@yahoo.com.br>,
"Fabio Junqueira" <fabiobt@uol.com.br>, "Gisleide" <leidegis@hotmail.com>,
"Jarbas" <jarbasbueno@pcmc.com>,
"iso 8859 1 B SGVs9A" <heluquisa2004@yahoo.com.br>,
"Guilherme gmail" <guig.soares@gmail.com>,
"Fernando Henrique" <fhr1980@yahoo.com.br>,
"Janaina Sirna Govino" <sirnagovino@yahoo.com.br>
055 Subject: =?ISO-8859-1?Q?6=2F26=2F2015_2=3A10=3A57_PM?=
038 Date: Thu, 26 Jun 2015 02:10:57 +0000
018 MIME-Version: 1.0
091 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_5B24_83A7AFF1.337DC5C4"
014 X-Priority: 3
026 X-MSMail-Priority: Normal
019 Importance: Normal
052 X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
056 X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
Code: Select all
[root@vesta msglog]# exim -bp
71m 2.5K 1ZC6Ap-0005KE-Un <hello@stevedomain.com>
MariseYFaria@solectron.com
D heliogalvao@trilhazero.com.br
D paulakunath@yahoo.com.br
D eve_junkera@yahoo.com.br
D fabiobt@uol.com.br
D leidegis@hotmail.com
D jarbasbueno@pcmc.com
D heluquisa2004@yahoo.com.br
D guig.soares@gmail.com
D fhr1980@yahoo.com.br
D sirnagovino@yahoo.com.br