Vesta Control Panel - Forum

Community Forum

Skip to content

Advanced search
  • Quick links
    • Main site
    • Github repo
    • Google Search
  • FAQ
  • Login
  • Register
  • Board index Main Section Mail Server
  • Search

Mail Server Hacked...

Questions regarding the Mail Server
Dovecot, Exim, RoundCube
Post Reply
  • Print view
Advanced search
3 posts • Page 1 of 1
Ghillie-up
Posts: 22
Joined: Fri Jun 20, 2014 8:35 am

Mail Server Hacked...
  • Quote

Post by Ghillie-up » Sun Jul 05, 2015 7:49 pm

It appears my mail server has somehow been hacked:

Here is output from one of the emails:

exim -Mvh 1ZBocF-0007lE-67

(I have removed my own domain with mydomain and my ip with X.X.X.

Code: Select all

root@vesta log]# exim -Mvh 1ZBocF-0007lE-67
1ZBocF-0007lE-67-H
exim 93 93
<[email protected]>
1436120771 0
-helo_name mydomain.com
-host_address 186.39.161.102.3785
-host_auth dovecot_plain
-interface_address X.X.X.69.587
-received_protocol esmtpa
-body_linecount 48
-max_received_linelength 79
-auth_id [email protected]
-host_lookup_failed
YY [email protected]
YN [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
6
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

197P Received: from [186.39.161.102] (helo=mydomain.com)
	by vesta.slidomain.co.uk with esmtpa (Exim 4.72)
	(envelope-from <[email protected]>)
	id 1ZBocF-0007lE-67; Sun, 05 Jul 2015 19:26:12 +0100
063I Message-ID: <[email protected]>
041F From: "Lateefah" <[email protected]>
211T To: "jose" <[email protected]>, "hansum thug" <[email protected]>,
 "jim" <[email protected]>, "House keepin" <[email protected]>,
 "jay" <[email protected]>, "Leo" <[email protected]>
047  Subject: =?ISO-8859-1?Q?Re=3AFrom=3ALateefah?=
038  Date: Wed, 25 Jun 2015 07:26:02 +0000
018  MIME-Version: 1.0
091  Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_1C31_7FA1CCDB.17735F73"
014  X-Priority: 3
026  X-MSMail-Priority: Normal
019  Importance: Normal
052  X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
056  X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
[root@vesta log]#
I am not great at reading mail logs, am i being spoofed or is there a script on my box.

I am getting hundreds of replies from hotmail servers until i stopped exim with "Mail Delivery System, Undelivered mail returned to sender".

Any help would be appreciated.
Top
skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm
Contact:
Contact skurudo
Website Facebook Google+ Skype
Twitter

Re: Mail Server Hacked...
  • Quote

Post by skurudo » Mon Jul 06, 2015 1:36 pm

exim -Mvb 1ZBocF-0007lE-67

show us spam mail with Mvb option
may be it's not mail server hack, but php shell or something like this
Top
Ghillie-up
Posts: 22
Joined: Fri Jun 20, 2014 8:35 am

Re: Mail Server Hacked...
  • Quote

Post by Ghillie-up » Mon Jul 06, 2015 2:31 pm

I cleared that queue for that previous mail, however from a new one inside

msglog -

Code: Select all

[root@vesta msglog]# exim -Mvb 1ZC6Ap-0005KE-Un
1ZC6Ap-0005KE-Un-D
This is a multi-part message in MIME format.

------=_NextPart_000_5B24_83A7AFF1.337DC5C4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable



 =
 http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.edahqlecsaaoutm=
hmlrbligo








 hello


This email has been protected by YAC (Yet Another Cleaner) http://www.yac.mx
------=_NextPart_000_5B24_83A7AFF1.337DC5C4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
 charset=3DUTF-8></HEAD><BODY><br><br>  <a href=
=3D"http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.edahqlecsaao=
utmhmlrbligo">http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.ed=
ahqlecsaaoutmhmlrbligo</a> <br><br><br><br><br><br><br><br><br> hello=
 <br><br><br><div style=3D"position:absolute;margin:15px 0 0 0px; =
padding-top:10px;padding-right:15px;min-width:350px; =
border-top:1px solid #ccc;font-size:12px; color: #333; =
font-family:arial,'Hiragino Sans GB',Tahoma,Helvetica,STHeiti; =
">This email has been protected by YAC (Yet Another Cleaner) =
<a href=3D"http://www.yac.mx?source=3Demail" style=3D"display:block;padding-top:5px; =
color:#2bafed;text-decoration:none;">www.yac.mx</a></div></body></HTML>

------=_NextPart_000_5B24_83A7AFF1.337DC5C4--
and ...

Code: Select all

[root@vesta msglog]# exim -Mvh 1ZC6Ap-0005KE-Un
1ZC6Ap-0005KE-Un-H
exim 93 93
<[email protected]>
1436188263 0
-helo_name stevedomain.com
-host_address 46.177.21.185.51075
-host_name ppp046177021185.access.hol.gr
-host_auth dovecot_plain
-interface_address 109.200.19.69.587
-received_protocol esmtpa
-body_linecount 41
-max_received_linelength 86
-auth_id [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
NN [email protected]
11
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

226P Received: from ppp046177021185.access.hol.gr ([46.177.21.185] helo=stevedomain.com)
        by vesta.slidomain.co.uk with esmtpa (Exim 4.72)
        (envelope-from <[email protected]>)
        id 1ZC6Ap-0005KE-Un; Mon, 06 Jul 2015 14:11:04 +0100
063I Message-ID: <[email protected]>
044F From: "veribenassi" <[email protected]>
471T To: "Marise Yaine" <[email protected]>,
 "Helinho" <[email protected]>,
 "Kunath" <[email protected]>, "Evelyn" <[email protected]>,
 "Fabio Junqueira" <[email protected]>, "Gisleide" <[email protected]>,
 "Jarbas" <[email protected]>,
 "iso 8859 1 B SGVs9A" <[email protected]>,
 "Guilherme gmail" <[email protected]>,
 "Fernando Henrique" <[email protected]>,
 "Janaina Sirna Govino" <[email protected]>
055  Subject: =?ISO-8859-1?Q?6=2F26=2F2015_2=3A10=3A57_PM?=
038  Date: Thu, 26 Jun 2015 02:10:57 +0000
018  MIME-Version: 1.0
091  Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_5B24_83A7AFF1.337DC5C4"
014  X-Priority: 3
026  X-MSMail-Priority: Normal
019  Importance: Normal
052  X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
056  X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
I have done some checking and this may appear to be a backscatter, however would this show output like this from

Code: Select all

[root@vesta msglog]# exim -bp
71m  2.5K 1ZC6Ap-0005KE-Un <[email protected]>
          [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
        D [email protected]
Top
Post Reply
  • Print view
3 posts • Page 1 of 1

Return to “Mail Server”



  • Board index
  • All times are UTC
  • Delete all board cookies
  • The team
Powered by phpBB® Forum Software © phpBB Limited
*Original Author: Brad Veryard
*Updated to 3.2 by MannixMD
 

 

Login  •  Register

I forgot my password