Mail Server Hacked...
- Posts: 22
- Joined: Fri Jun 20, 2014 8:35 am
It appears my mail server has somehow been hacked:
Here is the output for one of the emails:
exim -Mvh 1ZBocF-0007lE-67
(I have replaced my own domain with mydomain and my IP with X.X.X.)
I am not great at reading mail logs; am I being spoofed, or is there a script on my box?
Code:
[root@vesta log]# exim -Mvh 1ZBocF-0007lE-67
1ZBocF-0007lE-67-H
exim 93 93
<[email protected]>
1436120771 0
-helo_name mydomain.com
-host_address 186.39.161.102.3785
-host_auth dovecot_plain
-interface_address X.X.X.69.587
-received_protocol esmtpa
-body_linecount 48
-max_received_linelength 79
-auth_id [email protected]
-host_lookup_failed
YY [email protected]
YN [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
6
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
197P Received: from [186.39.161.102] (helo=mydomain.com)
by vesta.slidomain.co.uk with esmtpa (Exim 4.72)
(envelope-from <[email protected]>)
id 1ZBocF-0007lE-67; Sun, 05 Jul 2015 19:26:12 +0100
063I Message-ID: <[email protected]>
041F From: "Lateefah" <[email protected]>
211T To: "jose" <[email protected]>, "hansum thug" <[email protected]>,
"jim" <[email protected]>, "House keepin" <[email protected]>,
"jay" <[email protected]>, "Leo" <[email protected]>
047 Subject: =?ISO-8859-1?Q?Re=3AFrom=3ALateefah?=
038 Date: Wed, 25 Jun 2015 07:26:02 +0000
018 MIME-Version: 1.0
091 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_1C31_7FA1CCDB.17735F73"
014 X-Priority: 3
026 X-MSMail-Priority: Normal
019 Importance: Normal
052 X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
056 X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
[root@vesta log]#
I was getting hundreds of replies from Hotmail servers ("Mail Delivery System, Undelivered mail returned to sender") until I stopped Exim.
Any help would be appreciated.
Re: Mail Server Hacked...
exim -Mvb 1ZBocF-0007lE-67
Show us the spam mail with the -Mvb option.
Maybe it's not a mail server hack, but a PHP shell or something like this.
- Posts: 22
- Joined: Fri Jun 20, 2014 8:35 am
Re: Mail Server Hacked...
I cleared that queue for the previous mail; however, here is a new one from inside msglog:
and ...
I have done some checking, and this may appear to be backscatter; however, would that show output like this from msglog?
Code:
[root@vesta msglog]# exim -Mvb 1ZC6Ap-0005KE-Un
1ZC6Ap-0005KE-Un-D
This is a multi-part message in MIME format.
------=_NextPart_000_5B24_83A7AFF1.337DC5C4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
=
http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.edahqlecsaaoutm=
hmlrbligo
hello
This email has been protected by YAC (Yet Another Cleaner) http://www.yac.mx
------=_NextPart_000_5B24_83A7AFF1.337DC5C4
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
=EF=BB=BF<HTML><HEAD><META http-equiv=3D"content-type" content: text/html;=
charset=3DUTF-8></HEAD><BODY><br><br> <a href=
=3D"http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.edahqlecsaao=
utmhmlrbligo">http://mitems.com/zxayd/atxpjuoybinqodbunrnwovvadgaqhamdjsmdf.ed=
ahqlecsaaoutmhmlrbligo</a> <br><br><br><br><br><br><br><br><br> hello=
<br><br><br><div style=3D"position:absolute;margin:15px 0 0 0px; =
padding-top:10px;padding-right:15px;min-width:350px; =
border-top:1px solid #ccc;font-size:12px; color: #333; =
font-family:arial,'Hiragino Sans GB',Tahoma,Helvetica,STHeiti; =
">This email has been protected by YAC (Yet Another Cleaner) =
<a href=3D"http://www.yac.mx?source=3Demail" style=3D"display:block;padding-top:5px; =
color:#2bafed;text-decoration:none;">www.yac.mx</a></div></body></HTML>
------=_NextPart_000_5B24_83A7AFF1.337DC5C4--
Code:
[root@vesta msglog]# exim -Mvh 1ZC6Ap-0005KE-Un
1ZC6Ap-0005KE-Un-H
exim 93 93
<[email protected]>
1436188263 0
-helo_name stevedomain.com
-host_address 46.177.21.185.51075
-host_name ppp046177021185.access.hol.gr
-host_auth dovecot_plain
-interface_address 109.200.19.69.587
-received_protocol esmtpa
-body_linecount 41
-max_received_linelength 86
-auth_id [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
YN [email protected]
NN [email protected]
YY [email protected]
YY [email protected]
NN [email protected]
NN [email protected]
NN [email protected]
11
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
226P Received: from ppp046177021185.access.hol.gr ([46.177.21.185] helo=stevedomain.com)
by vesta.slidomain.co.uk with esmtpa (Exim 4.72)
(envelope-from <[email protected]>)
id 1ZC6Ap-0005KE-Un; Mon, 06 Jul 2015 14:11:04 +0100
063I Message-ID: <[email protected]>
044F From: "veribenassi" <[email protected]>
471T To: "Marise Yaine" <[email protected]>,
"Helinho" <[email protected]>,
"Kunath" <[email protected]>, "Evelyn" <[email protected]>,
"Fabio Junqueira" <[email protected]>, "Gisleide" <[email protected]>,
"Jarbas" <[email protected]>,
"iso 8859 1 B SGVs9A" <[email protected]>,
"Guilherme gmail" <[email protected]>,
"Fernando Henrique" <[email protected]>,
"Janaina Sirna Govino" <[email protected]>
055 Subject: =?ISO-8859-1?Q?6=2F26=2F2015_2=3A10=3A57_PM?=
038 Date: Thu, 26 Jun 2015 02:10:57 +0000
018 MIME-Version: 1.0
091 Content-Type: multipart/alternative;
boundary="----=_NextPart_000_5B24_83A7AFF1.337DC5C4"
014 X-Priority: 3
026 X-MSMail-Priority: Normal
019 Importance: Normal
052 X-Mailer: Microsoft Windows Live Mail 16.4.3522.110
056 X-MIMEOLE: Produced By Microsoft MimeOLE V16.4.3522.110
Code:
[root@vesta msglog]# exim -bp
71m 2.5K 1ZC6Ap-0005KE-Un <[email protected]>
[email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
D [email protected]
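The two -Mvh dumps in this thread already answer its question, and the script below, added here as an example (it is not code from the thread, from Vesta or from Exim), makes the check mechanical. It parses an Exim spool header in the -H format that exim -Mvh prints and reports how the message got into the queue. A header carrying -received_protocol esmtpa, -host_auth and -auth_id was accepted over SMTP AUTH (here on port 587, from the remote -host_address), so the mailbox password for the -auth_id account is in someone else's hands regardless of what the From: header or HELO name claims; a header carrying -received_protocol local with an -ident of the web-server user was handed to Exim by a process on the box, which is the "PHP shell" case. The option names are Exim's documented spool fields; the two sample headers are constructed (example.com addresses, a made-up message id for the local case), and the -local and -ident lines of the local sample are assumed rather than taken from the page.

```python
"""Triage an Exim spool header (the -H file that `exim -Mvh <id>` prints).

Added example, not code from the thread, Vesta or Exim. Option names follow
Exim's -H spool format; both sample headers below are constructed.
"""
import re

HEADER_LINE = re.compile(r"^\d+(?:\S| )\s?([^:]+):\s*(.*)$")  # "<len><flag> Name: value"


def parse_spool_header(text):
    lines = text.splitlines()
    # Fixed prologue: "<id>-H", "user uid gid", "<sender>", "received-time warnings".
    hdr = {"message_id": lines[0].rsplit("-H", 1)[0],
           "sender": lines[2].strip().strip("<>"),
           "options": {}, "recipients": [], "headers": {}}
    i = 4
    while i < len(lines) and lines[i].startswith("-"):      # "-name value" option lines
        name, _, value = lines[i][1:].partition(" ")
        hdr["options"][name] = value
        i += 1
    while not lines[i].strip().isdigit():                   # YY/YN/NN non-recipient tree
        i += 1
    count = int(lines[i])
    hdr["recipients"] = [r.strip() for r in lines[i + 1:i + 1 + count]]
    last = None
    for line in lines[i + 1 + count:]:   # message headers; continuation lines are indented
        if not line.strip():
            continue
        if line[0].isspace() and last:
            hdr["headers"][last] += " " + line.strip()
        elif m := HEADER_LINE.match(line):
            last = m.group(1)
            hdr["headers"].setdefault(last, m.group(2))
    return hdr


def split_host_port(addr):
    """Exim stores address and port as one dotted string, e.g. 46.177.21.185.51075."""
    host, _, port = addr.rpartition(".")
    return (host or None), (int(port) if port.isdigit() else None)


def classify(hdr):
    o = hdr["options"]
    proto = o.get("received_protocol", "")
    client_ip, _ = split_host_port(o.get("host_address", ""))
    _, local_port = split_host_port(o.get("interface_address", ""))
    report = {"message_id": hdr["message_id"], "envelope_from": hdr["sender"],
              "header_from": hdr["headers"].get("From", ""), "protocol": proto,
              "helo_name": o.get("helo_name"), "client_ip": client_ip,
              "local_port": local_port, "recipients": len(hdr["recipients"])}
    if "host_auth" in o or proto in ("esmtpa", "esmtpsa"):
        # SMTP AUTH succeeded for auth_id: that password is compromised, whatever the
        # From: header or HELO claims. Reset it and hunt for other logins from client_ip.
        report.update(verdict="authenticated-submission",
                      account=o.get("auth_id"), authenticator=o.get("host_auth"))
    elif proto == "local" or "local" in o or "host_address" not in o:
        # Handed to Exim through the sendmail interface: ident names the local user;
        # apache/www-data/nobody points at a web shell or an abused PHP mail() script.
        report.update(verdict="local-injection", local_user=o.get("ident"))
    else:
        report.update(verdict="unauthenticated-smtp")   # relay abuse or ordinary inbound mail
    return report


# Constructed sample mirroring the thread's second dump, with example.com addresses.
SAMPLE_AUTH = """\
1ZC6Ap-0005KE-Un-H
exim 93 93
<[email protected]>
1436188263 0
-helo_name stevedomain.example.com
-host_address 203.0.113.45.51075
-host_auth dovecot_plain
-interface_address 198.51.100.9.587
-received_protocol esmtpa
-auth_id [email protected]
YY [email protected]
2
[email protected]
[email protected]

226P Received: from [203.0.113.45] (helo=stevedomain.example.com)
  by vesta.example.com with esmtpa (Exim 4.72) id 1ZC6Ap-0005KE-Un
044F From: "veribenassi" <[email protected]>
"""

# Constructed sample of a message injected locally by a PHP script running as apache.
SAMPLE_LOCAL = """\
1ZCtest-000001-Xx-H
apache 48 48
<[email protected]>
1436190000 0
-ident apache
-received_protocol local
-local
1
[email protected]

043F From: "Support" <[email protected]>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH, SAMPLE_LOCAL):
        print(classify(parse_spool_header(sample)))
```

Run it over the output of exim -Mvh for every id that exim -bp lists. Once the abused account is known, change its password (and check the others on the box) before removing the queued messages with exim -Mrm; clearing the queue first only buys time until the sender reconnects with the same credential.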