Exim Seems to be Hacked

[rmjserver]

Hi,
My Exim/Server seems to be hacked. My exim usage is showing up high in vesta graphs and in Vesta panel logs I saw this:

I have replaced my domain with domain.com
Exim queue status

42m 3.2K 1fXqWc-00034q-2h <> *** frozen ***
[email protected]

12m 3.2K 1fXqzd-0005In-AM <> *** frozen ***
[email protected]

Please, can anybody please tell me what above log means.

[alexcy]

Most probably an infected website sends spam.

You can check files in /var/spool/exim4 and find the PHP script(s) generating the emails.

[grayfolk]

I'm recommend to use https://github.com/scr34m/php-malware-scanner for find infected scripts.

[ScIT]

also a good malwarescanner: https://www.rfxn.com/projects/linux-malware-detect/

[ahouse]

You can use AI-Bolit Very intelligent software. It's free for non-commercial use

https://revisium.com/aibo/

[Messiah]

Maybe hacked maybe not.
Look into the messages contents, probably inside /var/spool/exim/...
If there is a spam - use previous advices, at first disable all Joomla websites, it's the most vulnerable popular CMS.

Also there could be some system messages like

sudo: unable to resolve host %some_hostname%

or other error notifications rooted to system administrator email.

[rmjserver]

I have found that these are being sent by cron job for php session clean. Can anybody help me to stop this?
I have already set MAILTO="' in crontab. But still, this doesn't stop.
Mail Content:

Code: Select all

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_intl.dll' - /usr/lib/php/20151012/php_intl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_imap.dll' - /usr/lib/php/20151012/php_imap.dll: cannot open shared object file: No such file or directory in Unknown on line 0

[baxterdmutt]

On my server this was happening because VESTACP seems to send system emails via [email protected]. and since there was no root mail account, the messages get frozen and build up for 7days before they clear. All I did was create a root mail account and redirected all it’s mail to the admin user. I wasn’t sure how else to handle it and I wanted the system messages that VESTACP sends out.

[baxterdmutt]

Sorry, I should have added that another way around your problem is to make sure you have a root entry in /etc/aliases.
root : [email protected]
That is supposed to work but it didn’t for me. That’s why I created a root mail user account. I don’t like having a root mail user account so if anyone knows why the /etc/aliases didn’t work for me please let me know. Hope this helps.