LinuxQuestions.org
Old 01-03-2011, 05:55 PM   #1
highllamas
LQ Newbie
 
Registered: Nov 2006
Distribution: Ubuntu Edgy
Posts: 5

Rep: Reputation: 0
Qmail hacked in my server


Hello.
I would like your help. My server is probably hacked and sending spam emails. I see them randomly in maillog (/usr/local/psa/var/log/maillog, server has a Plesk panel), sometimes a few in a long time, sometimes a lot of them.
Here is a sample of it:

Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: to=frnklnjac7@aol.com
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: recipient[3] = 'frnklnjac7@aol.com'
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/frnklnjac7@aol.com'
Jan 4 00:47:10 acv360 qmail: 1294098430.077707 starting delivery 22: msg 35096084 to remote frnklnjac7@aol.com
Jan 4 00:47:10 acv360 qmail: 1294098430.077800 status: local 0/10 remote 2/20

It is not an Apache issue, because I tried stopping Apache while these emails were being sent, but nothing changed. Also, I cannot find any suspicious script running using the ps xaf command.
Also every 5 minutes or so, I see these messages:
Jan 4 00:51:53 acv360 pop3d: Connection, ip=[209.85.213.27]
Jan 4 00:51:59 acv360 pop3d: IMAP connect from @ [209.85.213.27]ERR: LOGIN FAILED, ip=[209.85.213.27]
The IP usually changes, but all of them are from Google. I don't know if that has something to do with the spam emails.

I would appreciate your help
Thank you,
Dennis

Last edited by highllamas; 01-03-2011 at 05:58 PM.
 
Old 01-03-2011, 10:51 PM   #2
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, Kali Linux, Raspbian
Posts: 166

Rep: Reputation: 10
You are right, it is not an Apache issue. It seems your mail server is acting as an open relay server and sending spam mails. Go through the link to set up selective relay configuration.

http://qmail.3va.net/qdp/qmail-antirelay.html
 
Old 01-05-2011, 01:46 AM   #3
highllamas
LQ Newbie
 
Registered: Nov 2006
Distribution: Ubuntu Edgy
Posts: 5

Original Poster
Rep: Reputation: 0
Hello.
Thanks a lot for your reply. I think I have managed to close the open relay on my server; I have tested it through here too:
http://www.checkor.com/

But it seems the problem continues somehow. Here is another new entry from maillog:

Jan 5 08:43:49 acv360 qmail: 1294213429.868606 starting delivery 7402: msg 35096526 to remote loratemple@aol.com
Jan 5 08:43:49 acv360 qmail: 1294213429.868635 status: local 0/10 remote 1/20
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: Handlers Filter before-remote for qmail started ...
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: from=root@acv360.com
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: to=loratemple@aol.com
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: recipient[3] = 'loratemple@aol.com'
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/loratemple@aol.com'
Jan 5 08:43:56 acv360 qmail: 1294213436.065059 delivery 7402: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Jan 5 08:43:56 acv360 qmail: 1294213436.065097 status: local 0/10 remote 0/20

The email user loratemple@aol.com changes periodically to lorddilo@aol.com, lorddoomsock13@aol.com, etc.; maybe some kind of vocabulary is running.
 
Old 01-05-2011, 04:22 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
If you are not acting as an open relay and you are not being subject to scripting issues from a web site, chances are that one (or more) of your email account passwords has been guessed (cracked) and this account is being used to send mail. You need to determine which user or process is responsible for sending the mail.

I am not expert enough in qmail to give you explicit advice on how to do this, but see the following link. Specifically, look at the m option, which will attach the process-id to the message envelope. This paper may also be of interest to you.
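
One way to approach the step described in the post above, working out which sender identity is behind the outbound mail, using the qmail-remote-handlers from=/to= lines that appear in the maillog excerpts in this thread. This is an added example, not code from any poster or from qmail or Plesk; the sample log lines, the function names, the SYSTEM_LOCALPARTS set and the min_recipients threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the maillog excerpts in this thread.
SAMPLE_LOG = """\
Jan 5 08:43:49 mx qmail-remote-handlers[9349]: Handlers Filter before-remote for qmail started ...
Jan 5 08:43:49 mx qmail-remote-handlers[9349]: from=root@example.com
Jan 5 08:43:49 mx qmail-remote-handlers[9349]: to=alice@example.net
Jan 5 08:44:10 mx qmail-remote-handlers[9402]: from=root@example.com
Jan 5 08:44:10 mx qmail-remote-handlers[9402]: to=bob@example.net
Jan 5 08:45:02 mx qmail-remote-handlers[9477]: from=info@example.com
Jan 5 08:45:02 mx qmail-remote-handlers[9477]: to=carol@example.org
Jan 5 08:46:30 mx qmail-remote-handlers[9349]: from=root@example.com
Jan 5 08:46:30 mx qmail-remote-handlers[9349]: to=dave@example.net
"""

HANDLER = re.compile(r"qmail-remote-handlers\[(\d+)\]: (from|to)=(\S*)")
# Assumption: local parts that belong to system accounts, not real mailboxes.
SYSTEM_LOCALPARTS = {"root", "apache", "www-data", "nobody", "anonymous"}

def recipients_by_sender(log_text):
    """Pair each to= line with the latest from= logged by the same handler PID."""
    current_from = {}             # pid -> envelope sender seen most recently
    rcpts = defaultdict(set)      # sender -> distinct remote recipients
    for line in log_text.splitlines():
        m = HANDLER.search(line)
        if not m:
            continue              # pop3d lines, hook_dir lines, etc.
        pid, key, addr = m.group(1), m.group(2), m.group(3).lower()
        if key == "from":
            current_from[pid] = addr or "<>"   # empty sender is a bounce
        elif pid in current_from:
            rcpts[current_from[pid]].add(addr)
    return dict(rcpts)

def flag_system_senders(rcpts, min_recipients=2):
    """Senders with a system-account local part and many distinct recipients."""
    return sorted(
        s for s, r in rcpts.items()
        if s.split("@")[0] in SYSTEM_LOCALPARTS and len(r) >= min_recipients
    )

if __name__ == "__main__":
    table = recipients_by_sender(SAMPLE_LOG)
    for sender, r in sorted(table.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(r):4d} distinct recipients  {sender}")
    print("review first:", flag_system_senders(table))
```

On a real host, pass the contents of the maillog (/usr/local/psa/var/log/maillog in the first post) instead of SAMPLE_LOG. A system account such as root leading the list is consistent with mail injected by a local process rather than sent through a mailbox login, although an SMTP client can also claim that address.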
 
Old 01-05-2011, 07:04 AM   #5
TheVillageIdiot
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Rep: Reputation: 0
Couldn't you also check your logs to see who logged in around that time? Might be a simpler approach.
 
Old 01-05-2011, 08:55 AM   #6
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
Moved: This thread is more suitable in Linux Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-05-2011, 12:07 PM   #7
highllamas
LQ Newbie
 
Registered: Nov 2006
Distribution: Ubuntu Edgy
Posts: 5

Original Poster
Rep: Reputation: 0
Hello.

Thanks for your replies. I have changed the passwords; I will wait to see if the problem continues. I can't find anything in the log files, nor in cronjobs, as far as I know. Also, I cannot understand the fact that there are a lot of entries in maillog every few minutes saying this:
Jan 5 19:02:34 acv360 pop3d: IMAP connect from @ [209.85.161.40]ERR: LOGIN FAILED, ip=[209.85.161.40]
Jan 5 19:05:50 acv360 pop3d: Connection, ip=[209.85.161.34]

These IPs are always from Google.

I ran rkhunter, but it returned nothing suspicious either.

Thanks
 
Old 02-10-2011, 07:22 AM   #8
dman1
LQ Newbie
 
Registered: Dec 2010
Posts: 16

Rep: Reputation: 0
Dear highllamas,

Please take a look at our thread here:
http://www.linuxquestions.org/questi...856/page5.html

There seems to be some kind of exploit affecting many of us.
 
  

