LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-03-2011, 05:55 PM   #1
highllamas
LQ Newbie
 
Registered: Nov 2006
Distribution: Ubuntu Edgy
Posts: 5

Rep: Reputation: 0
Qmail hacked in my server


Hello.
I would like your help. My server is probaly hacked and sending spam emails. I see them randomly in maillog (/usr/local/psa/var/log/maillog, server has a plesk panel), sometimes a few in a long time, sometimes a lot of them.
Here is a sample of it:

Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: to=frnklnjac7@aol.com
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: recipient[3] = 'frnklnjac7@aol.com'
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/frnklnjac7@aol.com'
Jan 4 00:47:10 acv360 qmail: 1294098430.077707 starting delivery 22: msg 35096084 to remote frnklnjac7@aol.com
Jan 4 00:47:10 acv360 qmail: 1294098430.077800 status: local 0/10 remote 2/20

It is not an apache issue, because I had tried to stop apache when these emails have been sent but nothing changed. Also I cannot find any suspicious script running using ps xaf command.
Also every 5 minutes or so, I see these messages:
Jan 4 00:51:53 acv360 pop3d: Connection, ip=[209.85.213.27]
Jan 4 00:51:59 acv360 pop3d: IMAP connect from @ [209.85.213.27]ERR: LOGIN FAILED, ip=[209.85.213.27]
The IP usually changes, but all of them are from Google. I don't if that has something to do with the spam emails

I would appreciate your help
Thank you,
Dennis

Last edited by highllamas; 01-03-2011 at 05:58 PM.
 
Old 01-03-2011, 10:51 PM   #2
kaushalpatel1982
Member
 
Registered: Aug 2007
Location: INDIA
Distribution: CentOS, RHEL, Fedora, Debian, Ubuntu, LinuxMint, Kali Linux, Raspbian
Posts: 166

Rep: Reputation: 10
You are right, It is not Apache issue. Seems your mail server act as open relay server and sending spam mails. Go through the link to configure selective relay configuration.

http://qmail.3va.net/qdp/qmail-antirelay.html
 
Old 01-05-2011, 01:46 AM   #3
highllamas
LQ Newbie
 
Registered: Nov 2006
Distribution: Ubuntu Edgy
Posts: 5

Original Poster
Rep: Reputation: 0
Hello.
Thanks a lot for your reply. I think I have managed to close open relay on my server, I have tested it through here too:
http://www.checkor.com/

But it seems the problem continues someway. Here is another new entry from maillog:

Jan 5 08:43:49 acv360 qmail: 1294213429.868606 starting delivery 7402: msg 35096526 to remote loratemple@aol.com
Jan 5 08:43:49 acv360 qmail: 1294213429.868635 status: local 0/10 remote 1/20
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: Handlers Filter before-remote for qmail started ...
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: from=root@acv360.com
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: to=loratemple@aol.com
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: recipient[3] = 'loratemple@aol.com'
Jan 5 08:43:49 acv360 qmail-remote-handlers[9349]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/loratemple@aol.com'
Jan 5 08:43:56 acv360 qmail: 1294213436.065059 delivery 7402: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Jan 5 08:43:56 acv360 qmail: 1294213436.065097 status: local 0/10 remote 0/20

The email user loratemple@aol.com changes periodically to lorddilo@aol.com,lorddoomsock13@aol.com etc, maybe some kind of vocabulary is running.
 
Old 01-05-2011, 04:22 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780Reputation: 780
If you are not acting as an open relay and you are not being subject to scripting issues from a web site, chances are that one (or more) of your email account passwords has been guessed (cracked) and this account is being used to send mail. You need to determine which user or process is responsible for sending the mail.

I am not expert enough in qmail to give you explicit advice on how to do this, but see the following link. Specifically look at the m option which will attach the process-id to the message envelope. This paper may also be of interest to you too.
 
Old 01-05-2011, 07:04 AM   #5
TheVillageIdiot
LQ Newbie
 
Registered: Sep 2003
Posts: 9

Rep: Reputation: 0
Couldn't you also check your logs to see who logged in around that time? Might be a simpler approach.
 
Old 01-05-2011, 08:55 AM   #6
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 552Reputation: 552Reputation: 552Reputation: 552Reputation: 552Reputation: 552
Moved: This thread is more suitable in Linux Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 01-05-2011, 12:07 PM   #7
highllamas
LQ Newbie
 
Registered: Nov 2006
Distribution: Ubuntu Edgy
Posts: 5

Original Poster
Rep: Reputation: 0
Hello.

Thanks for your replies. I have changed the passwords, I will wait if the problem continues. I can't find anything in the log files,nor on cronjobs, as far as I know. Also I cannot understand hte fact that there is a lot of entries in maillog every few minutes saying this:
Jan 5 19:02:34 acv360 pop3d: IMAP connect from @ [209.85.161.40]ERR: LOGIN FAILED, ip=[209.85.161.40]
Jan 5 19:05:50 acv360 pop3d: Connection, ip=[209.85.161.34]

These ips are always from Google.

I runned rkhunter, but returned nothing suspicious too.

Thanks
 
Old 02-10-2011, 07:22 AM   #8
dman1
LQ Newbie
 
Registered: Dec 2010
Posts: 16

Rep: Reputation: 0
Dear highllamas,

Please take a look at our thread here:
http://www.linuxquestions.org/questi...856/page5.html

There seems to be some kind of exploit affecting many of us.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Server hacked bruxelles2010 Linux - Security 9 11-15-2010 07:23 AM
qmail - mail server hacked,sending spam - help.. > skate Linux - Server 8 07-29-2008 02:25 AM
applying c.k. davis qmail buffer patch to live qmail server baronsam Linux - Server 4 04-22-2007 02:02 PM
Why is my server getting hacked so much? dsschanze Linux - Security 17 07-27-2006 01:16 PM
qmail +qmail-qfilter + qmail-scanner-queue+qmail-user-masq.pl problem countcobolt Linux - Networking 0 07-08-2004 11:29 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:10 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration