Server Compromised?

lss1 · 12-14-2005, 11:11 PM

Hello everyone, I hate that y first post here has to be about this. Our server was shut down by the host. We called and they claim it was caught sending spam. We dont send spam. HE asked us if a domain was ours, and it was not, and he said someone looged in as root and configured the mail to send mail from it. Our password is not eaily crackable, its 10 character random, and the only login attempts that stand out are the ones mentioned in the sticky. The mail, mail.1, mail.2 logs are all empty. It runs plesk control panel. In the psa/mail log I think I see the spam. They gave us another chance and brought the server online, but I assure you we had nothing to do with it, I think they are not telling us everything. What should I do? We disabled SMTP for now. How can I figure what happend and prevent it? Thanks.
John

lss1 · 12-15-2005, 01:29 AM

Dec 15 01:13:26 www qmail: 1134630806.036662 status: local 0/25 remote 10/25
Dec 15 01:13:26 www qmail: 1134630806.036929 triple bounce: discarding bounce/803671
Dec 15 01:13:26 www qmail: 1134630806.107710 end msg 803671
Dec 15 01:13:26 www qmail: 1134630806.125142 starting delivery 19: msg 804082 to remote Kianaojfg@filmelsker.com
Dec 15 01:13:26 www qmail: 1134630806.130192 status: local 0/25 remote 11/25
Dec 15 01:13:26 www qmail: 1134630806.136371 starting delivery 20: msg 804249 to remote odgdfnejobs@efastrigone.net
Dec 15 01:13:26 www qmail: 1134630806.138991 status: local 0/25 remote 12/25
Dec 15 01:13:26 www qmail: 1134630806.140958 starting delivery 21: msg 804010 to remote alidsfgfg@zybermail.com
Dec 15 01:13:26 www qmail: 1134630806.142926 status: local 0/25 remote 13/25
Dec 15 01:13:26 www qmail: 1134630806.145120 starting delivery 22: msg 804118 to remote Meladsfgmpr@qatarmail.com
Dec 15 01:13:26 www qmail: 1134630806.165357 status: local 0/25 remote 14/25
Dec 15 01:13:26 www qmail: 1134630806.188423 starting delivery 23: msg 804302 to remote Ramodsfrgdx@godisenga.com
Dec 15 01:13:26 www qmail: 1134630806.202869 status: local 0/25 remote 15/25
Dec 15 01:13:26 www qmail: 1134630806.228151 starting delivery 24: msg 804155 to remote Carsdsfg@kosejexxnte.com
Dec 15 01:13:26 www qmail: 1134630806.236485 status: local 0/25 remote 16/25
Dec 15 01:13:26 www qmail: 1134630806.238851 new msg 804457
Dec 15 01:13:26 www qmail: 1134630806.272343 info msg 804457: bytes 3810 from <leon@holstein.com> qp 11364 uid 2020
Dec 15 01:13:26 www qmail: 1134630806.340326 starting delivery 25: msg 804457 to local 1-sdsfgean@xxxxxx.com
Dec 15 01:13:26 www qmail: 1134630806.418966 status: local 1/25 remote 16/25
Dec 15 01:13:26 www qmail: 1134630806.485114 starting delivery 26: msg 804534 to remote rosdsfsdfdsfgles@adxxone.com
Dec 15 01:13:26 www qmail: 1134630806.542818 status: local 1/25 remote 17/25
Dec 15 01:13:26 www qmail: 1134630806.634775 starting delivery 27: msg 804313 to remote Kimsasdafdpsl@dansexxgulvet.com
Dec 15 01:13:26 www qmail: 1134630806.696604 status: local 1/25 remote 18/25
Dec 15 01:13:26 www qmail: 1134630806.715084 delivery 26: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
Dec 15 01:13:26 www qmail: 1134630806.740208 status: local 1/25 remote 17/25
Dec 15 01:13:26 www qmail: 1134630806.778740 starting delivery 28: msg 804316 to remote Daniasdfsadfta04fo@psykxcopat.com

On server restart qmail fires back up and is at it again. How can I stop this? Granted we dont know how it started! Note: Email addys have been edited.

lss1 · 12-15-2005, 01:50 AM

More info. QMail queue looks like:
[root@www /]# /var/qmail/bin/qmail-qread
10 Dec 2005 04:59:09 GMT #804379 1944 <>
remote 924-13672568-1-13-37000mpxas@blankink.com
11 Dec 2005 11:52:31 GMT #804218 9070 <>
remote 71-5786060-xtremedreamz.net?junk@mese.zzsave.com
8 Dec 2005 17:20:19 GMT #804310 1311 <>
remote 1xgprtefy@247medsavings.net
11 Dec 2005 15:21:22 GMT #804563 4752 <>
remote Tricia94tg@minpost.no
9 Dec 2005 06:19:10 GMT #803919 2203 <>
remote 910-13672568-1-13-42260mpxaads@expresasdfsmetro.com
9 Dec 2005 23:01:22 GMT #804402 1937 <>
remote 924-13672568-1-13-92569mapxdsaas@blansadfkink.com
9 Dec 2005 21:44:37 GMT #804288 4208 <>
remote Samsadfv1qj@sinnssyk.com
11 Dec 2005 17:36:51 GMT #804633 4066 <>
remote Maynardw7wsadfu@superelsker.com
12 Dec 2005 12:40:44 GMT #804035 2844 <>
remote 914-13672568-1-13-616mpsaxas@lapexsadfpress.com
10 Dec 2005 21:16:24 GMT #804610 3987 <>
remote greatoffersadf@usdaily005.com
12 Dec 2005 17:26:35 GMT #804219 1983 <>
remote infsadfo@microgrses.com
9 Dec 2005 01:08:40 GMT #804680 3762 <>
remote 919-13672568-1-13-19510mpxas@blanksugar.com
9 Dec 2005 20:52:31 GMT #804082 5477 <>
remote Kianaojfsadfg@filmelsker.com
9 Dec 2005 07:06:12 GMT #804013 2162 <>
remote offeronlinejobsdafdsadsas@efastrigone.net
11 Dec 2005 16:54:19 GMT #804612 3497 <>
remote Kyleru3fsadfwt@iraqmail.com
11 Dec 2005 18:43:17 GMT #804060 3413 <>

lss1 · 12-15-2005, 02:27 AM

Here is the content of one of the message in queue. I think what might be happening is messages are being sent to a site hosted on this dedicated servers junkmail account, bouncing because its full, be returned to sender, and those returns contain original message, thus are being flagged as spam, possibly because the sender has been spoofed. Think maybe thats what is going on?

Quote:

Received: (qmail 7189 invoked for bounce); 10 Dec 2005 18:10:34 -0000
Date: 10 Dec 2005 18:10:34 -0000
From: MAILER-DAEMON@www.mydomain.com
To: Tibetan@ivic.net
Subject: failure notice

Hi. This is the qmail-send program at www.mydomain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<junk@ahosteddomainonmydedi.net>:
Recipient's mailbox is full, message returned to sender. (#5.2.2)

--- Below this line is a copy of the message.

Return-Path: <Tibefgxtan@ivic.net>
Received: (qmail 7184 invoked from network); 10 Dec 2005 18:10:33 -0000
Received: from 6532195hfc44.tampabay.res.rr.com (65.32.195.44)
by 226-44-182-242.dedicated.myhost.net with SMTP; 10 Dec 2005 18:10:33 -0000
From: <Tibsadfetan@ivic.net>
To: <junk@myhosteddomain.net>
Subject: Howdy!
Date: Sun, 11 Dec 2005 02:13:07 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="buCvm3BstpiF4OPqHZmS7V"

This is a multi-part message in MIME format.

--buCvm3BstpiF4OPqHZmS7V
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

TruckStuff · 12-15-2005, 03:03 AM

Post the full, unedited output of /var/qmail/bin/qmail-showctl

nx5000 · 12-15-2005, 07:18 AM

You have come to the good place, there are a lot of persons that will help you here, so giving the information that TruckStuff asked would be the more effective.

More generaly, depending on if you are running a business, depending on the country where you host this server, depending on the links you have with your ISP, you could call the police...
You could even get some cash back!
http://www.aboutspam.com/

You can also by yourself track the spammer. For this you will need a good understanding of email headers and a good cooperation of all the admins of each mail servers on the link. The latter is the most difficult depending on the country where they live, their disponibility,...

This link could be worth reading (killing a spammer):

http://home1.gte.net/parntson/PaulSpamWar.html

lss1 · 12-15-2005, 09:30 AM

Removed Log File

lss1 · 12-16-2005, 12:49 AM

That was the issue. A few full mailboxes shooting out tons of return emails.