• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue Email Spoofing subsequent subsequent plesk.domain.com deceptive site ahead

B

bork

Basic Pleskian
Server operating system version
AlmaLinux 9.2 (Turquoise Kodkod)
Plesk version and microupdate number
Plesk Obsidian Version 18.0.56, last updated on Oct 13, 2023 01:25 AM
Hi,

Couple of days ago there was an email spoofing accident where someone sent some sort of threatening email that was sent to [email protected] to [email protected], [email protected] to [email protected] and then to a Gmail address.
Part of the email:

Sadly, there are some bad news that you are about to hear.
About few months ago I have gained a full access to all devices used by
you for internet browsing.
Shortly after, I started recording all internet activities done by you.

Below is the sequence of events of how that happened:
Earlier I purchased from hackers a unique access to diversified email
accounts (at the moment, it is really easy to do using internet).
As you can see, I managed to log in to your email account without
breaking a sweat: ([email protected])..... blah blah
Click to expand...
Firewall is enabled, fail2ban, SPF checking mode is set to fail. I tested the emails with mxtoolbox, the records are fine, there no certificate mismatches. The Safe Browsing site status from Google, checks mail, webmail, plesk.domain1.com as fine, however just domain1.com(which is no host domain) -> Some pages on this site are unsafe. The site domain1.com contains harmful content, including pages.... The deceptive site ahead prompts when I try to access into an individual email account settings, or email config check.

Any assistance would be greatly appreciated.
 
I forgot to add part of the log from the time of the incident.

2023-10-14 19:21:14INFOpostfix/qmgr [1179220]97A991960717: removed
2023-10-14 19:21:14INFOpostfix/smtp [1232627]97A991960717: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.165.26]:25, delay=1.4, delays=0.01/0.02/0.77/0.61, dsn=2.0.0, status=sent (250 2.0.0 OK 1697304074 z25-20020a2eb539000000b002c5052e36f1si1177617ljm.82 - gsmtp)
2023-10-14 19:21:12INFOpostfix/smtpd [1232594]disconnect from net-2-37-166-129.cust.vodafonedsl.it[2.37.166.129] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-10-14 19:21:12INFOpostfix/qmgr [1179220]97A991960717: from=<[email protected]>, size=7712, nrcpt=1 (queue active)
2023-10-14 19:21:12INFOpostfix/qmgr [1179220]332CA1960714: removed
2023-10-14 19:21:12INFOpostfix/pipe [1232607]332CA1960714: to=<[email protected]>, relay=plesk_virtual, delay=0.42, delays=0.33/0/0/0.09, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
2023-10-14 19:21:12INFOpostfix/cleanup [1232601]97A991960717: message-id=<001f01d9fed3$01c41d71$442ff898@dokdyw>
2023-10-14 19:21:12INFOpostfix/pickup [1225715]97A991960717: uid=30 from=<[email protected]>
2023-10-14 19:21:12INFOplesk-sendmail [1232622]S1232608: dk_sign: stderr: PASS
2023-10-14 19:21:12INFOplesk-sendmail [1232618]S1232608: check-quota: stderr: SKIP
2023-10-14 19:21:12INFOplesk-sendmail [1232618]S1232608: add-from: stderr: SKIP
2023-10-14 19:21:12INFOplesk-sendmail [1232617]S1232608: from=<[email protected]> to=<[email protected]>
2023-10-14 19:21:12INFOpostfix-local [1232608]332CA1960714: send message: id=S1232608 from=<[email protected]> to=<[email protected]>
2023-10-14 19:21:12INFOdovecot [1232612]service=lda, user=[email protected], ip=[]. sieve: msgid=<001f01d9fed3$01c41d71$442ff898@dokdyw>: stored mail into mailbox 'INBOX'
2023-10-14 19:21:12INFOpostfix-local [1232608]332CA1960714: dmarc: stderr: PASS
2023-10-14 19:21:12INFOpostfix-local [1232608]332CA1960714: dk_check: stderr: PASS
2023-10-14 19:21:12INFOpostfix-local [1232608]332CA1960714: from=<[email protected]>, to=<[email protected]>, dirname=/var/qmail/mailnames
2023-10-14 19:21:12INFOpostfix/qmgr [1179220]332CA1960714: from=<[email protected]>, size=6499, nrcpt=1 (queue active)
2023-10-14 19:21:12INFOpsa-pc-remote [1179022]332CA1960714: dk_sign: stderr: PASS
2023-10-14 19:21:12INFOpsa-pc-remote [1179022]332CA1960714: spf: stderr: PASS
2023-10-14 19:21:12INFOpsa-pc-remote [1179022]332CA1960714: check-quota: stderr: SKIP
2023-10-14 19:21:12INFOpostfix/cleanup [1232601]332CA1960714: message-id=<001f01d9fed3$01c41d71$442ff898@dokdyw>
2023-10-14 19:21:12INFOpsa-pc-remote [1179022]332CA1960714: from=<[email protected]> to=<[email protected]>
2023-10-14 19:21:12INFOpostfix/smtpd [1232594]332CA1960714: client=net-2-37-166-129.cust.vodafonedsl.it[2.37.166.129]
2023-10-14 19:21:11INFOpostfix/smtpd [1232594]connect from net-2-37-166-129.cust.vodafonedsl.it[2.37.166.129]
 
bork said:
Part of the email:

Sadly, there are some bad news that you are about to hear.
About few months ago I have gained a full access to all devices used by
you for internet browsing.
Shortly after, I started recording all internet activities done by you.

Below is the sequence of events of how that happened:
Earlier I purchased from hackers a unique access to diversified email
accounts (at the moment, it is really easy to do using internet).
As you can see, I managed to log in to your email account without
breaking a sweat: ([email protected])..... blah blah
Click to expand...
This sounds like a standard spam/phishing/backmail email. I would not worry about the email.

bork said:
[...] however just domain1.com(which is no host domain) -> Some pages on this site are unsafe. The site domain1.com contains harmful content, including pages.... The deceptive site ahead prompts when I try to access into an individual email account settings, or email config check.
Click to expand...
Can you post a screen shot? Obfuscating any sensitive of course.
 
Last edited:
Sorry, you might meant transparencyreport.google.com. This is from domain1.com. plesk.domain1.com is safe according to this.
screenshot2.jpg
 
The two incidents are independent from one another. The standard spam-blackmail mail can be ignored. Millions of these are sent daily around the globe. The website message means that Google (or other players) have determined that the domain contains malware. This can be an active source that attacks other websites or browsers, but it can also mean that a phishing path exists in that website that is used in phishing attempts. You may never see the actual mail that uses the files in your site to mimic another website, but it is likely there. Does ImunifyAV in Plesk show infected files?
 
Peter Debik said:
The two incidents are independent from one another. The standard spam-blackmail mail can be ignored. Millions of these are sent daily around the globe. The website message means that Google (or other players) have determined that the domain contains malware. This can be an active source that attacks other websites or browsers, but it can also mean that a phishing path exists in that website that is used in phishing attempts. You may never see the actual mail that uses the files in your site to mimic another website, but it is likely there. Does ImunifyAV in Plesk show infected files?
Click to expand...
Thank you for the clarification, I though if maybe that mail event initiated the deceptive site issue.
In any case, I scan with Imunify daily, it reports that everything is okay. I have the standard WordPress vulnerabilities(WordPress <= 6.2 - Unauth. Blind SSRF vulnerability/WordPress tagDiv Composer plugin <= 4.1 - CSRF to XSS vulnerability ), I don't know if that maybe could cause that issue. If not, how can I detect where that issue originates from?
 
That vulnerability cannot cause the reported issue directly. It is also possible that ImunifyAV misses something.

You could manually look into the file structure of your website whether you see suspicious files, like "a49837.php", "fjn29.php" etc. You could also check the timestamp of scripts whether they make sense, maybe look into scripts and check whether they contain obfuscated code. These can be a sign for malware. Maybe your .htaccess file contains an unwanted redirect, too.
 
Peter Debik said:
That vulnerability cannot cause the reported issue directly. It is also possible that ImunifyAV misses something.

You could manually look into the file structure of your website whether you see suspicious files, like "a49837.php", "fjn29.php" etc. You could also check the timestamp of scripts whether they make sense, maybe look into scripts and check whether they contain obfuscated code. These can be a sign for malware. Maybe your .htaccess file contains an unwanted redirect, too.
Click to expand...
I have Wordfence installed on all of the sites, and check them regularly. In any case I checked the files/folders and since I've had several malware clean-ups done so far(not on these sites), I can confirm that they are clean. Only thing that could possibly mess things up is that couple of the sites were migrated with Duplicator from a managed host environment, and have some leftovers I'm sure, that might be causing the issue. Other then that, I really don't know what could be causing the deceptive site situation.
 
You must log in or register to reply here.

Similar threads

A
My Suggestions for features
Replies
1
Views
3K
flosoft
F
Back
Top