
Hacked? Mail relay?

Discussion in 'Plesk for Linux - 8.x and Older' started by aernative, Feb 8, 2006.

  1. aernative

    aernative Guest

    0
     
    My Plesk install is up to date (at time of writing); we have -

    However, we have noticed we're getting some issues with email, such as discovering our IP on a spam list...

    ps -ax | grep qmail
    gives ->


    Or similar - only by stopping qmail can I clear this list of processes; when I restart I get a similar load almost right away.

    Is this normal - or has the server been exploited by spammers?

    Please help!

    We do have a BB installed on the server - and right now we're removing it to test if it's that that is the problem. The firewall has been set up to block SMTP requests and under /server/mail we have selected the "closed" option on Relaying (it was set to authorisation required).
     
  2. aernative

    aernative Guest

    0
     
    We have managed to clear the queue by running -


    We're keeping an eye on this now - any tips on how we can prevent this from happening again would be appreciated!
     
  3. jschuer

    jschuer Guest

    0
     
    We have the same problem.
    Running freebsd (up to date, firewalled, ...)

    Have you found an evil script in the BB's?

    Have you rescued the server?

    Thanks in advance for providing some more information!

    Jan
     
  4. aernative

    aernative Guest

    0
     
    We've updated BB to 2.0.19; on first glance there is nothing obviously wrong with the boards - however, touch wood, we are still clear.

    We backed up the forum folders before updating, so we're going to download them and analyse their contents - there is nothing unusual in the /tmp directory either. Although we feel it may have been the forum at fault, we are not happy to settle for the "easy" target.

    The server gives a worrying result when you run ->

    • telnet relay-test.mail-abuse.org

    we get ->

    • Trying 168.61.4.13...
      Connected to relay-test.mail-abuse.org.
      Escape character is '^]'.
      Connecting to [X.X.X.X] ...
      <<< 220 [MYSERVER].info ESMTP
      >>> HELO cygnus.mail-abuse.org
      <<< 250 [MYSERVER].info
      :Relay test: #Quote test
      >>> mail from: <spamtest@[MYSERVER].info>
      <<< 250 ok
      >>> rcpt to: <"nobody@mail-abuse.org">
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 1
      >>> mail from: <nobody@mail-abuse.org>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 2
      >>> mail from: <spamtest@maps1.pa.vix.com>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #test 3
      >>> mail from: <spamtest@localhost>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 4
      >>> mail from: <spamtest>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 5
      >>> mail from: <>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 6
      >>> mail from: <spamtest@[MYSERVER].info>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 7
      >>> mail from: <spamtest@[82.165.40.50]>
      <<< 250 ok
      >>> rcpt to: <nobody@mail-abuse.org>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 8
      >>> mail from: <spamtest@[MYSERVER].info>
      <<< 250 ok
      >>> rcpt to: <nobody%mail-abuse.org@[MYSERVER].info>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 9
      >>> mail from: <spamtest@[MYSERVER].info>
      <<< 250 ok
      >>> rcpt to: <nobody%mail-abuse.org@[82.165.40.50]>
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 10
      >>> mail from: <spamtest@[MYSERVER].info>
      <<< 250 ok
      >>> rcpt to: <"nobody@mail-abuse.org">
      <<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
      >>> rset
      <<< 250 flushed
      :Relay test: #Test 11
      >>> mail from: <spamtest@[MYSERVER].info>
      <<< 250 ok
      >>> rcpt to: <"nobody%mail-abuse.org">
      <<< 250 ok
      >>> QUIT
      <<< 221 [MYSERVER].info
      Tested host banner: 220 [MYSERVER].info ESMTP
      System appeared to accept 1 relay attempts
      Connection closed by foreign host.

    What does this mean - is the server acting as an open relay or not...

    Updated

    I have had some pointers given from "anand" over here -

    http://netfusionx.com/forum/viewtopic.php?p=79#79

    Will repost once I have followed them!
     
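    To read a transcript like the one posted above, here is an added example (not from this thread and not from mail-abuse.org's tool) that parses the `>>>`/`<<<` lines and picks out the tests where the server answered RCPT TO with a 2xx code. The transcript embedded in it is a constructed, shortened copy of the posted output with the server name left as the `[MYSERVER].info` placeholder.

```python
"""Added example (not from this thread): parse a relay-test.mail-abuse.org
style transcript and report which relay attempts the tested MTA accepted.
SAMPLE_TRANSCRIPT is a constructed, shortened copy of the output posted
above; only the ':Relay test:' markers and the '>>>'/'<<<' lines matter."""

SAMPLE_TRANSCRIPT = """\
<<< 220 [MYSERVER].info ESMTP
>>> HELO cygnus.mail-abuse.org
<<< 250 [MYSERVER].info
:Relay test: #Test 1
>>> mail from: <nobody@mail-abuse.org>
<<< 250 ok
>>> rcpt to: <nobody@mail-abuse.org>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 8
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <nobody%mail-abuse.org@[MYSERVER].info>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 11
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <"nobody%mail-abuse.org">
<<< 250 ok
>>> QUIT
<<< 221 [MYSERVER].info
"""

CLIENT, SERVER, TEST_MARK = ">>> ", "<<< ", ":Relay test:"


def parse_relay_transcript(text):
    """Return one dict per ':Relay test:' block: the envelope addresses used,
    the server's reply to RCPT TO, and accepted=True when that reply was 2xx
    (the MTA agreed to take mail for a recipient it does not host)."""
    tests, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(TEST_MARK):
            current = {"name": line[len(TEST_MARK):].strip(), "mail_from": None,
                       "rcpt_to": None, "reply": None, "accepted": False}
            tests.append(current)
        elif current is None:
            continue  # banner and HELO before the first test
        elif line.startswith(CLIENT):
            verb, _, arg = line[len(CLIENT):].partition(":")
            verb = verb.strip().lower()
            if verb == "mail from":
                current["mail_from"] = arg.strip()
            elif verb == "rcpt to":
                current["rcpt_to"] = arg.strip()
            pending = verb  # the next '<<<' line answers this command
        elif line.startswith(SERVER) and pending == "rcpt to":
            reply = line[len(SERVER):]
            current["reply"] = reply
            current["accepted"] = reply[:1] == "2"
            pending = None
    return tests


def accepted_relays(tests):
    """The tests the server accepted; any entry here is a recipient form
    the MTA would carry mail to although the domain is not local."""
    return [t for t in tests if t["accepted"]]


def summary(tests):
    """Same wording as the tool's own closing line."""
    return f"System appeared to accept {len(accepted_relays(tests))} relay attempts"


if __name__ == "__main__":
    results = parse_relay_transcript(SAMPLE_TRANSCRIPT)
    for t in accepted_relays(results):
        print(t["name"], "accepted", t["rcpt_to"], "->", t["reply"])
    print(summary(results))
```

    Run against the posted output this reports exactly the one acceptance the tool counted, Test 11: every other recipient carried an `@domain` that qmail compared against rcpthosts and refused with 553, while the quoted `<"nobody%mail-abuse.org">` has no `@domain` part for that check to reject. Whether a 250 there turns into mail actually leaving the box depends on how the MTA later rewrites the local part, so the right follow-up is to confirm it from the mail log rather than from the banner alone; the thread's later posts found the real source was a web script, which a relay test would never show.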
  5. jackop

    jackop Guest

    0
     
    I'm having the same problem.
    Can somebody help?


     
  6. aernative

    aernative Guest

    0
     
    Problems may also be related to mailman - we've disabled mailman and we have set all mail that is to an unknown email address to be rejected. This appears (so far) to cure the problem.
     
  7. jackop

    jackop Guest

    0
     
    Thanks for the information!

    How can I disable Mailman?
    I just started to use a dedicated server and haven't done anything about Mailman.
     
  8. aernative

    aernative Guest

    0
     
    OK - panic over - the problem is down to a loose PHP script which was suffering from BCC injection.

    For those who want to know how to diagnose and remove the threat, see the thread over here -

    http://netfusionx.com/forum/viewtopic.php?t=31

    My best advice is to get gcc, httpd_devel and mod_security installed using yum or up2date.

    That's 2 days of my life you owe me Plesk....
     
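    For anyone who wants the actual fix rather than just the diagnosis, here is an added example (not from this thread, not from the netfusionx write-up linked above, and not Plesk code) of the input check a contact-form script needs so it cannot be turned into a BCC-injection relay. It is written in Python rather than PHP so it runs stand-alone; the check is the same one a PHP `mail()` wrapper that builds headers from form fields has to make. All form submissions in it are constructed samples.

```python
"""Added example (not from this thread): validate web-form fields that end
up in mail headers so a line break in them cannot smuggle in extra headers
such as Bcc:. The PHP mail() pattern from the thread builds a header string
from form input; this Python version does the same with the missing check.
SUBMISSIONS holds constructed samples, not real traffic."""
import re
import urllib.parse

CRLF = re.compile(r"[\r\n]")             # a literal line break ends a header
ENCODED_CRLF = re.compile(r"%0[aAdD]")   # %0a/%0d that a later decode would turn into one
PLAIN_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
HEADER_FIELDS = ("name", "email", "subject")   # fields that land in headers
INJECTED_HEADER = re.compile(r"(?:^|[\r\n])\s*(bcc|cc|to)\s*:", re.IGNORECASE)


def has_header_injection(value):
    """True if a header-bound field contains anything that could start a new header line."""
    return bool(CRLF.search(value) or ENCODED_CRLF.search(value))


def validate_submission(form):
    """Return (ok, reason). Header fields must be single-line and the reply
    address must be one plain address; the message body may span lines."""
    for field in HEADER_FIELDS:
        if has_header_injection(form.get(field, "")):
            return False, f"{field}: line break in header field"
    if not PLAIN_ADDRESS.match(form.get("email", "")):
        return False, "email: not a single plain address"
    return True, "ok"


def build_message(form, site_sender, recipient):
    """Assemble the outgoing message only after validation. From: is fixed to
    the site's own address and the visitor's address goes in Reply-To, so no
    visitor-controlled value decides where the mail goes."""
    ok, reason = validate_submission(form)
    if not ok:
        raise ValueError(reason)
    headers = [
        f"From: {site_sender}",
        f"Reply-To: {form['email']}",
        f"To: {recipient}",
        f"Subject: {form['subject']}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")


def classify(form):
    """For log review: label a rejected submission as an injection attempt
    (a Bcc:/Cc:/To: header after a line break) or merely malformed input."""
    ok, _ = validate_submission(form)
    if ok:
        return "clean"
    decoded = urllib.parse.unquote("\n".join(form.get(f, "") for f in HEADER_FIELDS))
    return "bcc-injection" if INJECTED_HEADER.search(decoded) else "malformed"


SUBMISSIONS = [  # constructed samples
    {"name": "Alice", "email": "alice@example.org", "subject": "Hello",
     "message": "Hi,\nquestion about pricing."},
    {"name": "x", "email": "x@example.org\r\nBcc: a@example.net, b@example.net",
     "subject": "hi", "message": "."},
    {"name": "x", "email": "x@example.org",
     "subject": "hi%0aCc:%20c@example.net", "message": "."},
    {"name": "Bob", "email": "not an address", "subject": "Hi", "message": "."},
]

if __name__ == "__main__":
    for s in SUBMISSIONS:
        print(classify(s), validate_submission(s))
```

    The point is which fields get checked: the body can contain newlines, and it is the name, address and subject that must stay on one line because they are written into the header block. The `classify` helper is there so rejected submissions can be counted in the web log review that follows a clean-up like this one.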
  9. wagnerch

    wagnerch Guest

    0
     
    Uhm, but it wasn't a Plesk problem.
     
  10. pdreissen

    pdreissen Guest

    0
     
    Do you receive money for every hit on your site? Please post the solution over here, and do not try to send users to your own forum; this looks like SPAMvertising!
     
  11. anton_latvia

    anton_latvia Guest

    0
     