Hacked? Mail relay?

aernative

Guest
My Plesk install is up to date (at time of writing); we have -

However, we have noticed we're getting some issues with email, such as discovering our IP on a spam list...

ps -ax | grep qmail
gives ->


32223 ? S 0:00 qmail-remote schroeter-goldmark.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32224 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32225 ? S 0:00 qmail-remote ltinet.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32226 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32228 ? S 0:00 qmail-remote aol.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32235 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32236 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32242 ? S 0:00 qmail-remote yahoo.ca IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32243 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32244 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32253 ? S 0:00 qmail-remote pchnet.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32258 ? S 0:00 qmail-remote aol.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32266 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32274 ? S 0:00 qmail-remote mia.bellsouth.net IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32275 ? S 0:00 qmail-remote nctimes.net IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32277 ? S 0:00 qmail-remote aol.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32281 ? S 0:00 qmail-remote yahoo.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32282 ? S 0:00 qmail-remote aol.com IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32283 ? S 0:00 qmail-remote wrldnet.net IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]
32284 ? S 0:00 qmail-remote cis.net IssueOfTheWeek4185@[MYSERVERNAME].info [email protected]

Or similar. Only by stopping qmail can I clear this list of processes; when I restart, a similar load starts almost right away.

Is this normal, or has the server been exploited by spammers?

Please help!

We do have a BB installed on the server, and right now we're removing it to test if that is the problem. The firewall has been set up to block SMTP requests, and under /server/mail we have selected the "closed" option on Relaying (it was set to authorisation required).
 
We have managed to clear the queue by running -

for i in bounce info intd local mess remote todo; do
find /var/qmail/queue/$i -type f -exec rm {} \;
done


We're keeping an eye on this now. Any tips on how we can prevent this from happening again would be appreciated!
 
We have the same problem.
Running FreeBSD (up to date, firewalled, ...)

Have you found an evil script in the BB's?

Have you rescued the server?

Thanks in advance for providing some more information!

Jan
 
We've updated BB to 2.0.19; at first glance there is nothing obviously wrong with the boards. However, touch wood, we are still clear.

We backed up the forum folders before updating, so we're going to download them and analyse their contents. There is nothing unusual in the /tmp directory either. Although we feel it may have been the forum at fault, we are not happy to settle for the "easy" target.

The server gives a worrying result when you run ->

telnet relay-test.mail-abuse.org

we get ->

Trying 168.61.4.13...
Connected to relay-test.mail-abuse.org.
Escape character is '^]'.
Connecting to [X.X.X.X] ...
<<< 220 [MYSERVER].info ESMTP
>>> HELO cygnus.mail-abuse.org
<<< 250 [MYSERVER].info
:Relay test: #Quote test
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <"[email protected]">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 1
>>> mail from: <[email protected]>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 2
>>> mail from: <[email protected]>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #test 3
>>> mail from: <spamtest@localhost>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 4
>>> mail from: <spamtest>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 5
>>> mail from: <>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 6
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 7
>>> mail from: <spamtest@[82.165.40.50]>
<<< 250 ok
>>> rcpt to: <[email protected]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 8
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <nobody%mail-abuse.org@[MYSERVER].info>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 9
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <nobody%mail-abuse.org@[82.165.40.50]>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 10
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <"[email protected]">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 11
>>> mail from: <spamtest@[MYSERVER].info>
<<< 250 ok
>>> rcpt to: <"nobody%mail-abuse.org">
<<< 250 ok
>>> QUIT
<<< 221 [MYSERVER].info
Tested host banner: 220 [MYSERVER].info ESMTP
System appeared to accept 1 relay attempts
Connection closed by foreign host.

What does this mean - is the server acting as an open relay or not...

Updated

I have had some pointers given by "anand" over here -

http://netfusionx.com/forum/viewtopic.php?p=79#79

Will repost once I have followed them!
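To read a transcript like the one above, an added example that is not from the thread or from mail-abuse.org's tester: it pulls out every RCPT TO the server answered with 2xx and asks whether that address actually names a foreign domain, which is what decides "relay or not". The transcript excerpt, `myserver.info` as the local domain, and qmail's default of having no `control/percenthack` file are assumptions.

```python
import re

# Constructed excerpt in the format of the relay-test.mail-abuse.org output
# above: one rejected test and the one the tester counted as accepted.
TRANSCRIPT = """\
:Relay test: #Test 1
>>> mail from: <spamtest@mail-abuse.org>
<<< 250 ok
>>> rcpt to: <nobody@mail-abuse.org>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
:Relay test: #Test 11
>>> mail from: <spamtest@myserver.info>
<<< 250 ok
>>> rcpt to: <"nobody%mail-abuse.org">
<<< 250 ok
>>> QUIT
"""

LOCAL_DOMAINS = {"myserver.info"}  # assumption: domains the tested host serves itself

RCPT = re.compile(r"^>>> rcpt to: <(.*)>$", re.IGNORECASE)
REPLY = re.compile(r"^<<< (\d{3})")

def accepted_recipients(transcript: str) -> list:
    """RCPT TO addresses that the server answered with a 2xx code."""
    lines = [ln.strip() for ln in transcript.splitlines()]
    out = []
    for i, line in enumerate(lines[:-1]):
        m = RCPT.match(line)
        r = REPLY.match(lines[i + 1])
        if m and r and r.group(1).startswith("2"):
            out.append(m.group(1))
    return out

def classify(address: str, local_domains=LOCAL_DOMAINS) -> str:
    """'relay' if the recipient's domain is foreign, 'local' otherwise.
    A quoted local part with no @domain after the quotes (the %-hack form in
    Test 11) has no domain at all; qmail without control/percenthack treats
    it as a local user and bounces it instead of forwarding it on."""
    rest = address.strip()
    if rest.startswith('"'):
        rest = rest[rest.find('"', 1) + 1:]  # drop the quoted local part
    if "@" not in rest:
        return "local"
    return "local" if rest.rsplit("@", 1)[1].lower() in local_domains else "relay"

def relayed_recipients(transcript: str) -> list:
    """Accepted recipients that would actually leave the server."""
    return [a for a in accepted_recipients(transcript) if classify(a) == "relay"]
```

On this excerpt the only accepted recipient is the quoted `"nobody%mail-abuse.org"`, which carries no domain, so the server would deliver (and bounce) it locally rather than relay it; a non-empty result from `relayed_recipients` is the case to worry about.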
 
I'm having the same problem.
Can somebody help?


 
Problems may also be related to mailman - we've disabled mailman and we have set all mail that is to an unknown email address to be rejected. This appears (so far) to cure the problem.
 
Thanks for the information!

How can I disable Mailman?
I just started to use a dedicated server and haven't done anything about Mailman.
 
OK, panic over. The problem is down to a loose PHP script which was suffering from BCC injection.

For those who want to know how to diagnose and remove the threat, see the thread over here -

http://netfusionx.com/forum/viewtopic.php?t=31

My best advice is to get gcc, httpd_devel and mod_security installed using yum or up2date.

That's 2 days of my life you owe me, Plesk....
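The BCC injection named here, as an added example that is not code from the thread or from the script that was exploited: the way a contact-form mailer typically built its header block (raw concatenation, so a form field containing a line break becomes an extra `Bcc:` header) next to a hardened version that refuses such values. Field names, addresses and the sample submissions are constructed.

```python
import re
from typing import List, Optional

# Constructed form submissions. The second one carries CRLF + "Bcc:" inside the
# subject, the pattern behind the BCC injection diagnosed in this thread.
HONEST_FORM = {"from": "alice@example.org", "subject": "Question about hosting"}
INJECTED_FORM = {
    "from": "alice@example.org",
    "subject": "IssueOfTheWeek\r\nBcc: victim1@example.net, victim2@example.net",
}

_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def build_headers_naive(form: dict) -> str:
    """How the abused script built headers: whatever the visitor typed is
    pasted straight into the header block, line breaks included."""
    return f"From: {form['from']}\r\nSubject: {form['subject']}\r\n"

def header_names(block: str) -> List[str]:
    """Field names present in a header block, so the injected line is visible."""
    return [ln.split(":", 1)[0] for ln in block.split("\r\n") if ":" in ln]

def clean_header_value(value: str, limit: int = 200) -> Optional[str]:
    """Return the value only if it is safe to place on a single header line."""
    if re.search(r"[\r\n\x00]", value):  # any line break means an injected header
        return None
    value = value.strip()
    return value if 0 < len(value) <= limit else None

def build_headers_hardened(form: dict) -> Optional[str]:
    """Validate before anything reaches a header; None means reject the post."""
    sender = clean_header_value(form.get("from", ""))
    subject = clean_header_value(form.get("subject", ""))
    if sender is None or subject is None or not _ADDR.match(sender):
        return None
    # Fixed From on our own domain; the visitor's address only goes into
    # Reply-To, so bounces and sender policy stay under our control.
    return f"From: contact-form@example.com\r\nReply-To: {sender}\r\nSubject: {subject}\r\n"
```

A rejected submission is worth logging with the offending value, since a burst of such rejections is the same signal that the `qmail-remote` process list above gave after the fact.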
 
