Second box Second time QMAILD user hacked QMAILD user consumes 99% CPU

[mdowner]

I had this same issue on our last box, percula-clown. So we built a new server starfish with differant passwords. I am begining to beleive the PLESK product has an exploit some place that is allowing the boxes to get hacked! There is no reason this should happen twice!

We are spamming thousands of users per second!

Everytime support dials in they give some random usless excuse but there is obvioulsy a serrioius exploit here!

 

[atomicturtle]

There are 3 vectors this could be coming from:

1) You're an open relay, this can be caused through a whitelist, or through poplocking. Poplocking will whitelist an IP temporarily, and its not uncommon for users to come from proxies.

Action: Go into PSA, make sure you dont have any whitelists, and turn off poplocking. Clean your queue out with qmHandle or something like that, and then see if the spam continues.

2) They're using a compromised user account. I see this happening more and more, so look at your logs for "smtp_auth: smtp_auth: SMTP user ..." entries.

Action: clear your queue again, then watch /var/log/messages or /usr/local/psa/var/log/maillog for smtp_auth and spam. Thats going to tell you the account thats been compromised

3) Its coming through a web app. This is the vector I see about 90% of the time. A really dedicated spammer will go so far as to create their own MTA in perl, bypassing all your logs completely.

Action: clear your queue, and shut down the web server. If spam continues, then you can rule the web app as a source completely. If it does stop, then you'll need to go through each domains logs to see where the spam is coming from, or in my case, I fire up a sniffer and watch for the URL they're hitting.