1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Second box Second time QMAILD user hacked QMAILD user consumes 99% CPU

Discussion in 'Plesk for Linux - 8.x and Older' started by mdowner, Jan 31, 2007.

  1. mdowner

    mdowner Guest

    I had this same issue on our last box, percula-clown. So we built a new server starfish with differant passwords. I am begining to beleive the PLESK product has an exploit some place that is allowing the boxes to get hacked! There is no reason this should happen twice!

    We are spamming thousands of users per second!

    Everytime support dials in they give some random usless excuse but there is obvioulsy a serrioius exploit here!
  2. atomicturtle

    atomicturtle Golden Pleskian

    Nov 20, 2002
    Likes Received:
    Washington, DC
    There are 3 vectors this could be coming from:

    1) You're an open relay, this can be caused through a whitelist, or through poplocking. Poplocking will whitelist an IP temporarily, and its not uncommon for users to come from proxies.

    Action: Go into PSA, make sure you dont have any whitelists, and turn off poplocking. Clean your queue out with qmHandle or something like that, and then see if the spam continues.

    2) They're using a compromised user account. I see this happening more and more, so look at your logs for "smtp_auth: smtp_auth: SMTP user ..." entries.

    Action: clear your queue again, then watch /var/log/messages or /usr/local/psa/var/log/maillog for smtp_auth and spam. Thats going to tell you the account thats been compromised

    3) Its coming through a web app. This is the vector I see about 90% of the time. A really dedicated spammer will go so far as to create their own MTA in perl, bypassing all your logs completely.

    Action: clear your queue, and shut down the web server. If spam continues, then you can rule the web app as a source completely. If it does stop, then you'll need to go through each domains logs to see where the spam is coming from, or in my case, I fire up a sniffer and watch for the URL they're hitting.