
Server compromised, need help.

marcus@ (Guest)
I'm getting bounced mail from a couple domains that looks like my server has been compromised to send spam. The mail comes from domains I have but not from mail users I have set up in Plesk/qmail.

For example, one was sent from:
From: "bucktoothed" <[email protected]>

I need some help in knowing where to start looking for the vulnerability.

I've run chkrootkit and rkhunter and come up clean in both cases. I've also attempted looking at the /var/qmail/mailnames/domain.com/legit-user/Maildir/.sent-mail/ folders for signs of the spam, but since it's coming from users that shouldn't even exist there's nothing there.

I've checked my outgoing mail relay settings and it requires SMTP authentication.

The domain(s) in question are not running any scripts--in fact, one only has a single .html file and an image in the httpdocs dir.

I'm not sure where to go from here.
 
Since last night I've figured out that they can send mail from apparently *any* domain on the server, regardless of whether the domain is enabled or not. I disabled all domains and spam is still being sent. HTTPD must, however, be running.

It's sending about 3 messages a minute.

ps -fuapache does not show any PPIDs of 1.

I've installed mod_security but honestly I'm not really sure where to start with it. One strange, repeated entry I've noticed is:

Apache-Error: [file "/usr/src/build/584794-i386/BUILD/httpd-2.0.46/server/core.c"] [line 3452] [level 3] File does not exist: /home/httpd/vhosts/default/htdocs/blog
Stopwatch: 1167915372113894 2112 (- - -)
Producer: ModSecurity v2.0.4 (Apache 2.x)
Server: Apache

I have neither the /usr/src/build/... folder nor the /home/httpd/vhosts/default/htdocs/blog folder on my server.
 
Are you sure the mail is actually originating from your server, and it is not just a spammer spoofing the 'From' address?

Think of it this way:
1. Spammer harvests domain names, sends spam out using [email protected]
2. One of the spam emails sent out was delivered to a mailbox that did not exist
3. As the mailbox did not exist, the mail will bounce back to your domain, as the receiving mail server believes that's where the email originated from

Can you paste in the mail headers from one of the emails?

Nick.
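One way to apply Nick's check, as an added example that is not from this thread: take the original message that a bounce returns and walk its Received chain to see whether any hop actually passed through your server. The hostnames and IPs below are constructed placeholders, not values from the thread.

```python
import re
from email import message_from_string

# Constructed samples standing in for the original message a bounce returns.
# SPOOFED: claims a From: in our domain, but its Received chain never touches
# our server (classic backscatter). RELAYED: a hop shows our server's own IP
# handing the message to the recipient, so it really did leave this box.
SPOOFED = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
\tby inbox.recipient.example with ESMTP; Thu, 4 Jan 2007 12:00:01 -0500
Received: from unknown (HELO mail.mydomain.example) (198.51.100.77)
\tby mx.recipient.example with SMTP; Thu, 4 Jan 2007 12:00:00 -0500
From: "bucktoothed" <nobody@mydomain.example>
To: someone@recipient.example
Subject: constructed sample

body
"""

RELAYED = SPOOFED.replace(
    "Received: from unknown (HELO mail.mydomain.example) (198.51.100.77)",
    "Received: from mail.mydomain.example (mail.mydomain.example [192.0.2.10])",
)

# Hypothetical identity of the server under investigation.
SERVER_IPS = {"192.0.2.10"}
SERVER_NAMES = {"mail.mydomain.example"}

FROM_CLAUSE = re.compile(r"\bfrom\s+(?P<helo>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I | re.S)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originated_here(raw_message, server_ips=SERVER_IPS, server_names=SERVER_NAMES):
    """Return (True, hop) if some Received hop shows the message passing
    through our server, else (False, None). The HELO name is ignored because
    the sender chooses it; only the receiving MTA's bracketed peer IP and the
    'by' host it stamped are trusted."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())          # unfold continuation lines
        m = FROM_CLAUSE.search(hop)
        if not m:
            continue
        peer_ips = set(IP_IN_BRACKETS.findall(m.group("rest")))
        by_host = m.group("by").rstrip(";").lower()
        if peer_ips & server_ips or by_host in server_names:
            return True, hop
    return False, None
```

If the spoofed sample comes back False while the relayed one comes back True, the bounces are backscatter and the server is not the sender; a True on real bounces means the mail genuinely left the box and the hunt for the injection point (webserver, authenticated account) is warranted.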
 