• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Server Hacked

LuigiMdg

LuigiMdg

Basic Pleskian
Server operating system version
AlmaLinux 9
Plesk version and microupdate number
Plesk Obsidian v18.0.55.2
Hi guys, at this point I'm at a crossroads, just as it happened on another server, equipped with Webmin, I also suffered an attack on the server with Plesk, although the site is different and had never been hacked before.

The purpose is always the same, to send emails from the server, I suspect that the problem is in the Postfix configuration, but if you tell me to ask Postfix for support, well... I might as well use a free panel.
 
That doesn't sound like the server is hacked but more of just utilizing your email server. By default the relaying options should be authorized is a requirement for SMTP. You might want to make sure your network isn't configured as an open relay and that any networks you have configured is not added to the white list. You can look at https://support.plesk.com/hc/en-us/...rver-is-not-acting-as-an-open-relay-on-Plesk- for more information about that.

The other possibility is one of the user's (or email user account's) password is supe weak and so they're able to utilize that account to send spam email. You'll need to review the logs to see what's what and plug the hole.

The last possibility is someone is utilizing the PHP function of sendmail. Again, you'll need to review logs, and plug the hole (aka disable the PHP mail() function for the domain). You can check https://support.plesk.com/hc/en-us/...-a-spamming-domain-on-Plesk-for-Linux-server- for how to disable the PHP mail() function for the domain or how to turn it off globally.

As I've mention before, by default, the settings is set up in away to prevent unauthorized use but sites can still utilize sending emails through the PHP sendmail function. Need to review logs to find out which way it's being abused and apply accordingly.
 
No, they don't use the email function and no, the Postfix configuration hasn't been changed, so it's not an open relay
 
When you examine /var/log/maillog for outgoing spam, you can see from where the sender logs in to send the spam. Does the sender login from 127.0.0.1? Then very likely code in the website can access mailbox credentials stored in some configuration file. This is often the case with Joomla, but it can happen with other CMS, too. If the sender ip is the ip of your own local network, then very likely a malware in your network is logging in, e.g. utilizing the login procedure that is available in your existing mail software. If the sender ip is unknown/external, very like someone has spied your password, e.g. using a keylogger on one of your enduser device, and is using the loginname/password combination to login to the mailbox to submit spam.
 
Example:
2972040053F 51296 Mon Dec 4 02:45:53 [email protected]
(host alt1.gmail-smtp-in.l.google.com[142.251.9.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help i2-20020a05640242c200b0054ce04d7710si619239edc.651 - gsmtp (in reply to RCPT TO command))
[email protected]
Click to expand...
mail.log lines of this night without my IP:
Dec 4 03:30:51 vmi1354264 postfix/qmgr[1083]: 18688400543: from=<[email protected]>, size=51283, nrcpt=1 (queue active)
Dec 4 03:30:51 vmi1354264 postfix/qmgr[1083]: 53448400569: from=<[email protected]>, size=47791, nrcpt=1 (queue active)
Dec 4 03:30:52 vmi1354264 postfix/smtp[4090596]: 18688400543: host gmail-smtp-in.l.google.com[142.250.27.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help y22-20020a17090629d600b00a185d3274d6si3968402eje.403 - gsmtp (in reply to RCPT TO command)
Dec 4 03:30:52 vmi1354264 postfix/smtp[4090597]: 53448400569: host gmail-smtp-in.l.google.com[142.250.27.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help og40-20020a1709071de800b009fd1b3720a7si3977249ejc.64 - gsmtp (in reply to RCPT TO command)
Dec 4 03:30:52 vmi1354264 postfix/smtp[4090596]: 18688400543: to=<[email protected]>, relay=alt1.gmail-smtp-in.l.google.com[142.251.9.27]:25, delay=17224, delays=17224/0.06/0.24/0.03, dsn=4.2.1, status=deferred (host alt1.gmail-smtp-in.l.google.com[142.251.9.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help cf17-20020a170906b2d100b009fdd0105422si4000760ejb.857 - gsmtp (in reply to RCPT TO command))
Dec 4 03:30:52 vmi1354264 postfix/smtp[4090597]: 53448400569: to=<[email protected]>, relay=alt1.gmail-smtp-in.l.google.com[142.251.9.27]:25, delay=17224, delays=17224/0.09/0.24/0.02, dsn=4.2.1, status=deferred (host alt1.gmail-smtp-in.l.google.com[142.251.9.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help l10-20020a056402254a00b0054b5cd925fesi4092634edb.477 - gsmtp (in reply to RCPT TO command))
Dec 4 03:32:19 vmi1354264 postfix/smtpd[4090970]: connect from scanner-29.ch1.censys-scanner.com[167.248.133.191]
Dec 4 03:32:49 vmi1354264 postfix/smtpd[4090970]: SSL_accept error from scanner-29.ch1.censys-scanner.com[167.248.133.191]: -1
Dec 4 03:32:49 vmi1354264 postfix/smtpd[4090970]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:320:
Dec 4 03:32:49 vmi1354264 postfix/smtpd[4090970]: lost connection after CONNECT from scanner-29.ch1.censys-scanner.com[167.248.133.191]
Dec 4 03:32:49 vmi1354264 postfix/smtpd[4090970]: disconnect from scanner-29.ch1.censys-scanner.com[167.248.133.191] commands=0/0
Dec 4 03:32:49 vmi1354264 postfix/smtpd[4090970]: connect from scanner-05.ch1.censys-scanner.com[162.142.125.216]
Dec 4 03:33:19 vmi1354264 postfix/smtpd[4090970]: SSL_accept error from scanner-05.ch1.censys-scanner.com[162.142.125.216]: -1
Dec 4 03:33:19 vmi1354264 postfix/smtpd[4090970]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:320:
Dec 4 03:33:19 vmi1354264 postfix/smtpd[4090970]: lost connection after CONNECT from scanner-05.ch1.censys-scanner.com[162.142.125.216]
Dec 4 03:33:19 vmi1354264 postfix/smtpd[4090970]: disconnect from scanner-05.ch1.censys-scanner.com[162.142.125.216] commands=0/0
Dec 4 03:33:19 vmi1354264 postfix/smtpd[4090970]: connect from scanner-27.ch1.censys-scanner.com[167.94.138.127]
Dec 4 03:33:49 vmi1354264 postfix/smtpd[4090970]: SSL_accept error from scanner-27.ch1.censys-scanner.com[167.94.138.127]: -1
Dec 4 03:33:49 vmi1354264 postfix/smtpd[4090970]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:320:
Dec 4 03:33:49 vmi1354264 postfix/smtpd[4090970]: lost connection after CONNECT from scanner-27.ch1.censys-scanner.com[167.94.138.127]
Dec 4 03:33:49 vmi1354264 postfix/smtpd[4090970]: disconnect from scanner-27.ch1.censys-scanner.com[167.94.138.127] commands=0/0
Dec 4 03:35:51 vmi1354264 postfix/qmgr[1083]: 9B72240058C: from=<[email protected]>, size=51291, nrcpt=1 (queue active)
Dec 4 03:35:51 vmi1354264 postfix/qmgr[1083]: DE91A400587: from=<[email protected]>, size=47798, nrcpt=1 (queue active)
Dec 4 03:35:51 vmi1354264 postfix/smtp[4091750]: 9B72240058C: host gmail-smtp-in.l.google.com[142.250.27.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help r14-20020a170906350e00b00a1a47fe1ba0si2640741eja.222 - gsmtp (in reply to RCPT TO command)
Dec 4 03:35:51 vmi1354264 postfix/smtp[4091751]: DE91A400587: host gmail-smtp-in.l.google.com[142.250.27.26] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help hs2-20020a1709073e8200b00a1a5f778fc7si1960374ejc.56 - gsmtp (in reply to RCPT TO command)
Dec 4 03:35:52 vmi1354264 postfix/smtp[4091750]: 9B72240058C: to=<[email protected]>, relay=alt1.gmail-smtp-in.l.google.com[142.251.9.27]:25, delay=17161, delays=17161/0.05/0.27/0.04, dsn=4.2.1, status=deferred (host alt1.gmail-smtp-in.l.google.com[142.251.9.27] said: 450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 Limits for sending & getting mail - Gmail Help b7-20020a170906660700b00a10bc71a8a3si4051788ejp.291 - gsmtp (in reply to RCPT TO command))
Click to expand...
 
None of these log entries can help. You'll need to find the line where a mail is submitted. The lines above where this happens come from the existing mail queue.
 
Did you send this mail?
Dec 4 04:02:45 vmi1354264 postfix/smtpd[4098047]: 71B3D40005F: client=vmi1354264.contaboserver.net[SERVER_IP], sasl_method=CRAM-MD5, sasl_username=info@MY_WEBSITE.eu
Dec 4 04:02:45 vmi1354264 psa-pc-remote[1561404]: 71B3D40005F: from=<info@MY_WEBSITE.eu> to=<some address>
Dec 4 04:02:45 vmi1354264 postfix/cleanup[4098054]: 71B3D40005F: message-id=<20231204050245.1603011755.swift@MY_WEBSITE.eu>
Dec 4 04:02:45 vmi1354264 psa-pc-remote[1561404]: 71B3D40005F: check-quota: stderr: SKIP
Dec 4 04:02:45 vmi1354264 psa-pc-remote[1561404]: 71B3D40005F: spf: stderr: PASS
Dec 4 04:02:45 vmi1354264 psa-pc-remote[1561404]: 71B3D40005F: dk_sign: stderr: PASS
Dec 4 04:02:45 vmi1354264 postfix/qmgr[1083]: 71B3D40005F: from=<info@MY_WEBSITE.eu>, size=51297, nrcpt=1 (queue active)
Click to expand...
To me this looks like a suspicious entry, because the login to the mailbox info@MY_WEBSITE.eu comes from another server, not a dynamic Internet access point. Normally this is the case when malicious scripts running on third-party websites abuse login data that were previously captured try to send spam through the mailbox. If you agree that this login should not have taken place, the mitigation steps are:
1) Make sure that none of your enduser devices that are associated with your mail accounts have malware on them. It could be a smartphone, it could be a tablet, it could be a desktop computer. The hackers must have obtained your login data from some device using a keylogger. This could be a real virus/trojan, but it could also be hidden in a browser plugin. Check your system with different antivirus tools.
2) Only after you found and removed the malware, change all passwords of all mailboxes and all other logins you were using on the affected device. If a keylogger was active, not only logins to your mailboxes will have been harvested, but all other data you every typed in, too.
 
It could have been, but recently I formatted all the devices..
Also I don't see the IP between those lines or am I wrong..?!?
 
LuigiMdg said:
It could have been, but recently I formatted all the devices..
Also I don't see the IP between those lines or am I wrong..?!?
Click to expand...
I think all necessary advice has already been given. I am not sure what the question on the "IP" is. You had
Dec 4 04:02:45 vmi1354264 postfix/smtpd[4098047]: 71B3D40005F: client=vmi1354264.contaboserver.net[SERVER_IP], sasl_method=CRAM-MD5,
in your log, so the IP was replaced by the redacted part in brackets. All you need to do is to check that ip whether it is yours. Then simply follow the steps mentioned above.
 
That would also be great to know. So the case I described above is a mail submission from your own server to its own mail server. This means that your mailbox access credentials are stored somewhere on the server so that a malicious software can use them to login and to send spam. This behavior is most often the case with SMTP login data that is stored in a website. Personally, I most often observed it with Joomla websites, but other CMS or website software stores email data, too. What you'll need to do is to check, which of your websites has that information stored. There you'll find the malicious scripts.

You can also wrap Postfix as described in https://support.plesk.com/hc/en-us/...dentify-spam-source-on-Plesk-for-Linux-Server so that it could become easier to find the source of the mails on your own server.
 
Peter Debik said:
1) Make sure that none of your enduser devices that are associated with your mail accounts have malware on them. It could be a smartphone, it could be a tablet, it could be a desktop computer. The hackers must have obtained your login data from some device using a keylogger.
Click to expand...
JFTR: Not necessarily. We had an email abuse incident when one of our users didn't have their mail client set to SSL only (shame on outlook for not having that as default). Some WLAN AP must have stolen the unencrypted login data.
 
The only things I have collected in so many hours are only my 2 accesses even though there are 10 emails in the queue....
X-Additional-Header: /root
X-Additional-Header: /root
Click to expand...
I would say that this is NOT the right path to follow.
mow said:
JFTR: Not necessarily. We had an email abuse incident when one of our users didn't have their mail client set to SSL only (shame on outlook for not having that as default). Some WLAN AP must have stolen the unencrypted login data.
Click to expand...
But I don't use Outlook but Thunderbird.
 
mow said:
JFTR: Not necessarily. We had an email abuse incident when one of our users didn't have their mail client set to SSL only (shame on outlook for not having that as default). Some WLAN AP must have stolen the unencrypted login data.
Click to expand...
I agree that as it's the user's own server IP, his mail credentials were probably spied on.
 
So it should be enough to change the password after checking that there is no malware on all devices, especially keyloggers?
 
You must log in or register to reply here.

Similar threads

E
Issue Abnormal CPU usage and Apache crash
Replies
13
Views
3K
MartinT
M
E
Issue Several understanding errors in my postfix
Replies
4
Views
5K
estanis
E
V
Issue Smarthost + SRS = relay?
Replies
2
Views
881
vanlier
V
A
Question Disable local mail delivery
Replies
3
Views
993
Kaspar
K
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
1
Views
242
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top