
Question: Too many connections to blacklisted bot IPs

Walkum
New Pleskian
Server operating system version: Debian 11
Plesk version and microupdate number: 18.0.54
Hi.

I've recently observed quite a large number of outgoing connections from port 25 to numerous (malicious?) IPs through postfix, in turn creating several rather strange smtpd processes. I think they are bad bots. I'm mass banning them via fail2ban in the plesk-postfix part every time they do something, but they seem to be endless.

Are these connections harmful? Is there a way to prevent them from occurring? Can they cause me to enter blacklists like Spamhaus.org?

I attach images of the output of the command "netstat -natup | grep :25", where these connections can be seen, of the "htop" command where said processes are running, and of the mxtoolbox.com blacklist result when entering any of these IPs.

Thank you so much.
 

Banning the target addresses won't help, because the spam was already sent at that time. Instead, you need to identify the source of the spam. This is normally a script in a website or an SMTP login by a hacked password.
A first step should be to look at /var/log/maillog, find one of the spam messages that were mailed, and determine the submission type. Is it postfix/smtp or postfix/pickup?

If it is /smtp, then the account through which the spam is sent was either hacked or the account credentials were stored in a website, e.g. as a configuration for PHPMailer or similar. In that case, updating the password of the sending mailbox will stop the mails (but do not store the credentials in any website again afterwards).

If it is /pickup, then the mails are sent through the PHP mail() function of a website. This is either a hacked website or a malicious plugin in a website. You may be able to determine the website by checking the limit counters in Tools & Settings > Outgoing Mail Control. To fix that, the website needs to be replaced by a copy that is free of malware.

In any case, I recommend clearing the outgoing mail queue after solving the underlying issue, because some spam messages may still be waiting there to be sent out.
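The triage the reply describes (which queue entries came in as authenticated SMTP submissions versus local pickup, and who is behind each) can be scripted over the mail log. This is an added example, not code from the thread or from Plesk; it assumes the default Postfix syslog format, and the log lines, queue IDs, hostnames and addresses in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (not taken from the thread).
# Queue 4F1A2B3C4D is an authenticated SMTP submission; 5A6B7C8D9E and
# 6B7C8D9EAF were handed in locally (sendmail / PHP mail()) by uid 10001.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[1201]: 4F1A2B3C4D: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Jan 10 12:00:01 mx postfix/qmgr[900]: 4F1A2B3C4D: from=<info@example.com>, size=2310, nrcpt=1 (queue active)
Jan 10 12:00:02 mx postfix/smtp[1305]: 4F1A2B3C4D: to=<a@example.net>, relay=mail.example.net[198.51.100.9]:25, status=sent (250 OK)
Jan 10 12:00:03 mx postfix/pickup[777]: 5A6B7C8D9E: uid=10001 from=<www-data@example.com>
Jan 10 12:00:03 mx postfix/qmgr[900]: 5A6B7C8D9E: from=<www-data@example.com>, size=1800, nrcpt=1 (queue active)
Jan 10 12:00:04 mx postfix/smtp[1306]: 5A6B7C8D9E: to=<b@example.org>, relay=mx.example.org[192.0.2.7]:25, status=sent (250 OK)
Jan 10 12:00:05 mx postfix/pickup[777]: 6B7C8D9EAF: uid=10001 from=<www-data@example.com>
Jan 10 12:00:06 mx postfix/smtp[1307]: 6B7C8D9EAF: to=<c@example.org>, relay=mx.example.org[192.0.2.7]:25, status=sent (250 OK)
"""

# Postfix program name, queue ID (short or long form) and the rest of the record.
LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")


def classify_queue(log_text):
    """Map each queue ID to (kind, who): how the message entered Postfix.

    kind is "smtp" for SMTP submissions logged by postfix/smtpd (who = the
    sasl_username, or "unauthenticated" for plain inbound mail) or "pickup"
    for local submissions via sendmail/PHP mail() (who = the Unix uid).
    Only the first record per queue ID is the entry record, so later
    qmgr/smtp lines for the same ID are skipped.
    """
    origin = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qid") in origin:
            continue
        prog, rest = m.group("prog"), m.group("rest")
        if prog == "smtpd":
            user = re.search(r"sasl_username=(\S+)", rest)
            origin[m.group("qid")] = ("smtp", user.group(1) if user else "unauthenticated")
        elif prog == "pickup":
            uid = re.search(r"uid=(\d+)", rest)
            origin[m.group("qid")] = ("pickup", "uid=" + uid.group(1) if uid else "uid=?")
    return origin


def summarize(log_text):
    """Count messages per (kind, who) so the compromised account or site stands out."""
    return Counter(classify_queue(log_text).values())


if __name__ == "__main__":
    for (kind, who), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {kind:7s}  {who}")
```

On a Plesk host, the uid reported for pickup entries is the system user of the subscription whose website called mail(), which is what the Outgoing Mail Control counters also attribute to.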
 
RESOLVED.

I will explain how I have solved it to help future people who may have this problem.

First, using the "htop" command (install with "sudo apt-get install htop" if you don't have it), I filtered processes by the name "cron". There were numerous processes like "./cron.php -p0.0.0.0 -e18924" or similar; you have to kill them all. They come from malware.

Second, using the command "netstat -natup | grep :25", I found all the local connections from the server's IP on port 25 to different external IPs and killed all those processes. If you look up those external IPs to which a connection is made in MXtoolbox under "Blacklists", you will see that they are on more than 6 blacklists. They are bad IPs, probably from bots.

Finally, I configured fail2ban so that specifically for "plesk-postfix" it bans after detecting 3 errors, with a duration of 3 hours (this parameter can be configured as you want). Without exaggeration, 1500 IPs were banned in a few hours, all from bots. Don't be afraid of false positives.

With all these steps, Spamhaus no longer included me on blacklists.

Obviously, try to check for all malware that might be on your server and clean it before doing all these steps.

Hope that helps.

All the best.