Having a bit of a nightmare with our Linux server.

Some hacker is using our server for spamming. I sanitized all inputs, have a captcha image, changed passwords, etc., but still.
Somehow they keep on doing it. Getting thousands of emails by the hour. We have a 3000 emails limit daily, so this is blocking our SMTP nearly right after I clean the queue. The thing is that all those emails that keep coming in are stored as "unprocessed" somewhere and this increases our disk space to the limit and then I can't even see the websites. Our server is a typical Linux, using Plesk 9.3 as panel. On all those spam emails, they display root@ip-188-121-62-27.ip-secureserver.net as the sender, which is a default system address I guess.

I desperately need to stop this and I simply don't know how. Is there a way of blocking that email address from sending emails? Via SSH or in Plesk?

This is the header of 1 of those spam emails:

Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200
Date: 9 Mar 2012 09:29:55 -0200
Message-ID: <20120309112955.20439.qmail@ip-188-121-62-27.ip.secureserver.net>
To: harsadeyes@aol.com
Subject: Viaqra 0,89
From: "Reuben Velasquez" <reuben_velasquez@vigrxplus-ue.com>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
  • Could you post full message headers here? It could be some script that sends spam, probably via webpage or some program running on your server. Or it could be a 'bounce attack': users are getting bounces containing spam. Check your /var/log/maillog via ssh, it will probably let you know what is going on. If it's a bounce attack, you will see who sends emails. If you have catch-all configured, you probably should disable it and configure your mail server to disable bounces. – Dmitry Alexeyev Mar 09 '12 at 10:45
  • If you haven't already, do the world a favour and take the server off line. – Bryan Mar 09 '12 at 10:46
  • Agreed. I'd start from stopping email service and checking logs and scripts on hosted sites. – Dmitry Alexeyev Mar 09 '12 at 10:50
  • Do they come from multiple IPs or always the same? Is the recipient always the same? Can any address receive a mail from your server or only some from a list? –  Mar 09 '12 at 10:14
  • Since the server which is hacking into your system has your system's RSA fingerprint it can always log in without a password. So my suggestion would be that you have to change the RSA fingerprint of your server so that the hacker can't log into your system automatically using ssh –  Mar 09 '12 at 10:25
  • Thanks you all!! Listes: The emails go to different recipients. Raghuram: I have no idea what you are talking about, sorry. I don't have enough knowledge of Telnet commands or server technology. Can you explain, please? Perreal: Thanks, I'll post my question there also – Tino Mar 09 '12 at 10:34
  • To check for all ssh accounts that can log in without a password, search for authorized_keys files in .ssh directories. E.g.: run `updatedb` and `locate authorized_keys` – Dmitry Alexeyev Mar 09 '12 at 11:06
  • This is the header of 1 of the emails... For me it is meaningless, I don't understand: Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200 Date: 9 Mar 2012 09:29:55 -0200 Message-ID: <20120309112955.20439.qmail@ip-188-121-62-27.ip.secureserver.net> To: harsadeyes@aol.com Subject: Viaqra 0,89 From: "Reuben Velasquez" MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable – Tino Mar 09 '12 at 11:36
  • http://serverfault.com/questions/218005/my-servers-been-hacked-emergency – Zoredache Jul 12 '12 at 18:16

3 Answers


It looks like the root account has been compromised, or has some processes or scripts running that it shouldn't. It's also possible you're running an open relay (which is a really bad idea).

You can easily check if you are running an open relay with mxtoolbox, just enter your domain and test SMTP.

In case the root account has been compromised, the only real solution is to get rid of the server entirely, and reinstall the OS.
Either restore it from a backup that you can trust has not been compromised, or do a clean install from scratch.

Kenny Rasschaert
  • Thank you Kenny, and all... Looks like you all agree on the same solution. Kill the server and burn it. I already stopped the mail services, but email keeps coming in, and piles up somewhere as "unprocessed"... but isn't going out. Thanks you all again – Tino Mar 09 '12 at 11:02

An SMTP mail server maintains on-disk queues to prevent server problems leading to lost messages. You can see what is in the current queues by running mailq as root.

It would also help to know what mail server you are using; include some logs showing the handling of one of these spam mails so we can see what's what.

  • Logged in as root, and in the root folder I typed "mailq" and it tells me "Command not found". Sorry, not really familiar with SSH commands or technology – Tino Mar 09 '12 at 11:47

You say that you've stopped the service but email is still coming in.

If you mean that you are receiving messages which appear to come from your own mail server, then I suggest that the headers are forged, i.e. the messages are actually coming from somewhere else but are created in a way to make it look like they come from your server.

You need to look at the full headers of the messages as they arrive to determine the true IP address of the sender. Also you need to look at the logs, including bandwidth logs, of your own server to ensure that it is not active.

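A way to carry out the check the last answer describes, applied to the header format shown in the question, as an added example that is not part of any answer here: it unfolds the Received: trail and reports whether the earliest hop is a local qmail injection (the `invoked by uid 48` form in the posted header, which points at a script on the box rather than a forged external sender) or a handoff from a remote IP. The sample headers are constructed; the uid-to-user reading is an assumption (on Red Hat-derived systems uid 48 is usually `apache`; confirm with `getent passwd 48`).

```python
import re

# Constructed sample: the one Received: line mirrors the posted header; the
# rest is made up to show a normal delivery hop on top of a local injection.
LOCAL_SAMPLE = """\
Received: from mail.example.test (mail.example.test [192.0.2.10])
        by mx.example.test with SMTP; 9 Mar 2012 09:30:01 -0200
Received: (qmail 20441 invoked by uid 48); 9 Mar 2012 09:29:55 -0200
From: "Reuben Velasquez" <reuben_velasquez@vigrxplus-ue.com>
Subject: Viaqra 0,89
"""

# Constructed sample of a forged message that only pretends to be from the box.
REMOTE_SAMPLE = """\
Received: from ip-188-121-62-27.ip.secureserver.net (unknown [198.51.100.7])
        by mx.example.test with SMTP; 9 Mar 2012 09:31:12 -0200
From: root@ip-188-121-62-27.ip-secureserver.net
"""

LOCAL_INJECT = re.compile(r"^Received:\s*\(qmail \d+ invoked by uid (\d+)\)")
REMOTE_HOP = re.compile(r"^Received:\s*from\s+\S+\s*\(.*?\[([\d.]+)\]")


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_trail(raw):
    """Received: headers oldest first (each MTA prepends its own line on top)."""
    recs = [l for l in unfold(raw) if l.lower().startswith("received:")]
    return list(reversed(recs))


def classify(raw):
    """Classify the earliest hop: local qmail injection, remote handoff, or unknown."""
    trail = received_trail(raw)
    if not trail:
        return {"origin": "unknown", "hops": 0}
    m = LOCAL_INJECT.match(trail[0])
    if m:  # injected on this host; the uid says which local user ran the sender
        return {"origin": "local", "uid": int(m.group(1)), "hops": len(trail)}
    m = REMOTE_HOP.match(trail[0])
    if m:  # came in over SMTP from an outside address; From: is not evidence
        return {"origin": "remote", "ip": m.group(1), "hops": len(trail)}
    return {"origin": "unknown", "hops": len(trail)}
```

A result of `local` with uid 48 means the spam was generated by the web server's own user, so the hosted sites' scripts and `/var/log/maillog` are the place to look, not the firewall.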