Koozali.org: home of the SME Server

[Solved - false alarm] Have i been hacked - sending alot of mails!

milaweb
[Solved - false alarm] Have i been hacked - sending alot of mails!
« on: September 16, 2011, 06:30:53 AM »
Hi there

My home SME Server 7.5 with all updates has worked a lot tonight!!

It has sent/tried to send around 6000 mails from mail addresses I don't know.
Can anybody tell me if I have been hacked or what is going on?

This is a snippet from the qpsmtpd log.
Code:
2011-09-15 02:53:44.179646500 4577 dispatching MAIL FROM:<apj@flatrate.dk>
2011-09-15 02:53:44.179651500 4577 full from_parameter: FROM:<apj@flatrate.dk>
2011-09-15 02:53:44.179656500 4577 from email address : [<apj@flatrate.dk>]
2011-09-15 02:53:44.179661500 4577 running plugin (mail): tls
2011-09-15 02:53:44.179666500 4577 Plugin tls, hook mail returned DECLINED,
2011-09-15 02:53:44.179672500 4577 running plugin (mail): require_resolvable_fromhost
2011-09-15 02:53:44.179700500 4577 Plugin require_resolvable_fromhost, hook mail returned DECLINED,
2011-09-15 02:53:44.179706500 4577 running plugin (mail): check_badmailfrom
2011-09-15 02:53:44.179711500 4577 Plugin check_badmailfrom, hook mail returned DECLINED,
2011-09-15 02:53:44.179716500 4577 getting mail from <apj@flatrate.dk>
2011-09-15 02:53:44.179721500 4577 250 <apj@flatrate.dk>, sender OK - how exciting to get mail from you!
2011-09-15 02:53:44.179727500 4577 dispatching RCPT TO:<boiron2006@yahoo.com.tw>
2011-09-15 02:53:44.179736500 4577 to email address : [<boiron2006@yahoo.com.tw>]
2011-09-15 02:53:44.179741500 4577 running plugin (rcpt): tls
2011-09-15 02:53:44.179746500 4577 Plugin tls, hook rcpt returned DECLINED,
2011-09-15 02:53:44.179751500 4577 running plugin (rcpt): check_badmailfrom
2011-09-15 02:53:44.179756500 4577 Plugin check_badmailfrom, hook rcpt returned DECLINED,
2011-09-15 02:53:44.179762500 4577 running plugin (rcpt): check_badrcptto_patterns
2011-09-15 02:53:44.179771500 4577 Plugin check_badrcptto_patterns, hook rcpt returned DECLINED,
2011-09-15 02:53:44.179776500 4577 running plugin (rcpt): check_badrcptto
2011-09-15 02:53:44.179789500 4577 Plugin check_badrcptto, hook rcpt returned DECLINED,
2011-09-15 02:53:44.179795500 4577 running plugin (rcpt): check_goodrcptto
2011-09-15 02:53:44.179800500 4577 check_goodrcptto plugin (rcpt): stripping '-' extensions
2011-09-15 02:53:44.179805500 4577 check_goodrcptto plugin (rcpt): address includes extn '-', checking users: boiron2006
2011-09-15 02:53:44.179811500 4577 check_goodrcptto plugin (rcpt): recipient boiron2006@yahoo.com.tw denied
2011-09-15 02:53:44.179844500 4577 Plugin check_goodrcptto, hook rcpt returned DENY, relaying denied boiron2006@yahoo.com.tw
2011-09-15 02:53:44.179850500 4577 logging::logterse plugin (deny): ` 124.12.193.232 124-12-193-232.dynamic.tfn.net.tw none-009ee9794e <apj@flatrate.dk> check_goodrcptto 901 relaying denied boiron2006@yahoo.com.tw msg denied before queued
2011-09-15 02:53:44.179856500 4577 550 relaying denied boiron2006@yahoo.com.tw
2011-09-15 02:53:44.179865500 4577 dispatching DATA
2011-09-15 02:53:44.179870500 4577 running plugin (data): tls
2011-09-15 02:53:44.179875500 4577 Plugin tls, hook data returned DECLINED,
2011-09-15 02:53:44.179880500 4577 running plugin (data): check_earlytalker
2011-09-15 02:53:44.179885500 4577 Plugin check_earlytalker, hook data returned DECLINED,
2011-09-15 02:53:44.179891500 4577 503 RCPT first
2011-09-15 02:53:45.294137500 4577 dispatching RSET
2011-09-15 02:53:45.294143500 4577 250 OK

Thanks!
« Last Edit: September 19, 2011, 05:09:20 PM by milaweb »

cactus
Re: Have i been hacked - sending alot of mails!
« Reply #1 on: September 16, 2011, 01:33:10 PM »
Most likely one of the clients in your network is infected. Find out which one it is, disconnect it, make sure it is cleaned and then reconnect it.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Stefano
Re: Have i been hacked - sending alot of mails!
« Reply #2 on: September 16, 2011, 01:57:54 PM »
I would also check any web app (phpMyAdmin, Joomla, WordPress and so on) if your server is exposed to the WAN.

milaweb
Re: Have i been hacked - sending alot of mails!
« Reply #3 on: September 16, 2011, 02:51:34 PM »
Thank you!

But can you explain to me what the hacker is doing? Is he trying to send mails with different from-addresses, and does he succeed in sending the mails?

The server is open to the WAN on normal ports, and it has a lot of web apps running.....

/Michael

Stefano
Re: Have i been hacked - sending alot of mails!
« Reply #4 on: September 16, 2011, 02:56:05 PM »
We don't know what the "hacker" is doing, but you are likely sending spam and you'll be blacklisted (or your ISP's IP, which is worse).

First of all, disconnect your server from the WAN.

Then check all your clients with AV and anti-rootkit software.

Then, if there's no evidence of a virus on the LAN side, back up your data, reinstall your server and restore. This is the safest (and most correct) way to approach an intrusion.

Next time, be sure to keep the web apps up to date and, of course, keep your client PCs clean.

NOTE: edited my post as cactus suggested.
« Last Edit: September 16, 2011, 03:45:02 PM by Stefano »

milaweb
Re: Have i been hacked - sending alot of mails!
« Reply #5 on: September 16, 2011, 03:16:53 PM »
Ok. Thanks again...

I have taken it off the WAN, and will do a reinstall after a cleanup.

I discovered it this morning, as I get a mail every day from spamfilter-stats!

/Michael

Stefano
Re: Have i been hacked - sending alot of mails!
« Reply #6 on: September 16, 2011, 03:33:41 PM »
Quote
Ok. Thanks again...

I have taken it off the WAN, and will do a reinstall after a cleanup.

I discovered it this morning, as I get a mail every day from spamfilter-stats!

/Michael

Well, BEFORE reinstalling everything, be sure that your client PCs are not the source of spam :-)

cactus
Re: Have i been hacked - sending alot of mails!
« Reply #7 on: September 16, 2011, 03:38:05 PM »
Quote
We don't know what the "hacker" is doing, but you are likely sending spam and you'll be blacklisted (or your ISP's IP, which is worse).

I strongly suggest you disconnect your server from the WAN, back up your data, reinstall your server and restore. This is the safest (and most correct) way to approach an intrusion.

Next time, be sure to keep the web apps up to date and, of course, keep your client PCs clean.

I think that is a bit too quick to jump the gun. Although his server is sending lots of mail, it is not certain that the server is the origin. In my experience, most of the time it is a client in the network that is infected.
I would indeed disconnect the system from the WAN and start diagnosis to find out which system is the culprit. As long as you are not sure your server is hacked, re-installing and restoring has no use; perhaps the backup already contains the infection.

Stefano
Re: Have i been hacked - sending alot of mails!
« Reply #8 on: September 16, 2011, 03:42:33 PM »
Quote
I think that is a bit too quick to jump the gun. Although his server is sending lots of mail, it is not certain that the server is the origin. In my experience, most of the time it is a client in the network that is infected.
I would indeed disconnect the system from the WAN and start diagnosis to find out which system is the culprit. As long as you are not sure your server is hacked, re-installing and restoring has no use; perhaps the backup already contains the infection.

You're right. I will edit my post for future readers.

Buckwheat
Re: Have i been hacked - sending alot of mails!
« Reply #9 on: September 16, 2011, 04:10:52 PM »
You have MediaWiki running on that server?

If so, check Recent changes and see if any pages have been added that you did not create.

A lot of folks have had MW hacked...

milaweb
Re: Have i been hacked - sending alot of mails!
« Reply #10 on: September 16, 2011, 09:07:18 PM »
Thanks to all.
No, I do not have MediaWiki installed. I will try to look for the culprit. However, I am very unsure of what to look for..

/Michael

janet
Re: Have i been hacked - sending alot of mails!
« Reply #11 on: September 16, 2011, 09:18:43 PM »
milaweb

Quote
It has sent/tried to send around 6000 mails from mail addresses I don't know.

What makes you conclude this?


Quote
550 relaying denied boiron2006@yahoo.com.tw

Seems to suggest you have external access to your smtp server enabled, but your system has prevented someone using your server as a relay.

What are the access settings in the server-manager Email panel?
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

milaweb
Re: Have i been hacked - sending alot of mails!
« Reply #12 on: September 16, 2011, 09:56:16 PM »
OMG!

I am so happy for your help, but I'm afraid I've wasted your time, sorry :sad:

If I carefully read the spam-stat mail that I get every night, it says precisely that the "hacker-mails" from this night are Denied!

I think you are right that someone is trying to use my server as a relay, but doesn't succeed.



Incoming mails by recipient domains usage
-----------------------------------------
Domains                      Type       Total  Denied XferErr Accept %accept
---------------------------- ---------- ------ ------ ------- ------ -------
Internal                     other           1      0       0      1 100.00%
Others                       other        5779   5779       0      0   0.00%
milaweb.dk                   local         149     85       0     64  42.95%
mka-auto.dk                  local           3      3       0      0   0.00%
---------------------------- ---------- ------ ------- ------ ------ -------
Total                                     5932   5867       0     65   1.10%

brianr
Re: Have i been hacked - sending alot of mails!
« Reply #13 on: September 17, 2011, 09:15:42 AM »
The "others" line indicates a request from the WAN side to send email to a third party email address, which is denied (as you'd expect) by qpsmtpd.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

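To read a qpsmtpd log the way janet and brianr do above, here is an added example (not from the thread, SME Server or qpsmtpd itself) that correlates the MAIL FROM, RCPT TO and 250/550 lines of each session by pid and tallies them per recipient domain, in the style of the spamfilter-stats table. The second session, the 250 recipient wording and the set of local domains are assumptions; session 4577 is copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the thread's qpsmtpd snippet: session 4577
# is copied from the post, session 4602 (a normal inbound delivery) is made up.
SAMPLE_LOG = """\
2011-09-15 02:53:44.179646500 4577 dispatching MAIL FROM:<apj@flatrate.dk>
2011-09-15 02:53:44.179721500 4577 250 <apj@flatrate.dk>, sender OK - how exciting to get mail from you!
2011-09-15 02:53:44.179727500 4577 dispatching RCPT TO:<boiron2006@yahoo.com.tw>
2011-09-15 02:53:44.179856500 4577 550 relaying denied boiron2006@yahoo.com.tw
2011-09-15 02:53:45.294137500 4577 dispatching RSET
2011-09-15 03:10:02.000000000 4602 dispatching MAIL FROM:<someone@example.net>
2011-09-15 03:10:02.000020000 4602 dispatching RCPT TO:<michael@milaweb.dk>
2011-09-15 03:10:02.000030000 4602 250 <michael@milaweb.dk>, recipient ok
"""

LINE = re.compile(r"^\S+ \S+ (\d+) (.*)$")  # "<date> <time> <pid> <message>"
MAIL = re.compile(r"dispatching MAIL FROM:<([^>]*)>")
RCPT = re.compile(r"dispatching RCPT TO:<([^>]*)>")
DENY = re.compile(r"^550 relaying denied (\S+)")  # check_goodrcptto rejection
OK = re.compile(r"^250 <([^>]*)>")              # qpsmtpd accepted the address

def parse_rcpts(log_text):
    """One (sender, recipient, outcome) per RCPT TO, correlating lines by pid."""
    sender, pending, out = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m: continue
        pid, msg = m.groups()
        if MAIL.search(msg):
            sender[pid] = MAIL.search(msg).group(1)
        elif RCPT.search(msg):
            pending[pid] = RCPT.search(msg).group(1)
        elif DENY.match(msg) and pending.get(pid) == DENY.match(msg).group(1):
            out.append((sender.get(pid), pending.pop(pid), "denied"))
        elif OK.match(msg) and pending.get(pid) == OK.match(msg).group(1):
            # A "250 <sender>, sender OK" line never matches: no RCPT is pending.
            out.append((sender.get(pid), pending.pop(pid), "accept"))
    return out

def summarize(rcpts, local_domains):
    """Per-domain Total/Denied/Accept like the spamfilter-stats table; domains
    this server does not host are folded into "Others", as the report does."""
    table = defaultdict(lambda: {"total": 0, "denied": 0, "accept": 0})
    for _sender, rcpt, outcome in rcpts:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        row = table[domain if domain in local_domains else "Others"]
        row["total"] += 1
        row[outcome] += 1
    return dict(table)  # "Others" with Denied == Total: relay attempts, not sent mail
```

Run against a real /var/log/qpsmtpd/current, an "Others" row whose Denied count equals its Total is the same picture the report shows: external clients asking the server to relay and being refused before anything is queued.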
CharlieBrady
Re: Have i been hacked - sending alot of mails!
« Reply #14 on: September 19, 2011, 04:23:45 PM »
Quote
The "others" line indicates a request from the WAN side to send email to a third party email address, which is denied (as you'd expect) by qpsmtpd.

And all the early responders to this thread should have seen that, by more careful reading of the attached logfile snippet.

Could OP or moderator please put "[Solved - false alarm]" in the thread subject? Thanks.