Control Web Panel

WebPanel => CentOS 7 Problems => Topic started by: nontechyguy on May 06, 2019, 02:35:18 PM

Title: SMTP Server Has Been Hacked
Post by: nontechyguy on May 06, 2019, 02:35:18 PM
Oh my god, I don't know where to post, anyone know how to trace the connection of the Hacker?

I found that one of my mail accounts created by a freelancer I hired, test@peakpoint.my, has received over 10,000 "Failed to send Recipients" messages in my inbox.

I have suspended that account, I wanted to load mail queue to delete all queries, but the page failed to load.

I will be in deep trouble soon. I'm done.
Title: Re: SMTP Server Has Been Hacked
Post by: nontechyguy on May 06, 2019, 03:37:00 PM
I'm in big trouble soon, I found a way to delete all the mail queue.

Either the freelancer did illegal stuff, or I got hacked randomly.

The weird thing is, my website is not indexed in google, I blocked robots from indexing.

Never rely on someone for server installation.
Title: Re: SMTP Server Has Been Hacked
Post by: nontechyguy on May 06, 2019, 03:40:45 PM
How come my firewall did not block this guy?

103.231.139.146
93.157.63.30

http://whois.domaintools.com/103.231.139.146

Very upset.

Code:
Apr 14 03:23:46 vps postfix/pickup[32135]: 1CB6D14F: uid=0 from=<root>
Apr 14 03:23:46 vps postfix/cleanup[2235]: 1CB6D14F: message-id=<20190414012346.1CB6D14F@vps.peakpoint.my>
Apr 14 03:23:46 vps opendkim[3048]: 1CB6D14F: no signing table match for 'root@vps.peakpoint.my'
Apr 14 03:23:46 vps opendkim[3048]: 1CB6D14F: no signature data
Apr 14 03:23:46 vps postfix/qmgr[3466]: 1CB6D14F: from=<root@vps.peakpoint.my>, size=5077, nrcpt=1 (queue active)
Apr 14 03:23:46 vps postfix/local[2242]: 1CB6D14F: to=<root@vps.peakpoint.my>, orig_to=<root>, relay=local, delay=0.08, delays=0.07/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 14 03:23:46 vps postfix/qmgr[3466]: 1CB6D14F: removed
Apr 14 03:23:54 vps postfix/smtpd[32565]: connect from unknown[103.231.139.146]
Apr 14 03:23:57 vps postfix/smtpd[32758]: warning: unknown[93.157.63.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:23:57 vps postfix/smtpd[32758]: disconnect from unknown[93.157.63.30]
Apr 14 03:23:59 vps postfix/smtpd[1869]: connect from unknown[91.212.150.158]
Apr 14 03:24:00 vps postfix/smtpd[32565]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:00 vps postfix/smtpd[32565]: disconnect from unknown[103.231.139.146]
Apr 14 03:24:03 vps postfix/smtpd[32758]: connect from unknown[103.231.139.56]
Apr 14 03:24:06 vps postfix/smtpd[32758]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:07 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.56]
Apr 14 03:24:13 vps postfix/smtpd[1869]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:14 vps postfix/smtpd[1869]: disconnect from unknown[91.212.150.158]
Apr 14 03:24:19 vps postfix/anvil[3674]: statistics: max connection rate 2/60s for (smtp:93.157.63.30) at Apr 14 03:14:48
Apr 14 03:24:19 vps postfix/anvil[3674]: statistics: max connection count 1 for (smtp:103.231.139.146) at Apr 14 03:14:19
Apr 14 03:24:19 vps postfix/anvil[3674]: statistics: max cache size 7 at Apr 14 03:22:09
Apr 14 03:24:26 vps postfix/smtpd[32758]: connect from unknown[103.231.139.146]
Apr 14 03:24:34 vps postfix/smtpd[32758]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:34 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.146]
Apr 14 03:24:34 vps postfix/smtpd[1869]: connect from unknown[93.157.63.30]
Apr 14 03:24:41 vps postfix/smtpd[32758]: connect from unknown[103.231.139.56]
Apr 14 03:24:44 vps postfix/smtpd[2264]: connect from unknown[193.169.254.69]
Apr 14 03:24:46 vps postfix/smtpd[2266]: connect from unknown[91.212.150.158]
Apr 14 03:24:47 vps postfix/smtpd[2264]: warning: unknown[193.169.254.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:47 vps postfix/smtpd[2264]: lost connection after AUTH from unknown[193.169.254.69]
Apr 14 03:24:47 vps postfix/smtpd[2264]: disconnect from unknown[193.169.254.69]
Apr 14 03:24:48 vps postfix/smtpd[32758]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:48 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.56]
Apr 14 03:24:49 vps postfix/smtpd[1869]: warning: unknown[93.157.63.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:53 vps postfix/smtpd[1869]: disconnect from unknown[93.157.63.30]
Apr 14 03:24:58 vps postfix/smtpd[2264]: connect from unknown[103.231.139.146]
Apr 14 03:25:03 vps postfix/smtpd[2266]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:04 vps postfix/smtpd[2266]: disconnect from unknown[91.212.150.158]
Apr 14 03:25:04 vps postfix/smtpd[2277]: connect from unknown[92.246.76.92]
Apr 14 03:25:09 vps postfix/smtpd[2264]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:09 vps postfix/smtpd[2264]: disconnect from unknown[103.231.139.146]
Apr 14 03:25:10 vps postfix/smtpd[2277]: warning: unknown[92.246.76.92]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:10 vps postfix/smtpd[2277]: disconnect from unknown[92.246.76.92]
Apr 14 03:25:20 vps postfix/smtpd[32758]: connect from unknown[103.231.139.56]
Apr 14 03:25:27 vps postfix/smtpd[32758]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:27 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.56]
Apr 14 03:25:30 vps postfix/smtpd[1869]: connect from unknown[103.231.139.146]
Apr 14 03:25:32 vps postfix/smtpd[2266]: connect from unknown[91.212.150.158]
Apr 14 03:25:33 vps postfix/smtpd[2264]: connect from unknown[93.157.63.30]
Apr 14 03:25:39 vps postfix/smtpd[1869]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:40 vps postfix/smtpd[2266]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:40 vps postfix/smtpd[1869]: disconnect from unknown[103.231.139.146]
Apr 14 03:25:40 vps postfix/smtpd[2266]: disconnect from unknown[91.212.150.158]
Apr 14 03:25:42 vps postfix/smtpd[32758]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.172.85
Apr 14 03:25:42 vps postfix/smtpd[32758]: connect from unknown[89.248.172.85]
Apr 14 03:25:45 vps postfix/smtpd[32758]: warning: unknown[89.248.172.85]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:45 vps postfix/smtpd[32758]: disconnect from unknown[89.248.172.85]
Apr 14 03:25:47 vps postfix/smtpd[2264]: warning: unknown[93.157.63.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:48 vps postfix/smtpd[2264]: disconnect from unknown[93.157.63.30]
Apr 14 03:25:59 vps postfix/smtpd[1869]: connect from unknown[103.231.139.56]
Apr 14 03:26:03 vps postfix/smtpd[2266]: connect from unknown[103.231.139.146]
Apr 14 03:26:05 vps postfix/smtpd[1869]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:05 vps postfix/smtpd[1869]: disconnect from unknown[103.231.139.56]
Apr 14 03:26:08 vps postfix/smtpd[2266]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:09 vps postfix/smtpd[2266]: disconnect from unknown[103.231.139.146]
Apr 14 03:26:19 vps postfix/smtpd[32758]: connect from unknown[91.212.150.158]
Apr 14 03:26:26 vps postfix/smtpd[32758]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:26 vps postfix/smtpd[32758]: disconnect from unknown[91.212.150.158]
Apr 14 03:26:32 vps postfix/smtpd[2264]: connect from unknown[93.157.63.30]
Apr 14 03:26:35 vps postfix/smtpd[1869]: connect from unknown[103.231.139.146]
Apr 14 03:26:37 vps postfix/smtpd[2266]: connect from unknown[103.231.139.56]
Apr 14 03:26:45 vps postfix/smtpd[2266]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Title: Re: SMTP Server Has Been Hacked
Post by: studio4host on May 07, 2019, 10:52:46 AM
you need to check that your log paths are correct in the config

http://wiki.centos-webpanel.com/csflfd-firewall-configuration
Title: Re: SMTP Server Has Been Hacked
Post by: Linux on May 07, 2019, 07:53:17 PM

Quote
I'm in big trouble soon, I found a way to delete all the mail queue.

Either the freelancer did illegal stuff, or I got hacked randomly.

The weird thing is, my website is not indexed in google, I blocked robots from indexing.

Never rely on someone for server installation.

Hi! Relax, your email server didn't get hacked. That's just a log that is saying "authentication failed". The "UGFzc3dvcmQ6" string is base64-encoded text for "Password:".

So, someone is trying to log in to your SMTP account. Why didn't it get banned?

You need to set, in
Code:
/etc/csf/csf.conf
at this line
Code:
RESTRICT_SYSLOG = "3"
instead of 3, set 0 or 2.

Everyone that tries to log in and fails will get banned according to the number of failures.

Good luck!
Title: Re: SMTP Server Has Been Hacked
Post by: Netino on May 08, 2019, 04:31:45 AM
Any other evidence that your server has been hacked?
You just put "LOGIN authentication failed" messages, so some people could not log in on your server, nothing more.

The fact that you had 10,000 return messages just means that someone used your email address to send messages to other people.

But, likewise, it would just have been someone getting login access to only one email account of yours, and the damage is done. The person can send thousands of messages from your server.

But, were these mails sent from your server?
Check your '/var/log/maillog' file.
Was any account logged in?

If so, check the beginning of that sending, and take action about that account.
If it was just an email account that logged in, then the damage possibly is just small.

Regards,
Netino
Title: Re: SMTP Server Has Been Hacked
Post by: nontechyguy on May 08, 2019, 04:01:32 PM

Quote
Quote
I'm in big trouble soon, I found a way to delete all the mail queue.

Either the freelancer did illegal stuff, or I got hacked randomly.

The weird thing is, my website is not indexed in google, I blocked robots from indexing.

Never rely on someone for server installation.

Hi! Relax, your email server didn't get hacked. That's just a log that is saying "authentication failed". The "UGFzc3dvcmQ6" string is base64-encoded text for "Password:".

So, someone is trying to log in to your SMTP account. Why didn't it get banned?

You need to set, in
Code:
/etc/csf/csf.conf
at this line
Code:
RESTRICT_SYSLOG = "3"
instead of 3, set 0 or 2.

Everyone that tries to log in and fails will get banned according to the number of failures.

Good luck!

That is just a copy of a few lines; the log files are 2.3GB and 2.7GB, I wasn't able to download them, not even open them.

Quote
Any other evidence that your server has been hacked?
You just put "LOGIN authentication failed" messages, so some people could not log in on your server, nothing more.

The fact that you had 10,000 return messages just means that someone used your email address to send messages to other people.

But, likewise, it would just have been someone getting login access to only one email account of yours, and the damage is done. The person can send thousands of messages from your server.

But, were these mails sent from your server?
Check your '/var/log/maillog' file.
Was any account logged in?

If so, check the beginning of that sending, and take action about that account.
If it was just an email account that logged in, then the damage possibly is just small.

Regards,
Netino

Just this email account itself got hacked, no serious damage done on my server.

I'm unable to upload 2.3GB & 2.7 GB of the mail log file.
https://i.snag.gy/Cm9j3M.jpg

Deleted 418,000 in mail queue, I'm so upset my mail server being hacked and used to scam people.
The damage to me is nothing, $25 for setting up a SMTP server, I hope nobody got scammed.
https://i.snag.gy/p8oSqb.jpg

Mail return error.
https://i.snag.gy/tpOX1Z.jpg

Scam message #1
https://i.snag.gy/yGtlTv.jpg

Scam message #2
https://i.snag.gy/3HWgta.jpg

I suspended that account, I believe it has weak password.

I'm wondering how they knew such an email existed, test (at) peakpoint.my

No one else would know that my website wasn't indexed and the SMTP were freshly created at the end of March, this account was created by the freelancer alone.

I tried sending an email and I got blacklisted, I think I should change a new set of IP that probably would get me out from that.
Title: Re: SMTP Server Has Been Hacked
Post by: Netino on May 08, 2019, 08:27:44 PM
Quote
I'm unable to upload 2.3GB & 2.7 GB of the mail log file.
https://i.snag.gy/Cm9j3M.jpg

You really don't need to download those files, although you could rotate them (urgently recommended) and compact them.

You could use live tools in a root ssh shell.
You cannot defend your server simply using the panel.
There are innumerable task tools you must run daily, and check the results.
All of them run through the ssh shell.

For example, you must check the virtual harassment level your server has, checking how many attempts to hack your server there are, and react to them, blocking some addresses, or implementing new blockings in the csf firewall to stop hacking attempts.
The ssh shell is indispensable.
Maybe you think one user was hacked, but no, maybe it was another.
Just one user in your server could send mail identified as any other user in your server.
And blocking one user cannot deter the attack if it was another.

Quote
I'm wondering how did they know such email exist, test (at) peakpoint.my

No one else would know that my website wasn't indexed and the SMTP were freshly created at the end of March, this account was created by the freelancer alone.

This is not difficult.
Maybe you published that mail in the SOA record of your DNS domain name. (yes, all SOA records have a mail address, maybe your user)
Maybe you have suffered a sniff in your (or the user's) local network.
Maybe you had mentioned it in another mail.
Maybe you mentioned it in this forum.
There are innumerable other possibilities.

Quote
I tried sending an email and I got blacklisted, I think I should change a new set of IP that probably would get me out from that.
Yes, be prepared, this is common at the 400K level of mail sent.
You need to check WHEN these mails began, and check WHO logged in to your server, to stop the attack.
You have no other alternative, to be sure.

And never let your users use a simple password: this is a real serious problem.
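Two checks from this thread done against the maillog format shown in the first post: Linux's point that the SASL failure lines carry a base64 "Password:" token and that failures per IP are what a threshold ban counts, and Netino's point that you need to find WHEN the sending began and WHO was logged in. This is an added example, not code from the thread, from CWP or from csf; the log lines are constructed (RFC 5737 addresses, made-up users), the function names and the failure threshold are my own choices, and it streams the log line by line so a multi-GB /var/log/maillog never has to be loaded or downloaded whole.

```python
import base64
import binascii
import re
import sys
from collections import Counter

# Constructed sample maillog excerpt (not taken from the thread): addresses are from
# RFC 5737 documentation ranges and the usernames are invented.
SAMPLE_MAILLOG = """\
Apr 14 03:23:54 vps postfix/smtpd[32565]: connect from unknown[192.0.2.10]
Apr 14 03:23:57 vps postfix/smtpd[32565]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:23:57 vps postfix/smtpd[32565]: disconnect from unknown[192.0.2.10]
Apr 14 03:24:06 vps postfix/smtpd[32758]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:13 vps postfix/smtpd[1869]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:34 vps postfix/smtpd[32758]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:31:02 vps postfix/smtpd[2301]: 7A1C3D14F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=test@example.com
Apr 14 03:31:02 vps postfix/qmgr[3466]: 7A1C3D14F: from=<test@example.com>, size=2210, nrcpt=50 (queue active)
Apr 14 03:31:40 vps postfix/smtpd[2301]: 8B2D4E150: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=test@example.com
Apr 14 03:31:40 vps postfix/qmgr[3466]: 8B2D4E150: from=<test@example.com>, size=2210, nrcpt=50 (queue active)
Apr 14 09:15:11 vps postfix/smtpd[2410]: 9C3E5F161: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.com
Apr 14 09:15:11 vps postfix/qmgr[3466]: 9C3E5F161: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# A failed SASL login: Postfix logs the last server challenge (base64) after "failed:".
FAIL_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
                     r"SASL (?P<method>\S+) authentication failed: (?P<token>\S+)")
# A successful authenticated submission: the queue id ties it to the qmgr line.
AUTH_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], "
                     r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")
# qmgr line carrying the recipient count for a queue id.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)")


def decode_sasl_token(token):
    """Decode the base64 fragment on a SASL failure line. It is the server's
    challenge ("Password:"), not anything the client sent; None if not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        return None


def failed_logins_by_ip(lines):
    """Count SASL authentication failures per client IP (what a ban rule keys on)."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_over_threshold(lines, threshold):
    """IPs that reached the failure threshold; the threshold value is illustrative."""
    return sorted((ip, n) for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)


def authenticated_senders(lines):
    """Per sasl_username: first login seen, source IPs, messages queued and recipients.
    Queue ids are reused by Postfix over long periods, so run this over a bounded window."""
    senders = {}
    qid_owner = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            user = m.group("user")
            rec = senders.setdefault(user, {"first_seen": m.group("ts"), "ips": set(),
                                            "messages": 0, "recipients": 0})
            rec["ips"].add(m.group("ip"))
            rec["messages"] += 1
            qid_owner[m.group("qid")] = user
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in qid_owner:
            senders[qid_owner[m.group("qid")]]["recipients"] += int(m.group("n"))
    return senders


if __name__ == "__main__":
    # Usage: python3 maillog_triage.py /var/log/maillog   (streams; no need to load it all)
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_MAILLOG.splitlines()
    rows = list(src) if len(sys.argv) > 1 else src
    print("token on failure lines decodes to:", decode_sasl_token("UGFzc3dvcmQ6"))
    for ip, n in ips_over_threshold(rows, 3):
        print(f"{ip}: {n} failed SASL logins")
    for user, rec in authenticated_senders(rows).items():
        print(f"{user}: first login {rec['first_seen']} from {sorted(rec['ips'])}, "
              f"{rec['messages']} messages, {rec['recipients']} recipients")
```

The second report is the one that answers Netino's question: a mailbox whose first authenticated login is followed by many messages with large nrcpt values, from an address that never appeared before, marks where the abuse started and which account to suspend. On a live server, `tail -f` the output of these parsers rather than opening the whole file, and rotate the log afterwards as he suggests.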
Title: Re: SMTP Server Has Been Hacked
Post by: daz123 on May 10, 2019, 06:35:26 PM
Quote
I'm wondering how did they know such email exist, test (at) peakpoint.my

There are always some spammers/someone/something scanning for such generic email accounts, that's why the security of the mail server is very important