
Messages - nontechyguy

1
CentOS 7 Problems / Re: SMTP Server Has Been Hacked
« on: May 08, 2019, 04:01:32 PM »

I'm in big trouble soon, I found a way to delete all the mail queue.

Either the freelancer did illegal stuff, or I got hacked randomly.

The weird thing is, my website is not indexed in google, I blocked robots from indexing.

Never rely on someone for server installation.
Hi! Relax, your email server didn't get hacked. That's just a log that is saying "authentication failed". The "UGFzc3dvcmQ6" string is a base64 encoded text for "Password:".

So, someone is trying to log in to your SMTP account. Why didn't it get banned?

You need to set in /etc/csf/csf.conf at this line:

RESTRICT_SYSLOG = "3"

Instead of 3, set 0 or 2.

Everyone that tries to log in and fails will get banned according to the number of failures.

Good luck!

That is just a copy of a few lines; the log files are 2.3GB and 2.7GB, I couldn't download them, or even open them.

Any other evidence that your server has been hacked?
You just put "LOGIN authentication failed" messages, so some people could not log in on your server, nothing more.

The fact that you had 10,000 return messages just means that someone used your email address to send messages to other people.

But, likewise, it would just have been someone getting login access to only one email account of yours, and the damage is done. The person can send thousands of messages from your server.

But were these mails sent from your server?
Check your '/var/log/maillog' file.
Was any account logged in?

If so, check the beginning of that sending, and take action about that account.
If it was just an email account that logged in, then the damage is possibly just small.

Regards,
Netino

Just this email account itself got hacked, no serious damage done on my server.

I'm unable to upload 2.3GB & 2.7 GB of the mail log file.
https://i.snag.gy/Cm9j3M.jpg

Deleted 418,000 in the mail queue. I'm so upset that my mail server was hacked and used to scam people.
The damage to me is nothing, $25 for setting up an SMTP server; I hope nobody got scammed.
https://i.snag.gy/p8oSqb.jpg

Mail return error.
https://i.snag.gy/tpOX1Z.jpg

Scam message #1
https://i.snag.gy/yGtlTv.jpg

Scam message #2
https://i.snag.gy/3HWgta.jpg

I suspended that account, I believe it has a weak password.

I'm wondering how did they know such email exist, test (at) peakpoint.my

No one else would know, since my website wasn't indexed and the SMTP server was freshly created at the end of March; this account was created by the freelancer alone.

I tried sending an email and I got blacklisted. I think I should change to a new set of IPs, which would probably get me out of that.

2
CentOS 7 Problems / Re: SMTP Server Has Been Hacked
« on: May 06, 2019, 03:40:45 PM »
How come my firewall did not block this guy?

103.231.139.146
93.157.63.30

http://whois.domaintools.com/103.231.139.146

Very upset.

Apr 14 03:23:46 vps postfix/pickup[32135]: 1CB6D14F: uid=0 from=<root>
Apr 14 03:23:46 vps postfix/cleanup[2235]: 1CB6D14F: message-id=<20190414012346.1CB6D14F@vps.peakpoint.my>
Apr 14 03:23:46 vps opendkim[3048]: 1CB6D14F: no signing table match for 'root@vps.peakpoint.my'
Apr 14 03:23:46 vps opendkim[3048]: 1CB6D14F: no signature data
Apr 14 03:23:46 vps postfix/qmgr[3466]: 1CB6D14F: from=<root@vps.peakpoint.my>, size=5077, nrcpt=1 (queue active)
Apr 14 03:23:46 vps postfix/local[2242]: 1CB6D14F: to=<root@vps.peakpoint.my>, orig_to=<root>, relay=local, delay=0.08, delays=0.07/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Apr 14 03:23:46 vps postfix/qmgr[3466]: 1CB6D14F: removed
Apr 14 03:23:54 vps postfix/smtpd[32565]: connect from unknown[103.231.139.146]
Apr 14 03:23:57 vps postfix/smtpd[32758]: warning: unknown[93.157.63.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:23:57 vps postfix/smtpd[32758]: disconnect from unknown[93.157.63.30]
Apr 14 03:23:59 vps postfix/smtpd[1869]: connect from unknown[91.212.150.158]
Apr 14 03:24:00 vps postfix/smtpd[32565]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:00 vps postfix/smtpd[32565]: disconnect from unknown[103.231.139.146]
Apr 14 03:24:03 vps postfix/smtpd[32758]: connect from unknown[103.231.139.56]
Apr 14 03:24:06 vps postfix/smtpd[32758]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:07 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.56]
Apr 14 03:24:13 vps postfix/smtpd[1869]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:14 vps postfix/smtpd[1869]: disconnect from unknown[91.212.150.158]
Apr 14 03:24:19 vps postfix/anvil[3674]: statistics: max connection rate 2/60s for (smtp:93.157.63.30) at Apr 14 03:14:48
Apr 14 03:24:19 vps postfix/anvil[3674]: statistics: max connection count 1 for (smtp:103.231.139.146) at Apr 14 03:14:19
Apr 14 03:24:19 vps postfix/anvil[3674]: statistics: max cache size 7 at Apr 14 03:22:09
Apr 14 03:24:26 vps postfix/smtpd[32758]: connect from unknown[103.231.139.146]
Apr 14 03:24:34 vps postfix/smtpd[32758]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:34 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.146]
Apr 14 03:24:34 vps postfix/smtpd[1869]: connect from unknown[93.157.63.30]
Apr 14 03:24:41 vps postfix/smtpd[32758]: connect from unknown[103.231.139.56]
Apr 14 03:24:44 vps postfix/smtpd[2264]: connect from unknown[193.169.254.69]
Apr 14 03:24:46 vps postfix/smtpd[2266]: connect from unknown[91.212.150.158]
Apr 14 03:24:47 vps postfix/smtpd[2264]: warning: unknown[193.169.254.69]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:47 vps postfix/smtpd[2264]: lost connection after AUTH from unknown[193.169.254.69]
Apr 14 03:24:47 vps postfix/smtpd[2264]: disconnect from unknown[193.169.254.69]
Apr 14 03:24:48 vps postfix/smtpd[32758]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:48 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.56]
Apr 14 03:24:49 vps postfix/smtpd[1869]: warning: unknown[93.157.63.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:24:53 vps postfix/smtpd[1869]: disconnect from unknown[93.157.63.30]
Apr 14 03:24:58 vps postfix/smtpd[2264]: connect from unknown[103.231.139.146]
Apr 14 03:25:03 vps postfix/smtpd[2266]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:04 vps postfix/smtpd[2266]: disconnect from unknown[91.212.150.158]
Apr 14 03:25:04 vps postfix/smtpd[2277]: connect from unknown[92.246.76.92]
Apr 14 03:25:09 vps postfix/smtpd[2264]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:09 vps postfix/smtpd[2264]: disconnect from unknown[103.231.139.146]
Apr 14 03:25:10 vps postfix/smtpd[2277]: warning: unknown[92.246.76.92]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:10 vps postfix/smtpd[2277]: disconnect from unknown[92.246.76.92]
Apr 14 03:25:20 vps postfix/smtpd[32758]: connect from unknown[103.231.139.56]
Apr 14 03:25:27 vps postfix/smtpd[32758]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:27 vps postfix/smtpd[32758]: disconnect from unknown[103.231.139.56]
Apr 14 03:25:30 vps postfix/smtpd[1869]: connect from unknown[103.231.139.146]
Apr 14 03:25:32 vps postfix/smtpd[2266]: connect from unknown[91.212.150.158]
Apr 14 03:25:33 vps postfix/smtpd[2264]: connect from unknown[93.157.63.30]
Apr 14 03:25:39 vps postfix/smtpd[1869]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:40 vps postfix/smtpd[2266]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:40 vps postfix/smtpd[1869]: disconnect from unknown[103.231.139.146]
Apr 14 03:25:40 vps postfix/smtpd[2266]: disconnect from unknown[91.212.150.158]
Apr 14 03:25:42 vps postfix/smtpd[32758]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.172.85
Apr 14 03:25:42 vps postfix/smtpd[32758]: connect from unknown[89.248.172.85]
Apr 14 03:25:45 vps postfix/smtpd[32758]: warning: unknown[89.248.172.85]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:45 vps postfix/smtpd[32758]: disconnect from unknown[89.248.172.85]
Apr 14 03:25:47 vps postfix/smtpd[2264]: warning: unknown[93.157.63.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:48 vps postfix/smtpd[2264]: disconnect from unknown[93.157.63.30]
Apr 14 03:25:59 vps postfix/smtpd[1869]: connect from unknown[103.231.139.56]
Apr 14 03:26:03 vps postfix/smtpd[2266]: connect from unknown[103.231.139.146]
Apr 14 03:26:05 vps postfix/smtpd[1869]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:05 vps postfix/smtpd[1869]: disconnect from unknown[103.231.139.56]
Apr 14 03:26:08 vps postfix/smtpd[2266]: warning: unknown[103.231.139.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:09 vps postfix/smtpd[2266]: disconnect from unknown[103.231.139.146]
Apr 14 03:26:19 vps postfix/smtpd[32758]: connect from unknown[91.212.150.158]
Apr 14 03:26:26 vps postfix/smtpd[32758]: warning: unknown[91.212.150.158]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:26 vps postfix/smtpd[32758]: disconnect from unknown[91.212.150.158]
Apr 14 03:26:32 vps postfix/smtpd[2264]: connect from unknown[93.157.63.30]
Apr 14 03:26:35 vps postfix/smtpd[1869]: connect from unknown[103.231.139.146]
Apr 14 03:26:37 vps postfix/smtpd[2266]: connect from unknown[103.231.139.56]
Apr 14 03:26:45 vps postfix/smtpd[2266]: warning: unknown[103.231.139.56]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
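An added example, not from this thread or from the CWP/CSF project: it parses Postfix smtpd lines of the shape shown above, decodes the base64 blob (UGFzc3dvcmQ6 is the server's own "Password:" prompt, so the log leaks no credential) and counts failures per source address the way a failure-threshold ban rule would. The log lines, addresses and thresholds are constructed.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Matches one Postfix smtpd SASL failure line; the trailing blob is base64.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed: (?P<tok>.*)$"
)

# Constructed sample (same shape as the thread's log, RFC 5737 addresses).
SAMPLE_LOG = """\
Apr 14 03:23:57 vps postfix/smtpd[32758]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:23:57 vps postfix/smtpd[32758]: disconnect from unknown[192.0.2.10]
Apr 14 03:24:34 vps postfix/smtpd[32758]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:25:09 vps postfix/smtpd[2264]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 14 03:26:08 vps postfix/smtpd[2266]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

def decode_token(tok: str) -> str:
    """For LOGIN the blob is the server's own 'Password:' prompt, not the client's secret."""
    try:
        return base64.b64decode(tok, validate=True).decode("utf-8", "replace")
    except ValueError:  # plain reason string, not base64: keep as-is
        return tok

def parse_failures(lines, year=2019):
    """Yield (timestamp, ip, mechanism, decoded_token) for each failed login."""
    for line in lines:
        m = SASL_FAIL.match(line)
        if m:
            yield (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                   m["ip"], m["mech"], decode_token(m["tok"]))

def ban_candidates(lines, max_failures=3, window_seconds=600):
    """Emulate a failure-threshold ban rule: {ip: count} for each source with more
    than max_failures failed logins inside any window_seconds span."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _mech, _tok in parse_failures(lines):  # lines arrive in time order
        stamps_by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 > max_failures:
                flagged[ip] = end - start + 1
                break
    return flagged
```

Running ban_candidates over a real /var/log/maillog shows which sources a rule like CSF's would already have blocked; an address that keeps appearing there is the one to check against the firewall's deny list.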

3
CentOS 7 Problems / Re: SMTP Server Has Been Hacked
« on: May 06, 2019, 03:37:00 PM »
I'm in big trouble soon, I found a way to delete all the mail queue.

Either the freelancer did illegal stuff, or I got hacked randomly.

The weird thing is, my website is not indexed in google, I blocked robots from indexing.

Never rely on someone for server installation.

4
CentOS 7 Problems / SMTP Server Has Been Hacked
« on: May 06, 2019, 02:35:18 PM »
Oh my god, I don't know where to post, anyone know how to trace the connection of the Hacker?

I found that one of my mail accounts created by a freelancer I hired, test@peakpoint.my, has received over 10,000 "Failed to send Recipients" messages in my inbox.

I have suspended that account. I wanted to load the mail queue to delete all queries, but the page failed to load.

I will be in deep trouble soon. I'm done.

5
Anyway, how do I permanently delete the file? I deleted the daily backup but I don't see that I saved much space.

6
 ???

The disk is full, no wonder.

7
No files are writable, uploads are not possible, the "File System Lock" is disabled, mod security is disabled too.

I tried to edit a file, here's what happened.

https://i.snag.gy/rmd7TG.jpg

https://i.snag.gy/qNH3F4.jpg

Nothing happened.

I left my server untouched for a month, and I just noticed today that I'm unable to log in to my WordPress.
