1

Topic: server compromised

Hi,


My server is compromised and listed on an RBL, and I am not able to send/receive emails from domains other than mydomain.com.

I've checked for rootkits but found nothing. I've changed the server password,
but my maillog still shows too many emails going out.

I want to know how I can empty the mail queue in iRedMail.

2

Re: server compromised

Which version of iRedMail and Roundcube do you use?
For queue management, use the commands 'postqueue' and 'postsuper':
http://www.postfix.org/postqueue.1.html
http://www.postfix.org/postsuper.1.html
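As an added illustration (not code from the thread or the iRedMail project): a Python helper that parses captured `postqueue -p` output, ranks envelope senders by queued volume so a spam run stands out, and builds the `postsuper -d` commands for one sender. The queue listing below is constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of `postqueue -p` output (not from the poster's server);
# addresses use reserved example domains.
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Sat Jan  5 10:12:33  promo@example.com
                                         victim1@example.org
                                         victim2@example.net

F6G7H8I9J0     2345 Sat Jan  5 10:13:01  alice@mydomain.com
(connect to mx.example.org[203.0.113.5]:25: Connection refused)
                                         bob@example.org

0B1C2D3E4F!    4321 Sat Jan  5 10:13:40  promo@example.com
                                         victim3@example.org

-- 7 Kbytes in 3 Requests.
"""

STATUS = {"*": "active", "!": "hold", "": "deferred"}
QUEUE_LINE = re.compile(
    r"^([0-9A-Za-z]+)([*!]?)\s+(\d+)\s+\w{3} \w{3}\s+\d+ [\d:]+\s+(\S+)$")

def parse_postqueue(text):
    """Parse `postqueue -p` output into dicts with id, status, size, sender, recipients."""
    messages, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-") or line.startswith("("):
            continue  # separators, header/footer, and deferral reasons
        if line[0].isspace():  # indented line: one more recipient of current message
            if current is not None:
                current["recipients"].append(line.strip())
            continue
        m = QUEUE_LINE.match(line)
        if m:
            current = {"id": m.group(1), "status": STATUS[m.group(2)],
                       "size": int(m.group(3)), "sender": m.group(4), "recipients": []}
            messages.append(current)
    return messages

def senders_by_volume(messages):
    """Envelope senders ranked by number of queued messages (spam runs stand out)."""
    return Counter(msg["sender"] for msg in messages).most_common()

def postsuper_delete_commands(messages, sender):
    """Commands that would remove one sender's messages; review the list before running."""
    return ["postsuper -d " + m["id"] for m in messages if m["sender"] == sender]
```

On a live server the same listing comes from `postqueue -p`; `postsuper -d -` also accepts queue IDs on stdin, so the generated IDs can be piped to it in bulk.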

3

Re: server compromised

The damage has been done...

I've configured a new server and pointed emails there.
But I want to keep my mail server secure so that it won't happen next time.

Can you please guide me on what the checklist is for securing an email server running iRedMail?

4

Re: server compromised

sandeep.singh wrote:

The damage has been done...

I've configured a new server and pointed emails there.
But I want to keep my mail server secure so that it won't happen next time.

Can you please guide me on what the checklist is for securing an email server running iRedMail?

Hi Sandeep,

Which version of iRedMail were you using? Can you let us know what the cause of the problem was?

Were some users on your server spamming?

Richard

5

Re: server compromised

Yes, I was using the latest version of iRedMail. On Saturday morning I found that my server was compromised and sending spam.

My /var/log/maillog was full of outgoing emails and I checked for malicious code in temp files, checked for rootkits with chkrootkit, and also checked for any newly created users, but I found nothing.

Among the server processes, postfix was a heavily used process during that period.

My mail server IP was listed on RBL and PBL. I instantly changed the IP address of the server, but I could not stop the spam emails from going out of my server.

Then I updated my server. From /var/log/maillog I found that many of the email addresses to which emails were being sent were coming from the mail queue; that's why I first asked how to clear the mail queue.

After the server update I restarted the server, thinking that it would close all the connections that had been made and also clear the mail queue.

But to my bad luck, I got "kernel panic .. not syncing. Attempting to kill init.."
And the server never came up.

Thankfully I have everything in backups, except the emails that were bounced during the period when my server IP was listed in the RBL, PBL and Trend Micro databases...

One very annoying thing I found was that during this period (when the server was sending spam emails) my LDAP logs were growing like crazy. /var/log/ldap.log went to 5GB in one day, and it was increasing heavily...

Can spammers log in through my LDAP and send emails this way?

6

Re: server compromised

Please post the related logs from the postfix maillog, what you did, and what result/output you got. It's hard to help without this info.

- Any other web applications hosted on this server? As far as I know, there are no security issues with the web applications shipped with iRedMail.
- As you see in the postfix mail queue, what's the sender of the spam mails?
- Is the spam mail generated locally (on your server) or sent remotely from a remote IP address?

7

Re: server compromised

Hi Zhang,

I don't have the log files now, because the server has crashed.

There are no web applications hosted on the server except for the SVN repositories and the mod_dav_svn apache module.

The sender of the spam was not a single email address; they were coming from different email addresses.

The spam was not being generated locally; it was coming from many remote IPs.

8

Re: server compromised

Recently I came across a similar problem. On investigation I found out that 4 users' email passwords had been compromised and spammers were using their accounts to send out spam.

9

Re: server compromised

Integrate fail2ban into your servers. You could, for example, ban IP addresses that give the wrong password 5 times in a 2-hour period.

10

Re: server compromised

Thanks.

I will give it a try. Initially I was thinking of using DenyHosts, but let me check this one also.

11

Re: server compromised

maxie_ro wrote:

Integrate fail2ban into your servers. You could, for example, ban IP addresses that give the wrong password 5 times in a 2-hour period.

Hi, maxie_ro.

Would you mind sharing your Fail2ban experience with us in our wiki? http://www.iredmail.org/wiki/

12

Re: server compromised

ZhangHuangbin wrote:

Hi, maxie_ro.

Would you mind sharing your Fail2ban experience with us in our wiki? http://www.iredmail.org/wiki/

Hi, I already wrote about it in a forum topic some time ago:

http://www.iredmail.org/forum/topic344- … lures.html

I used fail2ban with shorewall; most people will probably refrain from using shorewall and just use the iptables interface. Also, fail2ban rules change depending on the log format and service version. So I guess writing a tutorial on the wiki that would fit all distros and all deployments is quite impossible, which is why I haven't done it till now...
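Added example (not code from the thread, iRedMail or fail2ban) covering two points made above: maxie_ro's threshold of 5 wrong passwords in a 2-hour period, and the remark that the matching rules depend on the log format. The maillog lines are constructed; the two regexes each mirror one common wording of Postfix SASL and Dovecot login failures, which fail2ban would carry in separate filter definitions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample maillog lines (not from the poster's server); reserved documentation IPs.
SAMPLE_MAILLOG = """\
Jan  5 10:00:01 mail postfix/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan  5 10:20:15 mail postfix/smtpd[2102]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan  5 10:41:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@mydomain.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS
Jan  5 11:05:44 mail postfix/smtpd[2103]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan  5 11:30:00 mail postfix/smtpd[2104]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Jan  5 11:50:27 mail postfix/smtpd[2105]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan  5 12:10:00 mail postfix/smtpd[2106]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

TIMESTAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")  # syslog stamp, no year
# One pattern per daemon/log format: this is the part that shifts between versions.
FILTERS = [
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
    re.compile(r"dovecot: (?:imap|pop3)-login: .*auth failed.*rip=(?P<ip>[\d.]+)"),
]

def auth_failures(log_text):
    """Yield (timestamp, ip) for each line that matches one of the filters."""
    for line in log_text.splitlines():
        stamp = TIMESTAMP.match(line)
        if not stamp:
            continue
        for pattern in FILTERS:
            m = pattern.search(line)
            if m:
                yield datetime.strptime(stamp.group(1), "%b %d %H:%M:%S"), m.group("ip")
                break

def ips_to_ban(log_text, maxretry=5, findtime=2 * 3600):
    """Map each IP with >= maxretry failures inside a sliding findtime-second window
    to the time of the failure that crossed the threshold (fail2ban's maxretry/findtime)."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip in auth_failures(log_text):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts.strftime("%b %d %H:%M:%S")
    return banned
```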