Mail server compromised

lossehelin Member
edited March 2015 in Help

Hello. I am using VestaCP with exim/dovecot.
I think my mail server has been compromised. I logged in today to find out that I had 400 undelivered emails, and all of them were about porn.
Logged in to VestaCP to find out the mail queue was above 30000.

How can I find out what is going on? Where are these emails being sent from: a rogue PHP script on the server, a breach of my password? (I just changed them yesterday.)
What should I do next? I am a bit clueless at the moment. I have been reading stuff but nothing good so far.

var/exim/main_log shows stuff like this:

[code]
2015-03-21 02:07:45 1YYPGa-0005X4-BI [email protected]: error ignored
2015-03-21 02:07:45 1YYPGa-0005X4-BI Completed
2015-03-21 02:07:45 1YZ2I5-0002xZ-Dp Message is frozen
2015-03-21 02:07:45 1YYSYM-00079x-DK Message is frozen
2015-03-21 02:07:45 1YYTtr-00009w-NP Message is frozen
2015-03-21 02:07:45 1YYUQ3-0003fb-Gv Message is frozen
2015-03-21 02:07:45 1YYQrs-0000yD-0P Message is frozen
2015-03-21 02:07:45 1YYhhh-00012N-DM Message is frozen
2015-03-21 02:07:45 1YYRef-0000ih-Q7 Message is frozen
2015-03-21 02:07:45 1YYPQK-0003ns-Pb Unfrozen by errmsg timer
2015-03-21 02:07:45 1YYPQK-0003ns-Pb ** [email protected]: Unrouteable address
2015-03-21 02:07:45 1YYPQK-0003ns-Pb [email protected]: error ignored
2015-03-21 02:07:45 1YYPQK-0003ns-Pb Completed
2015-03-21 02:07:45 1YYRUs-0001VH-C6 Message is frozen
2015-03-21 02:07:50 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:51 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.68]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:52 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:52 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.67]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:54 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:54 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [152.163.0.99]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:55 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:56 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.88.131]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:56 1YYICX-0002Uy-0k unable to open private key file for reading: /etc/exim/domains/myhost.com/dkim.pem
2015-03-21 02:07:57 1YYICX-0002Uy-0k SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.91.195]: 421 4.2.1 : (DYN:T1) http://postmaster.info.aol.com/e$
2015-03-21 02:07:57 1YYICX-0002Uy-0k == [email protected] R=dnslookup T=remote_smtp defer (-46): SMTP error from remote mail server after end of data: host mailin-01.mx.aol.com [64.12.91.195$
2015-03-21 02:07:57 1YYg3k-0001zZ-7F Message is frozen
2015-03-21 02:07:57 1YYRoO-0007kU-CG Message is frozen
2015-03-21 02:07:57 1YYQCz-0005LD-Uo Message is frozen
[/code]

And the undelivered emails show this:

[code]
------ This is a copy of the message, including all the headers. ------

Return-path: support@myemail.com
Received: from admin by myhost.com with local (Exim 4.72)
(envelope-from support@myemail.com)
id 1YZPb6-00081S-GB
for [email protected]; Sat, 21 Mar 2015 20:02:17 +0000
To: [email protected]
Subject: Shocking Secrets Women Don't Want You To Know
X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
Date: Sat, 21 Mar 2015 20:02:16 +0000
From: Justin Haney support@myemail.com
Message-ID: 50e9526dcf3064d3da4b46a18d937a9c@myemail.com
X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_50e9526dcf3064d3da4b46a18d937a9c"
Content-Transfer-Encoding: 8bit

--b1_50e9526dcf3064d3da4b46a18d937a9c
Content-Type: text/plain; charset=us-ascii
[/code]
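Added example, not part of the original post: the X-PHP-Originating-Script header in the bounce above is what gives the sending script away, so the fastest triage of a 30000-message queue is to parse that header across the queued or bounced messages and count by script and uid. The sample messages, addresses and the second script name below are constructed to mirror the posted headers; the only PHP fact relied on is the header format PHP emits when mail.add_x_header is on (uid, colon, basename of the executing file, which for eval()'d code reads "file.php(line) : eval()'d code").

```python
"""Triage queued or bounced mail for the PHP script that generated it.

With mail.add_x_header=On, PHP stamps every message sent through mail() with
'X-PHP-Originating-Script: <uid>:<script>', where <script> is the basename of
the executing file and, for code run through eval(), has the form
'file.php(<line>) : eval()'d code'. Grouping the queue by that header points
straight at the script and the system user behind the spam.
"""
import re
from collections import Counter
from email import message_from_string
from typing import Iterable, Optional

# uid, then the executed file name; the "(line) : eval()'d code" tail is only
# present when mail() was called from eval()'d source.
_ORIGINATING = re.compile(
    r"^(?P<uid>\d+):(?P<script>.+?)"
    r"(?:\((?P<line>\d+)\)\s*:\s*eval\(\)'d code)?$"
)


def parse_originating_script(value: str) -> Optional[dict]:
    """Split an X-PHP-Originating-Script value into uid, script, line and evald."""
    m = _ORIGINATING.match(value.strip())
    if not m:
        return None
    return {
        "uid": int(m.group("uid")),
        "script": m.group("script").strip(),
        "line": int(m.group("line")) if m.group("line") else None,
        "evald": m.group("line") is not None,
    }


def triage_message(raw: str) -> Optional[dict]:
    """Origin details for one message, or None if PHP did not send it."""
    msg = message_from_string(raw)
    header = msg.get("X-PHP-Originating-Script")
    if header is None:
        return None
    info = parse_originating_script(header)
    if info is None:
        return None
    info["mailer"] = msg.get("X-Mailer", "")
    info["return_path"] = msg.get("Return-path", "")
    info["subject"] = msg.get("Subject", "")
    return info


def summarize(raw_messages: Iterable[str]) -> Counter:
    """Messages per (uid, script, evald); the worst offender sorts to the top."""
    counts: Counter = Counter()
    for raw in raw_messages:
        info = triage_message(raw)
        if info is not None:
            counts[(info["uid"], info["script"], info["evald"])] += 1
    return counts


# Constructed sample messages modelled on the headers quoted in the post above;
# addresses, IDs and the second script name are placeholders, not real data.
SPAM = """\
Return-path: support@myemail.com
Received: from admin by myhost.com with local (Exim 4.72)
    (envelope-from support@myemail.com)
    id 1YZPb6-00081S-GB
To: someone@example.net
Subject: Shocking Secrets Women Don't Want You To Know
X-PHP-Originating-Script: 501:config87.php(1490) : eval()'d code
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

(body)
"""

LEGIT = """\
Return-path: admin@myemail.com
To: admin@example.net
Subject: [My Site] Password Reset
X-PHP-Originating-Script: 501:class-phpmailer.php
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)

(body)
"""

NOT_PHP = """\
Return-path: root@myhost.com
To: admin@example.net
Subject: Cron <root@myhost> run-parts /etc/cron.daily

(body)
"""


def triage_samples() -> Counter:
    """Run the summary over the constructed queue: 2x spam, 1x legit, 1x non-PHP."""
    return summarize([SPAM, SPAM, LEGIT, NOT_PHP])
```

On the server the input would be the header spool of each queued message (exim -Mvh followed by the ID from exim -bp) rather than the constructed strings, and the uid maps to a user with getent passwd. The evald flag is the useful bit: legitimate WordPress mail comes from a named file, not from eval()'d code.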

Comments

  • I see things about eval'd code from scripts like config87.php, so you most likely have a hacked WordPress site going on. Do you run any websites on this server?

  • Also run this: http://mxtoolbox.com/diagnostic.aspx. It will tell you whether your mail server is an open relay or not. Plus I agree with joereid that it sounds like a compromised WordPress site.

  • jar Patron Provider, Top Host, Veteran
    edited March 2015

    @joereid said:
    I see things about eval'd code from scripts like config87.php, so you most likely have a hacked WordPress site going on. Do you run any websites on this server?

    This. It's clear that your website was compromised and used to send spam from config87.php. You'll want to stat that file, chmod 0 it, and start tracking the origin of this event by referencing the modify time with access logs. It may have been created by a POST to another file, so you may find yourself doing this in parts until you trace the origin. It is extremely important that you do not simply delete this file and consider the job done.

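Added example, not jar's code or anything from the thread, of the tracing step described in the comment above: take the dropped file's mtime, list the POSTs in the access log just before it, then do the same for the script that received that POST, and keep going until the chain reaches a file that was never modified or a step with no POST behind it. The log excerpt, the file paths and the mtimes are constructed (the mtime mapping stands in for stat); the log format assumed is the Apache/nginx combined format.

```python
"""Trace a dropped file back through the web access log.

The file's modification time is the pivot: a POST that reached the site just
before that time is the candidate for having written it. The script that
received the POST gets the same treatment, and so on, until the chain hits a
file that has not been modified recently (genuine core) or a step with no
POST behind it. That last hop is where the attacker came in.
"""
import os
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Apache/nginx "combined" log format; the query string is dropped from the path.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_log_line(line: str) -> Optional[Dict]:
    m = _LOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def requests_before(records: List[Dict], mtime: datetime,
                    window: timedelta = timedelta(minutes=10),
                    grace: timedelta = timedelta(seconds=2),
                    method: str = "POST") -> List[Dict]:
    """Requests of the given method in [mtime - window, mtime + grace], most recent first.

    The grace period covers the gap between the logged request start and the
    file write, which happens a moment later.
    """
    lo, hi = mtime - window, mtime + grace
    hits = [r for r in records if r["method"] == method and lo <= r["ts"] <= hi]
    return sorted(hits, key=lambda r: r["ts"], reverse=True)


def trace_origin(records: List[Dict], start_path: str,
                 mtime_of: Callable[[str], Optional[datetime]],
                 max_hops: int = 6, **window_args) -> List[Dict]:
    """Follow the POST chain from start_path back towards the entry point.

    mtime_of maps a URL path to that file's mtime (None if there is no such file).
    Each hop records the file, its mtime and every candidate request; the chain
    follows the most recent candidate.
    """
    hops: List[Dict] = []
    seen = set()
    path: Optional[str] = start_path
    while path and path not in seen and len(hops) < max_hops:
        seen.add(path)
        mtime = mtime_of(path)
        if mtime is None:
            break
        candidates = requests_before(records, mtime, **window_args)
        hops.append({"file": path, "mtime": mtime, "candidates": candidates})
        path = candidates[0]["path"] if candidates else None
    return hops


def mtime_from_disk(docroot: str) -> Callable[[str], Optional[datetime]]:
    """The real lookup for use on the server: URL path -> mtime of the file under docroot."""
    def lookup(url_path: str) -> Optional[datetime]:
        p = os.path.join(docroot, url_path.lstrip("/"))
        if not os.path.isfile(p):
            return None
        return datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)
    return lookup


# Constructed access-log excerpt and mtimes standing in for the real log and
# for stat(); IPs are from documentation ranges, paths and times are assumed.
ACCESS_LOG = """\
203.0.113.7 - - [21/Mar/2015:19:40:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2015:19:41:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2015:19:42:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2015:19:50:11 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2015:19:55:03 +0000] "POST /wp-content/themes/twentyfifteen/404.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2015:19:58:40 +0000] "POST /wp-content/uploads/config87.php?cmd=run HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2015:20:02:16 +0000] "POST /wp-content/uploads/config87.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


SAMPLE_MTIMES = {
    "/wp-content/uploads/config87.php": _utc("2015-03-21 19:55:05"),
    "/wp-content/themes/twentyfifteen/404.php": _utc("2015-03-21 19:42:31"),
    "/wp-admin/theme-editor.php": _utc("2015-01-10 08:00:00"),   # untouched core file
    "/wp-login.php": _utc("2015-01-10 08:00:00"),
}


def trace_sample() -> List[Dict]:
    """The chain for the constructed data: config87.php <- 404.php <- theme-editor.php."""
    records = [r for r in map(parse_log_line, ACCESS_LOG.splitlines()) if r]
    return trace_origin(records, "/wp-content/uploads/config87.php", SAMPLE_MTIMES.get)
```

On the server, SAMPLE_MTIMES.get becomes mtime_from_disk(docroot) and ACCESS_LOG becomes the site's access log. Two caveats: mtime can be reset with touch, so if it looks implausibly old pivot on the ctime from stat instead, which cannot be set from userspace; and the chain only tells you which request wrote each file, so the login POST from the same IP minutes earlier is the real finding, not the core file the chain stops at.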
  • The best way to recover from a hacked WordPress site is to delete it and start over with a backup of your database. Make sure every part of the site is up to date: the WP core, all themes, plugins, everything. Make sure the only directory writable by the webserver user is your uploads directory.

  • jar Patron Provider, Top Host, Veteran

    joereid said: Make sure the only directory writable from the webserver user is your uploads directory.

    That'll certainly help too.

    Also if you want to go ahead and clear your mail queue:

    [code]
    for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done
    [/code]

  • @joereid said:
    The best way to recover from a hacked WordPress site is to delete it and start over with a backup of your database. Make sure every part of the site is up to date: the WP core, all themes, plugins, everything. Make sure the only directory writable by the webserver user is your uploads directory.

    Also be careful with themes or plugins from sites other than wordpress.org. I've seen those "1001 WordPress themes" torrent downloads where probably 999 of them have hacks written into them.

  • Near 100% of this issue is related to sendmail (executed by the mail() function in PHP). We can disable/ban sendmail for a certain website with a modified sendmail file.

    This trick is already implemented in Kloxo-MR.

  • jar Patron Provider, Top Host, Veteran

    @mustafaramadhan said:
    Near 100% of this issue is related to sendmail (executed by the mail() function in PHP). We can disable/ban sendmail for a certain website with a modified sendmail file.

    This trick is already implemented in Kloxo-MR.

    That's not really the way you want to address a compromised website, though. It is good for protecting against it happening, definitely. You just have an easy switch for it in Kloxo-MR?

  • @Jar said:
    That's not really the way you want to address a compromised website, though. It is good for protecting against it happening, definitely. You just have an easy switch for it in Kloxo-MR?

    Possibly implementable in other control panels.

    This trick only protects against sending mail from the website.

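Added example, not Kloxo-MR's code or mustafaramadhan's, of what such a "modified sendmail" can look like: PHP's sendmail_path is pointed at a small guard in front of the real sendmail, which logs the sending user, working directory and X-PHP-Originating-Script for every message and refuses mail for users on a deny list. The paths for the real sendmail, the deny file and the log file are assumptions, as is the premise that each site runs PHP as its own system user (per-user php-fpm pools or suexec), so a username identifies a site.

```python
#!/usr/bin/env python3
"""Per-site mail guard, installed as PHP's sendmail_path.

PHP runs the sendmail_path command for every mail() call and pipes the finished
message to its stdin. Putting this script in front of the real sendmail gives
one place to log which user and script sent each message and to refuse mail
for a site that has been disabled, without touching the MTA's own config.
"""
import os
import pwd
import subprocess
import sys
import time
from email import message_from_bytes
from typing import Callable, Iterable, List, Set, TextIO

REAL_SENDMAIL = "/usr/sbin/sendmail"      # assumption: the MTA's sendmail binary
DENY_FILE = "/etc/sendmail-guard.deny"    # assumption: one username per line, '#' comments
LOG_FILE = "/var/log/sendmail-guard.log"  # assumption: must be writable by the site users


def load_deny_list(lines: Iterable[str]) -> Set[str]:
    """Usernames whose sites may not send mail; blank lines and comments are ignored."""
    names = set()
    for line in lines:
        name = line.split("#", 1)[0].strip()
        if name:
            names.add(name)
    return names


def is_allowed(username: str, denied: Set[str]) -> bool:
    return username not in denied


def describe(raw: bytes, username: str, cwd: str) -> str:
    """One audit line per message: who sent it, from where, and what PHP says ran it."""
    msg = message_from_bytes(raw)
    return " ".join([
        f"user={username}",
        f"cwd={cwd}",
        f"script={msg.get('X-PHP-Originating-Script', '-')}",
        f"from={msg.get('From', '-')}",
        f"to={msg.get('To', '-')}",
        f"subject={msg.get('Subject', '-')[:60]}",
    ])


def forward_to_sendmail(args: List[str], raw: bytes) -> int:
    """Hand the message and PHP's arguments (typically -t -i) to the real sendmail."""
    return subprocess.run([REAL_SENDMAIL, *args], input=raw).returncode


def guard(args: List[str], raw: bytes, username: str, cwd: str, denied: Set[str],
          log: TextIO, forward: Callable[[List[str], bytes], int] = forward_to_sendmail) -> int:
    """Log the message, then reject it (non-zero exit) or forward it."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S ")
    line = describe(raw, username, cwd)
    if not is_allowed(username, denied):
        log.write(stamp + "DENY " + line + "\n")
        # a non-zero exit status is what makes PHP's mail() report failure
        return 1
    log.write(stamp + "PASS " + line + "\n")
    return forward(args, raw)


def main() -> int:
    raw = sys.stdin.buffer.read()
    username = pwd.getpwuid(os.getuid()).pw_name   # the site's user under per-user PHP
    try:
        with open(DENY_FILE) as fh:
            denied = load_deny_list(fh)
    except FileNotFoundError:
        denied = set()
    with open(LOG_FILE, "a") as log:
        return guard(sys.argv[1:], raw, username, os.getcwd(), denied, log)


if __name__ == "__main__":
    sys.exit(main())
```

Wiring it in (assumed paths): `sendmail_path = "/usr/local/bin/sendmail-guard -t -i"` in php.ini, or per site with `php_admin_value sendmail_path ...` in the vhost, with mail.add_x_header=On so the script header is present. To cut one site off, add its user to the deny file. Even with an empty deny list the log is worth having: it shows the originating script for every message while the queue is still filling, which is the header that gave config87.php away in this thread.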
  • Thanks for the help guys. I found the file in question and some others. My WordPress install is totally compromised, so I need to take care of that ASAP.

  • trvz Member
    edited March 2015

    Someone unable to run WordPress securely shouldn't run his own mail server either. I recommend Fastmail.
