HELP: VPS suspended due to abuse report (spam email). How can it be?

Hi,

Long story short:

I don’t even use email on my VPS, but last week I received 3 abuse reports from my VPS provider related to email spam from the IP of one of my VPS.

On the weekend I re-installed CentOS 6 32-bit; a couple of hours after that I got another abuse report for email spam!

Then I did the following things, in chronological order:

- I re-installed CentOS 6 32-bit on my server; that was on Monday.

- Uninstalled the sendmail program with the “yum remove sendmail” command.

- Added the EPEL repository.

- yum update

- I installed ONLY nginx, php-fpm, clamav & maldet.

- I disabled root login, allowing login to SSH only through SSH keys.

- I added the following iptables rules, which can be seen here: http://pastebin.com/raw.php?i=gQasbSw8

- I uploaded my website files.

- I ran clamav and maldet, which didn’t detect any malicious software among my website files nor in the root folder.

Three days after that my VPS provider informs me that in the last 24 hours they received 10 abuse reports related to email spam for the same VPS, so they have had to suspend my VPS.

Ramnode says that the files of my website could be infected but even if that’s the case I understand that no email should be sent thanks to the iptables I have now.

What can I do?

Thanks,


Comments

  • vRozenSch00n Member
    edited November 2015

    Do you use any CMS, WordPress maybe?

    edit:
    You could also try this one if you also have IPv6 https://vpsboard.com/topic/980-iptablesip6tables-one-file-script/

  • @tittooo7 said:
    Hi,

    Long story short:

    I don’t even use email on my VPS, but last week I received 3 abuse reports from my VPS provider related to email spam from the IP of one of my VPS.

    On the weekend I re-installed CentOS 6 32-bit; a couple of hours after that I got another abuse report for email spam!

    Then I did the following things, in chronological order:

    - I re-installed CentOS 6 32-bit on my server; that was on Monday.

    - Uninstalled the sendmail program with the “yum remove sendmail” command.

    - Added the EPEL repository.

    - yum update

    - I installed ONLY nginx, php-fpm, clamav & maldet.

    - I disabled root login, allowing login to SSH only through SSH keys.

    - I added the following iptables rules, which can be seen here: http://pastebin.com/raw.php?i=gQasbSw8

    - I uploaded my website files.

    - I ran clamav and maldet, which didn’t detect any malicious software among my website files nor in the root folder.

    Three days after that my VPS provider informs me that in the last 24 hours they received 10 abuse reports related to email spam for the same VPS, so they have had to suspend my VPS.

    Ramnode says that the files of my website could be infected but even if that’s the case I understand that no email should be sent thanks to the iptables I have now.

    What can I do?

    Thanks,

    Just what are they basing it off of? Are you running OpenVZ? If so, it is possible NodeWatch is running as well, and it could be they don't know how to interpret NodeWatch's reports. I take them with a grain of salt, so to speak: if NodeWatch plus my provider (OVH etc.) sends abuse reports I might have to look into it; otherwise, if it is just NodeWatch, yeah, I wouldn't take it as seriously as OVH etc. Let me just get to my point: ask them for the logs of the abuse report, and if all they have to base it off of is NodeWatch, they have no basis for suspending it or considering it abuse to start with. So I hope I have helped you out with my experience plus my knowledge.

  • teknolaiz Member
    edited November 2015

    @vRozenSch00n This can't cause it without a local MTA, I'd say. Someone would need to use an external SMTP like Sendgrid etc. And even in this case the external SMTP server would rather get suspended for spam, but not the VPS where the CMS is hosted.

    Unless you mean the CMS was used to exploit into his system and install an MTA to send spam.

    Thanked by 1 vRozenSch00n
  • Hi,

    @vRozenSch00n I don't use a CMS or WordPress (I don't even have mysql installed). I only have 2 glype proxy sites installed on it.

    @timnboys yes, I'm using OpenVZ. The spam reports that they are getting seem to come from https://www.spamcop.net

    Am I wrong to say that the iptables I posted in the OP should stop any malicious software from sending emails?

    PS:
    My vps is ramnode, but I do not blame them at all. They gave me several warnings and I understand they just want to protect their servers or IPs.
    I'm really happy with ramnode service so I just want to fix the issue so I can stay with them rather than try to find another VPS provider with such good price/quality balance...

    Unfortunately I lack the skills to stop this problem that's why I come here asking for help and advice :)

    thanks

  • @nick_a can you help with this ?

    @tittooo7 mind posting your ticket id so nick can help you ?

    Have you done an nmap scan to see if you have any open ports? Did they say it was mail spam?

  • I think somebody uses your glype to send spam, and of course the spam came from your IP.

    If you enable the log on your glype, you can see which IP it came from.

    Thanked by 1 ValdikSS
  • Hidden_Refuge said: Unless you mean the CMS was used to exploit into his system and install a MTA to send spam.

    That's one of the possibilities.

  • Run "tcpdump -w vps.pcap", then download the .pcap file, open it in Wireshark and type "smtp" into the filter box. I wonder if Ramnode could set up packet capturing on their side to verify?

    Should provide further insights and/or prove your innocence, I'm sure false spam reports are great fun for some...

    Thanked by 1 vRozenSch00n
  • @Mun my ticket is 230771.
    How can I run nmap to see which ports I have open?
    Yes it's email spam

    One of the ramnode guys is already giving me some hints, but I understand that his job is not to secure my VPS.

    As I said I don't blame them at all as they gave me warnings and I consider them the best vps provider I had, so I just want to fix the issue so I can keep my webs hosted with them

    @vRozenSch00n I will check if my glype has log enabled. thanks

  • @tittooo7 said:

    It's that glype proxy. I've been receiving spam abuse too before, when I had glype. Try to check the header on that spam mail, and block the country that sent the spam using blockscript.

    Thanked by 1 ValdikSS
  • Is it possible one of your competitors is reporting you? Can you turn off your server (if it's not suspended) and see if you keep getting abuse mails?

    See for the original idea from many years ago http://original.bluehatseo.com/how-to-take-down-a-competitors-website-legally/

    Thanked by 1 vRozenSch00n
  • RamNode is one of the best providers in LET, and in order to keep their service quality, they are strict when it comes to abuse / possible abuse.

    @tittooo7 see this http://www.webhostingtalk.com/showthread.php?t=1036623

    If possible, follow the instructions from @linuxthefish to make sure there is no open SMTP in your system.

  • AlexanderM Member, Top Host, Host Rep

    Is it possible the SpamCop reports are old? Check the date and time stamp on the emails.

  • Did you check your maillog?

    @linuxthefish the VPS has been suspended already so I can't run that command...
    But with the iptables that I posted in the OP it should be impossible to send emails from my VPS, isn't it?

    @marl I'm afraid you could be right. Let's see how I solve it as I want/need to keep using glype...
    The spam report shows one IP that is from the USA, I won't block that country lol

    @GM2015 The VPS is already suspended. I will cancel it and order a new one when I get home, but I want to make sure that it won't happen again on the new VPS file...
    My websites are not TOP but I start to think that someone got obsessed with one of my domains...

    @vRozenSch00n I know ramnode is one of the best VPS providers, that's why I'm worried about the possibility of getting my webs kicked from their servers :(

    @AlexanderM, nope... the reports are not old...

    @sman I uninstalled sendmail and my iptables written in the OP, if I'm not wrong (please someone correct me if I'm wrong), don't allow the use of email ports.
    Anyway I can't check the maillogs now because the VPS is suspended

    Thanks to everyone for the information & tips. it's really really appreciated

  • Don't run public proxies! They are an open gate for all kinds of abuse.

    Thanked by 2 jar, vimalware
  • tittooo7 said: @linuxthefish the VPS has been suspended already so I can't run that command... But with the iptables that I posted on the OP it should be impossible to send emails from my VPS isn't?

    Something could be wrong with the rule or it could have been overwritten or cleared on reboot, it could be anything from someone with access to your pc/email messing with you to some secret NSA backdoor in your SSH client!

    Add "service iptables save" and "iptables-save > /etc/iptables.up.rules" after you run the iptables command, this should make sure the rules are saved on CentOS and Debian 7. Please someone correct me if I'm wrong about this

  • @Hidden_Refuge said:
    Don't run public proxies! They are an open gate for all kinds of abuse.

    Or run all outbound traffic through Tor

  • @Hidden_Refuge said:
    Don't run public proxies! They are an open gate for all kinds of abuse.

    thanks, but that's like asking someone not to play any sports to avoid injuries...

    I finally cancelled my VPS and ordered a new one... I wrote the website files from the beginning and took the following actions:
    - updated all the software, installed nginx, php-fpm, fail2ban, clamav, maldet
    - with iptables I kept open only ports 22, 80 and 443
    - I also uninstalled sendmail so I guess I don't run any email service, and I don't even have mysql installed

    I host only one website on the new vps. Yes, it's a glype proxy website but there are hundreds of sites like mine.... so hopefully whoever got obsessed with my site will now think about a different target in the future.

    In the meantime I will try to find more ways to secure my vps... (it's so bad that blockscript is so expensive...)

  • Probably your glype proxy is just being abused. Stop the evil now, otherwise it will not end well for you since you're responsible for that.

  • Here's a (really) old page on renaming browse.php to temporarily stop automated scripts; it may help a bit, for a little while. If it's still valid, that is.

    Sorry it's cached view only :(

    http://webcache.googleusercontent.com/search?q=cache:3nmSLqlgjrYJ:glypetemplates.com/rename-browse.php-to-prevent-abuse-from-automated-scripts.html+&cd=4&hl=en&ct=clnk&gl=au

  • Thank you @ATHK I just did that, this probably would help!

    By the way I just ran a netstat -nl command and I got this:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 :::80                   :::*                    LISTEN
    tcp        0      0 :::22                   :::*                    LISTEN
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node    Path
    unix  2      [ ACC ]     STREAM     LISTENING     306134995 @/com/ubuntu/upstart
    unix  2      [ ACC ]     STREAM     LISTENING     341934736 /var/run/php5-fpm.sock
    unix  2      [ ACC ]     STREAM     LISTENING     307511539 /var/run/saslauthd/mux

    Are the unix lines normal? I'm worried about the ubuntu upstart one as I use CentOS 6... is it normal??

  • @tittooo7 said:
    Thank you ATHK I just did that, this probably would help!

    By the way I just ran a netstat -nl command and I got this:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 :::80                   :::*                    LISTEN
    tcp        0      0 :::22                   :::*                    LISTEN
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node    Path
    unix  2      [ ACC ]     STREAM     LISTENING     306134995 @/com/ubuntu/upstart
    unix  2      [ ACC ]     STREAM     LISTENING     341934736 /var/run/php5-fpm.sock
    unix  2      [ ACC ]     STREAM     LISTENING     307511539 /var/run/saslauthd/mux

    Are the unix lines normal? I'm worried about the ubuntu upstart one as I use CentOS 6... is it normal??

    Just one question: why do you have ssh on the default port 22? You should probably change that to a somewhat custom port, like this one: 30613

  • @simonindia said:
    Just one question: why do you have ssh on the default port 22? You should probably change that to a somewhat custom port, like this one: 30613

    Uh...
    https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

    More of personal preference? Disabling password logins and only permitting SSH keys as a login method would be good enough already, in my opinion.

    Thanked by 1 vRozenSch00n
  • @simonindia said:
    Just one question: why do you have ssh on the default port 22? You should probably change that to a somewhat custom port, like this one: 30613

    And my question to you would be why bother changing it?

  • simonindia said: Just one question: why do you have ssh on the default port 22? You should probably change that to a somewhat custom port, like this one: 30613

    don't go above 1024

  • Clouvider Member, Patron Provider

    If you don't use emails just block outgoing SMTP ports on ip(6)tables and be done with it, but it looks like your web application might be breached.

  • @theroyalstudent said:
    More of personal preference? Disabling password logins and only permitting SSH keys as a login method would be good enough already, in my opinion.

    @Umcookies said:

    To avoid bots trying to crack the security. Most bots and probes scan the default port for all services, so when you have ssh on the default port, bots will try to crack the security all day long or for some time, and someone can take down the vps by DDoSing the ssh port; I had experienced that one time. But when you keep it on a custom port like 33075, most bots won't scan ports above 1024.

    Whatever I say or others say, it all comes down to personal preference; I just don't want you to experience the same bad experience I had, that's all.

    @tittooo7 ask RamNode if there is any way they can block port 25 in their network for your VPS

  • Hi,

    @simonindia as @theroyalstudent mentioned I disabled password login and I only allow login to ssh keys. That’s why I thought it wouldn’t matter to keep the port 22

    @Clouvider yeah, I think that the problem must be that the Glype proxies can be “easily” abused. But I don’t know how it could go to the extent of causing abuse reports related to my IP.

    Maybe someone has some kind of software that automatically visits glype websites, visits some email website and from there automatically sends hundreds of emails...

    Is that possible?
    As my iptables block any incoming connection except the ones on ports 25, 80 and 443, that must be the reason.

    thanks
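Clouvider's advice about blocking outgoing SMTP concerns the OUTPUT chain, while the OP's rules (and the post just above) only describe filtering incoming connections; a ruleset that is strict on INPUT still lets a compromised web app connect out to port 25. The checker below is an added example, not code from this thread: it reads an `iptables-save` dump (the embedded sample is constructed to mirror an INPUT-only ruleset) and reports, for each SMTP port, the verdict a new outbound connection would get.

```python
import re
SMTP_PORTS = (25, 465, 587)  # ports a spam bot on the box would try

# Constructed sample in iptables-save format: filters INPUT only, like the OP's
# rules, and leaves OUTPUT at its default ACCEPT policy.
SAMPLE_INPUT_ONLY = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return ({chain: policy}, [rules]) from the *filter section of the dump."""
    policies, rules, in_filter = {}, [], False
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line)
    return policies, rules
def rule_ports(rule):
    """Destination ports matched via --dport/--dports; ranges like 25:26 expanded."""
    m = re.search(r"--dports? (\S+)", rule)
    ports = set()
    for part in (m.group(1).split(",") if m else ()):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports
def outbound_smtp_verdicts(dump):
    """Verdict per SMTP port for a new outbound SYN: first matching OUTPUT rule wins, else chain policy."""
    policies, rules = parse_filter_table(dump)
    verdicts = {}
    for port in SMTP_PORTS:
        verdicts[port] = policies.get("OUTPUT", "ACCEPT")
        for rule in rules:
            if not rule.startswith("-A OUTPUT") or "-p udp" in rule or "-o lo" in rule:
                continue
            if "--state" in rule and "NEW" not in rule:
                continue  # matches only already-established flows, not a new SYN
            target, ports = re.search(r"-j (ACCEPT|DROP|REJECT)\b", rule), rule_ports(rule)
            if target and (not ports or port in ports):
                verdicts[port] = target.group(1)
                break
    return verdicts
```

Feed it the real output of `iptables-save` to confirm that every SMTP port comes back DROP or REJECT; a result of ACCEPT means the host can still deliver mail no matter how tight the INPUT chain is.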

  • @tittooo7 ask ramnode to block port 25 for your IP if that can be done
