Advanced Persistent Threat (APT) hackers had hacked into my Virtualmin Linux Virtual Private Server (VPS) on 15 Dec 2025 Monday around noon time

SYSTEM INFORMATION
OS type and version AlmaLinux 9.6
Webmin version 2.520
Virtualmin version 7.50.0 GPL

Good day from Singapore,

Today, 17 Dec 2025 Wednesday around 12.30 PM, I was trying to use GMail (Google Mail) to send email to my email accounts hosted in Virtualmin Linux Virtual Private Server (VPS) (aka web hosting control panel). GMail reported the error “554 5.7.1 Relay access denied”, which means all of my email accounts hosted in Virtualmin Linux VPS could no longer receive emails.

Advanced Persistent Threat (APT) hackers must have hacked into my Virtualmin Linux VPS and changed my server configuration.

Webmin version: 2.520
Virtualmin version: 7.50.0 GPL
Operating system: AlmaLinux 9.6
Usermin version: 2.420
Authentic theme version: 25.20
Linux Kernel and CPU: Linux 5.14.0-570.51.1.el9_6.x86_64 on x86_64

When I logged in to Roundcube Webmail, I noticed that I had stopped receiving emails with the email accounts hosted in Virtualmin Linux VPS since 15 Dec 2025 Monday around 12 noon Singapore Time.

When I checked /var/log/maillog in Virtualmin Linux VPS, I observed that I had started getting “554 5.7.1 Relay access denied” errors since 15 Dec 2025 Monday around 12.28 PM (for my email accounts hosted in Virtualmin Linux VPS).

Advanced Persistent Threat (APT) hackers must have hacked into my Virtualmin Linux VPS and changed my server configuration.

When I checked /etc/postfix/main.cf on my Virtualmin Linux VPS, Advanced Persistent Threat (APT) hackers had changed the following line to:

mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com

I had to change the above line back to:

mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com, teo-en-ming.com, teo-en-ming-corp.com

And then restart Postfix daemon/service (systemctl restart postfix).

For Virtual Server teo-en-ming-corp.com in Virtualmin Linux VPS:

Advanced Persistent Threat (APT) hackers had changed my email account user’s Login access to Database, FTP and SSH. I had to change it back to Database, Email, FTP and SSH.

Advanced Persistent Threat (APT) hackers had also changed “Primary email address enabled” to No. I had to change it back to Yes.

For Virtual Server teo-en-ming.com in Virtualmin Linux VPS:

Advanced Persistent Threat (APT) hackers had changed my email account user’s Login access to FTP and SSH. I had to change it back to Email, FTP and SSH.

Advanced Persistent Threat (APT) hackers had also changed “Primary email address enabled” to No. I had to change it back to Yes.

After making all of the above changes, I have been able to receive emails with my email accounts hosted in Virtualmin Linux VPS since 1.15 PM today, 17 Dec 2025 Wednesday.

When I checked OpenSSH server logins and Virtualmin logins, only public IPv4 addresses belonging to me were present. There were no traces of Advanced Persistent Threat (APT) hackers gaining unauthorized entry into my Virtualmin Linux VPS at all. Of course, if they are Advanced Persistent Threat (APT) hackers, they must be very smart and intelligent (their intelligence quotient (IQ) is surely way above mine) to remove all traces of their unauthorized intrusions into my Virtualmin Linux VPS.

How can I make a request to Advanced Persistent Threat (APT) hackers so that they will stop playing pranks on my Android (Linux) phones, home desktop computer, laptops, Virtualmin and Webmin Linux servers and other various numerous online accounts not secured with 2FA / MFA?

Please advise.

Thank you very much.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People’s Republic of Singapore
17 Dec 2025 Wednesday 3.50 PM Singapore Time

I don’t see any evidence of hackers in what you’re suggesting was changed (“Advanced Persistent Threat” or otherwise).

Why would hackers change your mail server configuration?

And, as far as I can tell, you’ve changed the configuration in a way that would break it. Why do you think this is correct?

mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com, teo-en-ming.com, teo-en-ming-corp.com

Are those domains virtually hosted (in /etc/postfix/virtual)? If so, they should not be listed in mydestination. So, the configuration was probably correct before you “fixed” it.

I think you need to step back and stop assuming you know why things went wrong, and get to some root causes. It may be hackers, but nothing about the configuration you’ve posted indicates hackers (it indicates you had a correct configuration, and then made it not correct…if it wasn’t working before you added those domains to mydestination, that means your virtual map is misconfigured or corrupt or whatever…if they’re domains managed by Virtualmin they should not be in mydestination).

2 Likes

Dear Joe,

Google generative artificial intelligence (AI) guided me to make those changes in /etc/postfix/main.cf mydestination directive.

The lines in /etc/postfix/virtual are:

alerts@teo-en-ming-corp.com     alerts-teo-en-ming-corp.com
ceo@teo-en-ming-corp.com        ceo
ceo@teo-en-ming.com     ceo-teo-en-ming.com

So I should remove teo-en-ming.com and teo-en-ming-corp.com from mydestination?

What should I do next?

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Singapore

No evidence of hackers; looks like configuration (DNS or mail) issues.
[edit] The same spam message was sent to the postfix-users mailing list.

Are these the ONLY changes you made? The links seem to be the default landing page. If you are not too far along is it possible to re-image the server and start over? This should all work out of the box, especially with an Alma image. Then if something doesn’t work come back here and ask questions.

You probably asked the wrong questions (if you gave it the rant about “Advanced Persistent Threat” hackers, I’m sure you asked the wrong questions, because that’s bizarre and confusing). LLMs don’t know how to tell you you’re asking the wrong questions, and so they are very susceptible to following you down dead end paths when you bring it XY problems.

Well, they can’t be in both virtual and mydestination, either the domains are hosted virtually or the server is that domain, it can’t be both. Postfix should have warned you about this in its log. You are looking at your logs, right? (The journal postfix unit is where you’ll find Postfix logs. The System Logs viewer can show the journal, or you can use journalctl to view the journal.)

This assumes you have virtual configured correctly (I mean, it is being used for the Postfix virtual_alias_maps db).

As others mentioned, if you’re just getting started and don’t have anything important on the system, starting fresh with a grade A supported OS and our install script is a good idea. We can’t guess what all you and your pal Gemini have done to this one. Since Gemini was trying to solve the wrong problem, it certainly didn’t do anything good.

3 Likes

This makes more sense:

Hi guys,

It appears that my /etc/postfix/virtual configuration file was modified. I have no idea whether it was Advanced Persistent Threat (APT) hackers who modified it or something else on my Linux server that modified it. But if it were Advanced Persistent Threat (APT) hackers, I am nowhere as smart and intelligent as them, for they are extremely good at hiding their tracks. I am clearly no match at all for Advanced Persistent Threat (APT) hackers. Apparently my /etc/postfix/virtual was modified to a breaking point after I had created a new email account “alerts@teo-en-ming-corp.com” on 15 Dec 2025 Monday at around 12.29 PM Singapore Time. I was helping my client to configure email alerts in their Lenovo ThinkSystem SR530 server XClarity Controller when Gmail and their corporate email didn’t work.

Now, here is what I have done on my Virtualmin Linux VPS to solve the problem (as advised by the community and generative AI).

Edit /etc/postfix/main.cf

I have removed the domains teo-en-ming.com and teo-en-ming-corp.com from the mydestination directive.

Now my FINAL mydestination looks like:

mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com

Save the changes to /etc/postfix/main.cf

Since my present /etc/postfix/virtual is not working, I have renamed it.

cd /etc/postfix

mv virtual virtual.notworking

I have decided to restore virtual.rpmsave which has a timestamp of 14 Dec 2022 (3 years ago).

cp virtual.rpmsave virtual

postmap /etc/postfix/virtual

systemctl restart postfix

Now I have managed to solve the problem with the help and assistance of the folks at Virtualmin community and elsewhere. Their help and assistance is deeply appreciated. Many thanks.
Now all of my email accounts hosted in Virtualmin Linux VPS are able to receive emails.

Before solving the problem tonight / this evening, GMail used to send me Delivery Status Notification (Failure).

Thank you for all the help and advice, guys! The cause of the problem is with /etc/postfix/virtual and not /etc/postfix/main.cf. But I still have no idea who or what modified /etc/postfix/virtual that caused my Linux mail server to go down. I am no forensic expert.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Singapore
18 Dec 2025 Thursday 11.02 pm Singapore Time
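An added offline check, not from this thread or from Virtualmin, that ties together Joe's point that a domain cannot be both in mydestination and virtually hosted, and the final finding that the broken piece was /etc/postfix/virtual: for each domain that appears in a (constructed) virtual map, it reports whether Postfix would treat it as local, as a virtual alias domain, as both, or as neither, the last being the state that produces "554 5.7.1 Relay access denied". It assumes Postfix's default virtual_alias_domains = $virtual_alias_maps, under which a domain is virtual when its bare name is a key in the map; all domain names and map lines are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the thread or from Virtualmin): classify each hosted
# domain by Postfix address class. Assumes the default
#   virtual_alias_domains = $virtual_alias_maps
# so a domain is a virtual alias domain when its bare name is a key in the map.
# All domains and map lines below are constructed sample data.

VFILE=$(mktemp)
trap 'rm -f "$VFILE"' EXIT
{
  printf 'example.com\texample.com\n'           # bare key -> virtual alias domain
  printf 'ceo@example.com\tceo-example.com\n'
  printf 'example.edu\texample.edu\n'
  printf 'ceo@example.edu\tceo-example.edu\n'
  printf 'ceo@example.net\tceo-example.net\n'   # address only: no bare key
  printf 'alerts@example.org\talerts-example.org\n'
} > "$VFILE"

# mydestination in the shape of the "fix" the thread discusses: hosted domains listed as local
SAMPLE_MYDEST='$myhostname, localhost.$mydomain, localhost, ns1.example.org, example.net, example.com'

# classify DOMAIN MYDESTINATION VIRTUALFILE -> local | virtual | both | none
#   both : the conflict Joe describes (in mydestination AND a virtual alias domain)
#   none : no address class claims the domain -> "554 5.7.1 Relay access denied"
classify() {
  dom=$1; in_local=0; in_virtual=0
  for d in $(printf '%s' "$2" | tr ',' ' '); do
    [ "$d" = "$dom" ] && in_local=1
  done
  if awk -v d="$dom" '$1 == d { f = 1 } END { exit !f }' "$3"; then in_virtual=1; fi
  case "$in_local$in_virtual" in
    10) echo local ;; 01) echo virtual ;; 11) echo both ;; *) echo none ;;
  esac
}

# map_domains VIRTUALFILE -> every domain that appears right of an @ in a key
map_domains() {
  awk '$1 ~ /@/ { split($1, a, "@"); print a[2] }' "$1" | sort -u
}

# report MYDESTINATION VIRTUALFILE -> one "domain state" line per hosted domain
report() {
  for dom in $(map_domains "$2"); do
    printf '%s %s\n' "$dom" "$(classify "$dom" "$1" "$2")"
  done
}

report "$SAMPLE_MYDEST" "$VFILE"
```

On a real server the same two inputs are `postconf -h mydestination` and the file named in `postconf -h virtual_alias_maps`; a domain reported as "none" is the one whose mail is refused.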