hacked mail server

I stopped my Postfix mail server (with Dovecot POP3) a while ago because someone was able to send spam with it.

I tried a few ‘mail relay’ tests and they worked. Mail relay is disabled according to those tests.

Now I am trying to figure out how he was doing it.

I see a lot of failed ‘pop3’ login attempts, which is probably ‘normal’ for any mail server?

I am also getting tons of these in my Postfix mail queue and wonder what they are:

Mail headers:
From: root (Cron Daemon)
To: root
Date:
Subject: Cron root@XXXXXX [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete

Message text:

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mcrypt.so' - /usr/lib/php5/20090626+lfs/mcrypt.so: cannot open shared object file: No such file or directory in Unknown on line 0

Any other suggestions on where I can look or what I should do to prevent further spam are welcome.

Howdy,

Well, the key would be to review the spam messages in question.

The email headers that they contain would help explain how they are getting there.

It’s likely either an issue with an email user’s password being guessed, or a web application that contains a security vulnerability.

-Eric

Thanks for the info.

I could not find any in ‘Postfix mail server’ -> ‘User mailboxes’. I use POP3; is it possible they are removed from the mail server by the ‘spammer’ so I won’t see them?

Is there a log somewhere I could see a trace of those?

I saw a ton of messages in the mail queue, but they are either a ‘backup successful’ message or the one I added in my original post.
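The log review Eric's reply describes, and the trace the follow-up post asks for, both come out of the mail log (usually /var/log/mail.log or /var/log/maillog). The script below is an added example, not code from this thread or from the Postfix or Dovecot projects. It parses log lines in the syslog layout Postfix and Dovecot normally write and separates the two causes Eric names: an authenticated SMTP (SASL) account pushing out bulk mail, which points at a guessed password, and mail injected locally under the web server's uid, which points at a vulnerable web application. It also tallies the failed POP3/IMAP logins by source address. The sample log lines, the file name, the uid 33 (www-data on Debian/Ubuntu) and the recipient-count threshold are all assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Sort Postfix/Dovecot log lines into the two spam-origin hypotheses from the
thread: an authenticated SMTP (SASL) account sending bulk mail, or mail injected
locally by the web server's uid via sendmail/pickup. Added example, not the
original poster's code."""
import re
import sys
from collections import Counter

# Constructed sample of /var/log/mail.log lines (not taken from the post), in the
# syslog layout Postfix and Dovecot normally write. Addresses use documentation
# ranges; queue IDs, names and timestamps are made up.
SAMPLE_LOG = """\
Mar  3 10:15:02 mail postfix/smtpd[12345]: 5A1B2C3D4E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:15:03 mail postfix/qmgr[1111]: 5A1B2C3D4E: from=<bob@example.com>, size=2345, nrcpt=48 (queue active)
Mar  3 10:15:09 mail postfix/smtpd[12345]: 5A1B2C3D4F: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  3 10:15:10 mail postfix/qmgr[1111]: 5A1B2C3D4F: from=<bob@example.com>, size=2351, nrcpt=50 (queue active)
Mar  3 10:16:00 mail postfix/pickup[2222]: 6B2C3D4E5F: uid=33 from=<www-data>
Mar  3 10:16:00 mail postfix/qmgr[1111]: 6B2C3D4E5F: from=<www-data@mail.example.com>, size=1800, nrcpt=1 (queue active)
Mar  3 10:17:10 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5
Mar  3 10:17:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.5
Mar  3 10:18:00 mail postfix/smtpd[12346]: 7C3D4E5F6A: client=laptop.example.org[192.0.2.9], sasl_method=PLAIN, sasl_username=alice@example.com
Mar  3 10:18:01 mail postfix/qmgr[1111]: 7C3D4E5F6A: from=<alice@example.com>, size=900, nrcpt=1 (queue active)
Mar  3 10:19:00 mail postfix/pickup[2222]: 8D4E5F6A7B: uid=0 from=<root>
Mar  3 10:19:00 mail postfix/qmgr[1111]: 8D4E5F6A7B: from=<root@mail.example.com>, size=400, nrcpt=1 (queue active)
"""

# smtpd logs the SASL user and client address when an authenticated submission is accepted.
SASL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=[^\[\s]+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)")
# qmgr logs the envelope sender and recipient count once the message is queued.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
# pickup logs the Unix uid of whoever called sendmail(1) locally (e.g. PHP's mail()).
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-Za-z]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
# Dovecot's login process logs failed POP3/IMAP authentications with the remote IP (rip=).
DOVECOT_FAIL_RE = re.compile(
    r"dovecot: (?P<proto>pop3|imap)-login: .*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)")


def analyze(log_text, web_uids=frozenset({33}), bulk_rcpt=10):
    """Return SASL login counts, bulk SASL submissions, web-uid-injected messages
    and failed POP3/IMAP logins. uid 33 (www-data on Debian/Ubuntu) and the
    bulk_rcpt threshold are illustration assumptions, not Postfix defaults."""
    origin = {}                # queue id -> how the message entered Postfix
    sasl_logins = Counter()    # (sasl user, client ip) -> accepted submissions
    auth_failures = Counter()  # remote ip -> failed POP3/IMAP logins
    lines = log_text.splitlines()
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            origin[m["qid"]] = ("sasl", m["user"], m["ip"])
            sasl_logins[(m["user"], m["ip"])] += 1
            continue
        m = PICKUP_RE.search(line)
        if m:
            origin[m["qid"]] = ("pickup", int(m["uid"]), m["sender"])
            continue
        m = DOVECOT_FAIL_RE.search(line)
        if m:
            auth_failures[m["ip"]] += 1
    bulk_sasl, web_injected = [], []
    for line in lines:  # second pass: qmgr lines are joined to their origin by queue id
        m = QMGR_RE.search(line)
        if not m or m["qid"] not in origin:
            continue
        how, who, where = origin[m["qid"]]
        if how == "sasl" and int(m["nrcpt"]) >= bulk_rcpt:
            bulk_sasl.append((m["qid"], who, where, int(m["nrcpt"])))
        elif how == "pickup" and who in web_uids:
            web_injected.append((m["qid"], who, where))
    return {"sasl_logins": sasl_logins, "bulk_sasl": bulk_sasl,
            "web_injected": web_injected, "auth_failures": auth_failures}


def report(result):
    """Render the findings as plain text lines, one per finding."""
    out = []
    for (user, ip), n in result["sasl_logins"].most_common():
        out.append(f"SASL user {user} from {ip}: {n} accepted submission(s)")
    for qid, user, ip, nrcpt in result["bulk_sasl"]:
        out.append(f"bulk SASL message {qid}: {user} from {ip} to {nrcpt} recipients (guessed password?)")
    for qid, uid, sender in result["web_injected"]:
        out.append(f"web-injected message {qid}: uid={uid} from=<{sender}> (vulnerable web app?)")
    for ip, n in result["auth_failures"].most_common():
        out.append(f"{n} failed POP3/IMAP login(s) from {ip}")
    return out


if __name__ == "__main__":
    # Usage: python3 mailcheck.py /var/log/mail.log  (file name assumed; no argument runs the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(analyze(text))))
```

On the constructed sample this flags bob@example.com submitting 48- and 50-recipient messages from one unknown host (a guessed-password pattern), one message injected by uid 33 (a web-application pattern), and two failed POP3 logins from the same address. Mail a spammer relays through an authenticated SMTP session goes straight out to its recipients and never lands in a local POP3 mailbox, which is why the sent spam does not show up under 'User mailboxes'; the log is where the trace is. Copies still sitting in the queue can be listed with `postqueue -p` and viewed, headers included, with `postcat -q <queue id>`.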