spammers are using my server

Virtualmin
21

I found an example, I did this:

$ttl 38400 @ IN SOA ns1.penghosting.nl. root.ns1.penghosting.nl. ( 1385376458 10800 3600 604800 38400 ) @ IN NS ns1.penghosting.nl. @ IN NS ns2.penghosting.nl. penghosting.nl. IN A 88.208.193.145 www.penghosting.nl. IN A 88.208.193.145 ftp.penghosting.nl. IN A 88.208.193.145 m.penghosting.nl. IN A 88.208.193.145 ns1.penghosting.nl. IN A 88.208.193.145 ns2.penghosting.nl. IN A 88.208.193.146 localhost.penghosting.nl. IN A 127.0.0.1 webmail.penghosting.nl. IN A 88.208.193.145 admin.penghosting.nl. IN A 88.208.193.145 mail.penghosting.nl. IN A 88.208.193.145 penghosting.nl. IN MX 5 mail.penghosting.nl. penghosting.nl. IN TXT "v=spf1 a mx a:penghosting.nl ip4:88.208.193.145 ?all" autoconfig.penghosting.nl. IN A 88.208.193.145

restarted bind, and now I could restart apache2 as well.

No luck on starting up virtualmin, but at least I can now create manually those hosts file for all the domains and get those up and running which seems now the most important thing.

22

All the info in /etc/apache2/sites-available/hollandsenieuwe.com.conf seems all right:

SuexecUserGroup "#1004" "#1004" ServerName hollandsenieuwe.com ServerAlias www.hollandsenieuwe.com ServerAlias webmail.hollandsenieuwe.com ServerAlias admin.hollandsenieuwe.com ServerAlias autoconfig.hollandsenieuwe.com DocumentRoot /home/hn/public_html ErrorLog /var/log/virtualmin/hollandsenieuwe.com_error_log CustomLog /var/log/virtualmin/hollandsenieuwe.com_access_log combined ScriptAlias /cgi-bin/ /home/hn/cgi-bin/ ScriptAlias /awstats/ /home/hn/cgi-bin/ DirectoryIndex index.html index.htm index.php index.php4 index.php5 Options -Indexes +IncludesNOEXEC +SymLinksifOwnerMatch +ExecCGI allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch allow from all AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch RewriteEngine on RewriteCond %{HTTP_HOST} =webmail.hollandsenieuwe.com RewriteRule ^(.*) https://hollandsenieuwe.com:20000/ [R] RewriteCond %{HTTP_HOST} =admin.hollandsenieuwe.com RewriteRule ^(.*) https://hollandsenieuwe.com:10000/ [R]

etc…

23

Take a look at the Apache error logs, to find out where the relative links point to. Without concrete example I can’t say much more.

24

I agree Lex, you might find this a bit easier to fix if you could access Virtualmin, and just re-generate some of those files, and/or access your backups.

After starting Webmin, do you see any errors in /var/webmin/miniserv.error?

Also, what is the output of this command:

netstat -an | grep :10000

-Eric

25

Thanks people!

Here’s the output from netstat:

tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN udp 0 0 0.0.0.0:10000 0.0.0.0:*

I just restarted webmin now, and in the error log, I see:

[25/Nov/2013:14:39:50 +0000] miniserv.pl started [25/Nov/2013:14:39:50 +0000] Using MD5 module Digest::MD5 [25/Nov/2013:14:39:50 +0000] PAM authentication enabled
26

This server, is supposed to be an alias of peng.es

There is nothing in this here telling everybody that that is the case:

$ttl 38400 photosgrancanaria.com. IN SOA ns1.penghosting.nl. root.ns1.penghosting.nl. ( 1385376454 10800 3600 604800 38400 ) photosgrancanaria.com. IN NS ns1.penghosting.nl. photosgrancanaria.com. IN NS ns2.penghosting.nl. photosgrancanaria.com. IN A 88.208.193.146 www.photosgrancanaria.com. IN A 88.208.193.146 ftp.photosgrancanaria.com. IN A 88.208.193.146 m.photosgrancanaria.com. IN A 88.208.193.146 localhost.photosgrancanaria.com. IN A 127.0.0.1 webmail.photosgrancanaria.com. IN A 88.208.193.146 admin.photosgrancanaria.com. IN A 88.208.193.146 mail.photosgrancanaria.com. IN A 88.208.193.146 photosgrancanaria.com. IN MX 5 mail.photosgrancanaria.com. photosgrancanaria.com. IN TXT "v=spf1 a mx a:photosgrancanaria.com ip4:88.208.193.145 ip4:88.208.193.146 ?all" autoconfig.photosgrancanaria.com. IN A 88.208.193.146

How is it supposed to work?

27

About not being able to see virtualmin:
over links (in a terminal) it does work and asks me to login.

28

Which got me thinking, and yes, I needed to do this:

iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 20000 -j ACCEPT

Now I’m in.

29

Ok, if via virtualmin I ‘preview’ the website, I get to see the sitre that I’m supposed to see.

https://88.208.193.145:10000/virtual-server/link.cgi/88.208.193.146/http://www.photosgrancanaria.com/

In the real world however, I still ge to see the ‘default domain for this ip’ (88.208.193.146) which is a complete different website.

What what you guys and girls do now?

(out of ideas)

30

Alias-servers get their own BIND zone too, so it’s not incorrect that your “photosgrancanaria.com” has one. Are you seeing any problems with it? You need to be more specific in what problems you have precisely, as opposed to making post after post, telling us what stuff you do and try.

At some point, if you can’t get your machine working again, it might be easier to restore a backup. Trying to remotely fix all problems that arose due to your deleting part of /var is probably beyond the scope of this forum.

31

Ok thanks Locutus,

I don’t have a good backup, as I didn’t know what exactly to backup. I’ll learn that after this all working again.

By the way, I might be over-posting :), but I’m doing that so if somebody else ever has a similar problem they might find something they’re looking for.

Ok, so I’m left with this main problem:

servers that are aliases of other servers, are not showing the site they should but in stead they show the main server for that ip. If I change the main server for that ip, then that’s the site shown.

The same goes for sites, in which I created a custom username. For example, the site www.hollandsenieuwe.com shows the default website for that ip address as well, and for that site I created the custom username: hn (what normally would have been hollandsenieuwe) when I set it up.

Sorry if I haven’t been very clear…

32

Easiest solution might be, if it’s not too many, to delete and re-create the alias servers. Since they don’t have many settings to configure, that should go quite quickly.

33

Good thinking, thanks!

Same thing happens. So the deleted stuff (early in the var partition) must have to do with it, but it became only obvious after restarting bind9, or at least, after rebooting.

Which is going to make this more complicated I guess.

In /var/bind I have now all the hosts files. Is there something near, that I’ve deleted too and that’s necessary for these aliases to work?

I really am sorry for all the help I’m asking. I’ll make sure I’ll start to learn about how to best backup this kind of stuff.

34

And here everything seems as it should be: the hollandsenieuwe.com.conf in /etc/apache2/sites-available looks as it should do to me, with the “hn” in stead of the “hollandsenieuwe”.

35

What is the output of this command:

grep -i virtualhost /etc/apache2/sites-enabled/*.conf

That will show the IP/port used for the various Apache configs… maybe something in there will stick out as a problem.

-Eric

36

Thanks Eric, looks all pretty normal. Shows all the “real” domains (not the aliases), with either one of the two ip’s I use on the server, like this:

/etc/apache2/sites-enabled/peng.es.conf: /etc/apache2/sites-enabled/peng.es.conf:

But then all of them…

37

Ok, I didn’t do anything, but everything works all of a sudden. I don’t know what caused that, some dns caching going on or so? (I did restart bind and apache all the time, but hey)

Anyway, I’m not complaining.

First of all, before going to bed: THANKS A LOT everybody! It really is good to know there’s a place where I can come with my silly server problems.

I was just checking up backing up in the cloud plans, and they are really cheap, but then they have little statements that if they find out you’re a business you have to take a business plan…

But if somebody wants 35% discount from justcloud, here you go:
https://secure.justcloud.com/?scoup=35off#ic

Tomorrow I’ll try and see if I can do something about the original subject here, the spammers.