RackNerd has received an abuse complaint concerning your service racknerd-a7be7b

This is a Hail Mary type question. I have been receiving Abuse emails from my ISP (RackNerd) regarding my VPS which has been running Hestia CP 1.18.11 under Ubuntu 22.04 without problems for some months. And now this! If anyone can please suggest how I should begin investigation or problem resolution I would be very grateful.
I have installed and run ClamAV across all filesystems with no negative signs.
Surely there is a rogue process or hidden app that is doing this? Or is it coming from outside of the network?
Thank you,
Edward

An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected. Attached are the host who attacks and time / date of activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.

Host of attacker: 107.172.72.125 => 107.172.72.125 => 107.172.72.125
Responsible email contacts: [email protected]
Attacked hosts in our Network:

Logfile entries (time is CE(S)T):
Sat Jun 15 11:34:45 2024: user: s.aumueller service: smtp target: 37.228.158.32 source: 107.172.72.125
Sat Jun 15 11:34:21 2024: user: office service: smtp target: 178.250.12.42 source: 107.172.72.125
Sat Jun 15 11:34:12 2024: user: mail service: smtp target: 77.75.254.60 source: 107.172.72.125
Sat Jun 15 11:33:39 2024: user: [email protected] service: smtp target: 178.250.10.118 source: 107.172.72.125
Sat Jun 15 11:33:30 2024: user: roman.list service: smtp target: 85.158.181.11 source: 107.172.72.125
Sat Jun 15 11:31:18 2024: user: personals service: smtp target: 85.158.176.21 source: 107.172.72.125
Sat Jun 15 11:29:23 2024: user: info service: smtp target: 178.250.9.177 source: 107.172.72.125
Sat Jun 15 11:23:16 2024: user: scheibitz service: smtp target: 85.158.183.177 source: 107.172.72.125
Sat Jun 15 11:19:06 2024: user: markus.rottenkolber service: smtp target: 37.228.154.59 source: 107.172.72.125
Sat Jun 15 11:17:40 2024: user: [email protected] service: smtp target: 77.75.253.135 source: 107.172.72.125
Sat Jun 15 11:06:57 2024: user: [email protected] service: smtp target: 85.158.181.10 source: 107.172.72.125
Sat Jun 15 11:03:33 2024: user: pb service: smtp target: 85.158.181.29 source: 107.172.72.125
Sat Jun 15 11:03:16 2024: user: rj service: smtp target: 178.250.14.65 source: 107.172.72.125
Sat Jun 15 11:00:41 2024: user: [email protected] service: smtp target: 77.75.253.48 source: 107.172.72.125
Sat Jun 15 10:59:45 2024: user: [email protected] service: smtp target: 178.250.10.202 source: 107.172.72.125
Sat Jun 15 10:59:11 2024: user: david.gold service: smtp target: 37.228.154.28 source: 107.172.72.125
Sat Jun 15 10:47:51 2024: user: info service: smtp target: 77.75.250.63 source: 107.172.72.125
Sat Jun 15 10:47:26 2024: user: [email protected] service: smtp target: 185.39.220.51 source: 107.172.72.125
Sat Jun 15 10:43:39 2024: user: noreply_8ruyjtwfxkzmybgh5 service: smtp target: 178.250.12.166 source: 107.172.72.125
Sat Jun 15 10:43:10 2024: user: [email protected] service: smtp target: 85.158.181.80 source: 107.172.72.125
Sat Jun 15 10:40:30 2024: user: [email protected] service: smtp target: 85.158.181.30 source: 107.172.72.125
Sat Jun 15 10:36:39 2024: user: [email protected] service: smtp target: 85.158.181.17 source: 107.172.72.125
Sat Jun 15 10:36:04 2024: user: [email protected] service: smtp target: 77.75.249.241 source: 107.172.72.125
Sat Jun 15 10:26:50 2024: user: [email protected] service: smtp target: 81.88.33.88 source: 107.172.72.125
Sat Jun 15 09:56:45 2024: user: mike.huebner service: smtp target: 178.250.10.202 source: 107.172.72.125
Sat Jun 15 08:37:12 2024: user: ma service: smtp target: 85.158.181.29 source: 107.172.72.125
Sat Jun 15 08:28:51 2024: user: office service: smtp target: 85.158.181.29 source: 107.172.72.125
Sat Jun 15 08:24:31 2024: user: to service: smtp target: 85.158.181.29 source: 107.172.72.125
Sat Jun 15 08:23:01 2024: user: office service: smtp target: 85.158.181.29 source: 107.172.72.125
Sat Jun 15 08:12:38 2024: user: [email protected] service: smtp target: 85.158.181.17 source: 107.172.72.125
Sat Jun 15 08:07:48 2024: user: [email protected] service: smtp target: 178.250.12.166 source: 107.172.72.125
Sat Jun 15 07:55:57 2024: user: randolf.brugger service: smtp target: 37.228.154.221 source: 107.172.72.125
Sat Jun 15 07:44:24 2024: user: seese service: smtp target: 178.250.10.199 source: 107.172.72.125
Sat Jun 15 07:40:27 2024: user: office service: smtp target: 85.158.181.30 source: 107.172.72.125
Sat Jun 15 07:37:08 2024: user: [email protected] service: smtp target: 178.250.12.166 source: 107.172.72.125
Sat Jun 15 06:49:08 2024: user: [email protected] service: smtp target: 85.158.181.17 source: 107.172.72.125
Sat Jun 15 06:22:06 2024: user: weingut service: smtp target: 85.158.181.30 source: 107.172.72.125
Sat Jun 15 05:49:37 2024: user: noreply_jrze99buuvn service: smtp target: 178.250.12.166 source: 107.172.72.125
Sat Jun 15 05:17:59 2024: user: [email protected] service: smtp target: 85.158.181.29 source: 107.172.72.125
Sat Jun 15 05:17:09 2024: user: flugmodelle service: smtp target: 85.158.181.80 source: 107.172.72.125
Sat Jun 15 04:47:56 2024: user: noreply_6jevt6eohgd7ix7d service: smtp target: 178.250.12.166 source: 107.172.72.125
Sat Jun 15 04:05:55 2024: user: scheibitz service: smtp target: 85.158.183.177 source: 107.172.72.125
Sat Jun 15 03:36:55 2024: user: scheibitz service: smtp target: 85.158.183.177 source: 107.172.72.125
Sat Jun 15 03:33:54 2024: user: admin service: ssh target: 81.88.33.188 source: 107.172.72.125
Sat Jun 15 02:24:57 2024: user: instanz11 service: smtp target: 85.158.181.11 source: 107.172.72.125
Sat Jun 15 02:23:16 2024: user: alle-mitarbeiter service: smtp target: 85.158.181.17 source: 107.172.72.125
Sat Jun 15 02:21:34 2024: user: [email protected] service: smtp target: 178.250.10.118 source: 107.172.72.125
Sat Jun 15 02:15:16 2024: user: [email protected] service: smtp target: 85.158.181.17 source: 107.172.72.125
Sat Jun 15 02:15:00 2024: user: david.gold service: smtp target: 37.228.154.28 source: 107.172.72.125
...

Hello, my friend. How are you?

Let’s go, I’ll guide you step by step to help identify the origin of the problem. I believe the issue may be related to a user on one of your websites who may have inadvertently fallen victim to a phishing scam and shared their password with a spammer.

Here are some steps for you to follow, both to address the immediate issue and to prevent future incidents:

  1. First Step: Cleaning the Sending List
  Create a bash script to clean your email sending list during times when there is generally low email activity. Example script:
#!/bin/bash

# Clean the Exim queue: list every queued message (exim -bp), take the message id
# from each header line (age in m/h/d, size, id) and remove it with exim -Mrm.
# Note: this removes every message in the queue, whatever its age or sender.
exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

  Schedule this script to run twice, for instance, in the early evening and early morning, times when there is typically less activity. These times are commonly chosen because they are periods when fewer people are monitoring email traffic.

This step is crucial because it prevents your Exim email queue from being flooded with spam emails, which can overwhelm the server and significantly delay the delivery of legitimate emails. Spammers often exploit off-peak hours, such as late at night, when monitoring is minimal. It’s important to implement this script as a precautionary measure since there’s a risk that a spammer could flood the server’s outbound mailbox with millions of spam emails during these unsupervised hours.

  2. Second Step: Monitoring the Sending Queue
  Set up a simple monitor to check the sending queue every 30 seconds. If the number of emails in the queue exceeds a safe limit, for example, 100, you will be notified via email. Then, you can investigate using the following Exim commands:
  • exim -Mvl to check for undelivered emails.
  • exim -bpc to list messages in the queue.
  • exim -bp to check the total number of messages in the queue.

Upon detecting suspicious activity, pause Exim and examine the logs to identify the specific issue. After identifying it, contact the affected user to change their password and explain the importance of not sharing it.

  3. Third Step: Setting Sending Limits
  Define limits for sending both per user and per domain. For example, limit the number of emails sent per user to 50 per hour. This is crucial, especially if you share the same IP among multiple domains.

  4. Fourth Tip: Distributing Domains by IP
  Avoid placing too many domains on a single IP, as this may be seen by providers as an attempt to send spam. It is recommended to limit to about 20 domains per IP and, if necessary, consider acquiring additional IPs as your sending volume grows. Ensure that your RDNS, DKIM, and SPF settings are correctly configured to ensure the authenticity and good reputation of your emails.

By implementing these measures, you will be better equipped to manage and protect your email infrastructure against spam and phishing issues. Additionally, educate your users on security best practices and the dangers of sharing passwords indiscriminately.

Another tip is to take note of the time when the abuse occurred and check your logs at that specific time.

Your logs are likely located at:

/var/log/exim4/mail.log

Reviewing these logs will help you pinpoint the exact details surrounding the abuse incident.

Dear molero.renan. Thank you for your prompt and helpful advice. I am now working my way through each step. I have added/enabled the CRON job.
I do not understand how to set up the SSH monitor.
I only have 4 domains on the IP. And I am the only user on the server. I access the server via ssh.
I have checked the /var/log/exim4/mainlog and there is much suspicious activity in there. (my bad if I am exposing critical data).

2024-06-16 05:15:42 1sIiEw-005OI3-RZ <= [email protected] U=admin P=local S=731
2024-06-16 05:15:43 1sIiEw-005OI3-RZ H=gmail-smtp-in.l.google.com [172.253.115.27] TLS error on connection (recv): The TLS connection was non-properly terminated.
2024-06-16 05:15:43 1sIiEw-005OI3-RZ H=gmail-smtp-in.l.google.com [172.253.115.27] TLS error on connection (recv): The specified session has been invalidated for some reason.
2024-06-16 05:15:43 1sIiEw-005OI3-RZ ** [email protected] R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [172.253.115.27] X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes: SMTP error from remote mail server after pipelined end of data: 550-5.7.26 Your email has been blocked because the sender is unauthenticated.\n550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.\n550-5.7.26\n550-5.7.26  Authentication results:\n550-5.7.26  DKIM = did not pass\n550-5.7.26  SPF [hcp.shopmyapps.com] with ip: [107.172.72.125] = did not pass\n550-5.7.26\n550-5.7.26  For instructions on setting up authentication, go to\n550 5.7.26  https://support.google.com/mail/answer/81126#authentication d75a77b69052e-441f2fbacc1si71404661cf.392 - gsmtp
2024-06-16 05:15:43 1sIiEx-005OI8-DY <= <> R=1sIiEw-005OI3-RZ U=Debian-exim P=local S=3258
2024-06-16 05:15:43 1sIiEw-005OI3-RZ Completed
2024-06-16 05:15:43 1sIiEx-005OI8-DY remote host address is the local host: hcp.shopmyapps.com
2024-06-16 05:15:43 1sIiEx-005OI8-DY == [email protected] R=dnslookup defer (-1): remote host address is the local host
2024-06-16 05:15:43 1sIiEx-005OI8-DY ** [email protected]: retry timeout exceeded
2024-06-16 05:15:43 1sIiEx-005OI8-DY [email protected]: error ignored
2024-06-16 05:15:43 1sIiEx-005OI8-DY Completed

Here is the script, just configure it in your cron. The only thing you need to do is replace the email where you want to receive the notification 🙂

#!/bin/sh

# Check the number of emails in Exim queue
queue_count=$(exim -bpc)

# Set the threshold for the alert
limit=100

# Check if the number of emails in the queue exceeds the limit
if [ "$queue_count" -gt "$limit" ]; then
    # Send an email alert (replace with your email sending configuration)
    echo "Warning: The number of emails in the Exim queue is greater than $limit." | mail -s "Alert: Excessive emails in Exim queue" [email protected]
fi

Here is the current tail of exim4 mainlog:

root@hcp:/var/log/exim4# tail mainlog
2024-06-16 06:28:52 TLS error on connection from [127.0.0.1] (gnutls_handshake): The TLS connection was non-properly terminated.
2024-06-16 06:29:42 no host name found for IP address 193.32.162.89
2024-06-16 06:30:06 Start queue run: pid=1304670
2024-06-16 06:30:06 End queue run: pid=1304670
2024-06-16 06:31:01 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data ([email protected])
2024-06-16 06:32:29 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data ([email protected])
2024-06-16 06:32:37 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data
2024-06-16 06:32:43 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data ([email protected])
2024-06-16 06:33:02 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data ([email protected])
2024-06-16 06:33:45 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data ([email protected])

Is this IP address yours? 107.172.72.125

Yes. That is my IP

One thing you can do is improve your fail2ban configuration; this will help prevent multiple attempts to guess passwords for your emails. When there are 5 failed attempts, fail2ban will ban the IP.

Edit

/etc/fail2ban/jail.local

[exim-iptables]
enabled = true
filter = exim
action = hestia[name=MAIL]
logpath = /var/log/exim4/mainlog
maxretry = 5
findtime = 1200
bantime = 1200

[dovecot-iptables]
enabled = true
filter = dovecot
action = hestia[name=MAIL]
logpath = /var/log/dovecot.log
maxretry = 5
findtime = 1200
bantime = 1200

After making these changes, restart fail2ban and update all your email passwords. Then, monitor to see if the issue improves 🙂

I hope that helped. This kind of issue typically requires more investigation, haha.

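An added check, not from the thread or from fail2ban itself: the mainlog tail above records two addresses per failed login, the HELO string in parentheses ([107.172.72.125]) and the connecting peer in square brackets ([127.0.0.1]), and a jail bans only the peer. This script counts failures per peer against a maxretry of 5 over constructed sample lines modelled on that tail (placeholder mailbox names, plus one extra peer from the 203.0.113.0/24 documentation range), so you can see which address a ban would actually reach before relying on the jail to stop the noise.

```sh
#!/bin/sh
# Added example: count Exim authenticator failures per connecting peer, the way a
# fail2ban jail with maxretry=5 would, keeping the HELO field apart from the peer.
# SAMPLE_MAINLOG is constructed, modelled on the mainlog tail posted in the thread;
# mailbox names are placeholders, 203.0.113.7 is a documentation-range address.
SAMPLE_MAINLOG='2024-06-16 06:31:01 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data (info@example.invalid)
2024-06-16 06:32:29 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data (office@example.invalid)
2024-06-16 06:32:37 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data
2024-06-16 06:32:43 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data (mail@example.invalid)
2024-06-16 06:33:02 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data (admin@example.invalid)
2024-06-16 06:33:45 dovecot_login authenticator failed for ([107.172.72.125]) [127.0.0.1]: 535 Incorrect authentication data (info@example.invalid)
2024-06-16 06:35:10 dovecot_login authenticator failed for (example.invalid) [203.0.113.7]: 535 Incorrect authentication data (info@example.invalid)
2024-06-16 06:35:12 dovecot_login authenticator failed for (example.invalid) [203.0.113.7]: 535 Incorrect authentication data (office@example.invalid)
2024-06-16 06:30:06 Start queue run: pid=1304670'

# Reads mainlog lines on stdin; prints "<failures> <peer_ip> <helo>" per peer,
# most failures first. The peer is the square-bracketed address that follows the
# parenthesised HELO; that address, not the HELO, is what a jail can ban.
auth_failures_by_peer() {
    sed -nE 's/^.*authenticator failed for \(([^)]*)\) \[([0-9a-fA-F.:]+)\].*$/\2 \1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# Reads mainlog lines on stdin; prints peers at or above the given maxretry,
# i.e. the addresses a jail like [exim-iptables] above would act on.
flag_peers() {
    auth_failures_by_peer | awk -v maxretry="$1" '$1 >= maxretry { print $2 }'
}

# Demo over the constructed sample. On a live box:
#   flag_peers 5 < /var/log/exim4/mainlog
printf '%s\n' "$SAMPLE_MAINLOG" | auth_failures_by_peer
echo '--- peers at/above maxretry=5:'
printf '%s\n' "$SAMPLE_MAINLOG" | flag_peers 5
```

A peer of 127.0.0.1 means the failed logins reached Exim from the server itself, so a ban list keyed on the peer never leaves localhost; that is the case to follow up on the box rather than in the firewall.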

Renan. Again, I thank you. I have more than enough, I hope, to attempt to not get my server ‘deactivated’ by RackNerd. Wish me luck my friend. Edward


This year I have noticed an uptick in attacks or attempts on my network and have started to use Wazuh to help secure my network.

You can also set up Wazuh actions to drop traffic at the firewall when an attempt is identified on your services on that VM.

It is good to identify any issues on a device or OS and how to fix them.

If you're using Ubuntu you can subscribe to Ubuntu Pro and get 5 devices for free, so any critical security updates are patched as soon as an update is available.

I only host my own and friends' websites, and one of their email accounts was brute forced because of a simple password.


You can install MailHog between PHP and Exim to capture which site/user is sending mail.


I use Maldetect to scan the users files. Linux Malware Detect – R-fx Networks
One of my users had an old version of Joomla that was abused and sent lots of emails (backdoored).


You have all been so kind and supportive and I thank you sincerely. However, after implementing all of the above recommendations and tools, scripts, etc., I am still being nagged by my ISP RackNerd due to ongoing brute forcing of account passwords over SSH/FTP, and they are threatening to delete my VPS.

Is there something else I must be missing? Something I can do?

Thank you,

Edward

An attempt to brute-force account passwords over SSH/FTP by a machine in your domain or in your network has been detected. Attached are the host who attacks and time / date of activity. Please take the necessary action(s) to stop this activity immediately. If you have any questions please reply to this email.

Host of attacker: 107.172.72.125 => 107.172.72.125 => 107.172.72.125
Responsible email contacts: [email protected]
Attacked hosts in our Network:

Logfile entries (time is CE(S)T):
Fri Jun 28 02:08:23 2024: user: [email protected] service: smtp target: 77.75.251.49 source: 107.172.72.125
Fri Jun 28 02:03:36 2024: user: list-glcolumn-help service: smtp target: 77.75.249.119 source: 107.172.72.125
Fri Jun 28 01:52:44 2024: user: [email protected] service: smtp target: 85.158.181.20 source: 107.172.72.125
Fri Jun 28 01:51:09 2024: user: laden service: smtp target: 85.158.183.131 source: 107.172.72.125
Fri Jun 28 01:46:26 2024: user: [email protected] service: smtp target: 37.228.154.183 source: 107.172.72.125
Fri Jun 28 01:41:13 2024: user: [email protected] service: smtp target: 37.228.153.9 source: 107.172.72.125
Fri Jun 28 01:34:16 2024: user: [email protected] service: smtp target: 85.158.181.15 source: 107.172.72.125
Fri Jun 28 01:29:40 2024: user: 111111 service: ssh target: 81.88.33.142 source: 107.172.72.125
Fri Jun 28 01:26:10 2024: user: office service: smtp target: 85.158.181.27 source: 107.172.72.125
Fri Jun 28 01:24:00 2024: user: tscherne service: smtp target: 85.158.181.28 source: 107.172.72.125
Fri Jun 28 01:23:41 2024: user: service service: smtp target: 37.228.159.161 source: 107.172.72.125
etc  etc
...

107.172.72.125 is your server ip?

Yes that is my server IP

Then you need to scan your server for malware, as outgoing requests to other servers are the issue… It has nothing to do with incoming requests… So iptables won’t help
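The reports name this server as the source of logins to remote SMTP and SSH hosts, so the thing to find is the local process opening those connections; this added example (not from the thread) summarises `ss -tnpH state established` output into distinct remote peers per process, which separates an MTA delivering to a few hosts from one process fanning out to many. The rows it parses here are constructed (documentation-range peers, a placeholder process name `example-worker`, made-up pids); `live_outbound_fanout` runs the real `ss` filter on the box, and `describe_pid` reads the owner, executable and working directory from /proc.

```sh
#!/bin/sh
# Added example: attribute outbound SMTP/SSH connections to the local process
# that owns them. SAMPLE_SS is constructed `ss -tnpH state established` output:
# 198.51.100.x / 203.0.113.x are documentation-range peers, "example-worker"
# and the pids are placeholders, not anything observed on the server.
SAMPLE_SS='0 0 107.172.72.125:40100 198.51.100.10:25 users:(("example-worker",pid=4242,fd=5))
0 0 107.172.72.125:40102 198.51.100.11:25 users:(("example-worker",pid=4242,fd=6))
0 0 107.172.72.125:40104 198.51.100.12:22 users:(("example-worker",pid=4242,fd=7))
0 0 107.172.72.125:40106 198.51.100.10:25 users:(("example-worker",pid=4242,fd=8))
0 0 107.172.72.125:52000 203.0.113.25:25 users:(("exim4",pid=2001,fd=3))'

# Reads ss rows on stdin. With a state filter ss omits the State column, so the
# peer address is field 4 and the process info field 5. Prints
# "<distinct_peers> <pid> <comm>", widest fan-out first: one process talking to
# many different mail/ssh servers is the pattern the abuse reports describe.
outbound_fanout() {
    awk '
    {
        peer = $4
        pid = "?"; comm = "?"
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /users:\(\("[^"]+"/)) comm = substr($0, RSTART + 9, RLENGTH - 10)
        key = pid " " comm
        if (!((key, peer) in seen)) { seen[key, peer] = 1; fan[key]++ }
    }
    END { for (k in fan) print fan[k], k }' | sort -rn
}

# Owner, executable and working directory of a pid, read from /proc (live only).
describe_pid() {
    printf 'pid=%s user=%s exe=%s cwd=%s\n' "$1" \
        "$(stat -c %U "/proc/$1" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$1/cwd" 2>/dev/null || echo '?')"
}

# Live check: established connections from this host to remote SMTP, SSH and FTP
# ports. Run as root, otherwise -p cannot show other users' processes.
live_outbound_fanout() {
    ss -tnpH state established \
        '( dport = :25 or dport = :465 or dport = :587 or dport = :22 or dport = :21 )' \
        | outbound_fanout
}

# Demo over the constructed rows. On a live box:
#   live_outbound_fanout | while read -r n pid comm; do describe_pid "$pid"; done
printf '%s\n' "$SAMPLE_SS" | outbound_fanout
```

Anything with a high fan-out that is not the MTA, or an exim4 delivery process whose queue is full of mail from a single local user (the U= field in mainlog), is where maldet and a look at that user's cron jobs and web root should start.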

Thank you. I have and am running maldet -a /home again. I have hardened my fail2ban settings. And honestly, I do not know what to look out for. Hope that maldet will raise any issues.

Yes, I also have clamscan available. And avoiding double negatives.