Server hacked, I think

Hello,

I need help. I think somebody is using my server, because I received the email below from my hosting provider. Can you please help me find which domain is affected, or how to find where the emails are being sent from, or how to stop it?

Thank you.

============ Email received:

We have noticed a significant increase of outgoing connections from your server with IP 207.------- (vmirr—). The level of SMTP traffic on port 25/tcp is unusually high and at this pace you will hit the limit soon and all connections on this port will be blocked until the next day.

We do this to protect the reputation of our network and to make sure that your IPs, and all our customers, will not be blacklisted.

The most common explanation of such a spike in outgoing connections is that your server was hacked. If this is the case, we recommend reinstalling your server from scratch.

If these connections are initiated by you on purpose, please reply to this email and let us know what the expected traffic volume is and we will adjust the limits accordingly.

I’m not an expert.
But including your Hestia version, OS version and relevant logs will help us serve you faster and better.

Start by checking the Exim mainlog to identify the hacked user, suspend it, and find out what happened.

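As an added example (not code from this thread or from Hestia), a small POSIX shell script for the "check the Exim mainlog" step above: it counts the messages Exim accepted per authenticated account (the `A=` field on `<=` lines, which points at the account whose password is being abused) and the failed SMTP AUTH attempts per client IP. The log lines, IPs and account names in it are constructed samples, not taken from the original post.

```shell
#!/bin/sh
# Constructed sample of exim4 mainlog lines (placeholders, not real traffic).
SAMPLE_LOG='2024-11-26 07:10:47 no host name found for IP address 198.51.100.7
2024-11-26 07:10:55 dovecot_plain authenticator failed for (mail.example.com) [198.51.100.7]: 535 Incorrect authentication data (set_id=support)
2024-11-26 07:11:02 1tFhXx-0001AB-2C <= info@example.com H=(WIN-PC) [203.0.113.9] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=dovecot_plain:info@example.com S=1480
2024-11-26 07:11:03 1tFhXy-0001AC-3D <= info@example.com H=(WIN-PC) [203.0.113.9] P=esmtpsa A=dovecot_plain:info@example.com S=1482
2024-11-26 07:11:47 dovecot_plain authenticator failed for (mail.example.com) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2024-11-26 07:12:10 1tFhY0-0001AE-5F <= bob@example.org H=(laptop) [192.0.2.4] P=esmtpsa A=dovecot_plain:bob@example.org S=900'

# Messages accepted per authenticated account: reads mainlog on stdin,
# keeps only arrival lines ("<="), extracts the "A=driver:account" field
# and prints "<count> <account>", busiest account first.
top_auth_senders() {
    grep ' <= ' | grep -o ' A=[^ ]*' | sed 's/ A=[^:]*://' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Failed SMTP AUTH attempts per client IP (password guessing), same shape
# of output: "<count> <ip>", most attempts first.
failed_auth_by_ip() {
    grep 'authenticator failed for' | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Run both counts over a real log file (default: Debian's exim4 mainlog).
report() {
    log="${1:-/var/log/exim4/mainlog}"
    echo "== messages accepted per authenticated account =="
    top_auth_senders < "$log"
    echo "== failed AUTH attempts per client IP =="
    failed_auth_by_ip < "$log"
}

# Demo on the constructed sample; on the server you would call: report
echo "== sample: accepted per account =="
printf '%s\n' "$SAMPLE_LOG" | top_auth_senders
echo "== sample: failed AUTH per IP =="
printf '%s\n' "$SAMPLE_LOG" | failed_auth_by_ip
```

The account at the top of the first list is the one to suspend and reset; the rotated logs (`/var/log/exim4/mainlog.1`, `mainlog.*.gz` via `zcat`) usually show when the abuse started.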

I have checked

/var/log/exim4/mainlog

and found the email. I have suspended that domain for now.

But when I check the task monitor, it is still showing

Exim Usage

Example:

After suspending the domain, the mail log shows:
2024-11-26 07:10:47 no host name found for IP address 80.94…
2024-11-26 07:10:47 no host name found for IP address 109…
2024-11-26 07:10:55 dovecot_plain authenticator failed for (mail…) [109.1…]: 535 Incorrect authentication data (set_id=support)
2024-11-26 07:11:44 no host name found for IP address 141.1…
2024-11-26 07:11:47 dovecot_plain authenticator failed for (mail.domain) [141.11.24.143]: 535 Incorrect authentication data ([email protected])
2024-11-26 07:11:47 no host name found for IP address 141…
2024-11-26 07:11:54 dovecot_plain authenticator failed for (mail.domain.com) [141…]: 535 Incorrect authentication data (set_id=support)

What do I do next? How do I clean the domain? Please help.

Empty the Exim queue.


How do I do that? Can you please explain a little where I should go to clear the Exim queue?

How to Clear the Exim Mail Queue via Terminal

1. Stop Exim

Before clearing the mail queue, you need to stop the Exim service. To do this, run the following command:

sudo service exim4 stop

2. Clear the Mail Queue

The safest way to clear the mail queue is by using the command below. This command lists the emails in the queue and removes them one by one:

sudo exim4 -bp | awk '{print $3}' | xargs sudo exim4 -Mrm

3. Alternative Method (less recommended)

If you have a large number of emails in the queue and the previous command is not effective, you can manually clear the queue. This method is not the most correct, but it can be useful when dealing with a large volume of messages.

To do this, follow these steps:

  • Navigate to the directory where the emails are stored:
    cd /var/spool/exim4/input
  • Remove all files in the folder:
    sudo rm -f *

Note: This method should be used with caution, as it directly removes the files without going through Exim’s checks.

Thank you guys for the help. It's done.

It was one domain that was hacked. So is there any way to find the file/backdoor that was affected?