spammers using the mail server to send spam

#1 Wed, 05/01/2019 - 14:59
Bassem

spammers using the mail server to send spam

Spammers are using the mail server to send spam. I also checked the maillog file:

May  1 21:59:21 server1 postfix/bounce[26742]: 7AE7C58829C: sender non-delivery notification: 45D33581DD1
May  1 21:59:21 server1 postfix/smtp[23981]: connect to mx1.pangia.biz[216.163.176.38]:25: Connection timed out
May  1 21:59:21 server1 postfix/qmgr[23937]: 7AE7C58829C: removed
May  1 21:59:21 server1 postfix/qmgr[23937]: D8FB45A18A7: from=<luke.donald113@gmail.com>, size=4043, nrcpt=50 (queue active)
May  1 21:59:21 server1 postfix/smtp[23975]: connect to mx6.mail.icloud.com[17.57.8.133]:25: Connection timed out
May  1 21:59:21 server1 postfix/smtp[4486]: connect to mx.core.locaweb.com.br[177.153.23.241]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[4485]: connect to aspmx.l.google.com[173.194.76.26]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[4485]: connect to aspmx.l.google.com[2a00:1450:400c:c07::1a]:25: Network is unreachable
May  1 21:59:22 server1 postfix/smtp[4485]: connect to alt1.aspmx.l.google.com[2a00:1450:4010:c0e::1b]:25: Network is unreachable
May  1 21:59:22 server1 postfix/smtp[23973]: connect to mx2.pangia.biz[216.163.176.38]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[23945]: connect to liztex-com.mail.protection.outlook.com[104.47.32.36]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[4374]: connect to securemail-mx4.synaq.com[196.35.198.130]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[4374]: D752658853F: to=<engelruy@mweb.co.za>, relay=none, delay=436930, delays=436517/352/60/0, dsn=4.4.1, status=deferred (connect to securemail-mx4.synaq.com[196.35.198.130]:25: Connection timed out)
May  1 21:59:22 server1 postfix/smtpd[26865]: warning: unknown[45.125.66.100]: SASL LOGIN authentication failed: authentication failure
May  1 21:59:22 server1 postfix/smtpd[26865]: disconnect from unknown[45.125.66.100]
May  1 21:59:22 server1 postfix/smtp[4450]: connect to smtp.secureserver.net[72.167.238.29]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[23970]: connect to smtp.clix.pt[195.23.128.251]:25: Connection timed out
May  1 21:59:22 server1 postfix/smtp[23970]: D752658853F: to=<engenho@oninet.pt>, relay=none, delay=436930, delays=436517/353/60/0, dsn=4.4.1, status=deferred (connect to smtp.clix.pt[195.23.128.251]:25: Connection timed out)
May  1 21:59:23 server1 postfix/smtp[4370]: connect to mx.rainydayart.com.cust.a.hostedemail.com[216.40.42.4]:25: Connection timed out
May  1 21:59:23 server1 postfix/smtp[4370]: 7564F5849C1: to=<aida@rainydayart.com>, relay=none, delay=440507, delays=440094/383/30/0, dsn=4.4.1, status=deferred (connect to mx.rainydayart.com.cust.a.hostedemail.com[216.40.42.4]:25: Connection timed out)

What I did:

1- I enabled Spam filtering and Virus filtering in Virtualmin
2- sudo rkhunter -c

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chkconfig [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/depmod [ OK ]
/usr/sbin/fsck [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/ifdown [ OK ]
/usr/sbin/ifup [ OK ]
/usr/sbin/init [ OK ]
/usr/sbin/insmod [ OK ]
/usr/sbin/ip [ OK ]
/usr/sbin/lsmod [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/modinfo [ OK ]
/usr/sbin/modprobe [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rmmod [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/runlevel [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/sulogin [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/bash [ OK ]
/usr/bin/cat [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/chmod [ OK ]
/usr/bin/chown [ OK ]
/usr/bin/cp [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/date [ OK ]
/usr/bin/df [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ OK ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ipcs [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/ls [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/mount [ OK ]
/usr/bin/mv [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/ping [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/ps [ OK ]
/usr/bin/pwd [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/rpm [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sh [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/telnet [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/numfmt [ OK ]
/usr/bin/kmod [ OK ]
/usr/bin/systemctl [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/mailx [ OK ]
/usr/lib/systemd/systemd [ OK ]

[Press <ENTER> to continue]


Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Diamorphine LKM [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Ebury backdoor [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
****`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
Jynx2 Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mokes backdoor [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]

[Press <ENTER> to continue]


Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for hidden processes [ Skipped ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

[Press <ENTER> to continue]


Checking the network...

Performing checks on the network ports
Checking for backdoor ports [ None found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not set ]
Checking for other suspicious configuration settings [ None found ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ None found ]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
Files checked: 126
Suspect files: 0

Rootkit checks...
Rootkits checked : 486
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 4 minutes and 45 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

[root@server1 ~]#

[root@server1 opt]# lynis audit system

[ Lynis 2.7.4 ]

################################################################################
Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software.

2007-2019, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]

---------------------------------------------------
Program version: 2.7.4
Operating system: Linux
Operating system name: CentOS
Operating system version: CentOS Linux release 7.6.1810 (Core)
Kernel version: 3.10.0
Hardware platform: x86_64
Hostname: server1
---------------------------------------------------
Profiles: /usr/local/lynis/default.prf
Log file: /var/log/lynis.log
Report file: /var/log/lynis-report.dat
Report version: 1.0
Plugin directory: /usr/local/lynis/plugins
---------------------------------------------------
Auditor: [Not Specified]
Language: en
Test category: all
Test group: all
---------------------------------------------------
- Program update status... [ NO UPDATE ]

[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system binaries...

[+] Plugins (phase 1)
------------------------------------
Note: plugins have more extensive tests and may take several minutes to complete

- Plugins enabled [ NONE ]

[+] Boot and services
------------------------------------
- Service Manager [ systemd ]
- Checking UEFI boot [ DISABLED ]
- Checking presence GRUB2 [ FOUND ]
- Checking for password protection [ OK ]
- Check running services (systemctl) [ DONE ]
Result: found 27 running services
- Check enabled services at boot (systemctl) [ DONE ]
Result: found 40 enabled services
- Check startup files (permissions) [ OK ]

[+] Kernel
------------------------------------
- Checking default runlevel [ runlevel 3 ]
- Checking CPU support (NX/PAE)
CPU support: PAE and/or NoeXecute supported [ FOUND ]
- Checking kernel version and release [ DONE ]
- Checking kernel type [ DONE ]
- Checking loaded kernel modules [ DONE ]
Found 89 active modules
- Checking Linux kernel configuration file [ FOUND ]
- Checking default I/O kernel scheduler [ FOUND ]
- Checking core dumps configuration [ DISABLED ]
- Checking setuid core dumps configuration [ DEFAULT ]
- Check if reboot is needed [ NO ]

[+] Memory and Processes
------------------------------------
- Checking /proc/meminfo [ FOUND ]
- Searching for dead/zombie processes [ OK ]
- Searching for IO waiting processes [ OK ]

[+] Users, Groups and Authentication
------------------------------------
- Administrator accounts [ OK ]
- Unique UIDs [ WARNING ]
- Consistency of group files (grpck) [ OK ]
- Unique group IDs [ OK ]
- Unique group names [ OK ]
- Password file consistency [ SUGGESTION ]
- Query system users (non daemons) [ DONE ]
- NIS+ authentication support [ NOT ENABLED ]
- NIS authentication support [ NOT ENABLED ]
- sudoers file [ FOUND ]
- Permissions for directory: /etc/sudoers.d [ OK ]
- Permissions for: /etc/sudoers [ OK ]
- PAM password strength tools [ OK ]
- PAM configuration file (pam.conf) [ NOT FOUND ]
- PAM configuration files (pam.d) [ FOUND ]
- PAM modules [ FOUND ]
- LDAP module in PAM [ NOT FOUND ]
- Accounts without expire date [ OK ]
- Accounts without password [ OK ]
- Checking user password aging (minimum) [ DISABLED ]
- User password aging (maximum) [ DISABLED ]
- Checking expired passwords [ OK ]
- Checking Linux single user mode authentication [ OK ]
- Determining default umask
- umask (/etc/profile and /etc/profile.d) [ SUGGESTION ]
- umask (/etc/login.defs) [ OK ]
- umask (/etc/init.d/functions) [ SUGGESTION ]
- LDAP authentication support [ NOT ENABLED ]
- Logging failed login attempts [ DISABLED ]

[+] Shells
------------------------------------
- Checking shells from /etc/shells
Result: found 6 shells (valid shells: 6).
- Session timeout settings/tools [ NONE ]
- Checking default umask values
- Checking default umask in /etc/bashrc [ WEAK ]
- Checking default umask in /etc/csh.cshrc [ WEAK ]
- Checking default umask in /etc/profile [ WEAK ]

[+] File systems
------------------------------------
- Checking mount points
- Checking /home mount point [ SUGGESTION ]
- Checking /tmp mount point [ SUGGESTION ]
- Checking /var mount point [ SUGGESTION ]
- Query swap partitions (fstab) [ NONE ]
- Testing swap partitions [ OK ]
- Testing /proc mount (hidepid) [ SUGGESTION ]
- Checking for old files in /tmp [ OK ]
- Checking /tmp sticky bit [ OK ]
- Checking /var/tmp sticky bit [ OK ]
- ACL support root file system [ ENABLED ]
- Mount options of / [ NON DEFAULT ]
- Mount options of /boot [ NON DEFAULT ]
- Disable kernel support of some filesystems
- Discovered kernel modules: cramfs squashfs udf

[+] USB Devices
------------------------------------
- Checking usb-storage driver (modprobe config) [ NOT DISABLED ]
- Checking USB devices authorization [ ENABLED ]
- Checking USBGuard [ NOT FOUND ]

[+] Storage
------------------------------------
- Checking firewire ohci driver (modprobe config) [ NOT DISABLED ]

[+] NFS
------------------------------------
- Query rpc registered programs [ DONE ]
- Query NFS versions [ DONE ]
- Query NFS protocols [ DONE ]
- Check running NFS daemon [ NOT FOUND ]

[+] Name services
------------------------------------
- Checking default DNS search domain [ FOUND ]
- Searching DNS domain name [ FOUND ]
Domain name: vatoceweb.com
- Checking BIND status [ FOUND ]
- Checking BIND configuration file [ FOUND ]
- Checking BIND configuration consistency [ OK ]
- Checking BIND version in banner [ WARNING ]
- Checking /etc/hosts
- Checking /etc/hosts (duplicates) [ OK ]
- Checking /etc/hosts (hostname) [ OK ]
- Checking /etc/hosts (localhost) [ OK ]
- Checking /etc/hosts (localhost to IP) [ OK ]

[+] Ports and packages
------------------------------------
- Searching package managers
- Searching RPM package manager [ FOUND ]
- Querying RPM package manager
- YUM package management consistency [ OK ]
- Checking package database duplicates [ OK ]
- Checking package database for problems [ OK ]
- Checking missing security packages [ OK ]
- Checking GPG checks (yum.conf) [ OK ]
- Checking package audit tool [ INSTALLED ]
Found: yum-security
- Toolkit for automatic upgrades

[+] Networking
------------------------------------
- Checking IPv6 configuration [ ENABLED ]
Configuration method [ AUTO ]
IPv6 only [ NO ]
- Checking configured nameservers
- Testing nameservers
Nameserver: 127.0.0.1 [ OK ]
Nameserver: 213.136.95.11 [ OK ]
Nameserver: 213.136.95.10 [ OK ]
Nameserver: 2a02:c207::2:53 [ NO RESPONSE ]
- Getting listening ports (TCP/UDP) [ DONE ]
* Found 214 ports
- Checking promiscuous interfaces [ OK ]
- Checking status DHCP client [ NOT ACTIVE ]
- Checking for ARP monitoring software [ NOT FOUND ]

[+] Printers and Spools
------------------------------------
- Checking cups daemon [ NOT FOUND ]
- Checking lp daemon [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
- Postfix status [ RUNNING ]
- Postfix configuration [ FOUND ]
- Postfix banner [ WARNING ]
- Dovecot status [ RUNNING ]

[+] Software: firewalls
------------------------------------
- Checking iptables kernel module [ FOUND ]
- Checking iptables policies of chains [ FOUND ]
- Checking chain INPUT (table: nfilter, policy ACCEPT) [ ACCEPT ]
- Checking for empty ruleset [ OK ]
- Checking for unused rules [ FOUND ]
- Checking host based firewall [ ACTIVE ]

[+] Software: webserver
------------------------------------
- Checking Apache (binary /usr/sbin/httpd) [ FOUND ]
Info: Configuration file found (/etc/httpd/conf/httpd.conf)
Info: Found 126 virtual hosts
* Loadable modules [ FOUND (103) ]
- Found 103 loadable modules
mod_evasive: anti-DoS/brute force [ NOT FOUND ]
mod_reqtimeout/mod_qos [ FOUND ]
ModSecurity: web application firewall [ NOT FOUND ]
- Checking nginx [ NOT FOUND ]

[+] SSH Support
------------------------------------
- Checking running SSH daemon [ FOUND ]
- Searching SSH configuration [ FOUND ]
- SSH option: AllowTcpForwarding [ SUGGESTION ]
- SSH option: ClientAliveCountMax [ SUGGESTION ]
- SSH option: ClientAliveInterval [ OK ]
- SSH option: Compression [ SUGGESTION ]
- SSH option: FingerprintHash [ OK ]
- SSH option: GatewayPorts [ OK ]
- SSH option: IgnoreRhosts [ OK ]
- SSH option: LoginGraceTime [ OK ]
- SSH option: LogLevel [ SUGGESTION ]
- SSH option: MaxAuthTries [ SUGGESTION ]
- SSH option: MaxSessions [ SUGGESTION ]
- SSH option: PermitRootLogin [ SUGGESTION ]
- SSH option: PermitUserEnvironment [ OK ]
- SSH option: PermitTunnel [ OK ]
- SSH option: Port [ SUGGESTION ]
- SSH option: PrintLastLog [ OK ]
- SSH option: StrictModes [ OK ]
- SSH option: TCPKeepAlive [ SUGGESTION ]
- SSH option: UseDNS [ SUGGESTION ]
- SSH option: VerifyReverseMapping [ NOT FOUND ]
- SSH option: X11Forwarding [ SUGGESTION ]
- SSH option: AllowAgentForwarding [ SUGGESTION ]
- SSH option: UsePrivilegeSeparation [ OK ]
- SSH option: AllowUsers [ NOT FOUND ]
- SSH option: AllowGroups [ NOT FOUND ]

[+] SNMP Support
------------------------------------
- Checking running SNMP daemon [ NOT FOUND ]

[+] Databases
------------------------------------
- MySQL process status [ FOUND ]

[+] LDAP Services
------------------------------------
- Checking OpenLDAP instance [ NOT FOUND ]

[+] PHP
------------------------------------
- Checking PHP [ FOUND ]
- Checking PHP disabled functions [ FOUND ]
- Checking expose_php option [ ON ]
- Checking enable_dl option [ OFF ]
- Checking allow_url_fopen option [ ON ]
- Checking allow_url_include option [ OFF ]

[+] Squid Support
------------------------------------
- Checking running Squid daemon [ NOT FOUND ]

[+] Logging and files
------------------------------------
- Checking for a running log daemon [ OK ]
- Checking Syslog-NG status [ NOT FOUND ]
- Checking systemd journal status [ FOUND ]
- Checking Metalog status [ NOT FOUND ]
- Checking RSyslog status [ FOUND ]
- Checking RFC 3195 daemon status [ NOT FOUND ]
- Checking minilogd instances [ NOT FOUND ]
- Checking logrotate presence [ OK ]
- Checking log directories (static list) [ DONE ]
- Checking open log files [ DONE ]
- Checking deleted files in use [ FILES FOUND ]

[+] Insecure services
------------------------------------
- Installed inetd package [ NOT FOUND ]
- Installed xinetd package [ OK ]
- xinetd status [ NOT ACTIVE ]
- Installed rsh client package [ OK ]
- Installed rsh server package [ OK ]
- Installed telnet client package [ OK ]
- Installed telnet server package [ FOUND ]

[+] Banners and identification
------------------------------------
- /etc/issue [ FOUND ]
- /etc/issue contents [ WEAK ]
- /etc/issue.net [ FOUND ]
- /etc/issue.net contents [ WEAK ]

[+] Scheduled tasks
------------------------------------
- Checking crontab and cronjob files [ DONE ]

[+] Accounting
------------------------------------
- Checking accounting information [ NOT FOUND ]
- Checking sysstat accounting data [ NOT FOUND ]
- Checking auditd [ ENABLED ]
- Checking audit rules [ SUGGESTION ]
- Checking audit configuration file [ OK ]
- Checking auditd log file [ FOUND ]

[+] Time and Synchronization
------------------------------------
- NTP daemon found: chronyd [ FOUND ]
- Checking for a running NTP daemon or client [ OK ]

[+] Cryptography
------------------------------------
- Checking for expired SSL certificates [0/9] [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
- Checking presence AppArmor [ NOT FOUND ]
- Checking presence SELinux [ FOUND ]
- Checking SELinux status [ ENABLED ]
- Checking current mode and config file [ OK ]
Current SELinux mode: permissive
- Checking presence TOMOYO Linux [ NOT FOUND ]
- Checking presence grsecurity [ NOT FOUND ]
- Checking for implemented MAC framework [ OK ]

[+] Software: file integrity
------------------------------------
- Checking file integrity tools
- Checking presence integrity tool [ NOT FOUND ]

[+] Software: System tooling
------------------------------------
- Checking automation tooling
- Automation tooling [ NOT FOUND ]
- Checking presence of Fail2ban [ FOUND ]
- Checking Fail2ban jails [ ENABLED ]
- Checking for IDS/IPS tooling [ FOUND ]

[+] Software: Malware
------------------------------------
- Checking Rootkit Hunter [ FOUND ]
- Checking ClamAV scanner [ FOUND ]

[+] File Permissions
------------------------------------
- Starting file permissions check
/root/.ssh [ OK ]

[+] Home directories
------------------------------------
- Checking shell history files [ OK ]

[+] Kernel Hardening
------------------------------------
- Comparing sysctl key pairs with scan profile
- fs.protected_hardlinks (exp: 1) [ OK ]
- fs.protected_symlinks (exp: 1) [ OK ]
- fs.suid_dumpable (exp: 0) [ OK ]
- kernel.core_uses_pid (exp: 1) [ OK ]
- kernel.ctrl-alt-del (exp: 0) [ OK ]
- kernel.dmesg_restrict (exp: 1) [ DIFFERENT ]
- kernel.kptr_restrict (exp: 2) [ DIFFERENT ]
- kernel.randomize_va_space (exp: 2) [ OK ]
- kernel.sysrq (exp: 0) [ DIFFERENT ]
- kernel.yama.ptrace_scope (exp: 1 2 3) [ DIFFERENT ]
- net.ipv4.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.all.bootp_relay (exp: 0) [ OK ]
- net.ipv4.conf.all.forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.conf.all.mc_forwarding (exp: 0) [ OK ]
- net.ipv4.conf.all.proxy_arp (exp: 0) [ OK ]
- net.ipv4.conf.all.rp_filter (exp: 1) [ OK ]
- net.ipv4.conf.all.send_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv4.conf.default.accept_source_route (exp: 0) [ OK ]
- net.ipv4.conf.default.log_martians (exp: 1) [ DIFFERENT ]
- net.ipv4.icmp_echo_ignore_broadcasts (exp: 1) [ OK ]
- net.ipv4.icmp_ignore_bogus_error_responses (exp: 1) [ OK ]
- net.ipv4.tcp_syncookies (exp: 1) [ OK ]
- net.ipv4.tcp_timestamps (exp: 0 1) [ OK ]
- net.ipv6.conf.all.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.all.accept_source_route (exp: 0) [ OK ]
- net.ipv6.conf.default.accept_redirects (exp: 0) [ DIFFERENT ]
- net.ipv6.conf.default.accept_source_route (exp: 0) [ OK ]

[+] Hardening
------------------------------------
- Installed compiler(s) [ FOUND ]
- Installed malware scanner [ FOUND ]

[+] Custom Tests
------------------------------------
- Running custom tests... [ NONE ]

[+] Plugins (phase 2)
------------------------------------

================================================================================

-[ Lynis 2.7.4 Results ]-

Warnings (4):
----------------------------
! Multiple accounts found with same UID [AUTH-9208]
https://cisofy.com/lynis/controls/AUTH-9208/

! Found BIND version in banner [NAME-4210]
https://cisofy.com/lynis/controls/NAME-4210/

! Nameserver 2a02:c207::2:53 does not respond [NETW-2704]
https://cisofy.com/lynis/controls/NETW-2704/

! Found some information disclosure in SMTP banner (OS or software name) [MAIL-8818]
https://cisofy.com/lynis/controls/MAIL-8818/

Suggestions (43):
----------------------------
* Run pwck manually and correct any errors in the password file [AUTH-9228]
https://cisofy.com/lynis/controls/AUTH-9228/

* Configure minimum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/

* Configure maximum password age in /etc/login.defs [AUTH-9286]
https://cisofy.com/lynis/controls/AUTH-9286/

* Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328]
https://cisofy.com/lynis/controls/AUTH-9328/

* To decrease the impact of a full /home file system, place /home on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/

* To decrease the impact of a full /tmp file system, place /tmp on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/

* To decrease the impact of a full /var file system, place /var on a separate partition [FILE-6310]
https://cisofy.com/lynis/controls/FILE-6310/

* Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
https://cisofy.com/lynis/controls/STRG-1840/

* Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
https://cisofy.com/lynis/controls/STRG-1846/

* The version in BIND can be masked by defining 'version none' in the configuration file [NAME-4210]
https://cisofy.com/lynis/controls/NAME-4210/

* Consider using a tool to automatically apply upgrades [PKGS-7420]
https://cisofy.com/lynis/controls/PKGS-7420/

* Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP). [NETW-2704]
https://cisofy.com/lynis/controls/NETW-2704/

* Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
https://cisofy.com/lynis/controls/NETW-3032/

* You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (/etc/postfix/main.cf) [MAIL-8818]
https://cisofy.com/lynis/controls/MAIL-8818/

* Disable the 'VRFY' command [MAIL-8820:disable_vrfy_command]
- Details : disable_vrfy_command=no
- Solution : run postconf -e disable_vrfy_command=yes to change the value
https://cisofy.com/lynis/controls/MAIL-8820/

* Check iptables rules to see which rules are currently not used [FIRE-4513]
https://cisofy.com/lynis/controls/FIRE-4513/

* Install Apache mod_evasive to guard webserver against DoS/brute force attempts [HTTP-6640]
https://cisofy.com/lynis/controls/HTTP-6640/

* Install Apache modsecurity to guard webserver against web application attacks [HTTP-6643]
https://cisofy.com/lynis/controls/HTTP-6643/

* Consider hardening SSH configuration [SSH-7408]
- Details : AllowTcpForwarding (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : ClientAliveCountMax (3 --> 2)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : Compression (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : LogLevel (INFO --> VERBOSE)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : MaxAuthTries (6 --> 3)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : MaxSessions (10 --> 2)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : PermitRootLogin (YES --> (NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : Port (22 --> )
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : TCPKeepAlive (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : UseDNS (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : X11Forwarding (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/

* Consider hardening SSH configuration [SSH-7408]
- Details : AllowAgentForwarding (YES --> NO)
https://cisofy.com/lynis/controls/SSH-7408/

* Turn off PHP information exposure [PHP-2372]
- Details : expose_php = Off
https://cisofy.com/lynis/controls/PHP-2372/

* Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
https://cisofy.com/lynis/controls/PHP-2376/

* Check what deleted files are still in use and why. [LOGG-2190]
https://cisofy.com/lynis/controls/LOGG-2190/

* Removing the 1 package and replace with SSH when possible [INSE-8322]
https://cisofy.com/lynis/controls/INSE-8322/

* Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
https://cisofy.com/lynis/controls/BANN-7126/

* Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
https://cisofy.com/lynis/controls/BANN-7130/

* Enable process accounting [ACCT-9622]
https://cisofy.com/lynis/controls/ACCT-9622/

* Enable sysstat to collect accounting (no results) [ACCT-9626]
https://cisofy.com/lynis/controls/ACCT-9626/

* Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/lynis/controls/ACCT-9630/

* Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
https://cisofy.com/lynis/controls/FINT-4350/

* Determine if automation tools are present for system management [TOOL-5002]
https://cisofy.com/lynis/controls/TOOL-5002/

* One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
- Solution : Change sysctl value or disable test (skip-test=KRNL-6000:<sysctl-key>)
https://cisofy.com/lynis/controls/KRNL-6000/

* Harden compilers like restricting access to root user only [HRDN-7222]
https://cisofy.com/lynis/controls/HRDN-7222/

Follow-up:
----------------------------
- Show details of a test (lynis show details TEST-ID)
- Check the logfile for all details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

Lynis security scan details:

Hardening index : 68 [############# ]
Tests performed : 235
Plugins enabled : 0

Components:
- Firewall [V]
- Malware scanner [V]

Lynis modules:
- Compliance status [?]
- Security audit [V]
- Vulnerability scan [V]

Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat

================================================================================

Lynis 2.7.4

Auditing, system hardening, and compliance for UNIX-based systems
(Linux, macOS, BSD, and others)

2007-2019, CISOfy - https://cisofy.com/lynis/
Enterprise support available (compliance, plugins, interface and tools)

================================================================================

[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /usr/local/lynis/default.prf for all settings)
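
The SSH-7408 findings above each name a directive and the value Lynis wants for it. As an added example (my own shell script, not Lynis code and not anything posted in this thread), here is a small audit that checks an sshd_config file for those five directives. It applies the same rule sshd does (the first occurrence of a keyword wins) and stops at the first Match block, because directives after it are conditional. The sample config files, their contents and the paths are constructed for the demonstration; the Port suggestion is left out because Lynis gives no target value for it.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings Lynis test SSH-7408
# reported. "unset" means the compiled-in default applies; confirm those with
# `sshd -T` on the real host, which prints the effective configuration.

# sshd_value FILE KEYWORD -> first value set for KEYWORD (case-insensitive), or "unset"
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = "unset" }
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and blank lines
        tolower($1) == "match" { exit }            # rest of file is conditional
        tolower($1) == key     { found = $2; exit } # sshd honours the first occurrence
        END { print found }
    ' "$1"
}

# audit_sshd FILE -> prints OK/FIX per directive, returns the number of findings
audit_sshd() {
    file=$1
    fails=0
    # keyword, then the accepted values as an extended regex matched against the whole value
    while read -r key want; do
        have=$(sshd_value "$file" "$key")
        if printf '%s\n' "$have" | grep -Eqix "$want"; then
            printf 'OK   %-22s %s\n' "$key" "$have"
        else
            printf 'FIX  %-22s %s --> %s\n' "$key" "$have" "$want"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitRootLogin no|prohibit-password|without-password
TCPKeepAlive no
UseDNS no
X11Forwarding no
AllowAgentForwarding no
EOF
    return "$fails"
}

# Constructed sample resembling what Lynis reported above (not the poster's real file)
sample_weak_sshd_config() {
    cat <<'EOF'
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
TCPKeepAlive yes
UseDNS yes
X11Forwarding yes
AllowAgentForwarding yes
Match Address 192.0.2.0/24
    X11Forwarding no
EOF
}

# Constructed sample with the values Lynis suggests
sample_hardened_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin prohibit-password
TCPKeepAlive no
UseDNS no
X11Forwarding no
AllowAgentForwarding no
EOF
}

# Stand-alone demo: audit the weak sample, then the hardened one
demo_file=$(mktemp)
sample_weak_sshd_config > "$demo_file"
echo "== weak sample =="
audit_sshd "$demo_file" || echo "findings: $?"
sample_hardened_sshd_config > "$demo_file"
echo "== hardened sample =="
audit_sshd "$demo_file" && echo "findings: 0"
rm -f "$demo_file"
```

On a real host run `audit_sshd /etc/ssh/sshd_config`, check anything reported as unset against `sshd -T`, and validate an edited file with `sshd -t` before reloading the daemon.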
Wed, 05/01/2019 - 15:15
adamjedgar

Hi, I haven't read all of your logs above, I am on my mobile phone at present, however I can offer some sound advice that is applicable to any mail services... use a mail relay service such as SendGrid and route all server mail through that service.

You can link non-standard mail ports from your server too. So by not allowing port 25 (i.e. it's blocked in your firewall), most of the sending of spam emails from your system via port 25 will immediately come to a stone wall! So the object of the exercise is your system email links to SendGrid via a non-standard port, and then SendGrid spam filters sort the crap from the good and send out on standard mail ports for you so that mail is still received at the other end on standard ports. You can do this with all your outgoing mail ports.

This policy is enforced by some cloud service providers (e.g. Google Cloud) and although initially a bit frustrating as they block all mail ports except 2525, it's a good idea as eventually if you keep having the problem you have currently, your IP address will get blacklisted and then you're really stuffed when it comes to email deliverability.

I realise a lot of us are here because we want to do everything ourselves with vps, however sometimes it gets a bit overwhelming. This is a solution just to reduce that load and worry a bit.

Sendgrid offer daily emails up to a certain limit for free. Check them out at sendgrid.com

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Wed, 05/01/2019 - 17:29
Bassem

Please check:

maldet -a /
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(4595): {scan} signatures loaded: 15519 (12707 MD5 | 2035 HEX | 777 YARA |    0 USER)
maldet(4595): {scan} building file list for /, this might take awhile...
maldet(4595): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(4595): {scan} file list completed in 76s, found 648170 files...
maldet(4595): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(4595): {scan} scan of / (648170 files) in progress...
/usr/local/maldetect/internals/functions: line 934:  5490 Killed                     $nice_command $clamscan $clamopts --infected --no-summary -f $find_results > $clamscan_results 2>> $clamscan_log
maldet(4595): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/maldetect-current.tar.gz.1.1498429332 no longer exists.
maldet(4595): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/maldetect-current.tar.gz.21822298 no longer exists.
maldet(4595): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php or file /usr/local/maldetect/quarantine/md5v2.dat.2905318601 no longer exists.
maldet(4595): {scan} processing scan results for hits: 3 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php or file /usr/local/maldetect/quarantine/rfxn.hdb.2124823755 no longer exists.
maldet(4595): {scan} processing scan results for hits: 4 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/rfxn.yara.735028957 no longer exists.
maldet(4595): {scan} processing scan results for hits: 5 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php or file /usr/local/maldetect/quarantine/md5.dat.1940619033 no longer exists.
maldet(4595): {scan} processing scan results for hits: 6 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php or file /usr/local/maldetect/quarantine/hex.dat.177736417 no longer exists.
maldet(4595): {scan} processing scan results for hits: 7 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php or file /usr/local/maldetect/quarantine/rfxn.ndb.2735620310 no longer exists.
maldet(4595): {scan} processing scan results for hits: 8 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit php.gzbase64.inject or file /usr/local/maldetect/quarantine/gzbase64.inject.unclassed.1054818870 no longer exists.
maldet(4595): {scan} processing scan results for hits: 9 hits 0 cleaned
maldet(4595): {clean} could not find clean rule for hit r57shell_php_php or file /usr/local/maldetect/quarantine/chkrootkit.tar.gz.271783410 no longer exists.
maldet(4595): {scan} processing scan results for hits: 10 hits 0 cleaned
maldet(4595): {scan} scan completed on /: files 648170, malware hits 10, cleaned hits 0, time 1243s
maldet(4595): {scan} scan report saved, to view run: maldet --report 190502-0005.4595
Wed, 05/01/2019 - 18:59
Glock24

The most common reason spam is coming out of a server is because some user had a weak password and the spambots guessed or cracked it, and then they use that account to send spam.

Check the mail queue with mailq and see how many messages are there from a single account, then disable the offending account or change its password. Also empty the queue of the messages coming from the hijacked account.
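
To make those steps concrete, here is an added shell example (my own, not code from this thread or from Postfix) that summarises a mailq / postqueue -p listing by sender and extracts one sender's queue IDs in the form postsuper -d - accepts. The queue listing, the addresses and the queue IDs in it are constructed sample data, not the poster's queue.

```shell
#!/bin/sh
# Added example: find the sender dominating the Postfix queue and collect its
# queue IDs. Input is the output of `mailq` / `postqueue -p`: each message
# starts with a queue-ID line (ID, size, arrival time, sender), recipients
# follow indented, a trailing "*" marks an active message and "!" one on hold.

# queue_sender_counts < queue-listing -> "count sender", busiest first
queue_sender_counts() {
    awk '
        # a queue-ID line: alphanumeric ID (optionally marked * or !) plus size, date, sender
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && NF > 3 { c[$NF]++ }
        END { for (s in c) print c[s], s }
    ' | sort -rn
}

# queue_ids_for_sender SENDER < queue-listing -> bare queue IDs, one per line
queue_ids_for_sender() {
    awk -v s="$1" '
        $1 ~ /^[0-9A-Za-z]+[*!]?$/ && NF > 3 && $NF == s {
            sub(/[*!]$/, "", $1)   # strip the active/hold marker
            print $1
        }
    '
}

# delete_sender_from_queue SENDER: remove only that sender's messages.
# Runs against the live queue, so it needs root on the mail host; not run here.
delete_sender_from_queue() {
    postqueue -p | queue_ids_for_sender "$1" | postsuper -d -
}

# Constructed queue listing in mailq format (sample data)
sample_queue() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5F     4043 Wed May  1 21:59:21  bulk-sender@example.com
                                          one@example.net
                                          two@example.org

0F1E2D3C4B5*    4043 Wed May  1 21:59:21  bulk-sender@example.com
                                          three@example.net

9ABCDEF0123      812 Wed May  1 20:10:03  alice@example.com
(connect to mx.example.net[198.51.100.7]:25: Connection timed out)
                                          bob@example.net

-- 8 Kbytes in 3 Requests.
EOF
}

# Stand-alone demo on the sample listing
echo "== messages per sender =="
sample_queue | queue_sender_counts
echo "== queue IDs for bulk-sender@example.com =="
sample_queue | queue_ids_for_sender bulk-sender@example.com
```

On the server, `postqueue -p | queue_sender_counts` is the quick triage: one address with far more queued messages than the rest is the usual sign of a hijacked account. After disabling that account or changing its password, `postqueue -p | queue_ids_for_sender ADDRESS | postsuper -d -` (what delete_sender_from_queue wraps) removes only that account's messages and leaves legitimate mail queued.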

Thu, 05/02/2019 - 05:01
Bassem

These are the results, but the spam is still trying to send emails:

10 infected files were moved to the following location:

{HEX}php.gzbase64.inject.452 : /root/maldetect-current.tar.gz.1 => /usr/local/maldetect/quarantine/maldetect-current.tar.gz.1.1498429332
{HEX}php.gzbase64.inject.452 : /root/maldetect-current.tar.gz => /usr/local/maldetect/quarantine/maldetect-current.tar.gz.21822298
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /root/maldetect-1.6.4/files/sigs/md5v2.dat => /usr/local/maldetect/quarantine/md5v2.dat.2905318601
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /root/maldetect-1.6.4/files/sigs/rfxn.hdb => /usr/local/maldetect/quarantine/rfxn.hdb.2124823755
{HEX}php.gzbase64.inject.452 : /root/maldetect-1.6.4/files/sigs/rfxn.yara => /usr/local/maldetect/quarantine/rfxn.yara.735028957
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /root/maldetect-1.6.4/files/sigs/md5.dat => /usr/local/maldetect/quarantine/md5.dat.1940619033
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /root/maldetect-1.6.4/files/sigs/hex.dat => /usr/local/maldetect/quarantine/hex.dat.177736417
{YARA}Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php : /root/maldetect-1.6.4/files/sigs/rfxn.ndb => /usr/local/maldetect/quarantine/rfxn.ndb.2735620310
{HEX}php.gzbase64.inject.452 : /root/maldetect-1.6.4/files/clean/gzbase64.inject.unclassed => /usr/local/maldetect/quarantine/gzbase64.inject.unclassed.1054818870
{YARA}r57shell_php_php : /root/chkrootkit.tar.gz => /usr/local/maldetect/quarantine/chkrootkit.tar.gz.271783410
Thu, 05/02/2019 - 07:30
Bassem

I disabled all of my accounts on the server (domains) using the Virtualmin control panel and the spam is still working. Does this mean that the account files are fine, or does the spam script work regardless of account status?
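
Whether disabling the mailboxes can help depends on how the mail is entering Postfix, and the maillog records that. Here is an added shell example (my own, not from this thread) that tallies submissions by entry path: mail authenticated over SMTP appears as smtpd lines carrying sasl_username=, which a disabled or re-passworded mailbox stops, while mail injected by a local process appears as pickup lines carrying uid=, which no mailbox change affects. The log lines below are constructed; the sample assumes uid 48, the apache user on CentOS 7, so a tally dominated by `local uid=48` would mean a script running under the web server is sending regardless of account status.

```shell
#!/bin/sh
# Added example: classify how messages entered Postfix from maillog lines.
#   postfix/smtpd  ... sasl_username=USER : a mailbox account authenticated over SMTP
#   postfix/pickup ... uid=N from=<name>  : a local process called sendmail as uid N

# classify_submissions < maillog -> "count local uid=N" / "count sasl USER", largest first
classify_submissions() {
    awk '
        /postfix\/pickup\[/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^uid=/) c["local " $i]++
        }
        /postfix\/smtpd\[/ && /sasl_username=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^sasl_username=/) {
                    u = $i
                    sub(/^sasl_username=/, "", u)
                    sub(/,$/, "", u)          # drop a trailing comma if more fields follow
                    c["sasl " u]++
                }
        }
        END { for (k in c) print c[k], k }
    ' | sort -rn
}

# Constructed maillog excerpt (sample data, not the poster's log)
sample_maillog() {
    cat <<'EOF'
May  2 07:10:01 server1 postfix/pickup[2201]: 1A2B3C4D5E: uid=48 from=<apache>
May  2 07:10:01 server1 postfix/cleanup[2210]: 1A2B3C4D5E: message-id=<20190502071001.1A2B3C4D5E@server1.example.com>
May  2 07:10:01 server1 postfix/qmgr[1999]: 1A2B3C4D5E: from=<bulk-sender@example.com>, size=4043, nrcpt=50 (queue active)
May  2 07:10:05 server1 postfix/pickup[2201]: 6F7A8B9C0D: uid=48 from=<apache>
May  2 07:10:09 server1 postfix/pickup[2201]: 2E3F4A5B6C: uid=48 from=<apache>
May  2 07:11:30 server1 postfix/smtpd[2350]: 7D8E9F0A1B: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=info@example.com
May  2 07:11:42 server1 postfix/smtpd[2351]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
EOF
}

# Stand-alone demo on the sample log
echo "== submissions by entry path =="
sample_maillog | classify_submissions
```

Run `classify_submissions < /var/log/maillog` on the server and resolve any uid with `getent passwd UID`. If it is the web server user, the next place to look is the web content and the web access log at the matching timestamps. Note that the ten maldet hits listed above are all under /root in maldet's own tarball and signature files, which match their own signatures; they are not the sending script.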
