smtp auth spam problems with qmail on plesk?

by WanderingTechy June 14, 2014

Recently I have been getting quite a few spam problems where the spammers were using valid smtp auth accounts on my server.  They have either dictionary attacked the account or the password has leaked.

After quite a bit of hacking about I have come up with this single command (a long one) which will list any smtp_auth login that has been authorised from 10 or more different IP addresses (the `>= 10` test in the final awk). My logs rotate every 24 hours so I didn't need to filter by date.

THIS WORKS ON: CentOS 6.5 with Plesk 10.x installed using qmail. Your usage may vary.

cat /usr/local/psa/var/log/maillog | grep "smtp_auth" | awk '/logged in from/ {print $8"\t"$14}' | sort -u -k1 | awk '{ print $1 }' | sort | uniq -c |  sed -e 's/^[ \t]*//' | awk '$1 >= 10'

Before anyone comments that I have unnecessary cats and that there are better ways to do this: I want it done in clear, easy to understand stages so that when I come back to it later it is still readable. Don't use it if you don't like it :)

The first section cats the maillog and filters for lines containing smtp_auth. This gets us both failures and successes.

We then use awk to filter for successful logins ("logged in from") and extract the username and IP.

We then sort by column 1 and filter for uniqueness.

I then use awk to extract just the usernames with each login from each IP represented once.

I then sort and filter by unique usernames adding a count to the front.

Sed gets rid of the leading whitespace that uniq -c adds.

Awk lists only those usernames that have been seen from 10 or more IP addresses.

I will probably come back and explain this better at a later date and clean it up, but for now I need to get back to cleaning up.
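The same check written out in Python, as an added example that is not part of the post: it groups successful smtp_auth logins by user, counts distinct client IPs and flags users at or above a threshold. The sample log lines are constructed in the layout the one-liner's field positions ($8 and $14) imply; real Plesk/qmail logs may differ, so adjust LOGIN_RE if yours do.

```python
import re
from collections import defaultdict

# Constructed sample lines: user in field 8, "[ip]" in field 14, as the
# one-liner's awk assumes. Addresses are documentation ranges.
SAMPLE_MAILLOG = """\
Jun 14 08:01:02 srv smtp_auth: SMTP user alice@example.com : logged in from host1.isp.example [203.0.113.10]
Jun 14 08:02:03 srv smtp_auth: SMTP user alice@example.com : logged in from host1.isp.example [203.0.113.10]
Jun 14 08:03:04 srv smtp_auth: SMTP user bob@example.com : logged in from h1.example [198.51.100.1]
Jun 14 08:03:05 srv smtp_auth: SMTP user bob@example.com : logged in from h2.example [198.51.100.2]
Jun 14 08:03:06 srv smtp_auth: SMTP user bob@example.com : logged in from h3.example [198.51.100.3]
Jun 14 08:04:07 srv smtp_auth: SMTP user bob@example.com : FAILED: auth failure - password incorrect
"""

# Successful logins only: capture the user name and the bracketed client IP.
LOGIN_RE = re.compile(
    r"smtp_auth: SMTP user (\S+) : logged in from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def ips_per_user(log_text):
    """Map each smtp_auth user to the set of distinct IPs it logged in from."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            user, ip = m.groups()
            seen[user].add(ip)
    return seen


def suspicious_users(log_text, threshold=10):
    """(count, user) for users seen from at least `threshold` distinct IPs,
    highest count first; mirrors `awk '$1 >= 10'` in the pipeline."""
    counts = {u: len(ips) for u, ips in ips_per_user(log_text).items()}
    flagged = [(n, u) for u, n in counts.items() if n >= threshold]
    return sorted(flagged, reverse=True)


if __name__ == "__main__":
    # 10 fits a day of real traffic; 3 shows the effect on the small sample.
    for count, user in suspicious_users(SAMPLE_MAILLOG, threshold=3):
        print(f"{count}\t{user}")
```

Run it against a real log with `suspicious_users(open("/usr/local/psa/var/log/maillog").read())`; the repeated logins from one IP (alice) count once, as in the one-liner's `sort -u`.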

mod_fcgid: HTTP request length 132330 (so far) exceeds MaxRequestLen (131072)

by WanderingTechy May 27, 2014

If you get unusual errors when uploading a file via HTTP, check the error log. If you see this error message:

[Tue May 27 17:55:15 2014] [warn] [client 254.50.232.53] mod_fcgid: HTTP request length 132330 (so far) exceeds MaxRequestLen (131072), referer: http://www.example.com/

Add this to your /etc/httpd/conf.d/fcgid.conf

MaxRequestLen 15728640

This works on CentOS 6.X and should work on others. The default 128 KB limit can cause upload problems in software such as forums, WordPress and MediaWiki.

how to extract a list of domains from a plesk server

by WanderingTechy May 7, 2014

I need a list of domains to use in a script for rebuilding a DNS server.

This did the job.

mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa -Ns -e "select name from domains" > domains.txt

Track down an SMTP user login on plesk 9 Qmail install.

by WanderingTechy April 23, 2014

A client contacted me today to say he had received an email from his dedicated hosting provider stating that his server was sending out masses of spam.

To track down the smtp user responsible for this use the following command.

grep smtp_auth /usr/local/psa/var/log/maillog

Valid for qmail on Plesk 9 installs at least; it may work for qmail installs on other servers.

Unusual hack. WordPress htaccess redirect for search engines only.

by WanderingTechy September 19, 2013

I had a couple of clients complaining that their wordpress sites had been hacked.

I went to their site and saw nothing out of place. A quick check of their index.php file and database didn't show anything up, which is where they usually strike.

I requested further information at which point the clients finally mentioned that it was google that was saying the sites were compromised and showing pharmacy links.

With this new information I took a quick look at all the files in the site, looking for the most recently modified ones.

ls -lat

is your friend here.

This showed that the most recently modified files were
.htaccess
session.php
common.php

A quick look in the files showed the cause and the problem.

# Apache search queries statistic module
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond %{DOCUMENT_ROOT}/common.php -f
RewriteRule ^.*$    /common.php [L]
</IfModule>

The two PHP files were obfuscated using

eval(base64_decode(...........))

As you can see, the .htaccess file checks whether it is a search engine visiting and, if so, redirects to common.php, which pumps out the pharma pages/links.
If it is a normal visitor, i.e. you or me, it returns the proper page.

The effect of this is to push the targeted sites up the search rankings by appearing more popular than they actually are.  Google have caught onto this ploy and now tag the sites as compromised.

To fix this simply delete all three files and reset the ftp password.

In case you are wondering the users were compromised because they used weak FTP passwords.   They have been educated on this now and a new password difficulty test has been put in place with respect to choosing new passwords.

To do a server wide test for this hack use the following command.

find /var/www/vhosts/*/httpdocs/.htaccess -print | xargs grep -l "common.php"

Obviously change the path if it is different on your server (this one is for a plesk/Centos server)
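As an added example (not part of the post), a Python check that goes a step beyond grepping for common.php: it flags any RewriteRule whose preceding RewriteCond lines key on a search-engine User-Agent or Referer, which is the cloaking pattern in the .htaccess above. The crawler word list is an assumption; the test input is the post's own fragment.

```python
import re

# The .htaccess fragment from the post, embedded as sample input.
HTACCESS = """\
# Apache search queries statistic module
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond %{DOCUMENT_ROOT}/common.php -f
RewriteRule ^.*$    /common.php [L]
</IfModule>
"""

# Crawler names typically used to single out search engines (assumed list).
CRAWLER_WORDS = re.compile(r"google|bing|yahoo|msnbot|slurp|crawl|spider|robot", re.I)
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
CLIENT_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")


def find_cloaking_rules(htaccess_text):
    """Return (target, crawler_conditions) for each RewriteRule whose
    preceding RewriteCond block tests the User-Agent or Referer for crawlers.
    Conditions accumulate until the RewriteRule that consumes them."""
    hits, conds = [], []
    for line in htaccess_text.splitlines():
        m = COND_RE.match(line)
        if m:
            conds.append((m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            crawler_conds = [f"{var} {pat}" for var, pat in conds
                             if var.upper() in CLIENT_VARS and CRAWLER_WORDS.search(pat)]
            if crawler_conds:
                hits.append((m.group(2), crawler_conds))
            conds = []  # a RewriteRule consumes the conditions above it
    return hits


if __name__ == "__main__":
    for target, conds in find_cloaking_rules(HTACCESS):
        print(f"crawler-conditional redirect to {target}:")
        for c in conds:
            print("   ", c)
```

Feed it each .htaccess found under /var/www/vhosts/*/httpdocs/ to catch variants that use a file name other than common.php.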

Small Script to delete 1 or more emails from postfix queue

by WanderingTechy August 6, 2013

#!/usr/bin/perl
use strict;
use warnings;

# Pattern (case-insensitive) matched against every line of the queue
# listing, so it can be a sender, a recipient or just a domain.
my $regexp = shift || die "no email-address given (regexp-style, e.g. bl.*\@yahoo.com)!\n";

my @data = qx</usr/sbin/postqueue -p>;
my %Q;
my $queue_id = "";
for (@data) {
    # A queue entry starts with its ID, optionally flagged * (active) or ! (held)
    if (/^(\w+)(\*|\!)?\s/) {
        $queue_id = $1;
    }
    # Any line of the current entry matching the pattern marks it for deletion
    if ($queue_id) {
        if (/$regexp/i) {
            $Q{$queue_id} = 1;
            $queue_id = "";
        }
    }
}

# Swap the two open() lines to dry-run: prints the queue IDs instead of deleting
#open(POSTSUPER, "|cat") || die "couldn't open postsuper";
open(POSTSUPER, "|postsuper -d -") || die "couldn't open postsuper";

foreach (keys %Q) {
    print POSTSUPER "$_\n";
}
close(POSTSUPER);

I have this stored out of the system path in a file called "delfromq".

Some examples:

./delfromq "domainname.com"
./delfromq "MAILER-DAEMON"
./delfromq "full-email-address@domainname.com"

Sorry I can’t give credit for this script as I have had it for so long I forgot where I got it from.

Problem with php mail function bouncing emails back to postmaster.

by WanderingTechy August 6, 2013

A server I manage hosts around 200 sites, each owned by a different webmaster. A number of these have form-to-mail style scripts. A small problem is that the mailserver appears to be receiving emails from these scripts as anonymous@hostname.co.uk. When an invalid email address is given on the form, the bounces go back to postmaster@hostname.co.uk.

I was asked to fix the scripts to ensure that the bounces go back to the $from field.  Here is a quick fix.

Append -f followed by the bounce address to the mail() call as its fifth argument. For example change

This

mail($to, $subject, $message, $headers);

To this

mail($to, $subject, $message, $headers, "-f $bounceto");

Note the double quotes: inside single quotes PHP would pass the literal text -f $bounceto rather than the address. Because this fifth argument is handed to the sendmail command line, $bounceto should be validated as an email address (for example with filter_var and FILTER_VALIDATE_EMAIL) before it is used.

protect wp-login.php and wp-admin using htaccess on a dynamic IP

by WanderingTechy January 2, 2013

Please note, I did this using a Linux client on a Linux server. My desktop is Linux Mint and the server is CentOS. You can do it on Windows and OS X but I can't advise, sorry. This is a quick and dirty tutorial aimed at those familiar with command lines and server operation. You need SSH access to the server you are running your blog from.

The Problem:

My wordpress blog is getting blitzed with attempts on my wp-login.php file and wp-admin folder.  I want to block all access to these areas unless it is coming from my computer.

I tried a number of methods,  including but not limited to logging all attempts and adding them to my firewall or htaccess file.  This is an ongoing task and not suitable for long term use.

I am on a dynamic IP that changes each time I log into the computer.  So blocking by IP was not practical.  However….

I now use a combination of SSH to create a proxy, FoxyProxy to only use this proxy when navigating to my WordPress install, and htaccess to block all IPs except the server's IP.

The Solution:


Quick manual install of WordPress on Linux Mint.

by WanderingTechy December 24, 2012

This is just a quick run through.  I assume you have configured any vhosts and know your way around the command line.  It is written for a local install on Linux Mint.

cd to your working directory.
wget http://wordpress.org/latest.tar.gz
tar xvzf latest.tar.gz
mv wordpress/* .

The file ownerships are likely to be wrong, so:
chown -R username:groupname *

Now set up the database:

mysql -p
CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'Uvh786sAx$';
FLUSH PRIVILEGES;

Obviously change the directory, databasename, username and password to your own settings.

Now go to the vhost/folder in your browser where you have saved your WordPress install and click on "create a configuration file". Fill in the details as per the MySQL setup. Copy and paste the generated file into wp-config.php.

Follow the rest of the wizard.  That’s it.

Deleting emails from the postfix mailq by email address

by WanderingTechy July 6, 2012

To clean out some spam from the postfix mailq:

mailq | tail -n +2 | gawk 'BEGIN { RS = "" } /email@domain.com/ { print $1 }' | tr -d '*!' | postsuper -d -