Open relay caused by Plesk 10.4.4 update
Another great shout out to the boys at Plesk. Installing patch 10.4.4 turned my box into an open relay that allowed spammers to use my host to send junk email.
I started to see the following appear in the process list. We were also finding that emails that were legitimately being sent were taking ages to come through. I logged in, checked the process list, and was very surprised to see:
...  xinetd -stayalive -pidfile /var/run/xinetd.pid
...   \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
...   \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
...   \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
...   \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
...   \_ /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
...  qmail-send
...   \_ splogger qmail
...   \_ qmail-lspawn | /usr/bin/deliverquota ./Maildir
...   \_ qmail-rspawn
...   |   \_ /var/qmail/bin/qmail-remote.moved msa.hinet.net ljmbcc@yahoo.com.tw super.web1126@msa.hinet.net
...   |   \_ /var/qmail/bin/qmail-remote.moved pchome.com.tw ljmbcc@yahoo.com.tw 0929204890@pchome.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved ms3.hinet.net ljmbcc@yahoo.com.tw jacky.wu@ms3.hinet.net
...   |   \_ /var/qmail/bin/qmail-remote.moved live.co.uk co-operative.bank.plc.uk@co-op.account.aiert-wcc.cooperative4.host-8-coop.co
...   |   \_ /var/qmail/bin/qmail-remote.moved ms33.hinet.net ljmbcc@yahoo.com.tw aaba@ms33.hinet.net
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw s0925639306@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw t1014176@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw ce_0938468477@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved xuite.net ljmbcc@yahoo.com.tw dayaworks@xuite.net
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw moto231@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw a0932217273@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw a7824331@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw jolin1122kimo@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw mayeh888@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw sd1903@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw pink_ciw@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw kime20060719@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw eva7752@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw godhelll@yahoo.com.tw
...   |   \_ /var/qmail/bin/qmail-remote.moved yahoo.com.tw ljmbcc@yahoo.com.tw dunnini@yahoo.com.tw
...   \_ qmail-clean

Another symptom was that the secure log was registering loads of connects. You might get this on a busy server, but ours isn't.
tail -f /var/log/secure
Oct 15 13:04:14 s15427035 tcp-env[19544]: connect from 62.193.50.2 (62.193.50.2)
Oct 15 13:04:14 s15427035 tcp-env[19545]: connect from 177.0.160.130 (177.0.160.130)
Oct 15 13:04:14 s15427035 tcp-env[19546]: connect from 184.77.96.103 (184.77.96.103)
…

To cut a really long, boring story short, Plesk's 10.4.4 update added extra service definitions to /etc/xinetd.d:
cd /etc/xinetd.d
ls -l smtp*
-rw-r--r-- 1 root root 288 Oct 15 13:03 smtp_ok      // switch off
-rw-r--r-- 1 root root 397 Oct 15 10:50 smtp_psa
-rw-r--r-- 1 root root 290 Oct 15 13:03 smtps_ok     // switch off
-rw-r--r-- 1 root root 398 Oct 15 10:50 smtps_psa

The timestamps give it away: smtp_ok and smtps_ok were created at 13:03, and the secure log starts filling up a minute later, while the original Plesk smtp_psa and smtps_psa files date from earlier in the day.

Edit smtp_ok and smtps_ok and set the disable line (xinetd reads it as "disable = yes" inside the service's { ... } block) to "yes". If the line doesn't exist, create it.

Edit smtp_psa and smtps_psa and set the disable line to "no". If the line doesn't exist, create it.
When you have made the changes, restart xinetd:

/etc/init.d/xinetd restart

Next, clean up the queue. The first thing to do is stop qmail so it can't send any more of the junk mail that is already queued:
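The xinetd part of the fix as a script, added here as an example; it is not code from the original post or from Plesk. It sets the disable attribute in each service file, adding the line before the closing brace when it is missing (the case the post warns about), then checks that the *_ok services are off and the *_psa services are on before restarting xinetd. The file names are the ones the post lists; the "service name { attr = value }" layout is the standard xinetd format, and XINETD_DIR and the --apply switch are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: toggle xinetd "disable"
# lines for the Plesk smtp*/smtps* services and verify the result.
set -e

XINETD_DIR=${XINETD_DIR:-/etc/xinetd.d}   # assumed default; override for testing

# Print the current "disable" value of a service file (empty if the line is absent).
get_xinetd_disable() {
    awk '/^[ \t]*disable[ \t]*=/ { sub(/.*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Set "disable = yes|no": rewrite an existing line, or insert one just before
# the closing brace of the service block if there is none.
set_xinetd_disable() {
    f=$1
    val=$2
    case "$val" in
        yes|no) ;;
        *) echo "disable must be yes or no, got '$val'" >&2; return 1 ;;
    esac
    awk -v v="$val" '
        /^[ \t]*disable[ \t]*=/ { sub(/disable[ \t]*=.*/, "disable = " v); seen = 1 }
        /^[ \t]*}[ \t]*$/ && !seen { print "\tdisable = " v; seen = 1 }
        { print }
    ' "$f" > "$f.tmp"
    # Copy back over the original so owner and mode are preserved.
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Report any smtp service still in the wrong state: the *_ok files the update
# added must be disabled, the original *_psa files enabled. Returns 1 if so.
check_smtp_services() {
    dir=$1
    bad=0
    for f in "$dir"/smtp_ok "$dir"/smtps_ok; do
        if [ -f "$f" ] && [ "$(get_xinetd_disable "$f")" != yes ]; then
            echo "still enabled: $f"; bad=1
        fi
    done
    for f in "$dir"/smtp_psa "$dir"/smtps_psa; do
        if [ -f "$f" ] && [ "$(get_xinetd_disable "$f")" = yes ]; then
            echo "still disabled: $f"; bad=1
        fi
    done
    return "$bad"
}

# Apply the post's fix to every file present, then re-check.
apply_fix() {
    dir=$1
    for f in "$dir"/smtp_ok "$dir"/smtps_ok; do
        if [ -f "$f" ]; then set_xinetd_disable "$f" yes; fi
    done
    for f in "$dir"/smtp_psa "$dir"/smtps_psa; do
        if [ -f "$f" ]; then set_xinetd_disable "$f" no; fi
    done
    check_smtp_services "$dir"
}

# Only touch the live system when asked to; the check aborts the restart
# (via set -e) if any service is still wrong.
if [ "${1:-}" = "--apply" ]; then
    apply_fix "$XINETD_DIR"
    /etc/init.d/xinetd restart
fi
```

Run it as root with --apply, or point XINETD_DIR at a copy of the directory first to see what it would change. After the restart, confirm the relay is actually closed from a host outside your network: connect to port 25, EHLO, MAIL FROM an outside address and RCPT TO a domain the server does not host. A closed relay rejects that RCPT with a 5xx response; if it is accepted you are still relaying, whatever the xinetd files say.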
/etc/init.d/qmail stop

Now that we've sealed the hole left by the Plesk 10.4.4 patch, let's see how much mail we need to clean up:
/var/qmail/bin/qmail-qstat
messages in queue: 7589
messages in queue but not yet preprocessed: 0

I looked for ages trying to figure out how to delete mail from the qmail queue and there doesn't seem to be a way in the standard qmail tool set! So on to the internet, where I found Qmail-Remove. This tool deletes everything in the qmail queue, legitimate mail included, so a blanket delete is only safe when you are sure the queue is all junk. It has a couple of different options to delete only certain emails, but I'll leave that as an exercise for the reader. I knew that everything in the queue was junk, so I could do a blanket delete:
qmail-remove -d

Check it's all gone, then restart qmail:
/var/qmail/bin/qmail-qstat
messages in queue: 0
messages in queue but not yet preprocessed: 0

/etc/init.d/qmail start
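The flood of tcp-env connect lines in /var/log/secure was the first sign of trouble, and it is also the quickest way to confirm the fix took: the per-minute rate should drop right after the xinetd restart, and the busiest sources are the ones worth blocking at the firewall while the stragglers give up. This is an added example, not code from the original post; it summarises those connect lines, assuming the syslog layout shown above ("Mon DD HH:MM:SS host tcp-env[pid]: connect from NAME (IP)"). The sample log it writes is constructed here, built from the three lines the post shows plus a few made-up ones, and the LOG variable and --report switch are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: triage qmail-smtpd connect
# lines logged by tcp-env in /var/log/secure.
set -e

LOG=${LOG:-/var/log/secure}   # assumed default

# Constructed sample log (three lines from the post, three invented, one of
# them a non-SMTP line the filter must ignore). Writes to the path in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 15 13:04:14 s15427035 tcp-env[19544]: connect from 62.193.50.2 (62.193.50.2)
Oct 15 13:04:14 s15427035 tcp-env[19545]: connect from 177.0.160.130 (177.0.160.130)
Oct 15 13:04:14 s15427035 tcp-env[19546]: connect from 184.77.96.103 (184.77.96.103)
Oct 15 13:04:59 s15427035 tcp-env[19550]: connect from 62.193.50.2 (62.193.50.2)
Oct 15 13:05:02 s15427035 sshd[19560]: Accepted publickey for root from 10.0.0.5 port 50000 ssh2
Oct 15 13:05:10 s15427035 tcp-env[19561]: connect from 62.193.50.2 (62.193.50.2)
EOF
}

# Just the source IP (the parenthesised field) of every connect line.
connect_sources() {
    grep 'tcp-env\[[0-9]*\]: connect from ' "$1" \
        | sed -E 's/.*connect from [^ ]+ \(([^)]+)\).*/\1/'
}

# "COUNT IP" for the N busiest sources, busiest first.
top_connect_sources() {
    connect_sources "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" \
        | awk '{ print $1, $2 }'
}

# "COUNT Mon DD HH:MM" per minute, in the order the minutes appear in the log,
# so you can see the rate fall off after the xinetd restart.
connects_per_minute() {
    grep 'tcp-env\[[0-9]*\]: connect from ' "$1" \
        | awk '{ split($3, t, ":"); k = $1 " " $2 " " t[1] ":" t[2]
                 if (!(k in c)) order[++n] = k
                 c[k]++ }
               END { for (i = 1; i <= n; i++) print c[order[i]], order[i] }'
}

# Total connect lines in the file.
total_connects() {
    connect_sources "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--report" ] && [ -r "$LOG" ]; then
    echo "total connects: $(total_connects "$LOG")"
    echo "busiest sources:"; top_connect_sources "$LOG" 10
    echo "per minute:";      connects_per_minute "$LOG"
fi
```

Run it with --report against the real log (or LOG=/path/to/copy) once the relay is closed; connects from the busiest sources will keep arriving for a while because the spammers' bots do not know the door has shut, but they should now be refused rather than queued.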