cyberpanel email hacked — CyberPanel - WebHosting Control Panel for OpenLiteSpeed

Somewhere is open and we can't close it.
I have been using cyberpanel 2.0.1 spam email for 1 year.
There are spam submissions from the server that we could not block for 3 days.
Accessing home / vmail folder.
Trying to create and send domain folders that are not on the server.
I'm waiting for your urgent help.

Comments

  • Cyberpanel is security audited. If you have been hacked then it's more likely from a script/plugin or simply even an easy-to-guess password.
    Cyberpanel Managed & Unmanaged Shared & VPS Hosting by Cyberpanel Experts.
    https://www.cyberhosting.org
    You can now earn with the Cyberhosting affiliate scheme. Join today
    https://www.cyberhosting.org/affiliates/
  • Use phpmailer and check all our websites. But we couldn't find it clear.
    We are waiting for your help.
  • my postfix configuration
    ----------------------------------
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    inet_protocols = all
    mydestination = localhost, localhost.localdomain
    unknown_local_recipient_reject_code = 550
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5

    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix3-3.5.3/samples
    readme_directory = /usr/share/doc/postfix3-3.5.3/README_FILES


    myhostname = ******* my servername****
    mynetworks = 127.0.0.0/8
    message_size_limit = 52428800
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1
    inet_interfaces = all
    smtp_tls_security_level = may
    smtpd_sender_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unknown_sender_domain
        reject_unknown_reverse_client_hostname
        reject_unknown_client_hostname
    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept
    header_checks = regexp:/etc/postfix/header_checks
    mailbox_size_limit = 1024000000
    meta_directory = /etc/postfix
    shlib_directory = /usr/lib/postfix
  • You need to check what and who is sending spam. You need to be actively looking at the maillog and using the tail command to see it in real time.

    Postfix config really has nothing to do with it. If your server has been compromised or you have a user on the account sending spam then the system will simply process the mail.
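Added example, not part of any post in this thread: one way to answer "what and who is sending" from the Postfix maillog is to join log lines on the queue ID and total the recipients per submission source, which separates a mailbox whose password is being used over SMTP AUTH from a local script calling sendmail. The sample log lines are constructed, the function name `recipients_by_source` is hypothetical, and short hexadecimal queue IDs are assumed.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (documentation address ranges).
SAMPLE_LOG = """\
Jul 21 07:21:01 srv postfix/smtps/smtpd[19901]: 4A1B2C3D4E: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Jul 21 07:21:01 srv postfix/qmgr[1210]: 4A1B2C3D4E: from=<info@example.com>, size=2210, nrcpt=40 (queue active)
Jul 21 07:21:03 srv postfix/pickup[1209]: 5B2C3D4E5F: uid=1003 from=<examp1234>
Jul 21 07:21:03 srv postfix/qmgr[1210]: 5B2C3D4E5F: from=<examp1234@srv.example.com>, size=1804, nrcpt=1 (queue active)
Jul 21 07:21:05 srv postfix/smtps/smtpd[19901]: 6C3D4E5F60: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Jul 21 07:21:05 srv postfix/qmgr[1210]: 6C3D4E5F60: from=<info@example.com>, size=2198, nrcpt=35 (queue active)
Jul 21 07:21:06 srv postfix/smtpd[19912]: 7D4E5F6071: client=mail.example.net[192.0.2.10]
Jul 21 07:21:06 srv postfix/qmgr[1210]: 7D4E5F6071: from=<bob@example.net>, size=900, nrcpt=1 (queue active)
"""

# Assumption: short (hexadecimal) queue IDs; long queue IDs need a wider pattern.
LINE = re.compile(r"postfix/(?:\w+/)?(smtpd|pickup|qmgr)\[\d+\]: ([0-9A-F]{6,}): (.*)")
SASL = re.compile(r"sasl_username=([^,\s]+)")
CLIENT = re.compile(r"client=\S*\[([^\]]+)\]")
UID = re.compile(r"uid=(\d+)")
NRCPT = re.compile(r"nrcpt=(\d+)")

def recipients_by_source(log_text):
    """Sum recipients per submission source, joining log lines on the queue ID."""
    origin, totals = {}, Counter()   # origin: queue ID -> who submitted it
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                 # connects, warnings, other daemons
        service, qid, rest = m.groups()
        if service == "smtpd":
            sasl, client = SASL.search(rest), CLIENT.search(rest)
            if sasl:                 # a mailbox password was used to submit
                origin[qid] = "sasl:" + sasl.group(1)
            elif client:             # unauthenticated SMTP, normally inbound mail
                origin[qid] = "smtp:" + client.group(1)
        elif service == "pickup":
            uid = UID.search(rest)
            if uid:                  # local sendmail call by that system user
                origin[qid] = "local-uid:" + uid.group(1)
        elif service == "qmgr":
            nrcpt = NRCPT.search(rest)
            src = origin.pop(qid, None)  # pop: a re-queued message counts once
            if nrcpt and src:
                totals[src] += int(nrcpt.group(1))
    return totals

if __name__ == "__main__":
    print(recipients_by_source(SAMPLE_LOG).most_common())
```

A dominant `sasl:` entry points at a mailbox whose password should be reset; a dominant `local-uid:` entry points at the website owned by that system user.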
  • Jul 21 07:20:53 srv postfix/smtpd[15825]: connect from unknown[46.38.150.191]
    Jul 21 07:20:54 srv postfix/smtps/smtpd[19854]: warning: hostname hosted-by.rootlayer.net does not resolve to address 185.222.57.216
    Jul 21 07:20:54 srv postfix/smtps/smtpd[19854]: connect from unknown[185.222.57.216]
    Jul 21 07:20:54 srv postfix/smtps/smtpd[19861]: warning: hostname hosted-by.rootlayer.net does not resolve to address 185.222.57.216
    Jul 21 07:20:54 srv postfix/smtps/smtpd[19861]: connect from unknown[185.222.57.216]
  • This is not hacked; this is connection attempts. You will see this on all servers.
  • Account: lscpd
    Uptime: 240 seconds


    Executable:

    /usr/local/lscp/fcgi-bin/lsphp


    Command Line (often faked in exploits):

    lsphp:/usr/local/CyberCP/public/rainloop/index.php


    Network connections by the process (if any):

    tcp: 127.0.0.1:36054 -> 127.0.0.1:143


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /tmp/.ZendSem.6VPDTb (deleted)
    /dev/null


    Is this comment normal?
  • Still waiting for you to provide solid evidence that your cyberpanel email has been hacked.

    Clearly you do not understand what logs and information you are reading.

    If you believe your server has been hacked then as I have stated before look at your scripts and website. That is where it would have occurred from.