Is my server hacked? Please help!

cohomology Member
edited October 2017 in General

I signed up with wholesaleinternet a few days ago and this morning, I got this abuse warning, which is quite surprising! I have no idea what happened. I have checked auth.log and exim4's main.log, but don't see anything suspicious at all.

For now, I have the exim4 service shut down, but is this enough? Thanks for looking and please help! I'm on Debian 8 64-bit BTW.

Server Suspended For Abuse Incident 3932
We have yet to receive a response. Please investigate, take any necessary actions, and reply back to this email with full resolution details within 24 hours to avoid termination of service for TOS violation.

Logs of emails:

28-Oct-2017 04:12:11 ACTION REQUIRED Incident ID: 3932 Abuse From: 173.208.XXX.XXX Client: 28008 Service: 119036
27-Oct-2017 04:11:55 Incident ID: 3932 Abuse From: 173.208.XXX.XXX Client: 28008 Service: 119036
27-Oct-2017 03:15:32 Spam complaint from UOL [1M0Ot5O1eF05g2r06Bx]

Copy of complaint:

Subject: Spam complaint from UOL [1M0Ot5O1eF05g2r06Bx]
Body:
This is an email abuse report for an email message received from IP 173.208.XXX.XXX on 11 Oct 2017
Arrival-Date: 11 Oct 2017
Source-IP: 173.208.XXX.XXX
Version: 1.0
User-Agent: UOL Feedback Loop 1.0
Feedback-Type: abuse

Received: from outbound-bu1.dca.untd.com (supportmail01.dca.untd.com [10.171.43.24])
by spamdesk02.dca.untd.com with SMTP id AABN9F4RFAPUNEYA
for eow-spam@livespamdesk.prod.untd.com (sender scanmail_failures@mua.nyc.untd.com);
Fri, 27 Oct 2017 01:10:13 -0700 (PDT)
Received: (qmail 32057 invoked by uid 514); 27 Oct 2017 08:10:13 -0000
X-Issue-Tag: .catch_spam_mail
Delivered-To: [email protected]
Received: from outbound-mail.dca.untd.com (webmail06.dca.untd.com [10.171.12.146])
by supportmail01.dca.untd.com with SMTP id AABN9F4NGABQHN4J
for spamdesk-spam@support.netzero.com (sender );
Fri, 27 Oct 2017 01:08:38 -0700 (PDT)
X-EOW-USER-IP: 68.201.35.9
Received: from mx05.vgs.untd.com (mx05.vgs.untd.com [10.181.44.35])
by maildeliver03.dca.untd.com with SMTP id AABN76NMDAHCVYYA
for (sender bounce-ckvdahkydlqbyhjjxbfzvlahwpvlcncbxshizigdlplbycqcgqlt@fax.todoingzoom.com);
Wed, 11 Oct 2017 07:57:39 -0700 (PDT)
Authentication-Results: mx05.vgs.untd.com; DKIM=PASS
Received-SPF: Pass
Received: from fax.todoingzoom.com (fax.todoingzoom.com [173.208.XXX.XXX])
by mx05.vgs.untd.com with SMTP id AABN76NMCAP4MB7J
for (sender bounce-ckvdahkydlqbyhjjxbfzvlahwpvlcncbxshizigdlplbycqcgqlt@fax.todoingzoom.com);
Wed, 11 Oct 2017 07:57:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector1; d=fax.todoingzoom.com;
h=from:Subject:Date:Message-ID:MIME-version:To:Content-type; [email protected];
bh=XswxefcbhCDEAUmAd9P4dLQHBzk=;
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=selector1; d=fax.todoingzoom.com;
from: =?utf-8?Q?=20=05=05=01=06=20=50=72=6f=4c=6f=6e=67=7a=20=03=05=06=04=20?= MustView-kpbmib@fax.todoingzoom.com
Date: Wed, 11 Oct 2017 10:56:41 -0400
X-Mailer: 242344851
Message-ID: ksViJqJ7NUXVZQpVMV_242344851@fax.todoingzoom.com
MIME-version: 1.0
To: X
Content-type: text/html
X-UNTD-BPF: 5543a71f3b3e2e02babae35aba871f3f8737cf332e7ef7bb2a7e2a87ab2ad3f7d37797abdf1adb139ab73acbfacaab6a8a5bb75bde133fdf8b9e1e8b5f1e6e1e8ea3aea36e6eeb
X-UNTD-BodySize: 135922
X-UNTD-SPF: Pass
X-UNTD-DKIM: PASS
X-ContentStamp: 85:42:2561338207
X-UNTD-Peer-Info: 173.208.201.214|fax.todoingzoom.com|fax.todoingzoom.com|bounce-ckvdahkydlqbyhjjxbfzvlahwpvlcncbxshizigdlplbycqcgqlt@fax.todoingzoom.com
X-UNTD-UBE:-1
Subject: Ref # [17dP95Tv0M1a22r]
X-Juno-Message-Id: 17dP95Tv0M1a22r06Bw
X-Other-threads: No
X-Thread-Count: 1
X-UNTD-SPAMDESK-TYPE: EOW-SPAM

Comments

  • Are fax.todoingzoom.com and todoingzoom.com your domains? If they are, you are probably hacked, or an open relay.

  • Maounique Host Rep, Veteran

    This might be a script in your sites if they allow upload or you run old versions of the scripts. They can be used as relays not only for spam but for other god-knows-what illegal stuff. It can also be a relay some other way, exploiting other things which allow execution, or a rootkit, but those are much less frequent than open relays and infected sites.

  • What day did you sign up? It looks like the email was originally sent on the 11th. Did you have service then? If not, it was probably the previous owner.

  • cohomology Member
    edited October 2017

    Thank you all for chiming in. Turns out, after reading the complaint more carefully, I had nothing to do with this bull$hit. The spam email was created on Oct 11 but I did not sign up with their service until Oct 24! They suspended my service b/o the previous owner's illegal activities. I was super mad about this suspension since my users were complaining about service being unavailable all day, but I could not do anything because I was stuck in a camping ground with no wifi during the weekend. I just made a big complaint to WSI and will see what they will do.

    I feel very lucky because I am able to prove my innocence this time. Had I signed up before Oct 11, I'd be screwed!

  • Yeah I figured this out and filed a big complaint to WSI!

    @clarity_64 said:
    What day did you sign up? It looks like the email was originally sent on the 11th. Did you have service then? If not, it was probably the previous owner.

  • @cohomology said:
    I signed up with wholesaleinternet

    Apparently, they did not even check if you were the abuser before suspending your service. BTW, thanks for your post; I almost bought 2 dedicated servers with them.
    Now I'll stay away from them.

  • MikeA Member, Patron Provider

    I think I saw somewhere (maybe LET, maybe WHT) that someone else had this same exact problem before, abuse from previous client.

  • Maounique Host Rep, Veteran

    It can happen with automated tools.

  • mikho Member, Host Rep

    The suspension is probably automated. Hetzner has a similar system where abuse reports are only handled by a human when you report back with what you have done to prevent it in the future.

  • Clouvider Member, Patron Provider
    edited October 2017

    @Maounique said:
    It can happen with automated tools.

    Awesome way to open up huge liability. Automated or not, OP can very likely demand damages paid in this scenario.

    That wouldn’t likely be limited by max SLA claim since it would be likely interpreted as negligence on their part.

  • AnthonySmith Member, Patron Provider

    They instantly suspended you on first complaint? Seems a bit harsh?

  • Maounique Host Rep, Veteran

    Clouvider said: Awesome way to open up huge liability.

    Sometimes they have to take up risks. I doubt they would do this on business plans if they have such a thing; I am sure their ToS is worded such that regular plans are for personal use and blah-blah...

    AnthonySmith said: They instantly suspended you on first complaint? Seems a bit harsh?

    It depends; in the case of hacking it is the reasonable thing to do. Also, the customer had only days of history, so it looked like a spammer in need of an IP.
    The more I think about it, the more I think this is somewhat automated with only minimal human supervision, such as: you get the report and have a button, suspend, open a ticket, etc. Suspending might have looked easier for someone, in the idea that the customer will open a ticket unless they knew they were spamming; the report was not read thoroughly either... Well, shit happens, people make mistakes; in "wholesale" it is the volume and percentage that matters...
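
The header check this thread converges on (did the message leave the IP before the service was the OP's, and is the originating hostname a domain the operator actually runs?), as an added example written for this edit, not code from the thread or from any provider's abuse tooling. It works on a constructed excerpt of the Received chain quoted above (IP masked as on the page, bounce address shortened, continuation lines indented so the headers parse); the service start date and the `my_domains` set are assumed inputs.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import NamedTuple, Optional

# Constructed sample: the two hops nearest the sender from the complaint quoted in the
# thread (IP masked as on the page, bounce address shortened, continuation lines indented).
COMPLAINT_HEADERS = """\
Received: from mx05.vgs.untd.com (mx05.vgs.untd.com [10.181.44.35])
  by maildeliver03.dca.untd.com with SMTP id AABN76NMDAHCVYYA
  for (sender bounce-x@fax.todoingzoom.com); Wed, 11 Oct 2017 07:57:39 -0700 (PDT)
Received: from fax.todoingzoom.com (fax.todoingzoom.com [173.208.XXX.XXX])
  by mx05.vgs.untd.com with SMTP id AABN76NMCAP4MB7J
  for (sender bounce-x@fax.todoingzoom.com); Wed, 11 Oct 2017 07:57:38 -0700 (PDT)
Date: Wed, 11 Oct 2017 10:56:41 -0400
"""

# "from <helo-name> (<rdns> [<ip>])" as written by the receiving MTA.
HOP_RE = re.compile(r"from\s+(\S+)\s+\([^\[]*\[([^\]]+)\]\)")

class Hop(NamedTuple):
    helo: Optional[str]   # name the sending host announced (None for qmail-style hops)
    ip: Optional[str]     # connecting IP as recorded by the receiver
    when: datetime        # receiver's timestamp for this hop

def originating_hop(raw_headers: str) -> Hop:
    """Relays prepend Received headers, so the last one is the hop nearest the sender."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("complaint carries no Received headers")
    last = received[-1]
    when = parsedate_to_datetime(last.rsplit(";", 1)[-1].strip())
    m = HOP_RE.search(last)
    return Hop(m.group(1), m.group(2), when) if m else Hop(None, None, when)

def triage(raw_headers: str, service_start_iso: str, my_domains: set) -> dict:
    """Did the mail leave the IP before the service was yours, and is the host yours?"""
    hop = originating_hop(raw_headers)
    host = (hop.helo or "").lower()
    mine = any(host == d or host.endswith("." + d) for d in my_domains)
    predates = hop.when < datetime.fromisoformat(service_start_iso)
    if predates:
        verdict = "sent before your service started: previous tenant of the IP"
    elif mine:
        verdict = "your domain, your server: look for an open relay or a compromised site"
    else:
        verdict = "unknown domain sending from your IP: relay abuse or compromise"
    return {"origin_ip": hop.ip, "origin_host": hop.helo, "sent_at": hop.when.isoformat(),
            "predates_service": predates, "domain_is_mine": mine, "verdict": verdict}
```

With the OP's sign-up date of Oct 24 the verdict is "previous tenant of the IP"; the same headers against an earlier start date and a `my_domains` containing todoingzoom.com point at the operator's own host instead.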
