Message-ID: <9sNM6oMuL9IWuCYpGUXyRI6hQRHS_k8vbQxZyCT1bADW4vLQnc62qA0weSH-NlAMmkcln9rhCMPmKepeQUOKAU69ihyfEIr-MxuEySzHTWg=@protonmail.com>
Date: Thu, 18 Dec 2025 15:42:19 +0000
From: Turritopsis Dohrnii Teo En Ming <teo.en.ming@...tonmail.com>
To: Linux Networking <netdev@...r.kernel.org>
Cc: "ceo@...-en-ming-corp.com" <ceo@...-en-ming-corp.com>
Subject: Re: Advanced Persistent Threat (APT) hackers had hacked into my Virtualmin Linux Virtual Private Server (VPS) on 15 Dec 2025 Monday around noon time

Hi guys,

It appears that my /etc/postfix/virtual configuration file was modified. I have no idea whether it was Advanced Persistent Threat (APT) hackers who modified it or something else on my Linux server modified it. But if it were Advanced Persistent Threat (APT) hackers, I am nowhere near as smart and intelligent as they are, for they are extremely good at hiding their tracks. I am clearly no match at all for Advanced Persistent Threat (APT) hackers. Apparently my /etc/postfix/virtual was modified to a breaking point after I had created a new email account "alerts@...-en-ming-corp.com" on 15 Dec 2025 Monday at around 12.29 PM Singapore Time. I was helping my client to configure email alerts in their Lenovo ThinkSystem SR530 server XClarity Controller when Gmail and their corporate email didn't work.

Now, here is what I have done on my Virtualmin Linux VPS to solve the problem (as advised by the community and generative AI).

Edit /etc/postfix/main.cf

I have removed the domains teo-en-ming.com and teo-en-ming-corp.com from the mydestination directive.

Now my FINAL mydestination looks like:

mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com

Save the changes to /etc/postfix/main.cf

Since my present /etc/postfix/virtual is not working, I have renamed it.

# cd /etc/postfix

# mv virtual virtual.notworking

I have decided to restore virtual.rpmsave which has a timestamp of 14 Dec 2022 (3 years ago).

# cp virtual.rpmsave virtual

# postmap /etc/postfix/virtual

# systemctl restart postfix

Now I have managed to solve the problem with the help and assistance of the folks at the Virtualmin community and elsewhere. Their help and assistance are deeply appreciated. Many thanks.

Now all of my email accounts hosted in the Virtualmin Linux VPS are able to receive emails.

Before solving the problem tonight / this evening, GMail used to send me Delivery Status Notification (Failure).

[QUOTE]
Message not delivered

Your message couldn't be delivered to ceo@...-en-ming-corp.com because the remote server is misconfigured. See the technical details below for more information.

The response from the remote server was:
554 5.7.1 : Relay access denied
[/QUOTE]

Thank you for all the help and advice, guys! The cause of the problem is with /etc/postfix/virtual and not /etc/postfix/main.cf. But I still have no idea who or what modified /etc/postfix/virtual that caused my Linux mail server to go down. I am no forensic expert.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Extremely Democratic People's Republic of Singapore
18 Dec 2025 Thursday 11.02 pm Singapore Time
On Thursday, December 18th, 2025 at 12:51 PM, Turritopsis Dohrnii Teo En Ming <teo.en.ming@...tonmail.com> wrote:

> 
> 
> Subject: Advanced Persistent Threat (APT) hackers had hacked into my Virtualmin Linux Virtual Private Server (VPS) on 15 Dec 2025 Monday around noon time
> 
> Good day from Singapore,
> 
> Today 17 Dec 2025 Wednesday around 12.30 PM, I was trying to use GMail (Google Mail) to send email to my email accounts hosted in Virtualmin Linux Virtual Private Server (VPS) (aka web hosting control panel). GMail reported the error "554 5.7.1 Relay access denied". This means that all of my email accounts hosted in Virtualmin Linux VPS could no longer receive emails.
> 
> Advanced Persistent Threat (APT) hackers must have hacked into my Virtualmin Linux VPS and changed my server configuration.
> 
> Webmin version: 2.520
> Virtualmin version: 7.50.0 GPL
> Operating system: AlmaLinux 9.6
> Usermin version: 2.420
> Authentic theme version: 25.20
> Linux Kernel and CPU: Linux 5.14.0-570.51.1.el9_6.x86_64 on x86_64
> 
> When I logged in to Roundcube Webmail, I noticed that I had stopped receiving emails with the email accounts hosted in Virtualmin Linux VPS since 15 Dec 2025 Monday around 12 noon Singapore Time.
> 
> When I checked /var/log/maillog in Virtualmin Linux VPS, I observed that I had started getting "554 5.7.1 Relay access denied" errors since 15 Dec 2025 Monday around 12.28 PM (for my email accounts hosted in Virtualmin Linux VPS).
> 
> Advanced Persistent Threat (APT) hackers must have hacked into my Virtualmin Linux VPS and changed my server configuration.
> 
> When I checked /etc/postfix/main.cf on my Virtualmin Linux VPS, Advanced Persistent Threat (APT) hackers had changed the following line to:
> 
> mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com
> 
> I had to change the above line back to:
> 
> mydestination = $myhostname, localhost.$mydomain, localhost, ns1.turritopsis-dohrnii-teo-en-ming.com, teo-en-ming.com, teo-en-ming-corp.com
> 
> And then restart Postfix daemon/service (systemctl restart postfix).
> 
> For Virtual Server teo-en-ming-corp.com in Virtualmin Linux VPS:
> 
> Advanced Persistent Threat (APT) hackers had changed my email account user's Login access to Database, FTP and SSH. I had to change it back to Database, Email, FTP and SSH.
> 
> Advanced Persistent Threat (APT) hackers had also changed "Primary email address enabled" to No. I had to change it back to Yes.
> 
> For Virtual Server teo-en-ming.com in Virtualmin Linux VPS:
> 
> Advanced Persistent Threat (APT) hackers had changed my email account user's Login access to FTP and SSH. I had to change it back to Email, FTP and SSH.
> 
> Advanced Persistent Threat (APT) hackers had also changed "Primary email address enabled" to No. I had to change it back to Yes.
> 
> After making all of the above changes, I am able to start receiving emails with my email accounts hosted in Virtualmin Linux VPS since 1.15 PM today 17 Dec 2025 Wednesday.
> 
> When I checked OpenSSH server logins and Virtualmin logins, only public IPv4 addresses belonging to me were present. There were no traces of Advanced Persistent Threat (APT) hackers gaining unauthorized entry into my Virtualmin Linux VPS at all. Of course, if they are Advanced Persistent Threat (APT) hackers, they must be very smart and intelligent (their intelligence quotient (IQ) surely way above mine) to remove all traces of their unauthorized intrusions into my Virtualmin Linux VPS.
> 
> How can I make a request to Advanced Persistent Threat (APT) hackers so that they will stop playing pranks on my Android (Linux) phones, home desktop computer, laptops, Virtualmin and Webmin Linux servers and other various numerous online accounts not secured with 2FA / MFA?
> 
> Please advise.
> 
> Thank you very much.
> 
> Regards,
> 
> Mr. Turritopsis Dohrnii Teo En Ming
> Extremely Democratic People's Republic of Singapore
> 17 Dec 2025 Wednesday 3.50 PM Singapore Time
> 
> 

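The thread above turns on one Postfix decision: an inbound recipient is accepted only if its domain falls into an address class Postfix knows (mydestination for local delivery, or virtual_alias_domains, which by default is every bare-domain key in the virtual(5) table), and a domain in neither class gets "554 5.7.1 Relay access denied" from an unauthenticated client. The following script is an added example, not code from the poster, from Postfix or from Virtualmin: it models that decision offline against constructed main.cf values and virtual-table text (example.com / example.org, a Virtualmin-style layout), so it runs with no Postfix installed. It shows the three outcomes a broken or healthy virtual table produces, and the warning Postfix logs when a domain is listed in both mydestination and virtual_alias_domains, which is what happens if the domains are added back to mydestination while the virtual table also declares them.

```python
"""Offline model of the Postfix recipient decision behind "554 5.7.1 Relay
access denied" versus local or virtual-alias delivery.

Added example; not code from the post, Postfix or Virtualmin.  It parses
main.cf-style values and virtual(5) table text, so it runs without Postfix.
All domains and table contents below are constructed.
"""
from dataclasses import dataclass, field


def parse_virtual_map(text: str) -> dict:
    """Parse postfix virtual(5) table text into {key: value}.

    Rules modelled: blank lines and lines beginning with '#' are ignored, a
    line beginning with whitespace continues the previous entry, and the
    first whitespace-separated token is the lookup key (lowercased).
    """
    entries, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace():                     # continuation line
            if last_key is not None:
                entries[last_key] = (entries[last_key] + " " + raw.strip()).strip()
            continue
        parts = raw.split(None, 1)
        last_key = parts[0].lower()
        entries[last_key] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def parse_list(value: str, myhostname: str, mydomain: str) -> set:
    """Split a main.cf list (commas and/or whitespace), expanding the two
    $variables that normally appear in mydestination."""
    expanded = value.replace("$myhostname", myhostname).replace("$mydomain", mydomain)
    return {tok.lower() for tok in expanded.replace(",", " ").split()}


@dataclass
class Verdict:
    code: str                 # SMTP status an unauthenticated sender would see
    reason: str
    warnings: list = field(default_factory=list)


def classify_recipient(rcpt, mydestination, virtual_map, *, virtual_alias_domains=None,
                       myhostname="mail.example.com", mydomain="example.com"):
    """Classify an inbound recipient from an untrusted client.

    Order modelled: mydestination first (local delivery), then
    virtual_alias_domains (default: the bare-domain keys of virtual_alias_maps).
    A domain in neither class is not ours; with no relay permission the
    client is told 'Relay access denied'.
    """
    local, domain = rcpt.lower().rsplit("@", 1)
    dest = parse_list(mydestination, myhostname, mydomain)
    if virtual_alias_domains is None:
        vdomains = {k for k in virtual_map if "@" not in k}
    else:
        vdomains = parse_list(virtual_alias_domains, myhostname, mydomain)

    warnings = []
    if domain in dest and domain in vdomains:
        # Postfix itself logs a warning with this wording for such a domain.
        warnings.append(f"do not list domain {domain} in BOTH mydestination and virtual_alias_domains")
    if domain in dest:
        return Verdict("250", f"{domain} is in mydestination: local delivery", warnings)
    if domain in vdomains:
        target = virtual_map.get(f"{local}@{domain}") or virtual_map.get(f"@{domain}")
        if target:
            return Verdict("250", f"virtual alias {rcpt} -> {target}", warnings)
        return Verdict("550 5.1.1", "Recipient address rejected: User unknown in virtual alias table", warnings)
    return Verdict("554 5.7.1", "Relay access denied", warnings)


# Constructed table in the layout Virtualmin-style setups use: a bare-domain key
# declares the virtual alias domain, user keys map to Unix mailbox accounts.
VIRTUAL_OK = """\
example.com          example.com
ceo@example.com      ceo.example
@example.com         ceo.example
example.org          example.org
alerts@example.org   alerts.example
"""
# The same table after example.org's lines were lost: every inbound message
# for that domain now meets a relay refusal instead of a delivery.
VIRTUAL_BROKEN = """\
example.com          example.com
ceo@example.com      ceo.example
"""
MYDESTINATION = "$myhostname, localhost.$mydomain, localhost, ns1.example.net"


def demo() -> dict:
    ok, broken = parse_virtual_map(VIRTUAL_OK), parse_virtual_map(VIRTUAL_BROKEN)
    return {
        "alerts_ok":         classify_recipient("alerts@example.org", MYDESTINATION, ok),
        "alerts_after_loss": classify_recipient("alerts@example.org", MYDESTINATION, broken),
        "unknown_user":      classify_recipient("nobody@example.org", MYDESTINATION, ok),
        "catch_all":         classify_recipient("nobody@example.com", MYDESTINATION, ok),
        "listed_twice":      classify_recipient("ceo@example.com", MYDESTINATION + ", example.com", ok),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        extra = f"  [warning: {v.warnings[0]}]" if v.warnings else ""
        print(f"{name:18} {v.code:10} {v.reason}{extra}")
```

On a real server the same two questions are answered by `postconf mydestination virtual_alias_domains virtual_alias_maps` and `postmap -q user@domain hash:/etc/postfix/virtual` (the lookup must return a value for the user key or a catch-all, and `postmap -q domain` for the bare-domain key); remember that Postfix reads the compiled `virtual.db`, so a `postmap` run is needed after any edit. For the "who changed it" question, the first check is `stat /etc/postfix/virtual /etc/postfix/virtual.db` and a comparison of their mtimes with the time the mailbox was created in Virtualmin, since Virtualmin writes this table when mail users are added; that comparison separates a control-panel write from an unexplained one before any intrusion hypothesis is needed.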