Website smtp compromised: what steps to take?
I have a website that I'm getting a lot of smtp traffic from.
Quote:
How can I be sure that the new installation won't have just the same problems? Can I restore it on the same server? The server IP has been blacklisted and I'm reluctant to just make it somebody else's problem. There are 2 websites on the server, one a Joomla 2.5 installation and the compromised website is a Joomla 3.0 site. The server is a VPS running Debian 7. |
Is the domain itself blacklisted, or just the IP address? Getting rid of a blacklist infraction is harder than it's worth. I agree that you should shut it down and start over again, to be honest. And buy an SSL certificate for the new site.
If you want to try, here is a concise guide to get it unblocked: http://whatismyipaddress.com/blacklist-removal Good luck! |
If I type 'mailq' I get a list of mail coming through:
Quote:
I removed the 'wp-content' directory and its contents (this is a Joomla installation). I also found thousands of html files in the root directory with names like "001320-Cartier-watches-xxxx.html", etc. which I also removed. I then rebooted. I had expected that running the mailq command would show an empty queue, but it doesn't appear that there is any let-up in the spam coming through. However, the calling script is no longer referenced. postcat -vq 73DC12BB17 gives: Quote:
|
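The mailq/postcat triage described in the post above, as an added example that is not part of the thread. It assumes the standard Postfix `mailq` listing format and PHP's `X-PHP-Originating-Script` header (only present when `mail.add_x_header = On` in php.ini); every piece of sample output, every hostname and address, and every queue ID other than 73DC12BB17 is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: triage a Postfix queue that a web
# application is abusing as a spam relay. The `mailq` and `postcat -vq`
# output below is CONSTRUCTED (hostnames, addresses and all queue IDs
# except 73DC12BB17 are made up); on a live host run the real commands.

SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
73DC12BB17     1843 Tue Jan 14 09:12:01  www-data@vps.example.invalid
                                         victim1@example.net

A1B2C3D4E5     1790 Tue Jan 14 09:12:03  www-data@vps.example.invalid
                                         victim2@example.org

F00DBEEF01      921 Tue Jan 14 09:15:40  root@vps.example.invalid
                                         admin@example.invalid

-- 4 Kbytes in 3 Requests.'

# Constructed `postcat -vq 73DC12BB17` excerpt. The X-PHP-Originating-Script
# header exists only when php.ini has mail.add_x_header = On; its value is
# "<uid>:<script path>", which is what points back at the sending script.
SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/7/73DC12BB17 ***
sender: www-data@vps.example.invalid
*** MESSAGE CONTENTS deferred/7/73DC12BB17 ***
Received: by vps.example.invalid (Postfix, from userid 33)
To: victim1@example.net
Subject: Discount watches
X-PHP-Originating-Script: 33:htdocs/example-dropper.php

Buy now.
*** HEADER EXTRACTED deferred/7/73DC12BB17 ***
*** MESSAGE FILE END deferred/7/73DC12BB17 ***'

# Queue-entry lines start with a hex queue ID (optionally flagged * or !),
# then the size; the envelope sender is the last field on that line.
queue_lines() {
  printf '%s\n' "$SAMPLE_MAILQ" | awk '/^[0-9A-F]+[*!]? +[0-9]+ /'
}

# Messages queued per envelope sender, most prolific first. Spam injected
# through a web application shows up as one bulk sender such as www-data.
count_by_sender() {
  queue_lines | awk '{ n[$NF]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Queue IDs belonging to one sender, for feeding into postcat or postsuper.
queue_ids_for_sender() {
  queue_lines | awk -v s="$1" '$NF == s { print $1 }'
}

# Pull the originating PHP script (uid:path) out of one message's postcat output.
originating_script() {
  printf '%s\n' "$SAMPLE_POSTCAT" |
    awk '/^X-PHP-Originating-Script:/ { sub(/^[^:]*: */, ""); print; exit }'
}

# Usage on the constructed data:
echo "queued messages per sender:"
count_by_sender
echo "queue IDs sent as www-data@vps.example.invalid:"
queue_ids_for_sender www-data@vps.example.invalid
echo "script that generated 73DC12BB17: $(originating_script)"
# On a live host the next step is to hold the bulk sender's messages
# (postsuper -h <queue-id>) so they stay on disk as evidence instead of
# being delivered, then inspect the script the header names.
```

Grouping the queue by envelope sender is what separates a compromised web application (one uid, thousands of messages) from a mail server that merely has a backlog; the originating-script header then ties a given queue ID to the file that generated it, which is the evidence worth preserving before anything is deleted.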
Quote:
There is not a single file that can be cleaned or removed. There are likely thousands, and others which you have not yet identified which are capable of writing yet more... So long as that machine remains online you will never clean it up and it will continue to deliver SPAM. Shut it down. If you need to do forensics then do them with it offline. Otherwise wipe it down, reinstall from the OS up and be sure that it is properly configured and updated before returning it to service. |
I've shut the postfix server down.
I don't want to shut the apache server down as it has other sites running on it. |
Quote:
It will be very difficult to reinstall the OS and all software while keeping apache running. |
Yes. It will, won't it? :(
Ok. I suppose it has to be done. |
Sorry to be the bearer of bad news...
When you reinstall be sure to use and keep updated the Joomla frameworks, do not reuse backups until you have verified them to be clean (also somewhat difficult to do with certainty), and be sure the VPS is adequately protected by firewall and well considered configuration. Wish there was another way but the advantage is to the SPAMMERS on today's internet. |
The site in question has a backup from early last year which I'm pretty certain is clean and I suspect it's the last time any changes were made.
The other sites *seem* to be clean without any suspicious files. |
Ok, I've downloaded and installed maldet:
https://www.rfxn.com/projects/linux-malware-detect/ This identified 2 php scripts which I have removed. I've brought the server back up and so far the mailq is within acceptable limits. I'm going to keep a close eye on it, but it seems to be behaving. I'm not sure if this will obviate a need for a complete wipe, but so far it looks very hopeful. |
Quote:
Please do monitor it closely and keep us updated. |
Just because it's not sending via your mail server doesn't mean it's not still sending spam (or being used for other purposes).
Without being VERY sure when/how it was compromised and EXACTLY what changes were made and that you have undone ALL of them and closed the original vector(s) I would still be VERY suspect of it. One might imagine an insurance company not being pleased to discover the server their clients interact with is owned by "someone else". |