Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a website that I'm getting a lot of smtp traffic from.
Quote:
Originally Posted by /var/log/mail.info
Jan 12 12:26:35 mccrystal postfix/cleanup[57378]: EB60066211: hold: header Received: by mccrystal (Postfix, from userid 33)??id EB60066211; Tue, 12 Jan 2016 12:26:35 +0000 (UTC) from local; from=<adrienne_norris@mccrystal.co.za>
Jan 12 12:26:35 mccrystal postfix/cleanup[57378]: EB60066211: message-id=<49d0e2c45cfc2b4c03e3137bc7b597b2@mccrystal.co.za>
Jan 12 12:26:35 mccrystal postfix/pickup[57236]: EFACF66212: uid=33 from=<adrienne_norris@mccrystal.co.za>
Jan 12 12:26:35 mccrystal postfix/cleanup[57431]: EFACF66212: hold: header Received: by mccrystal (Postfix, from userid 33)??id EFACF66212; Tue, 12 Jan 2016 12:26:35 +0000 (UTC) from local; from=<adrienne_norris@mccrystal.co.za>
Jan 12 12:26:35 mccrystal postfix/cleanup[57431]: EFACF66212: message-id=<371220b3c366429d29fb198cfb7e2c6e@mccrystal.co.za>
I have been advised to shut it down and start afresh from backups.
How can I be sure that the new installation won't have just the same problems? Can I restore it on the same server? The server IP has been blacklisted and I'm reluctant to just make it somebody else' problem.
There are 2 websites on the server, one a Joomla 2.5 installation and the compromised website is a Joomla 3.0 site.
Is the domain itself blacklisted, or just the IP address? Getting rid of a blacklist infraction is harder than it's worth. I agree that you shut it down and start over again to be honest. And buy an SSL certificate for the new site.
I was able to locate the model43.php file which was in ~/public_html/wp-content/plugins/cache
I removed the 'wp-content' directory and it's contents (this is a Joomla installation). I also found thousands of html files in the root directory with names like "001320-Cartier-watches-xxxx.html", etc which I also removed.
I then rebooted.
I had expected that running the mailq command would show an empty queue, but it doesn't appear that there is any let up in the spam coming through.
However, the calling script is no longer referenced.
postcat -vq 73DC12BB17 gives:
Quote:
postcat: name_mask: all
postcat: inet_addr_local: configured 2 IPv4 addresses
postcat: inet_addr_local: configured 2 IPv6 addresses
*** ENVELOPE RECORDS active/73DC12BB17 ***
message_size: 691 625 2 0 691
message_arrival_time: Mon Jan 4 21:04:16 2016
create_time: Mon Jan 4 21:04:16 2016
named_attribute: log_ident=73DC12BB17
named_attribute: rewrite_context=local
sender: parrots@ca-pc.com
named_attribute: log_client_name=localhost
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=42576
named_attribute: log_message_origin=localhost[127.0.0.1]
named_attribute: log_helo_name=awcabcfb
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost
named_attribute: reverse_client_name=localhost
named_attribute: client_address=127.0.0.1
named_attribute: client_port=42576
named_attribute: helo_name=awcabcfb
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;xxxxxxx@yahoo.com
original_recipient: xxxxxxx@yahoo.com
recipient: xxxxxxx@yahoo.com
*** MESSAGE CONTENTS active/73DC12BB17 ***
regular_text: Received: from awcabcfb (localhost [127.0.0.1])
regular_text: by mccrystal (Postfix) with ESMTP id 73DC12BB17
regular_text: for <xxxxxxx@yahoo.com>; Mon, 4 Jan 2016 21:04:16 +0000 (UTC)
regular_text: Message-ID: 001a01c4f069$5535cf96$3916bb3a@parrots@ca-pc.com
regular_text: From: "Levitra Last" <parrots@ca-pc.com>
regular_text: To: xxxxxxx@yahoo.com
regular_text: Subject: Cialis Generic Levitra conventional
regular_text: Date: Mon, 4 Jan 2016 23:04:16 +0200
regular_text: MIME-Version: 1.0
regular_text: Content-Transfer-Encoding: quoted-printable
regular_text: Content-Type: text/plain; charset="UTF-8"
regular_text:
regular_text: http://zgjazb.com/sirree
regular_text: Cialis!
regular_text: Generic Levitra
regular_text: Generic Levitra is an FDa-approved oral prescription medication for the tre=
regular_text: atment of erectile dysfunction (ED) in men.
regular_text: Levitra Last
regular_text:
*** HEADER EXTRACTED active/73DC12BB17 ***
named_attribute: notify_flags=1
original_recipient: mailarch@localhost
done_recipient: mailarch@localhost
*** MESSAGE FILE END active/73DC12BB17 ***
I removed the 'wp-content' directory and it's contents (this is a Joomla installation). I also found thousands of html files in the root directory with names like "001320-Cartier-watches-xxxx.html", etc which I also removed.
I then rebooted.
I had expected that running the mailq command would show an empty queue, but it doesn't appear that there is any let up in the spam coming through.
That is why you MUST take that server offline!
There is not a single file that can be cleaned or removed. There are likley thousands and others which you have not yet identified which are capable of writing yet more...
So long as that machine remains online you will never clean it up and it will continue to delive SPAM.
Shut it down. If you need to do forensics then do them with it off line. Otherwise wipe it down, reinstall from the OS up and be sure that it is properly configured and uppdated before returning it to servce.
When you reinstall be sure to use and keep updated the Joomla frameworks, do not reuse backups until you have verified them to be clean (also somewhat difficult to do with certainty), and be sure the VPS is adequately protected by firewall and well considered configuration.
Wish there was another way but the advantage is to the SPAMMERS on today's internet.
THis identified 2 php scripts which I have removed.
I've brought the server back up and so far the mailq is within acceptable limits.
I'm going to keep a close eye on it, but it seems to be behaving. I'm not sure if this will obviate a need for a complete wipe, but so far it looks very hopeful.
THis identified 2 php scripts which I have removed.
I would be very surprised if that solves the problem, but do not want to seem overly negative.
Quote:
Originally Posted by cov
I've brought the server back up and so far the mailq is within acceptable limits.
I'm going to keep a close eye on it, but it seems to be behaving. I'm not sure if this will obviate a need for a complete wipe, but so far it looks very hopeful.
Define "acceptable limits"... is it still sending SPAM, but less than before? The only acceptable limit for a spambot is zero.
Just because it's not sending via your mail server doesn't mean it's not still sending spam (or being used for other purposes).
Without being VERY sure when/how it was compromised and EXACTLY what changes were made and that you have undone ALL of them and closed the original vector(s) I would still be VERY suspect of it.
One might imagine an insurance company not being pleased to discover the server their clients interact with is owned by "someone else".
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
