LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-08-2012, 08:57 AM   #31
jim.thornton
Member
 
Registered: May 2007
Posts: 326

Original Poster
Rep: Reputation: 17

Working on the components. It's a large task individually logging into each site to see which versions are installed and then what the newest version of the component is.

I have compressed all the logs you asked for (including the rotated logs). Same location, same credentials filename: logs.tgz
 
Old 11-08-2012, 09:02 AM   #32
jim.thornton
Member
 
Registered: May 2007
Posts: 326

Original Poster
Rep: Reputation: 17
FYI -- I think the solution that Noway2 gave was the fix. I have checked my messages and my system has not sent out any spam for 3 days! YAY!

The most recent pattern was sending out every other day 100 emails (maximum on my server) on the odd number: 1st, 3rd, 5th, etc. There was nothing sent on the 6th or 7th and none yet today. It might be too early to tell, but I think it is fixed.
 
Old 11-08-2012, 06:58 PM   #33
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
I've looked at Exim's mainlog and it's full of SMTP errors, the majority of which are linked to T="A comment has been posted" lines. A portion of these users managed to wedge in exactly the same amount of comments (and therefore errors) at exactly the same time and use email addresses that are in some cases linked to 1K IP addresses each. If Noway2's solution works then I'd be happy to leave it at that. You do have to put in some host hardening though.
 
Old 11-08-2012, 11:15 PM   #34
jim.thornton
Member
 
Registered: May 2007
Posts: 326

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by unSpawn
I've looked at Exim's mainlog and it's full of SMTP errors, the majority of which are linked to T="A comment has been posted" lines. A portion of these users managed to wedge in exactly the same amount of comments (and therefore errors) at exactly the same time and use email addresses that are in some cases linked to 1K IP addresses each. If Noway2's solution works then I'd be happy to leave it at that. You do have to put in some host hardening though.
I think Noway2's solution did work. I've now gone 3 full days without any spam messages.

What do you mean by host hardening? What do you suggest?
 
Old 11-09-2012, 07:26 AM   #35
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
- Disabling the com_mailto component (if that's what you did) was a good thing but wouldn't address other potentially problematic components.
- Using Captchas is a good thing too until somebody finds another way to exploit a vulnerability.
- Setting an email rate limit was a good thing too.

* Please review http://docs.joomla.org/Security_Checklist_7 and http://docs.joomla.org/Vulnerable_Extensions_List regularly.
* Research if there is a way to tap into PHPMailer / Joomla's JMail (in essence anything between PHP and the MTA) to generate an audit trail which in turn makes it easier to see who's doing what.
* Research anything that could help strengthen your MTA, after all most of the addresses used were known spam addresses.
* Have something alert you when the email volume goes up so you can take action immediately.
* Regularly scan the sites with tools like OpenVAS, LMD, the OWASP Joomla! Security Scanner or any equivalent tool.
* If you haven't, use fail2ban or equivalent. Some services like Dovecot and SSH experienced quite a bit of probing.
 
Old 11-09-2012, 08:46 AM   #36
jim.thornton
Member
 
Registered: May 2007
Posts: 326

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by unSpawn
- Disabling the com_mailto component (if that's what you did) was a good thing but wouldn't address other potentially problematic components.
- Using Captchas is a good thing too until somebody finds another way to exploit a vulnerability.
- Setting an email rate limit was a good thing too.

* Please review http://docs.joomla.org/Security_Checklist_7 and http://docs.joomla.org/Vulnerable_Extensions_List regularly.
* Research if there is a way to tap into PHPMailer / Joomla's JMail (in essence anything between PHP and the MTA) to generate an audit trail which in turn makes it easier to see who's doing what.
* Research anything that could help strengthen your MTA, after all most of the addresses used were known spam addresses.
* Have something alert you when the email volume goes up so you can take action immediately.
* Regularly scan the sites with tools like OpenVAS, LMD, the OWASP Joomla! Security Scanner or any equivalent tool.
* If you haven't, use fail2ban or equivalent. Some services like Dovecot and SSH experienced quite a bit of probing.
Awesome, thank you so much for the help:
1. I did not disable com_mailto because it stops anyone from being able to send mail. I will look into another component but lately I have been trying not to install as many components on sites because I'm finding that it is a lot of work keeping up with all of the upgrades.
2. I did install the captcha and that seems to be doing the trick with the other tweaks made.
3. I set the email rate but I'm going to need to make it slightly higher than 100 because that is just too low.
4. Will subscribe to the joomla sites you mentioned.
5. By strengthening MTA, since this all happened I activated RBLs in DA. Is that what you mean or should I look into something else too?
6. Not sure exactly what you mean by tap into PHPMailer. Because I'm running suPHP, the headers of the emails show the script used (which was Joomla's phpmailer.php) -- I found this out over the last day or so.
7. Is there anything that I can get that emails me everyday a summary of the emails that each user sent?
8. Will be setting up cron jobs for scanning.
9. I have apf & bfd running which through this process I tightened down. So, if there are more than 15 attempted logins for exim, dovecot, ftp, ssh, etc it will automatically ban the IP address. That is what fail2ban does, correct?
 
Old 11-09-2012, 10:11 AM   #37
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by jim.thornton
Awesome, thank you so much for the help
You're welcome. BTW, if you don't mind me asking, what are the odds of you becoming a Contributing Member after this?


Quote:
Originally Posted by jim.thornton
3. I set the email rate but I'm going to need to make it slightly higher than 100 because that is just too low.
Maybe you can look into (I mean do research about) ways to have more fine-grained control. For instance a business mainly sending out invoices is going to have different mail volume compared to say a sports team would generate with its fan site, management, mailing list, etc.


Quote:
Originally Posted by jim.thornton
5. By strengthening MTA, since this all happened I activated RBLs in DA. Is that what you mean or should I look into something else too?
Yes, that's what I mean.


Quote:
Originally Posted by jim.thornton
6. Not sure exactly what you mean by tap into PHPMailer. Because I'm running suPHP, the headers of the emails show the script used (which was Joomla's phpmailer.php) -- I found this out over the last day or so.
That's OK as long as its application isn't tied into one CMS product or module and as long as whatever it logs wherever it logs makes it easier to trace back activity.


Quote:
Originally Posted by jim.thornton
7. Is there anything that I can get that emails me everyday a summary of the emails that each user sent?
Either some of the tools Exim provides itself, Logwatch's Exim module or an MTA-agnostic reporting tool (see repos like EPEL, Sourceforge, Nongnu, Berlioz or The-Site-Formerly-Known-As-Freshmeat).


Quote:
Originally Posted by jim.thornton
9. I have apf & bfd running which through this process I tightened down. So, if there are more than 15 attempted logins for exim, dovecot, ftp, ssh, etc it will automatically ban the IP address. That is what fail2ban does, correct?
It does except it doesn't come with advertising-like blurbs that make claims I would have doubts about and it doesn't require a gazillion processes and configuration files. But if it works for you, OK, cool.
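The audit trail and volume alert unSpawn suggests in #35, and the per-user daily summary asked about in #37, can be built from Exim's own mainlog. The following is an added example, not code from the thread or from any tool named in it: it parses arrival lines (the U= field is the submitting account, which under suPHP is the site owner, and T= is the subject, logged when Exim's log_selector includes +subject), counts messages per user, ties "**" delivery failures back to the sender, and flags users over a daily limit. The log lines are constructed samples; user names, domains and the id format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Exim mainlog lines (not the thread's real logs).
# "<=" is a message arrival: U= the local submitting account, T= the subject.
# "**" is a failed delivery for the message id on the same line.
SAMPLE_MAINLOG = """\
2012-11-05 03:10:01 1TVlWk-0001aa-Qa <= siteuser@example.test U=siteuser P=local S=1821 T="A comment has been posted"
2012-11-05 03:10:01 1TVlWk-0001ab-Qb <= siteuser@example.test U=siteuser P=local S=1833 T="A comment has been posted"
2012-11-05 03:10:02 1TVlWk-0001ac-Qc <= siteuser@example.test U=siteuser P=local S=1830 T="A comment has been posted"
2012-11-05 03:10:02 1TVlWk-0001ab-Qb ** bad@spamtrap.test R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<bad@spamtrap.test>: 550 rejected
2012-11-05 09:15:44 1TVrDd-0002bb-Zz <= alice@example.test U=alice P=local S=3122 T="October invoice"
2012-11-05 09:15:45 1TVrDd-0002bb-Zz => bob@customer.test R=dnslookup T=remote_smtp H=mx.customer.test [192.0.2.10]
"""

ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+)(?: U=(?P<user>\S+))?'
                     r'.*?(?: T="(?P<subject>[^"]*)")?$')
FAILURE = re.compile(r'^\S+ \S+ (?P<id>\S+) \*\* ')

def summarise(log_text):
    """Per submitting user: messages sent, a Counter of subjects, and how
    many of that user's messages later logged a delivery failure."""
    per_user = defaultdict(lambda: {"sent": 0, "subjects": Counter(), "failed": 0})
    owner = {}  # Exim message id -> submitting user
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            user = m.group("user") or m.group("sender")
            owner[m.group("id")] = user
            per_user[user]["sent"] += 1
            per_user[user]["subjects"][m.group("subject") or "(no subject)"] += 1
            continue
        f = FAILURE.match(line)
        if f and f.group("id") in owner:
            per_user[owner[f.group("id")]]["failed"] += 1
    return dict(per_user)

def over_limit(summary, limit):
    """Users whose submitted-message count exceeds the per-day limit;
    this is the condition a daily cron job would alert on."""
    return sorted(user for user, s in summary.items() if s["sent"] > limit)

if __name__ == "__main__":
    report = summarise(SAMPLE_MAINLOG)
    for user, s in sorted(report.items()):
        top_subject, n = s["subjects"].most_common(1)[0]
        print(f'{user}: sent={s["sent"]} failed={s["failed"]} top subject={top_subject!r} x{n}')
    print("over limit:", over_limit(report, 2))
```

Run it from cron against the previous day's mainlog and mail the output; a burst of identical subjects with many failures from one account is the pattern described earlier in the thread.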
 
Old 11-09-2012, 10:23 AM   #38
jim.thornton
Member
 
Registered: May 2007
Posts: 326

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by unSpawn
You're welcome. BTW, if you don't mind me asking, what are the odds of you becoming a Contributing Member after this?
I would say at least a 20% chance... LOL --- I just contributed. Those are the cheapest computer diagnostic fees I think I will ever experience.

Quote:
Originally Posted by unSpawn
Maybe you can look into (I mean do research about) ways to have more fine-grained control. For instance a business mainly sending out invoices is going to have different mail volume compared to say a sports team would generate with its fan site, management, mailing list, etc.
I don't know if DA offers this capability. I will look into it. There may be a way to set it on a per-user basis as well.

Quote:
Originally Posted by unSpawn
That's OK as long as its application isn't tied into one CMS product or module and as long as whatever it logs wherever it logs makes it easier to trace back activity.
suPHP is run on the server. This locks the users to their own directories for running scripts and things. suPHP has been running all the way along, so if you feel that I need to set up better logging then I will look into that.

Quote:
Originally Posted by unSpawn
Either some of the tools Exim provides itself, Logwatch's Exim module or an MTA-agnostic reporting tool (see repos like EPEL, Sourceforge, Nongnu, Berlioz or The-Site-Formerly-Known-As-Freshmeat).
Will look into it.



Quote:
Originally Posted by unSpawn
It does except it doesn't come with advertising-like blurbs that make claims I would have doubts about and it doesn't require a gazillion processes and configuration files. But if it works for you, OK, cool.
 
Old 11-09-2012, 11:20 AM   #39
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
Thanks!

Quote:
Originally Posted by jim.thornton
I would say at least a 20% chance... LOL --- I just contributed.
From me and on behalf of LQ: thanks!
 
Old 11-09-2012, 11:21 AM   #40
jim.thornton
Member
 
Registered: May 2007
Posts: 326

Original Poster
Rep: Reputation: 17
Glad to support the site!

Question: How come my profile wasn't updated?
 
Old 11-09-2012, 01:00 PM   #41
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
I think you would get an email from Jeremy.
 
Old 11-13-2012, 09:48 AM   #42
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,311

Rep: Reputation: 2611
Quote:
Originally Posted by jim.thornton
Glad to support the site!

Question: How come my profile wasn't updated?
Much appreciated. Your profile has been updated.

--jeremy
 
  

