Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
I saw you were wondering why he is using SquirrelMail.
I'm thinking of setting up webmail for a corporate environment and I don't know what to use. Is there any problem with SquirrelMail? Are there better options for webmail?
Well, as I said, both nodes were sending spam. I could switch from one to another all day long, but because they share the /home directory where our users are stored, they both sent spam. I have already rebuilt the first machine and am getting ready to cut over to the next one. You have to remember that the way you think is far from the way an average person thinks... all they care about is that they aren't getting mail, and that's an issue; add 15k people complaining and then you'll get my situation.
I think you'll find a lot of people here can sympathize with your situation, but as an IT professional, you occasionally have to distinguish between what is right and what is expedient. And many of us recognize that the Big Boss Man can get in the way as well. Certainly having 15K people yelling about their email is a gigantic pain, and very unpleasant. But compare that to having to explain to 15K people that it is going to be a few weeks before their email is really back to normal because you've been blacklisted for spamming the planet and you have to try and get those blacklistings lifted.
I think more than anything, this highlights some shortcomings in how that system is set up. You might want to put a plan together for the Big Boss Man that outlines any tools needed and processes that need to be put in place so that the next time this happens, you're in a much better position to take care of it quickly.
Oh, and you did identify the hole that allowed the user account to be cracked, didn't you?
But what happens when those 15000 people find that their emails are being rejected because your mail servers are blacklisted?
How much business is lost by that?
Your boss does not seem to appreciate the level of things. Surely you could have dropped the mail servers for an hour and stuck up an urgent maintenance notice on your company website, or taken one down, restored your main OS backup, brought it back online and then done the same for the other server.
Ask your boss whether he'd be happy if the company had a name for being hackable and a good easy target for spammers. The company name is actually worth something, and will win or lose its owner business in today's world.
Heh, yeah, I did actually find the security hole: Red Hat came in to set up the server clusters and left our hosts.allow file blank, and the old administrator had an account called test with the password test.... I know I should have seen this, but it was overlooked by the 2 of us that are admins here, and it won't happen again.
You have to remember that the way you think is far from the way an average person thinks... all they care about is that they aren't getting mail, and that's an issue; add 15k people complaining and then you'll get my situation.
I know how such users think. I worked at Time Warner long ago; think about having your 15k users expanded to 400k plus users with cable TV thrown on top of their internet access. I know how such things worked, and I wouldn't have hesitated to yank that plug right when the issue was found or caught; trust me, I know all about making customers happy.
Yeah, it's not fun to be responsible for a server that has been compromised so your pain is felt.
If your user "test" was allowed ssh access from the world it is more than likely that you suffered from an automated brute force attack. Be sure to tighten down (on the fresh server) sshd (using PAM and sshd_config) so that only trusted users with good passwords are allowed access. That's a good start if you haven't already done or considered that.
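The two gaps named in this thread, an sshd that lets any local account try passwords from anywhere and a hosts.allow that was left blank, can both be checked before the rebuilt server goes back on the wire. The script below is an added example, not code from the thread or from any of the posters; it parses constructed sample files written to a temp directory, and the OpenSSH defaults it assumes for unset keywords (PasswordAuthentication yes, PermitRootLogin prohibit-password, MaxAuthTries 6) and the thresholds it applies are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config and the TCP-wrapper
# files for the weaknesses the posts above describe. Sample files are constructed.

# First effective value of keyword $2 in sshd_config $1. sshd honours the
# FIRST occurrence of a keyword, so a later "PasswordAuthentication no"
# does not override an earlier "yes". Conditional Match blocks are skipped.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0          { next }   # comments, blank lines
        /^[[:space:]]*[Mm]atch[[:space:]]/   { exit }   # rest is conditional
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# Print one line per weak setting in sshd_config $1; succeed only if clean.
# Unset keywords are judged by assumed OpenSSH defaults: yes / prohibit-password / 6.
audit_sshd_config() {
    f="$1"; n=0
    case "$(sshd_setting "$f" PasswordAuthentication)" in
        ""|[Yy]es) echo "$f: PasswordAuthentication is effectively yes (brute force against weak passwords will work)"; n=$((n + 1)) ;;
    esac
    case "$(sshd_setting "$f" PermitRootLogin)" in
        [Yy]es) echo "$f: PermitRootLogin yes"; n=$((n + 1)) ;;
    esac
    if [ -z "$(sshd_setting "$f" AllowUsers)" ] && [ -z "$(sshd_setting "$f" AllowGroups)" ]; then
        echo "$f: no AllowUsers/AllowGroups, so every account (including leftovers like 'test') may log in"; n=$((n + 1))
    fi
    tries=$(sshd_setting "$f" MaxAuthTries)
    if [ "${tries:-6}" -gt 3 ]; then
        echo "$f: MaxAuthTries ${tries:-6} (default 6) gives a guesser several tries per connection"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# TCP wrappers consult hosts.allow first, then hosts.deny, and GRANT access
# when neither matches: an empty hosts.allow ($1) restricts nothing unless
# hosts.deny ($2) carries a default-deny line. Succeeds only if it does.
audit_tcp_wrappers() {
    if grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$2"; then
        return 0
    fi
    echo "$2: no 'ALL: ALL' default deny; with hosts.allow=$1 every host is admitted"
    return 1
}

# --- constructed samples -------------------------------------------------
DEMO=$(mktemp -d)
WEAK_SSHD="$DEMO/sshd_config.weak"; HARD_SSHD="$DEMO/sshd_config.hardened"
WEAK_ALLOW="$DEMO/hosts.allow.weak"; WEAK_DENY="$DEMO/hosts.deny.weak"
HARD_ALLOW="$DEMO/hosts.allow.hardened"; HARD_DENY="$DEMO/hosts.deny.hardened"

cat >"$WEAK_SSHD" <<'EOF'
# constructed: stock-looking config with root login switched on
PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat >"$HARD_SSHD" <<'EOF'
# constructed: key-only, named group, tight retry budget
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
EOF
: >"$WEAK_ALLOW"; : >"$WEAK_DENY"                      # both blank, as in the thread
printf 'sshd: 10.0.0.0/255.0.0.0\n' >"$HARD_ALLOW"     # assumed trusted range
printf 'ALL: ALL\n' >"$HARD_DENY"

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    if audit_sshd_config "$f"; then echo "$f: ok"; fi
done
if ! audit_tcp_wrappers "$WEAK_ALLOW" "$WEAK_DENY"; then :; fi
if audit_tcp_wrappers "$HARD_ALLOW" "$HARD_DENY"; then echo "$HARD_DENY: ok"; fi
```

The weak sample produces four findings and the hardened one none; note that the `PasswordAuthentication yes` inside the `Match User backup` block is deliberately ignored, since it only applies to that user. Run the functions against the real /etc/ssh/sshd_config, /etc/hosts.allow and /etc/hosts.deny on the freshly built node, and pair the sshd changes with PAM-side lockout and a sweep of /etc/passwd for leftover accounts like the test user.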
I just wanted to go back over what others have said.
You will have to rebuild this server
There is no way to keep using it without a complete rebuild.
I've seen this happen before, with people not wanting to rebuild or whatever after a hack. There is no way to 100% know everything that the hacker(s) did to the machine.
Agreed 100%
If the system has been compromised you may never know what all has been changed.