Linux - Server
This forum is for the discussion of Linux software used in a server-related context.
First thing you should do is disconnect it from the internet. Please do that NOW, by unplugging the network cable(s).
Shut down your server.
Then you should put that disk aside for forensic analysis later (only ever mount it read-only and noexec).
Reinstall from scratch, to a new disk. Make sure you have applied all security updates.
Make sure you are not running any unnecessary services. Make sure passwords are strong.
Make sure ssh is secured with key-based authentication only.
Read up on security - many books, and lots on the web.
Rebuild everything, very carefully.
Try and find out what your mistake was, and do not repeat it.
You'll get more specific help to specific questions in the Security forum.
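Two of the steps above can be checked mechanically. The script below is an added example, not code from the thread: it prints the mount command that keeps the seized disk read-only and non-executable, and it tests whether an sshd_config permits key-based logins only (following sshd's rule that the first occurrence of a directive wins, and failing if a Match block re-enables passwords). The device name, mount point and config contents are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the rebuild advice above:
#  - forensic_mount_cmd: mount options for the old disk (printed, not run)
#  - sshd_key_only: does an sshd_config allow key-based logins only?
# Device names, paths and the sample config are placeholders.

FORENSIC_MOUNT_OPTS="ro,noexec,nosuid,nodev,noatime"

# Print the mount command for the seized disk: read-only, no executables,
# no setuid binaries, no device nodes, and no access-time updates.
forensic_mount_cmd() {
    printf 'mount -o %s %s %s\n' "$FORENSIC_MOUNT_OPTS" "$1" "$2"
}

# Exit 0 when the given sshd_config permits only key-based logins, 1 otherwise.
# sshd honours the FIRST occurrence of a keyword, so later duplicates are
# ignored here as well. Directives inside a Match block that re-enable
# password or keyboard-interactive logins make the check fail.
sshd_key_only() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (key == "challengeresponseauthentication")  # older spelling of the same knob
                key = "kbdinteractiveauthentication"
        }
        key == "match" { in_match = 1; next }              # everything after is conditional
        in_match {
            if ((key == "passwordauthentication" || key == "kbdinteractiveauthentication") && val == "yes")
                match_bad = 1
            next
        }
        !(key in seen) { seen[key] = val }                 # first occurrence wins, as in sshd
        END {
            # OpenSSH defaults apply when a directive is absent
            pw = ("passwordauthentication" in seen)       ? seen["passwordauthentication"]       : "yes"
            kb = ("kbdinteractiveauthentication" in seen) ? seen["kbdinteractiveauthentication"] : "yes"
            pk = ("pubkeyauthentication" in seen)         ? seen["pubkeyauthentication"]         : "yes"
            rl = ("permitrootlogin" in seen)              ? seen["permitrootlogin"]              : "prohibit-password"
            if (pw == "no" && kb == "no" && pk == "yes" && rl != "yes" && !match_bad) exit 0
            exit 1
        }' "$1"
}

# Demonstration on a constructed config (not a real server's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
EOF
if sshd_key_only "$demo_cfg"; then echo "sshd: key-based logins only"; else echo "sshd: passwords still accepted"; fi
rm -f "$demo_cfg"
forensic_mount_cmd /dev/sdb1 /mnt/evidence   # placeholder device and mount point
```

Run `sshd_key_only /etc/ssh/sshd_config` on the rebuilt host before reconnecting it; the mount line is what to use for the old disk on the analysis machine, never on the production server.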
There's a slight difference between a server being (ab)used for spamming and a breach of security. I think the OP first should check if the SMTP service is configured to be an FFA relay where it shouldn't be. Check your SMTP daemon's docs for relay settings and search for "spam relay check". You'll find a gazillion sites that can help you check, like http://www.abuse.net/relay.html.
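The relay check suggested above can also be done against the MTA's own configuration before testing from outside. The thread never names the mail server, so the added example below (not from the thread) assumes Postfix and reads a main.cf: it flags a mynetworks that trusts every client and a restriction list that grants relaying before, or without, reject_unauth_destination. It does not evaluate access maps or policy services, so a clean result is a first pass, not a proof.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Postfix; reads a main.cf and
# reports the two settings that most often turn a server into an open relay.
# Sample config contents below are constructed.

# Exit 0 if main.cf looks relay-safe, 1 (with reasons on stdout) otherwise.
postfix_relay_check() {
    awk '
        # 1 if a restriction list grants relaying before (or without) a relay check
        function unsafe_list(list,    n, i, t) {
            gsub(/,/, " ", list)
            n = split(list, t, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (t[i] == "reject_unauth_destination" || t[i] == "defer_unauth_destination") return 0
                if (t[i] == "permit") return 1     # unconditional permit reached first
            }
            return 1                               # no relay check at all
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]/ { if (cur != "") vals[cur] = vals[cur] " " $0; next }   # continuation line
        {
            eq = index($0, "=")
            if (eq == 0) next
            cur = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", cur)
            vals[cur] = substr($0, eq + 1)
        }
        END {
            bad = 0
            if ("mynetworks" in vals && vals["mynetworks"] ~ /(^|[[:space:],])(0\.0\.0\.0\/0|::\/0)([[:space:],]|$)/) {
                print "mynetworks trusts every client"; bad = 1
            }
            if ("smtpd_relay_restrictions" in vals && unsafe_list(vals["smtpd_relay_restrictions"])) {
                print "smtpd_relay_restrictions never rejects unauthorised relaying"; bad = 1
            }
            if ("smtpd_recipient_restrictions" in vals && unsafe_list(vals["smtpd_recipient_restrictions"])) {
                print "smtpd_recipient_restrictions permits before reject_unauth_destination (decisive on Postfix < 2.10)"; bad = 1
            }
            exit bad
        }' "$1"
}

# Demonstration on a constructed main.cf fragment (not a real server's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed main.cf fragment
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
EOF
if postfix_relay_check "$demo"; then echo "relay settings look sane"; else echo "open relay risk"; fi
rm -f "$demo"
```

On Postfix 2.10 and later smtpd_relay_restrictions decides relaying, so a permissive smtpd_recipient_restrictions is reported as a warning rather than ignored; on older releases it is the only list that matters.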
I found that there was a hidden file like BOGUS.amavis and something in the folder /var/mail.
This was some script; after I deleted it, spam stopped getting into the mqueue.
You should check your webmail software for updates, because most likely this is what spammers used to send spam. If you look at your logs you'll see that sender is apache@povej.net (I guess povej.net is your domain).
to see if there is a script running as apache user and delete it.
Then take a look at the scripts you're running in your webserver (webmail or any other PHP or Perl scripts) and see if there are any known vulnerabilities and how to patch them.
Taking a look at the apache logs will help you also to identify the offending script.
If you're finding new files being created on your machine, it seems highly likely you've been compromised and may not have any control over it anymore.
First, unplug it from the network. Please, for all of us, pull the network cable.
Second, work your way through the CERT checklist to help you get a handle on what has happened.
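The two posts above point at the same evidence: the Apache access log shows which script is being driven, and new files owned by or created for the web user show where it landed. The script below is an added example, not code from the thread; the log lines, paths and timestamps are constructed, and it assumes Apache's combined log format.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the log review suggested
# above: which path is being POSTed to, by which clients, and which files
# appeared after a known-good point in time. All sample data is constructed.

# Count POST requests per URL path (query string stripped) in Apache
# combined-format access logs, most hits first. A script abused to send
# spam typically receives many POSTs, often from a small set of client IPs.
post_counts() {
    awk '$6 == "\"POST" { sub(/\?.*/, "", $7); n[$7]++ }
         END { for (k in n) print n[k], k }' "$@" | sort -rn
}

# Path receiving the most POSTs (prints the path only).
top_post_path() {
    post_counts "$@" | head -n 1 | awk '{ print $2 }'
}

# Distinct client IPs that POSTed to a given path, sorted.
posting_ips() {
    path="$1"; shift
    awk -v p="$path" '$6 == "\"POST" { sub(/\?.*/, "", $7); if ($7 == p) ips[$1] = 1 }
                      END { for (ip in ips) print ip }' "$@" | sort
}

# Regular files under the given directories modified after REF, a file whose
# mtime marks the last known-good state (e.g. a package list saved at install).
files_newer_than() {
    ref="$1"; shift
    find "$@" -type f -newer "$ref"
}

# Demonstration on constructed data.
demo=$(mktemp -d)
cat > "$demo/access.log" <<'EOF'
203.0.113.7 - - [12/Mar/2008:02:14:01 +0100] "GET /webmail/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2008:02:14:09 +0100] "POST /webmail/plugins/upload.php?x=1 HTTP/1.1" 200 210 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Mar/2008:02:15:30 +0100] "POST /webmail/plugins/upload.php HTTP/1.1" 200 210 "-" "-"
198.51.100.9 - - [12/Mar/2008:02:15:31 +0100] "POST /webmail/plugins/upload.php HTTP/1.1" 200 210 "-" "-"
192.0.2.44 - - [12/Mar/2008:02:16:02 +0100] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
echo "POSTs per path:"; post_counts "$demo/access.log"
echo "top: $(top_post_path "$demo/access.log")"
echo "clients posting to it:"; posting_ips /webmail/plugins/upload.php "$demo/access.log"

mkdir "$demo/mail"
touch -t 200801010000 "$demo/mail/root"            # old, legitimate file
touch -t 200801020000 "$demo/known-good"            # reference timestamp
printf '#!/bin/sh\n' > "$demo/mail/BOGUS.amavis"    # constructed newer file, like the one the OP found
echo "files newer than reference:"; files_newer_than "$demo/known-good" "$demo/mail"
rm -rf "$demo"
```

On a real host, run these against a copy of the logs and the read-only mounted disk rather than the live system, and compare the flagged path against the web user's process list and the timestamps in the mail log.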