Linux - Server
This forum is for the discussion of Linux Software used in a server related context.
Unless you've done some serious checking into how your machine was compromised, you're just fooling yourself. None of the software on a compromised machine can be trusted. If you're counting on your logs to show you if spam is being sent, those may not be reliable. And by simply deleting the file you found, you may simply have tipped off the crackers that you were aware of them and they simply did a better job of hiding their tracks.
Quote:
I have also raised security level.
Just what does that mean? Have you actually taken any steps to find out if you were compromised and how?
Sorry if I'm coming across as harsh, but I'm seeing a ton of guesswork and handwaving here and precious few facts.
I also check if any mail is going out from my server and there is none, only the real one.
HangDog is right.
How are you "checking"?
As I said in post #2 you need a completely fresh install, with careful attention to security.
The fact that ps -al or any other commands you may try, don't return anything unexpected does NOT mean that there are unwelcome processes running. The attacker may have replaced the ps (or any other) command with a new one, that filters out any malicious activity.
There's a good possibility that you are still spamming the world (or worse), and have no idea that you are doing it.
Please, get a grip, wake up, recognise the severity of the problem and deal with it properly. Yes, this will be a lot of (unwelcome) work for you, but you need to learn how to secure an accessible server so this cannot happen again.
Deleting the odd malicious file will not help in the long run. The spammers are laughing at you. You think you have "canceled" the user who caused this, but he probably has a backdoor by now, and is using your system as he likes.
To understand this better, please google for "root kit".
Meanwhile, you should take your server down, and disconnect it from the internet. The reason: You may be hosting child-porn, drug money laundering and a lot of other unpleasantness. When the police come knocking at your door (because all this came from your server) you will find it difficult to explain yourself, especially as we have already asked you to disconnect it, and you have ignored these warnings.
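The post above makes the point that a trojaned `ps` can filter its own processes out of its output. One cheap cross-check an admin can run before deciding whether to trust the box is to list `/proc` directly (which a user-land replacement of `ps` cannot filter) and compare it with what `ps` reports. The script below is an added example, not something posted in this thread; the function names (`pids_from_proc`, `pids_from_ps`, `hidden_pids`, `scan`) and the `tolerated` parameter are my own. It only catches user-land hiding: a kernel-mode rootkit can hide from `/proc` too, which is why the advice above to treat the machine as untrusted still stands.

```python
"""Added example, not from the thread: cross-check /proc against ps.

A user-land rootkit that swaps in a trojaned /bin/ps can filter its own
processes out of ps output, but the kernel still exposes every live PID as
a /proc/<pid> directory. Listing /proc directly and comparing with what ps
reports is a cheap first screen. Caveat: a kernel-mode rootkit can hide
from /proc as well, so a clean result is not proof of a clean system.
"""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Every purely numeric directory name under /proc is a live PID."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by the (possibly replaced) ps binary."""
    out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_pids, ps_pids, tolerated=()):
    """Return, sorted, the PIDs the kernel exposes that ps did not report.

    Kept as a pure function over two snapshots so it can be exercised on
    constructed data; ``tolerated`` lists PIDs that are expected to differ.
    """
    return sorted((set(proc_pids) - set(ps_pids)) - set(tolerated))


def process_summary(pid, proc_root="/proc"):
    """Best-effort description of a PID from /proc (exe link and cmdline)."""
    try:
        with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmdline = "<unreadable>"
    try:
        exe = os.readlink(f"{proc_root}/{pid}/exe")
    except OSError:
        exe = "<unreadable>"
    return f"pid {pid}: exe={exe} cmdline={cmdline!r}"


def scan(rounds=3):
    """Take several paired snapshots and keep only PIDs hidden in every round.

    A PID that shows up once is almost always a short-lived process that
    exited between the two listings; one hidden in every round deserves a
    closer look with process_summary(). /proc is listed before ps runs, so
    the ps process itself appears only in the ps snapshot and is never flagged.
    """
    persistent = None
    for _ in range(rounds):
        found = set(hidden_pids(pids_from_proc(), pids_from_ps()))
        persistent = found if persistent is None else persistent & found
    return sorted(persistent)


if __name__ == "__main__":
    suspects = scan()
    if not suspects:
        print("no PIDs hidden from ps (user-land check only)")
    for pid in suspects:
        print(process_summary(pid))
```

Run it as root so every `/proc/<pid>/exe` link is readable. A second, independent check that costs nothing is to verify the process tools against the package database (`rpm -V procps-ng` on RPM systems, `debsums procps` on Debian-based ones), because a replaced `ps` shows up there as a changed file; both checks still rely on the local kernel and package tools being honest, which is exactly what an offline audit from a known-good boot medium removes from the equation.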
you need a completely fresh install, with careful attention to security.
With all due respect but without auditing a reinstall only provides temporary and shallow "safety" because there's no lessons learnt. IMNSHO this should be the second step:
Quote:
Originally Posted by Hangdog42
work your way through the CERT checklist to help you get a handle on what has happened.
With all due respect but without auditing a reinstall only provides temporary and shallow "safety" because there's no lessons learnt.
Agreed - I asked him to remove the possibly compromised disk for later forensic analysis.
What he seems to be doing is attempting to "tidy up" by deleting files, and removing users. I do not think he realises that he cannot trust his computer anymore.
If you check back a few incidents in Linux Security you'll see that with all these vulnerable app versions still in use a spammer essentially doesn't need root to send spam. But if he doesn't do any auditing, however, then I agree he should reinstall from scratch.
Ok, I found out that I installed the server from scratch for nothing.
The server's security was never compromised.
All it was is that someone uploaded a file to the forum which is PHP executable, and that file was copying SPAM to the mail queue folder.
I found that out when I installed the server and copied the forum to it, and mqueue was full of SPAM again; it made me crazy.
But then I found that script and deleted it, and after that I raised the security of the forum and of file uploads.
I have also installed the security MOD ctracker on the forum, which prevents that, but I enabled it because I didn't know that this file was for spamming. Now I will be more careful.
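The post above describes the actual cause: a file uploaded through the forum that was really PHP and queued spam into mqueue, and that survived the reinstall because the forum tree was copied back. A defender checking a restored upload directory wants to judge files by content, not by the extension the uploader chose. The script below is an added example, not code from this thread or from the forum software in question; `PHP_EXTENSIONS`, `looks_like_php`, `classify`, `scan_uploads` and `demo` are my own names, and the sample files in `demo()` are constructed.

```python
"""Added example, not from the thread: find PHP code hiding in a forum's
upload directory. A spam script uploaded through an attachment form often
carries a harmless-looking name, so the check looks at content (a PHP open
tag anywhere in the file) as well as at extensions the web server would hand
to the PHP interpreter.
"""
import os
import re

# Extensions commonly mapped to the PHP handler; adjust to the server config.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".phar"}

# `<?php` and the echo tag `<?=` start PHP code. The bare short tag `<?` is
# deliberately left out: it is off by default and matches binary data by chance.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def looks_like_php(data):
    """True when the bytes contain a PHP open tag anywhere, not just at offset 0:
    a script appended after a valid image header still has one."""
    return PHP_TAG.search(data) is not None


def classify(path, data):
    """Return the reasons a file is suspicious (empty list if none)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in PHP_EXTENSIONS:
        reasons.append("extension handled by PHP")
    if looks_like_php(data):
        reasons.append("contains PHP open tag")
    return reasons


def scan_uploads(root, max_bytes=4 * 1024 * 1024):
    """Walk an upload tree and return [(path, reasons)] for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # large attachments are read only up to max_bytes
            except OSError:
                continue
            reasons = classify(path, data)
            if reasons:
                findings.append((path, reasons))
    return findings


def demo():
    """Build a constructed upload directory and scan it (stand-alone run)."""
    import tempfile

    samples = {  # constructed sample files, not real uploads
        "avatar.gif": b"GIF89a\x01\x00\x01\x00\x00",
        "notes.txt": b"just text",
        # a PHP script tucked behind a JPEG header and an image extension
        "sig.jpg": b"\xff\xd8\xff\xe0" + b"<?php /* queues mail in a loop */ ?>",
        # an extension the PHP handler would execute, with PHP content
        "bulk.php5": b"<?= 'mail' ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sorted((os.path.basename(p), r) for p, r in scan_uploads(root))


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

Point `scan_uploads()` at the forum's attachment directory after a restore, before the web server is brought back up. The scan complements rather than replaces the configuration fix: the upload tree should never be served through the PHP handler at all (with Apache and mod_php, `php_admin_flag engine off` inside a `<Directory>` block for that path), because a file that is merely stored but never executed cannot write anything into mqueue.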
Ok, I found out that I installed the server from scratch for nothing.
No, you learned from it, or so I'd hope.
Quote:
Originally Posted by Blisk
The server's security was never compromised.
May be so, and besides I didn't say it was. But since you never returned to this thread to post audit info I'll take that as "just another statement", with all due respect of course.