Apparently my server has been sending spam
| 2:17 pm on May 30, 2011 (gmt 0)|
I have a dedicated server that my hosting company today informed me they've received spam alerts from. I had an old installation of Elgg that I have now removed, but I was wondering if anyone knows of what steps I can take to investigate this further. Unfortunately I can't seem to locate my mail.log, but in a control panel (plesk) I have found a mail queue with a long list of failed emails. Some of them referenced the domain that had the Elgg installation, but lots of others just show MAILER-DAEMON@default-server-domain.com (default-server-domain here just references a default domain that came with the server).
A lot of these seem to be to the same address, I have googled the address but found nothing of interest. Does anyone know what else I can check to try and narrow this down? Or perhaps a way to create better logging (and/or move the logs to a new directory?)
If it helps I'm on Fedora
| 2:25 pm on May 30, 2011 (gmt 0)|
Had this happen once because of an old MailMan install, ugliness.
It's also possible you've been hacked, I would get off the box ASAP.
Not to mention sending email from your IP is now going to suck for weeks or months.
I'd get a new server ASAP, new IP, move your Plesk accounts over and make sure all your other software installed is updated like WordPress, Joomla, any of that hackable junk, and not waste time trying to do forensics on what happened.
| 2:55 pm on May 30, 2011 (gmt 0)|
Although I do have another server I can move my sites to, I would also like to try and find out what caused this issue. I am generally very security concious, and I would much rather identify a vulnerability and learn from it, then sweep it under the rug as it were. Thanks for taking the time to get back to me though. Sounds like if something has been compromised it's going to be a right royal pain.
On the flip side of this though, there were issues with the mail server at my hosts, and when it got fixed I did receive a massive influx of old emails, so it may be a false positive as it were
| 3:09 pm on May 30, 2011 (gmt 0)|
|On the flip side of this though, there were issues with the mail server at my hosts, and when it got fixed I did receive a massive influx of old emails, so it may be a false positive as it were |
I'm a security freak too but when push comes to shove, if I think I know what happened it's just easier to start fresh, clean slate, than scavenge a server looking for all the backdoors that a hacker could install. Fought that crap once, after a couple of days it was obvious there was something I couldn't find, so I just picked up and moved, been clean 5 years now.
Something you could've looked for upfront with netstat was the live connection feeding your server email, I would've blocked that IP range ASAP to stop them.
Did you check your history files? If you were hacked those are usually erased.
| 8:36 pm on May 30, 2011 (gmt 0)|
I would also suggest running a check at abuse.net to see if your mail server is open (I assume there is a mail server on the machine?).
Also check if FTP access has been compromised - viruses etc can be uploaded that way, especially if you allow third-party FTP access.
Other web-based virus entry points include SQL-injection - a major attack has been going on (again!) recently. Worth checking logs for this and seeing what the actions are. Also several php attacks going on, looking for virus injection/entry points (plesk is probably a target).
| 9:22 pm on May 30, 2011 (gmt 0)|
Check your server's IP on http://www.mxtoolbox.com/blacklists.aspx [mxtoolbox.com] (checks 147 block lists) to see what is out there as present blocks.
Some will disclose details of the source of the issue (helping in narrowing the compromise) and offer to recheck your IP and then de-list it. A few ask a fee for delisting or faster removal. This may be a consideration if you plan to reuse that IP in the future. If this is shared IP common to many virtual servers at that host the alert they received may be a small portion of the queue of spam. There may be multiple domains involved on that IP.
| 6:53 pm on May 31, 2011 (gmt 0)|
Thanks for all the tips. MxToolBox shows my server isn't blacklisted on any of those listed sites.
Lots of the mails seem to be failure messages from my own default mail account to the default account. There's still 1 address I'm not sure on but google isnt returning much, i'm hoping this isnt as bad as i first thought but will continue to monitor