Server is sending spam

0 like 0 dislike
4 views
In the logs, munin noticed that the spool was accumulating a lot of emails and sendmail was frantically starting to send them; analysis showed that we are sending spam. For now we are getting by with clearing the queue, restarting sendmail and killing the perl process.

Passwords have been changed, and I ran anti-virus and rkhunter; nothing special showed up, and no suspicious files are visible on inspection. I don't know what to do; I can't manage to eradicate the infection.

What else can be done to find the ill-fated shell?

Server: CentOS
by

7 Answers

0 like 0 dislike
Ooh, I had a story too: when I found a file left behind on a hacked server, I started looking around.
I found an "IRC daemon"; digging through its settings, there was a login and password to log on to the IRC channel.
I joined and hung around for 2 days, and then it gave signs of life: I was kicked, but then in a PM he wrote something like, how did I get on this channel?
I said that a friend told me... I got kicked from the server; the next day I came in again, and this man gave a command to the bots, something like "Achtung! die all"; they all dropped off and I was left. He started talking in more detail; I said I came in via the IRC daemon, and he told me that he sells servers to spammers at 50-100 bucks a pop.
He is from Malaysia, and he told us how they got onto my server... said I had removed everything correctly. We said good-bye :)

And it was fun to watch him giving commands to the IRC bots...

PS: in the channel there were a maximum of 250 "servers".
by
0 like 0 dislike
The same situation happened half a year ago on a Debian server at home. Even the provider banned me for "viruses". I then shut sendmail down and only reinstalled it recently. So far there is no problem; maybe some update fixed it, or when I carried everything out I wiped the bad stuff.

By IP, by the way, it was Google's server somewhere closer to Australia, which is very surprising OO
by
0 like 0 dislike
You should have enlisted the support of your system administrator.

It is not necessary to hire someone on staff; there are many outsourcing offers. Cheap and cheerful, and you will be insured against such situations.

Nothing stops you from turning to one now and auditing the server. Google to help, and good luck!
by
0 like 0 dislike
We had an administrator, but he did not meet expectations, so now we are getting by without him for a while. A friend of one of the staff could not solve the problem so far either.
by
0 like 0 dislike
Usually a limit is put on the number of messages sent per day; these hosting bots rapidly lose interest.
by
0 like 0 dislike
First, you need to determine where the spam is being sent from. Either you have an open relay, or a vulnerability in the scripts is being used. Try looking at the sendmail logs or the http logs of nginx. The nginx logs are convenient to analyze by sorting the query string like this:
cat nginx_log | awk '{print $7}' | sort | uniq -c | egrep 'http|ftp'

egrep is there because, with vulnerabilities in scripts, queries can look like index.php?f=http://anydomain.tld/somefile.txt
by
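The log triage the answer above describes, carried a step further as an added example (not code from the original thread): it parses nginx combined-format access lines, percent-decodes query values, and counts requests whose parameter values are themselves URLs, the remote-file-inclusion pattern the answer points at. The log lines are constructed samples with documentation-range IPs and an .invalid domain.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample of nginx "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?f=http://example.invalid/somefile.txt HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?f=http%3A%2F%2Fexample.invalid%2Fsomefile.txt HTTP/1.1" 200 2048 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /gallery.php?img=ftp://example.invalid/x.gif HTTP/1.1" 200 99 "-" "curl/7.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "curl/7.0"
"""

# Client IP is the first field; the request line is the first quoted field: "METHOD target PROTOCOL".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# A parameter value that starts with a URL scheme is the remote-include pattern the answer describes.
URL_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def suspicious_params(log_text):
    """Return a Counter keyed by (path, parameter, client_ip) for query values that are URLs.

    Values are percent-decoded before matching, so an encoded 'http%3A%2F%2F'
    is caught even though a plain grep for 'http://' would miss it.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        client, _method, target = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; unquote again to cover double-encoded values
            if URL_SCHEME_RE.match(unquote(value)):
                hits[(parts.path, name, client)] += 1
    return hits


if __name__ == "__main__":
    for (path, param, client), n in suspicious_params(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {client:15s}  {path}?{param}=<url>")
```

Feed it a real access log instead of SAMPLE_LOG and the (path, parameter) pairs with the highest counts are the scripts to inspect first.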
