#1  
Old 1st March 2013, 14:36
msp
Member
 
Join Date: Aug 2011
Posts: 41
Thanks: 2
Thanked 2 Times in 2 Posts
RATS - remote admin tools

Hi

I have a few sites running on my ISPConfig3 (latest version to date) which have recently become infected with rats.

The rats have tried using postfix to send thousands of spam mails per hour. I have temporarily stopped postfix until I solve this problem.

So far it has been possible to remove the rats by hand, using a variety of methods. This is taking up a huge amount of time / brain space.

I have the ISPConfig manual, however I need more info about recommended file permissions.

My infected sites are running ModX Evo which I believe has had security issues which have been resolved, and I've updated to the latest version - but I'm still having problems.

The rats aren't doing anything malicious except spam attempts - AFAIK - but they are making me nervous.

My sites are using SuExec (set in ISPConfig web interface).

Permissions look like this:

Web root directories: 755
Web root files: 644

The above permissions are recursive, except there are a handful of directories that require write permissions by ModX e.g.

/web/assets/cache: 775
/web/assets/galleries: 775
/web/assets/images: 775

What should I be doing?
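An added example, not from the thread or from ISPConfig/ModX: a small Python audit that checks a web root against the permission scheme described above (755 directories, 644 files, a short allowlist of 775 directories) and also reports PHP files sitting inside those writable asset directories, which is where an injected script would have to land when everything else is read-only for the web user. Allowing 664 for files inside the writable directories, the extension list and the sample listing are assumptions.

```python
import os
import stat
# Modes from the post: 755 dirs, 644 files, allowlisted writable dirs 775. Assumption:
# files the server writes inside those dirs may be 664; world-writable is always flagged.
DIR_MODE, FILE_MODE, WRITABLE_DIR_MODE = 0o755, 0o644, 0o775
WRITABLE_DIR_FILE_MODES = (0o644, 0o664)
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")  # code that has no place in data dirs

def audit_entries(entries, writable_dirs):
    """entries: iterable of (relpath, st_mode, is_dir) -> list of (kind, relpath, detail)."""
    findings = []
    allow = tuple(d.strip("/") for d in writable_dirs)
    for relpath, mode, is_dir in entries:
        perms, rel = stat.S_IMODE(mode), relpath.strip("/")
        in_writable = any(rel == w or rel.startswith(w + "/") for w in allow)
        if is_dir:
            expected = WRITABLE_DIR_MODE if in_writable else DIR_MODE
            if perms != expected:
                findings.append(("dir_mode", rel, f"{perms:o} != {expected:o}"))
            continue
        if perms & stat.S_IWOTH:
            findings.append(("world_writable_file", rel, f"{perms:o}"))
        elif perms not in (WRITABLE_DIR_FILE_MODES if in_writable else (FILE_MODE,)):
            findings.append(("file_mode", rel, f"{perms:o} != {FILE_MODE:o}"))
        if in_writable and rel.lower().endswith(SCRIPT_EXTS):
            findings.append(("script_in_writable_dir", rel, "code in a data directory"))
    return findings

def scan_webroot(root, writable_dirs):  # walk a real web root (the site's /web dir) and audit it
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks pointing out of the web root
            entries.append((os.path.relpath(full, root), st.st_mode, stat.S_ISDIR(st.st_mode)))
    return audit_entries(entries, writable_dirs)

# Constructed sample listing (not taken from the thread) containing three problems.
SAMPLE_ENTRIES = [
    ("index.php", 0o100644, False),
    ("assets/images", 0o040775, True),
    ("assets/images/logo.png", 0o100664, False),
    ("assets/images/thumb.php", 0o100664, False),  # script where only data belongs
    ("manager", 0o040777, True),                    # world-writable directory
    ("manager/config.inc.php", 0o100666, False),    # world-writable file
]
MODX_WRITABLE = ["assets/cache", "assets/galleries", "assets/images"]
if __name__ == "__main__":
    print(*audit_entries(SAMPLE_ENTRIES, MODX_WRITABLE), sep="\n")
```

Run `scan_webroot("/path/to/site/web", MODX_WRITABLE)` against a live site as the site user; an empty list means the tree matches the scheme.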
  #2  
Old 2nd March 2013, 11:04
falko
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,740 Times in 2,575 Posts

If your system has really been infected, do a reinstall.

Did you check your system with chkrootkit and rkhunter?
  #3  
Old 3rd March 2013, 02:42
msp
Member
 
Join Date: Aug 2011
Posts: 41
Thanks: 2
Thanked 2 Times in 2 Posts
 

Thanks Falko

I have checked the rkhunter log files and couldn't find anything in the whole log file except for right at the end where it says:
System checks summary
=====================

File properties checks...
Files checked: 132
Suspect files: 1

Rootkit checks...
Rootkits checked : 244
Possible rootkits: 0

Applications checks...
All checks skipped

I can reinstall, but how do I prevent this from happening in the first place?

(Or is that a naive question?!)