Compromised server, help diagnose source

Discussion in 'Server Operation' started by labsy, Nov 6, 2020.

  1. labsy

    labsy Member

    Hi,
    my old Ubuntu 12.04 seems being compromised and used as MAIL RELAY or SPAM SOURCE. In mail log see a lot of outgoing (and incoming) mail, but most of them FROM and TO one of ISPConfig web users:
    Code:
    from=<[email protected]>.........
    Now, one very weird thing is, that I do not remember ever setting up SMTP server. I always gave instructions to my WEB customers on this server to use SMTP method of sending mail out, rather than default php sendmail, because it is not configured here for security reasons. But now I can see SMTP process listening on port 25:
    Code:
    lsof -i:25
    COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    master  6989 root   12u  IPv4  21159      0t0  TCP *:smtp (LISTEN)
    master  6989 root   13u  IPv6  21160      0t0  TCP *:smtp (LISTEN)
    [email protected]:/# ps 6989
      PID TTY      STAT   TIME COMMAND
     6989 ?        Ss     8:45 /usr/lib/postfix/master
    
    Is this the expected location of postfix in /var/lib/postfix directory?
    Ok, I blocked port 25 on firewall to prevent being blocked by ISP, but what to look for?
    How to find compromised files under user web285?
    I am not master of Linux, but still I can copy-paste quite well. Ideas?
     
  2. ahrasis

    ahrasis Well-Known Member

    Of course. 12.04 is too old and has not been in support for more than 3 years.

    And about your problem, please do OS upgrade to a supported version before asking for help because any support given may only be really useful if your server OS is fully supported.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    As a first step, you can use the free trial version from ISPProtect https://ispprotect.com/ to scan the whole /var/www directory.
     
    Th0m likes this.
  4. labsy

    labsy Member

    @till, thank you, very usefull tool, will consider buying if possible. Found a lot of malware, hacked PHP files, injected code...
    @ahrasis, no way to update this server. Tried at least twice, spent whole weekend with my hacked Linux geek friend, but too many things were not working, messed up settings, web sites...have over 300 customers there, and this would cause uncontrolable number of phone calls early monday morning...upgrade is no avail.
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If you are responsible for 300 customers, it is very irresponsible to run a system that old. Consider setting up a new ISPConfig system and migrate to that with the migration tool: https://www.ispconfig.org/add-ons/ispconfig-migration-tool/
    You can also use paid support to setup a new setup and help with migration ofcourse.
     
  6. ahrasis

    ahrasis Well-Known Member

    I understand the constraints to upgrade for some but do consider it thoroughly.
     

Share This Page