RATS - remote admin tools

Discussion in 'Installation/Configuration' started by msp, Mar 1, 2013.

  1. msp

    msp Member

    I have a few sites running on my ISPConfig3 (latest version to date) which have recently become infected with rats.

    The rats have tried using postfix to send thousands of spam mails per hour. I have temporarily stopped postfix until I solve this problem.

    So far it has been possible to remove the rats by hand, using a variety of methods. This is taking up a huge amount of time / brain space.

    I have the ISPConfig manual, however I need more info about recommended file permissions.

    My infected sites are running ModX Evo which I believe has had security issues which have been resolved, and I've updated to the latest version - but I'm still having problems.

    The rats aren't doing anything malicious except spam attempts - AFAIK - but they are making me nervous.

    My sites are using SuExec (set in ISPConfig web interface).

    Permissions look like this:

    Web root directories: 755
    Web root files: 644

    The above permissions are recursive, except there are a handful of directories that require write permissions by ModX e.g.

    /web/assets/cache: 775
    /web/assets/galleries: 775
    /web/assets/images: 775

    What should I be doing?
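    A defender-side audit of the permission layout described above, added here as an example (it is not code from the thread, ISPConfig or ModX): it walks a web root, flags anything group- or other-writable outside the three ModX directories listed, and lists script files sitting inside those writable directories, since that is where dropped files tend to land. The demo tree, including the stray file x7.php, is constructed.

```python
"""Audit a web root against the 755/644 baseline in the post: flag anything writable by
group/other outside an allow-list of CMS-writable dirs, and script files inside those dirs."""
import os, stat, tempfile

BASELINE_DIR, BASELINE_FILE = 0o755, 0o644
GROUP_OTHER_WRITE = 0o022
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}
MODX_WRITABLE = frozenset({"assets/cache", "assets/galleries", "assets/images"})  # from the post

def audit_webroot(root, writable_ok=frozenset()):
    """Return a sorted list of (root-relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        dir_writable = bool(dmode & GROUP_OTHER_WRITE)
        if dir_writable and rel not in writable_ok:
            findings.append((rel, f"dir mode {dmode:o}, baseline {BASELINE_DIR:o}"))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink carries no permissions of its own
            fmode, relf = stat.S_IMODE(st.st_mode), os.path.relpath(path, root)
            if fmode & (GROUP_OTHER_WRITE | 0o111):  # writable or executable
                findings.append((relf, f"file mode {fmode:o}, baseline {BASELINE_FILE:o}"))
            if dir_writable and os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                findings.append((relf, "script file inside a writable directory"))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree (not a real site): the post's layout plus a stray .php and a 777 dir."""
    root = tempfile.mkdtemp()
    files = {"index.php": 0o644, "manager/index.php": 0o644,
             "assets/cache/x7.php": 0o644,  # constructed stray script in the writable cache dir
             "assets/images/logo.png": 0o644, "uploads/note.txt": 0o666}
    dirs = {"": 0o755, "assets": 0o755, "manager": 0o755, "assets/cache": 0o775,
            "assets/galleries": 0o775, "assets/images": 0o775, "uploads": 0o777}
    for relf, mode in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, relf)), exist_ok=True)
        open(os.path.join(root, relf), "w").close()
        os.chmod(os.path.join(root, relf), mode)
    for reld, mode in dirs.items():
        os.makedirs(os.path.join(root, reld), exist_ok=True)
        os.chmod(os.path.join(root, reld), mode)
    return root

if __name__ == "__main__":
    for path, reason in audit_webroot(build_demo_tree(), MODX_WRITABLE):
        print(f"{path}: {reason}")
```

    Point audit_webroot at the real web root instead of the demo tree; findings under assets/cache need review against a clean ModX install rather than blind deletion, since the CMS writes its own cache files there.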
  2. falko

    falko Super Moderator ISPConfig Developer

    If your system has really been infected, do a reinstall.

    Did you check your system with chkrootkit and rkhunter?
  3. msp

    msp Member

    Thanks Falko

    I have checked the rkhunter log files and couldn't find anything in the whole log file except for right at the end where it says:

    System checks summary

    File properties checks...
    Files checked: 132
    Suspect files: 1

    Rootkit checks...
    Rootkits checked : 244
    Possible rootkits: 0

    Applications checks...
    All checks skipped

    I can reinstall, but how do I prevent this from happening in the first place?

    (Or is that a naive question?!)