Just wanted to ask you all for some advice about what to do about something that I noticed this morning. When checking my emails this morning I noticed that I had 20 or so permanent delivery failures for mails from myself as www-data to another email address saying:

"Boss, there was an injected target on cj13579.dyndns-server.com/blog/wp-admin/css/xml.php?x=ls&d=/var/www/blog/wp-admin/css/.ccs/&sort=0a by 18.104.22.168"

I went on my server and looked at this xml.php because I didn't recognise it and saw that its ownership was different from the other file ownership within this folder. I also noticed that the permissions were much more open than I hoped. xml.php actually turned out to be a binary file, and a quick Google search shows that Fx29Shell is a backdoor shell program for getting entry into systems. From what I can read, it seems as though they wanted to use my box for mail spamming.
My checks to see if they had succeeded were pretty rudimentary. My server can send mails via the mail command and I use my Gmail stuff as the gateway thing. A check of my sent mails showed all of the mails that had delivery folders. I *think* I might have escaped...
I have deleted the xml.php file and closed the permissions on these folders and others in my webserver directory. I also saw that I was running a relatively old version of Apache, so I have upgraded this in case they exploited a vulnerability in that to get in.
Additionally, I have updated ClamAV and have done a clamscan on the webserver directory, which came back with no infected files. I am currently running a scan on the rest of the box to confirm that nothing else is elsewhere.
Apart from these things, I would be interested to get people's opinions on what else I could do to tighten up security and/or ensure that nothing else on my system is infected.
I would also be interested to hear if anyone else has come across this issue.
Thanks in advance.
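The post found the dropped file by hand: a PHP file in wp-admin/css/ with a different owner, loose permissions and binary content, next to a hidden .ccs directory. The script below is an added example (not the poster's code) that turns those same file-level indicators into a repeatable audit of a web root, so the rest of the box can be checked the same way. The asset-directory names it treats as "static only" (css/, images/, uploads/), the expected-owner argument, and the sample tree it builds under mktemp are assumptions constructed for the example; on a real server you would point it at the web root and pass the account that should own the content (for instance www-data or the deploy user).

```shell
#!/bin/sh
# Added example, not the poster's script: audit a web root for the
# file-level indicators described in the post. Asset-directory names,
# the expected owner and the sample tree are assumptions/constructed.

# audit_webroot WEBROOT OWNER
# Prints one "TAG<TAB>path" line per finding. OWNER may be a name or a uid.
audit_webroot() {
    root="$1"
    owner="$2"

    # Files not owned by the account that should own the web content
    # (the post's xml.php had a different owner from its neighbours).
    find "$root" ! -user "$owner" | while read -r f; do
        printf 'OWNER_MISMATCH\t%s\n' "$f"
    done

    # Anything writable by "other" (mode 666/777 and the like): any local
    # account, including another compromised vhost, can modify it.
    find "$root" -perm -002 2>/dev/null | while read -r f; do
        printf 'WORLD_WRITABLE\t%s\n' "$f"
    done

    # Hidden directories below the web root (the post's .ccs).
    find "$root" -type d -name '.?*' 2>/dev/null | while read -r f; do
        if [ "$f" != "$root" ]; then
            printf 'HIDDEN_DIR\t%s\n' "$f"
        fi
    done

    # PHP files in directories that should only hold static assets
    # (assumed names; adjust to the site's layout).
    find "$root" -type f -name '*.php' \
        \( -path '*/css/*' -o -path '*/images/*' -o -path '*/uploads/*' \) \
        2>/dev/null | while read -r f; do
        printf 'PHP_IN_ASSET_DIR\t%s\n' "$f"
    done

    # PHP files containing non-printable bytes: an ASCII-only heuristic for
    # "turned out to be a binary file" (UTF-8 source will also trip it).
    find "$root" -type f -name '*.php' 2>/dev/null | while read -r f; do
        n=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf 'BINARY_PHP\t%s\n' "$f"
        fi
    done
    return 0
}

# Number of findings, convenient for cron/alerting.
audit_webroot_count() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree mirroring the post's layout (NOT a real web root).
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin/css/.ccs" "$d/wp-content/uploads"
    printf '<?php echo "home";' > "$d/index.php"
    printf 'body { margin: 0 }' > "$d/wp-admin/css/style.css"
    # Stand-in for the dropped binary: a few non-printable bytes.
    printf '\177ELF\001\002' > "$d/wp-admin/css/xml.php"
    # Normalise modes regardless of umask, then loosen only the planted file.
    find "$d" -type d -exec chmod 755 {} +
    find "$d" -type f -exec chmod 644 {} +
    chmod 666 "$d/wp-admin/css/xml.php"
    echo "$d"
}

# Stand-alone demo: everything is owned by the current user, so only the
# permission, hidden-directory, location and content checks fire here.
demo_root=$(build_sample_tree)
audit_webroot "$demo_root" "$(id -u)"
rm -rf "$demo_root"
```

Run against a real web root as `audit_webroot /var/www/blog www-data`; every tag is a lead to look at, not proof of compromise on its own, but a file that hits several at once (as the post's xml.php would: world-writable, PHP under css/, binary content) is exactly the kind of thing the poster found by eye.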