Hello gents,
So today our server was shut down by Linode due to the quantity of spam mail it was sending out. We have many WordPress dev sites up on this server along with one client site and I know that WordPress can be an attack vector.
I checked mailq and I see tons of stuff trying to go out and constantly getting "temporarily suspended" - I presume this is, in fact, the spam script.
Seen here:
Code:
E097F5A77BA 8721 Mon Jul 1 23:42:45 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
E21905A5E1F 8977 Mon Jul 1 14:17:36 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
E44EB5A76D9 8725 Mon Jul 1 18:52:34 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
ECFD95A7022 8625 Mon Jul 1 14:27:49 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
EA8F65A64E0 4167 Mon Jul 1 18:47:27 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
E0FCB5A6E65 4151 Mon Jul 1 14:17:51 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
E71C95B7D41 8592 Mon Jul 1 22:33:54 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
EB38E5A7691 8671 Mon Jul 1 15:10:06 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
E22125A7B52 8684 Mon Jul 1 18:47:28 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
EC2D05B541A 8609 Mon Jul 1 19:52:41 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
EAC785A809C 8692 Mon Jul 1 23:42:41 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
E4A4A5B56BF 8567 Mon Jul 1 20:34:27 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
EDA0B5B5955 8504 Mon Jul 1 21:24:05 MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
"apache2@no-reply"@madmonkdev.com
A few things I should tell you guys. I've only been working at this place for 3 days, the lead developer quit on a dime just before I got here, and I'm the only person here (entry-level front-end web dev, 22) who is even remotely qualified to deal with this, so the owner gave it to me to fix. I have had -some- experience with Linux: I had Ubuntu on my desktop in a separate partition for a while, and I had academic training in college with the Linux CLI.
So I'm not totally unexposed, but please treat me like a novice here so that I don't screw anything up.
So how would I go about zeroing in on the spam source and terminating it? Afterwards, how would I go about hardening our security?
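As an added example that is not part of the original post (and not code from Linode, Postfix or WordPress): a small POSIX shell script showing how a queue like the one pasted above can be triaged to find which PHP script is sending. It assumes Postfix's default `mailq`/`postqueue -p` and `postcat -q` output layout, classic uppercase-hex queue IDs, and PHP running with `mail.add_x_header = On`, which stamps every `mail()` call with an `X-PHP-Originating-Script: <uid>:<script>` header. Every queue ID, hostname, address and script name in the embedded samples is constructed to mirror the paste; `SAMPLE_MAILQ`, `SAMPLE_POSTCAT` and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a Postfix
# queue that is full of mail sent by the web-server user.
# Assumes: the default mailq / postqueue -p and postcat -q output layouts,
# classic (uppercase hex) Postfix queue IDs, and PHP with mail.add_x_header=On.
# Every ID, host, address and script name below is constructed.

# Constructed mailq output. Layout: an ID line (queue ID with optional * or !
# status flag, size, arrival time, envelope sender), an optional deferral
# reason in parentheses, then one indented recipient per line. The
# MAILER-DAEMON entries are bounces coming back to the web-server user; the
# last entry is spam still trying to leave.
SAMPLE_MAILQ=$(cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
E097F5A77BA     8721 Mon Jul  1 23:42:45  MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
                                         "apache2@no-reply"@madmonkdev.com

E21905A5E1F     8977 Mon Jul  1 14:17:36  MAILER-DAEMON
(delivery temporarily suspended: connect to madmonkdev.com[50.116.40.178]:25: Connection refused)
                                         "apache2@no-reply"@madmonkdev.com

A1B2C3D4E5F6*   3102 Mon Jul  1 23:40:12  apache2@no-reply.madmonkdev.com
                                         victim1@example.net
                                         victim2@example.org

-- 20 Kbytes in 3 Requests.
EOF
)

# Constructed (abridged) `postcat -q A1B2C3D4E5F6` dump. uid 33 is www-data on
# Debian/Ubuntu; the real uid is whatever the web server runs as.
SAMPLE_POSTCAT=$(cat <<'EOF'
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5F6 ***
sender: apache2@no-reply.madmonkdev.com
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5F6 ***
Received: by madmonkdev.com (Postfix, from userid 33)
    id A1B2C3D4E5F6; Mon,  1 Jul 2013 23:40:12 +0000 (UTC)
X-PHP-Originating-Script: 33:class-mailer.php
To: victim1@example.net
Subject: You have won
From: "Prize Desk" <apache2@no-reply.madmonkdev.com>

Click here ...
*** MESSAGE FILE END A1B2C3D4E5F6 ***
EOF
)

# Messages per envelope sender, most first. Bounces (MAILER-DAEMON) reveal who
# the spam was sent *as*; any other sender is spam still in the queue.
mailq_by_sender() {
    awk '$1 ~ /^[0-9A-F]+[*!]?$/ { n[$NF]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Messages per recipient: indented lines whose first character is not "(".
mailq_by_recipient() {
    awk '/^[ \t]+[^ \t(-]/ { n[$1]++ }
         END { for (r in n) print n[r], r }' | sort -rn
}

# Queue IDs (status flag stripped) for one envelope sender, ready for
# `postcat -q` inspection or `postsuper -d` deletion.
queue_ids_for_sender() {
    awk -v who="$1" '$1 ~ /^[0-9A-F]+[*!]?$/ && $NF == who {
        sub(/[*!]$/, "", $1); print $1 }'
}

# "<uid>:<script>" from the header block of a postcat -q dump.
originating_script() {
    awk '/^\*\*\* MESSAGE CONTENTS/ { hdr = 1; next }
         hdr && /^$/ { exit }
         hdr && /^X-PHP-Originating-Script:/ { print $2 }'
}

echo "queued messages by envelope sender:"
printf '%s\n' "$SAMPLE_MAILQ" | mailq_by_sender
echo "queued messages by recipient:"
printf '%s\n' "$SAMPLE_MAILQ" | mailq_by_recipient
echo "originating script of the outgoing spam:"
for id in $(printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender apache2@no-reply.madmonkdev.com); do
    # on the real box: postcat -q "$id" | originating_script
    printf '%s -> ' "$id"
    printf '%s\n' "$SAMPLE_POSTCAT" | originating_script
done
```

On the server, `mailq | mailq_by_sender` and `postcat -q <queue-id> | originating_script` take the place of the samples. `mail.add_x_header` only records the uid and the script's basename; adding `mail.log = /var/log/php-mail.log` to php.ini as well logs the full path and line of every `mail()` call, and grepping the web server's access log for POST requests to that file usually points straight at the backdoor and the site it lives in. Leave the queue alone until the script is gone, then `postsuper -d ALL deferred` clears the backlog; a WordPress install that was used this way should be rebuilt from a known-clean copy rather than patched in place.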