Page 2 of 4 (results 11 to 20 of 32)

Thread: Postfix compromised

  1. #11 (Join Date: Mar 2010; Location: Squidbilly-Land; Distro: Ubuntu)

    Re: Postfix compromised

    Quote Originally Posted by kevdog:
    > I'm not sure how you figure his webserver was compromised.
    > How?

    Postfix accepts local mail traffic on the machine (based on the logs).

    Postfix is not accepting any connections from the internet email open relay testing tools.

    The OP has a LAMP server and is running Wordpress. That means that wordpress and php are both loaded, which are highly likely to be compromised. OP also claims that emails should be going only to WP admins.

    To me, that all adds up to a hacked webserver. Is there some other explanation?

  2. #12 (Join Date: Nov 2006)

    Re: Postfix compromised

    Wiping the server?

    My WordPress sites have all the data, not too easy to wipe it out.

  3. #13 (Join Date: Nov 2006)

    Re: Postfix compromised

    These are the files

    Code:
    root@ns3XXX5:/var/www/woXXX.com/public_html# ls
    4rr1su1v.php  index.php                 wp-comments-post.php  wp-load.php
    azl5r89j.php  license.txt               wp-config.php         wp-login.php
    ck1ymks5.php  readme.html               wp-config-sample.php  wp-mail.php
    cy.php        seo_script.php.suspected  wp-content            wp-settings.php
    fnog1zfm.php  wp-activate.php           wp-cron.php           wp-signup.php
    ftzk7jbh.php  wp-admin                  wp-includes           wp-trackback.php
    hko9oxxe.php  wp-blog-header.php        wp-links-opml.php     xmlrpc.php
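
    The listing above is exactly the kind of thing a first-pass triage script should surface: eight-character random names next to stock core files, plus a file a scanner has already renamed to .suspected. The script below is an added example and not something posted in this thread; it rebuilds a constructed scratch copy of that listing in a temp directory (the file bodies are made up, not the real dropped files), then reports top-level PHP files that are not in the stock WordPress top-level set, names that fit the random eight-character pattern, and files that use the usual obfuscation idiom. The core file list is typed in from a stock install and is an assumption for your version; on a real box, run `wp core verify-checksums` (WP-CLI) from clean media as well, and treat every hit as evidence to preserve, not as something to delete and forget.

```shell
#!/bin/sh
# Added triage example (not from the thread). Builds a constructed webroot that
# mirrors the post's listing, then flags files that do not belong to core.
set -eu

# Top-level files shipped with a stock WordPress install (assumption: current
# release set; compare with wordpress.org for the version actually deployed).
CORE_TOP='index.php license.txt readme.html wp-activate.php wp-blog-header.php
wp-comments-post.php wp-config-sample.php wp-cron.php wp-links-opml.php
wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php
wp-trackback.php xmlrpc.php'
# wp-config.php is site-specific but legitimately present; listed separately.
SITE_FILES='wp-config.php'

# make_root: constructed webroot reproducing the names in the post. Bodies are
# placeholders; the one .suspected file carries the idiom scanners key on.
make_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content"
    for f in $CORE_TOP $SITE_FILES; do printf '<?php // stock\n' > "$root/$f"; done
    for f in 4rr1su1v.php azl5r89j.php ck1ymks5.php cy.php fnog1zfm.php ftzk7jbh.php hko9oxxe.php; do
        printf '<?php // constructed sample, not the real dropped file\n' > "$root/$f"
    done
    printf '<?php eval(base64_decode("%s")); // constructed\n' 'Zm9v' > "$root/seo_script.php.suspected"
    printf '%s' "$root"
}

# non_core_top: top-level regular files not in the core or site lists.
non_core_top() {
    known=" $(echo $CORE_TOP $SITE_FILES) "   # normalise newlines to spaces
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$known" in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# random_named: non-core names matching the eight-char [a-z0-9] pattern that
# dropped webshells often use. Heuristic: legitimate files can match too.
random_named() {
    non_core_top "$1" | grep -E '^[a-z0-9]{8}\.php$' || true
}

# obfuscated_php: any file in the tree using eval() over a decoder. Heuristic,
# not proof; prints one path per line.
obfuscated_php() {
    grep -rlE 'eval *\( *(base64_decode|gzinflate|str_rot13)' "$1" || true
}

if [ "${1:-}" = "demo" ]; then
    root=$(make_root)
    echo "== top-level files not in core =="; non_core_top "$root"
    echo "== random-looking names =="; random_named "$root"
    echo "== obfuscation idioms =="; obfuscated_php "$root"
    rm -rf "$root"
fi
```

    Run it with `sh triage.sh demo`. Against the constructed tree it lists eight non-core top-level files, six random-looking names (cy.php is too short to match) and the single .suspected file for the obfuscation check. Note that the script only looks at the top level for the name checks; wp-content/plugins and wp-content/uploads are where a second pass should look next, and nothing here inspects wp-admin or wp-includes for modified core files, which is what the checksum verification is for.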

  4. #14 (Join Date: Nov 2006)

    Re: Postfix compromised

    Gonna try ISPProtect, it seems to be the best one on the market right now.

  5. #15 (Join Date: Mar 2010; Location: Squidbilly-Land; Distro: Ubuntu)

    Re: Postfix compromised

    Quote Originally Posted by fernandoch:
    > Wiping the server?
    >
    > My WordPress sites have all the data, not too easy to wipe it out.

    Wiping a server is really easy.

    Do you think that your data isn't already corrupted?
    A compromised server can NEVER be trusted again. Wipe and start over is the only viable answer.

    If there are backups from before the compromise, starting with the data from those would be reasonable. Otherwise, until all the data is proven to be reasonable, not compromised, then it cannot be trusted.

  6. #16 (Join Date: Nov 2006)

    Re: Postfix compromised

    How do you wipe a server if all your Wordpress files are compromised?

    I think first you need to fix them...

  7. #17 (Join Date: Jan 2010; Location: Wheeling WV USA; Distro: Xubuntu 20.04 Focal Fossa)

    Re: Postfix compromised

    Quote Originally Posted by fernandoch:
    > Wiping the server?
    >
    > My WordPress sites have all the data, not too easy to wipe it out.

    Where are your backups?
    Mask wearer, Social distancer, System Administrator, Programmer, Linux advocate, Command Line user, Ham radio operator (KA9WGN/8, tech), Photographer (hobby), occasional tweetXer

  8. #18 (Join Date: Jan 2010; Location: Wheeling WV USA; Distro: Xubuntu 20.04 Focal Fossa)

    Re: Postfix compromised

    Quote Originally Posted by fernandoch:
    > How do you wipe a server if all your WordPress files are compromised?
    >
    > I think first you need to fix them...

    There is no reliable way to fix a compromised server. Even the kernel binary can be compromised. Start over by erasing the partition table and install the latest Ubuntu server.

    anything and everything you think you want to save could be compromised.

    Boot from media that has never been attached to that server, or from read-only media.

  9. #19 (Join Date: Sep 2011; Location: Behind you!; Distro: Ubuntu 20.04 Focal Fossa)

    Re: Postfix compromised

    When you do re-install, don't setup the server the exact same way you did before...or it will happen again.

    If done right, not even WordPress can update itself. I use two accounts for WordPress. One is production mode and has just enough rights to function but cannot update itself. Another account is an installer account that I will switch to when WordPress or plugins need to be updated.

    If the website does not need users registering and logging in, be sure to disable registration too.

    LHammonds

  10. #20 (Join Date: Nov 2008; Location: Boston MetroWest)

    Re: Postfix compromised

    I set the permissions in WordPress to block the server from doing anything to the installation. That means that the software cannot update itself automatically, but it also blocks lots of attacks on WordPress itself. I simply wrote two little scripts to manage the permissions:

    Run before the update

    cd /path/to/wordpress

    Code:
    #!/bin/sh
    # Grant the owning group (which includes www-data) write access so
    # WordPress can update itself. Options go before the operands so the
    # script also works with a non-GNU chmod.
    chmod -R g+w wp-admin wp-includes wp-content
    chmod g+w *
    echo "Run update now"

    The Apache pseudo-user, www-data on Ubuntu, is in the group that owns the WordPress installation.

    After I perform the update I run this script
    Code:
    #!/bin/sh
    # Revoke group write again. Capital X sets the execute bit only on
    # directories (and on files that already had it), so PHP files do not
    # become executable; g-w is listed explicitly because only adding
    # g+rx would leave in place the write bit granted before the update.
    chmod -R u+rwX,g-w,g+rX wp-admin wp-includes wp-content
    chmod g-w *
    echo "Permissions reset!"

    In my case, the owner of the WordPress directory is not the www-data user, but another user I set up to own all the websites.
    Last edited by SeijiSensei; November 25th, 2019 at 08:03 PM.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
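
    Both #19 and #20 describe the same control: the account the web server runs as must not own the WordPress tree, and write access to core is granted only for the duration of an update. The script below is an added example and not LHammonds' or SeijiSensei's own scripts; it implements that toggle as a lockdown/unlock pair and, so it can be run anywhere, builds a constructed WordPress-like tree in a temp directory instead of touching a real site. The real ownership step (for example `chown -R wpowner:www-data /var/www/example.com/public_html`, with www-data in the owning group) is an assumed deployment detail and is not executed here. It also does what the two posted scripts leave implicit: wp-content/uploads stays group-writable because the web server has to write there at run time, wp-config.php is made group-read-only, and a pair of find-based checks verifies the state instead of trusting the chmod ran.

```shell
#!/bin/sh
# Added example (not from the thread): toggle group write on a WordPress tree
# owned by a separate site-owner account, with the web server user only a
# member of the owning group. Operates on a scratch tree so it is safe to run.
set -eu

# make_tree: constructed WordPress-like layout with the paths that matter.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/uploads" "$root/wp-content/plugins/x"
    for f in index.php wp-config.php wp-login.php wp-admin/admin.php \
             wp-includes/load.php wp-content/plugins/x/x.php; do
        printf '<?php\n' > "$root/$f"
    done
    printf '%s' "$root"
}

# lockdown: owner rw, group and world read-only; X gives execute only to
# directories so no PHP file ends up executable; '=' clears any stray bits.
# uploads/ alone keeps group write (run-time media uploads), and wp-config.php
# (DB credentials) is readable by owner and group only.
lockdown() {
    chmod -R u=rwX,g=rX,o=rX "$1"
    chmod -R g+w "$1/wp-content/uploads"
    chmod 640 "$1/wp-config.php"
}

# unlock: let the owning group (including www-data) write the core tree so
# WordPress or plugins can update themselves. Always follow with lockdown.
unlock() {
    chmod -R g+w "$1/wp-admin" "$1/wp-includes" "$1/wp-content"
    chmod g+w "$1"
}

# count_writable: entries outside uploads/ that are group- or world-writable.
# The property lockdown must establish is that this returns 0.
count_writable() {
    find "$1" -path "$1/wp-content/uploads" -prune -o \
        \( -perm -g+w -o -perm -o+w \) -print | wc -l | tr -d ' '
}

# count_exec_files: regular files with the owner execute bit; 0 in a PHP tree.
count_exec_files() {
    find "$1" -type f -perm -u+x -print | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    root=$(make_tree)
    lockdown "$root"
    echo "writable outside uploads after lockdown: $(count_writable "$root")"
    echo "executable files after lockdown:         $(count_exec_files "$root")"
    unlock "$root"
    echo "writable outside uploads after unlock:   $(count_writable "$root")"
    lockdown "$root"
    rm -rf "$root"
fi
```

    Run with `sh wp-perms.sh demo`. The two count functions are the part worth keeping: run count_writable against the live document root after every update, and any non-zero result means the lockdown step was skipped or a plugin re-opened permissions. This does not by itself stop an attacker who gets code execution through a vulnerable plugin from writing to uploads/, so pair it with a web server rule that refuses to execute PHP under wp-content/uploads.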
