Eric at Lucii.org on 23 Feb 2012 15:57:46 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] Hacked server - recovery |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'll try running rkhunter although it appears to be a really simple php exploit that the hacker used to send spam. All the spam was from www-data@domain.com and I don't see any other evidence that they had any root privileges or acted to do anything other than send spam. Thanks! On 02/23/2012 06:42 PM, Tom Haines wrote: > You definitely want to run something like rkhunter to see what happened. My policy has always been to wipe the box and rebuild completely from backups. It's not worth risking that rkhunter missed something. > > On Thursday, February 23, 2012, Eric at Lucii.org wrote: > > I'm trying to recover an Ubuntu-based web server that was hacked. > It was/is running a 2.x version of OpenRealty that contains more > vulnerabilities than I could imagine. > > The hacker used it to send spam (no surprise.) I was in a hurry > so to stop it I just did apt-get remove postfix. That worked in > the same way that decapitation cures a headache. > > Now that I *believe* I've cleaned up the malicious code and I'd > like to re-install and turn on postfix again. Before I do, is > there a way to either throttle the email output (our expected > output is a couple of emails a day from the contact form) OR fire > off an alarm if there are more than <arbitrary low number> emails > being sent in a single hour? Perhaps there is yet another > alternative that I've not thought of? (So far, I've thought of: > not re-installing Postfix, replacing the web site code, and moving > to Tibet.) I don't have authorization to replace this code yet > and my wife won't move to Tibet so that's out too... for now. > > Eric ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug > ___________________________________________________________________________ > Philadelphia Linux Users Group -- http://www.phillylinux.org > Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce > General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug - -- # Eric Lucas # # "Oh, I have slipped the surly bond of earth # And danced the skies on laughter-silvered wings... # -- John Gillespie Magee Jr -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9G0mQACgkQ2sGpvXQrZ/4TGgCeMGOm74UPOj3FwbmdL1yu6pjN yHwAoPvjtIwvLcSLUq0b4Gv36AeFpEv2 =RHMH -----END PGP SIGNATURE----- ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug