Michael Lazin on 23 Feb 2012 19:33:55 -0800
Re: [PLUG] Hacked server - recovery
On Thu, Feb 23, 2012 at 06:37:08PM -0500, Eric at Lucii.org wrote:
> I'm trying to recover an Ubuntu-based web server that was hacked.
> It was/is running a 2.x version of OpenRealty that contains more
> vulnerabilities than I could imagine.
>
> The hacker used it to send spam (no surprise.) I was in a hurry
> so to stop it I just did apt-get remove postfix. That worked in
> the same way that decapitation cures a headache.
>
> Now that I *believe* I've cleaned up the malicious code and I'd
> like to re-install and turn on postfix again. Before I do, is
> there a way to either throttle the email output (our expected
> output is a couple of emails a day from the contact form) OR fire
> off an alarm if there are more than <arbitrary low number> emails
> being sent in a single hour? Perhaps there is yet another
> alternative that I've not thought of? (So far, I've thought of:
> not re-installing Postfix, replacing the web site code, and moving
> to Tibet.) I don't have authorization to replace this code yet
> and my wife won't move to Tibet so that's out too... for now.

If you can forward the mail somewhere else, you might want to look at
using nullmailer instead of postfix. All nullmailer does is relay all
the messages it receives to a smart relay somewhere else.
Walt
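
One way to get the hourly alarm asked about in the quoted message, as an added example that is not part of the original thread: count Postfix `pickup` log lines (one per message submitted through the local sendmail command) per hour and per submitting uid. It assumes standard Postfix syslog lines and that the web application runs as uid 33 (www-data on Ubuntu); the function names, the limit and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# A Postfix "pickup" line is written once for every message handed to the
# local sendmail command; it records the uid of the submitting process.
PICKUP = re.compile(
    r"^(?P<hour>\w{3}\s+\d+\s+\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"postfix/pickup\[\d+\]:\s+[0-9A-Za-z]+:\s+uid=(?P<uid>\d+)\s+from=<[^>]*>"
)

def hourly_submissions(lines):
    """Count locally submitted messages per (hour, uid) bucket."""
    counts = Counter()
    for line in lines:
        m = PICKUP.match(line)
        if m:
            hour = " ".join(m.group("hour").split())  # normalise "Feb  3 09"
            counts[(hour, int(m.group("uid")))] += 1
    return counts

def over_limit(lines, limit):
    """Return {(hour, uid): count} for every bucket above `limit`."""
    return {k: n for k, n in hourly_submissions(lines).items() if n > limit}

# Constructed sample log: normal contact-form traffic in the morning,
# then a burst of submissions from uid 33 (assumed to be www-data).
SAMPLE_LOG = [
    "Feb 23 09:12:01 web postfix/pickup[2101]: 3A1B2C4D5E: uid=33 from=<www-data>",
    "Feb 23 09:12:02 web postfix/smtp[2105]: 3A1B2C4D5E: to=<owner@example.com>, "
    "relay=mx.example.com[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)",
    "Feb 23 09:40:17 web postfix/pickup[2101]: 3A1B2C4D60: uid=0 from=<root>",
] + [
    f"Feb 23 14:{m:02d}:30 web postfix/pickup[2101]: 4F00AA{m:04X}: uid=33 from=<www-data>"
    for m in range(6)
]

if __name__ == "__main__":
    LIMIT = 3  # hypothetical threshold: a couple of mails a day is normal
    for (hour, uid), n in sorted(over_limit(SAMPLE_LOG, LIMIT).items()):
        print(f"ALERT: uid {uid} submitted {n} messages in hour '{hour}'")
```

Run from cron against the mail log, the alert lines can be sent to an address that does not depend on the monitored server's own mail queue.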
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug