
Looks like a spammer got into my server. I am new to LAMP and don't know how to find where my vulnerability is; not sure if it's SMTP, scripts, or where. My server was working fine for over a year but now it's compromised.

Do you know of any good manual ( for dummies or newbies) on how to secure my server?

Just today (in 12 hours) I have received close to 3,000 "failure" emails. My IP has been banned now...

Any help is appreciated

  • Would be the same thing as asking for a manual to build a nuclear bomb. – Vick Vega May 04 '11 at 17:31
  • Security isn't a manual or checklist. It's a process. – Bart Silverstrim May 04 '11 at 17:35
  • Unplug the host from the network, assess the intrusion, read: http://serverfault.com/questions/120345/secure-lamp-server-for-production-use and see what you missed, and assess where you are with this system (most likely at a re-install state). Also might be helpful to read CERT's old "How to recover from a compromise" tutorial for pointers on how to better secure your system for future attacks: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html – l0c0b0x May 04 '11 at 17:39

2 Answers


It's quite possible that the server hasn't actually been compromised but you are just running an open relay.

As a first step, check that SMTP (TCP port 25) is blocked inbound on your firewall (assuming you are not receiving mail on this server, only sending it; if you are receiving as well, then make sure you are authenticating users).

Also check any web forms you have for sending email; these can often be abused to send mail to anywhere rather than just the address you intended.

Jon Reeves
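Jon's second point, the abusable web form, is the classic PHP mail() header-injection pattern: a visitor puts a CR/LF followed by `Bcc:` into a field that is pasted into the header string, and the form becomes a relay. The following is an added example, not code from this thread; it is written in Python so it runs stand-alone, and shows the unsafe concatenation next to a validator that refuses it. The field names, the addresses and the injected payload are constructed for illustration.

```python
"""Mail-form header injection: the unsafe pattern and the check that stops it.

Added example, not from the thread. Field names, addresses and the payload
below are constructed for illustration; the same check belongs in a PHP
mail() handler.
"""
import re

# Any CR or LF in a value that ends up in a header lets the sender append
# headers of their own (Bcc:, extra To:, a second Subject:, ...).
_CRLF = re.compile(r"[\r\n]")
# Strict single-address check for a contact form; rejects lists and comments.
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

SITE_OWNER = "owner@example.invalid"   # constructed; the only real recipient


class HeaderInjection(ValueError):
    """Raised when a form value would alter the outgoing mail headers."""


def unsafe_headers(fields):
    """The abusable pattern: visitor input pasted straight into the header block.

    Mirrors PHP code like  $headers = "From: $email\\r\\nReply-To: $email\\r\\n";
    A visitor who puts a CRLF plus 'Bcc: ...' in the email field gets extra
    recipients for free.
    """
    return f"From: {fields['email']}\r\nReply-To: {fields['email']}\r\n"


def validate_contact_form(fields):
    """Return sanitized fields or raise HeaderInjection.

    Only 'message' may contain newlines: it becomes the body, never a header.
    """
    clean = {}
    for key in ("name", "email", "subject"):
        value = fields.get(key, "")
        if _CRLF.search(value):
            raise HeaderInjection(f"newline in header field {key!r}")
        clean[key] = value.strip()
    if not _EMAIL.match(clean["email"]):
        raise HeaderInjection("malformed sender address")
    clean["message"] = fields.get("message", "")
    return clean


def safe_headers(clean):
    """Build headers so the visitor controls at most the Reply-To value."""
    return (
        f"To: {SITE_OWNER}\r\n"
        f"From: webform@{SITE_OWNER.split('@', 1)[1]}\r\n"
        f"Reply-To: {clean['email']}\r\n"
        f"Subject: {clean['subject']}\r\n"
    )


def is_safe_submission(fields):
    """True if the form can be relayed without a header being injected."""
    try:
        validate_contact_form(fields)
    except HeaderInjection:
        return False
    return True


# Constructed submissions: one honest, one carrying an injected Bcc: header.
HONEST = {"name": "Bob", "email": "bob@example.invalid",
          "subject": "question", "message": "Hello\nthere"}
INJECTED = {"name": "Bob",
            "email": "bob@example.invalid\r\nBcc: s1@example.invalid, s2@example.invalid",
            "subject": "question", "message": "spam"}

if __name__ == "__main__":
    print(repr(unsafe_headers(INJECTED)))   # the Bcc: line is now a real header
    print(is_safe_submission(HONEST), is_safe_submission(INJECTED))
```

The design point is that the recipient list is never derived from the request at all: `To:` is a constant, the visitor's address only ever lands in `Reply-To:`, and any header-bound field containing a line break is rejected outright rather than "cleaned". Rate-limiting the form and logging rejected submissions is what turns this into evidence when the next bounce storm arrives.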

First you need to know if they've actually compromised your server or are just spoofing your mail server's address. Did you look in the logs? Are you seeing unusual activity in your database server, web server, mail server? Are you seeing unusual network activity?

If the server has been compromised, you need to take it offline and will probably have to wipe and reinstall from known-good backups, and apply updates to all your components and frameworks. Have you been keeping up to date on those?

Have you run any intrusion detection software? Something like Tripwire, taking MD5s of your files so you can tell what's been changed? Did you run any rootkit-detection programs to find out how someone could have gotten in, or what may be installed?

If your server was compromised and someone else got root, they could easily have replaced system binaries, so you can't trust anything: not even ls, ps or top, which could have been replaced with rootkit versions to hide malware processes. The only thing you could really do is connect another known-clean system to the network and look to see what unusual activity is originating from your server.

There's a decent chance that you can find some activity in the log files if the intruder didn't cover his or her tracks. But again, you can't trust them fully if it was a compromise. You can only get around that by configuring your logging daemon to mirror logs to another server whose sole purpose is to aggregate logs from systems.

So determine if your server has indeed been compromised, and if you have any indication of it, take it offline and clean it by reinstalling from known good backups. Make a forensic copy of your drives if you want to try figuring out what happened.

Bart Silverstrim
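Bart's Tripwire suggestion, as an added example that is not part of the original answer: a file-integrity baseline in Python that hashes a directory tree, keeps the digests, and on a later scan reports modified, added and removed files. It uses SHA-256 rather than MD5 (my choice; MD5 collisions are cheap to produce today) and builds a throwaway directory of constructed files to simulate a rootkit swapping `ps`, dropping a hidden file and deleting `top`.

```python
"""Tripwire-style file-integrity check: baseline a tree, later diff it.

Added example, not from the thread. The fake 'bin' directory and the
'attacker' changes are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (path relative to root) to its SHA-256 hex digest.

    Symlinks are skipped so a planted link cannot stand in for a changed file.
    """
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()          # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare_baseline(baseline, current):
    """Report what changed between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake bin/, then simulate a rootkit.

    The baseline dict is what you would store off-host (or on read-only media);
    the comparison must be run from a clean boot, because a trojaned kernel or
    libc can lie to the scanner itself.
    """
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "top"):
            _write(os.path.join(bindir, name), b"#!/bin/sh\necho clean " + name.encode() + b"\n")
        baseline = hash_tree(root)

        # "Attacker": replace ps with a wrapper that hides a process, drop a
        # dotfile, delete top.
        _write(os.path.join(bindir, "ps"), b"#!/bin/sh\n/bin/ps \"$@\" | grep -v spamd\n")
        _write(os.path.join(bindir, ".rk"), b"payload")
        os.remove(os.path.join(bindir, "top"))

        return compare_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
    # {'modified': ['bin/ps'], 'added': ['bin/.rk'], 'removed': ['bin/top']}
```

This only has value if the baseline was taken before the intrusion and is kept where root on the compromised host cannot rewrite it, and the answer's warning applies to the scanner too: run it from a live CD or another known-clean machine with the suspect disk mounted read-only, not from the possibly trojaned system.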