We have found (thanks to CSF warning us) 4 suspicious files in /tmp. One is a perl script (probably a backdoor) and the other 3 files are binaries. They were probably uploaded through some vulnerability in a customer's website (now suspended) because they are under his ownership.
The server seems ok, nothing out of the ordinary (the root logins are disabled, we su - from another account).
We have run rkhunter and chkrootkit (fresh installs) and found nothing.
One of the binaries contained this (retrieved with strings): chown root:root /tmp/suid; chmod +s /tmp/suid (suid being one of the other binaries). This /tmp/suid has no suid set and is not under root ownership:
-rw-r--r-- 1 user user  759 Jan 25  2008 dc.pl
-rwxr-xr-x 1 user user 2404 Nov  4 22:10 libno_ex.so.1.0*
-rwxr-xr-x 1 user user 4945 Nov  4 22:10 suid*
-rwxr-xr-x 1 user user 6209 Nov  4 22:10 udev*
dc.pl seems to be from January but it's apparently fake:
I got an email saying that there was a security breach at steadfast. At the same time I got an email saying that my account was suspended because I am sending spam from one of my domains. I NEVER SEND SPAM. I opened a support ticket and they apologized saying it's not my fault and they restored my account. Apparently spam was sent by a php script but they don't want to give me details. The next day they suspended my account again for the same reason.
I found a random proxy site running out of /var/www/temp. It seems to have been created yesterday, and I found out about it via a DMCA notice from the planet. Is this apache's temporary directory? There was even an entry for it in the apache configuration and it was running as a perl script out of its own cgi bin. I killed it and chmod'd it to 0. In the future, would setting permissions on this directory to non executable prove to be effective? Any idea if this type of breach is serious enough to warrant an OS reinstall?
I just received a fairly scary WHMCS notice, you can view the details here:
<<please don't paste the file names, there are accounts that may have these on them>>
What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end.
I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored.
Are their own billing systems & servers hosted in the same environment, were our billing details also released? etc. I want to know the scale of the attack.
I got this email earlier today, surprised to see there isn't already a 10-page thread about it. Did anyone else get this from The Planet?
In the course of the last two days, our Computer Security Incident Response Center team has identified suspicious activity in our customer management portal. Through their vigorous investigation, we have identified what appears to be a security breach that may have affected your customer portal account and server passwords. We have identified the methods by which the systems were compromised and have closed those holes. In addition to those actions, we will be implementing additional security measures to further strengthen the infrastructure and systems.
We are taking this action to alert you to this potential malicious activity. At this juncture, we are aware of only two incidents whereby log-in and server passwords were accessed. Based upon our security review of access logs, we do not believe any credit card information was compromised. We have contacted the authorities and are working with them to identify the perpetrator and to pursue appropriate legal action.
We are taking a proactive approach by contacting you directly, which we believe is the best course of action. We strongly suggest you implement a security best-practices approach by immediately taking four steps to mitigate risk:
1) Change your Orbit log-in passwords immediately and do so again every 60 days.
2) Change your server passwords and do so again every 60 days.
3) Be alert to any suspicious activity on your account.
4) If you suspect any unusual activity, please retain your access logs along with
I'm having difficulty sending an email to another email address (with a different domain) which is on the same VPS. The trouble is, on the other domain's VPS control panel, within the DNS settings, the MX records have been pointed externally (to an exchange server). Their email is turned off. But bizarrely, their mailbox is full.
It seems as though Plesk is ignoring the MX records, and sending MY email internally to the OTHER domain's mailbox on the same VPS. How do I get Plesk to send my mail to the correct EXTERNAL MX records?
So my website has been working perfectly fine for a few months now, and I'm looking to use Roundcube instead of Google Apps. What are the DNS settings I need to change at my domain registrar? Currently I have the following records, and it can only send email, and not receive.
A Record    @          IP Address
A Record    webmail    IP Address
Basically I am trying to configure Plesk to send out email without being blacklisted. My emails are safe but I am currently blacklisted due to my set up. I have Plesk 12.0.18 and am using Qmail. The problem is I have one ip address right now and am using it for multiple domains. This is not ideal but was an issue with 1and1 not rendering ips at the time. I am not sure how to do reverse mapping with multiple domains on a single ip address.
Because my current ip address just got blacklisted, is it possible to get 2 more ip addresses just for email and use those 2 for 2 domains so each domain would have a separate ip address? How would I set this up to be email safe, meeting the spam requirements? spf, reverse mapping, etc?
Minutes after this microupdate auto-installed, I am unable to login to POP and IMAP on this server. None of the accounts are able to login. The logs indicate hundreds of login failures, accompanying a new record I've never seen in these logs:
I have an individual that has moved their "sent box" to the deleted items and yes, has deleted them.
I have not used the restoration feature of plesk so I have a couple of questions before proceeding.
1. Can I restore a specific mail box folder "sent items"?
2. If so, will it overwrite all the items and only restore what's on the backup, because he has only just noticed and he has about 500 emails from the point he deleted it? Or will it merge the items, e.g. the 500 he has now + all the others from the backup?
3. If I can't restore a specific folder, does it overwrite all of the current mail from the backup?
I've just upgraded from Plesk 11.something to 12.0.18 on Centos 6. And I've seen that Horde has stopped displaying HTML email again. editing psa-horde/imp/config/mime_drivers.php. I've made that same fix on my new Horde installation, but it doesn't seem to have worked this time. Is there anything different that I need to do on this version of Horde?
I am skeptical of running mchk on my server and messing something up. I am having an issue with one domain hosted on my server getting hundreds of duplicates from certain domains. My MagicSpam logs show that the email is sent to my server anywhere from every 15 minutes to 1 hour. It started out as one sending domain to my server to my client, now it is happening with a bunch of sending domains.