Compromised Server

kamilramborosa (New member, joined Apr 10, 2024, 3 messages)
Hi All,

I am running DA on a Linux VPS and my server is compromised. One email account for 1 of my domains is sending hundreds of emails a day. I have deleted that domain from DA but the emails are still going and still from that account. I don't know what to do to stop them.

Anybody have any ideas? I logged a ticket with DA support but it has been 8 hours and no response yet.
 
I have deleted that domain from DA but the emails are still going and still from that account.
Maybe it's sending from another domain from that account or they were able to install a mailserver.
Login as root via SSH and use this command:
lsof -i:25
for example to see if only exim or also other mail daemons are running.

Best is to suspend the account so the mails will stop.

Check your logfiles (like Exim logs) and look in the mails with the mail queue manager to see exactly how the mails are sent, via a php script or via smtp. Most likely via a php script.

You can also temporarily block non-smtp traffic in CSF; then mails will be blocked and you can investigate which script is causing the issue.

Install maldetect (free) or another scanner like Imunify360 and scan the files of that account and others.
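To make the "check the Exim logs to see how the mails are sent" step concrete, here is an added example (not code from this thread) that classifies each arrival line (`<=`) in an Exim mainlog as a local script submission (`P=local` with `U=<account>`) or an SMTP-authenticated submission (`A=login:<mailbox>`), and counts them. The log excerpt is constructed; the mainlog path on a DirectAdmin box is assumed to be /var/log/exim/mainlog.

```shell
#!/bin/sh
# Constructed Exim mainlog excerpt (sample data, not from the thread).
# "<=" lines are message arrivals. U=<user> with P=local is a local
# submission (typically a PHP script calling sendmail); A=login:<addr>
# is an SMTP submission authenticated with a mailbox password.
SAMPLE_LOG='2024-04-10 09:00:01 1ruf00-0001Aa-01 <= bob@victim-example.test U=victim P=local S=2210 id=a1@victim-example.test
2024-04-10 09:00:02 1ruf00-0001Ab-02 <= bob@victim-example.test H=(host) [203.0.113.5] P=esmtpa A=login:bob@victim-example.test S=2301
2024-04-10 09:00:03 1ruf00-0001Ac-03 <= bob@victim-example.test U=victim P=local S=2200 id=a2@victim-example.test
2024-04-10 09:00:04 1ruf00-0001Ad-04 => alice@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.7]
2024-04-10 09:00:05 1ruf00-0001Ae-05 <= alice@other-example.test U=other P=local S=1800 id=b1@other-example.test'

# classify_arrivals <logfile...>: prints "<kind> <who>" per arrival line,
# where kind is "script" (local user) or "smtp-auth" (authenticated login).
classify_arrivals() {
    awk '$4 == "<=" {
        kind = "unknown"; who = "?"
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^A=login:/) { kind = "smtp-auth"; who = substr($i, 9) }
            else if ($i ~ /^U=/)  { kind = "script";    who = substr($i, 3) }
        }
        print kind, who
    }' "$@"
}

# top_sources <logfile...>: arrivals grouped by kind and account, busiest first.
# The "who" column is the DA account (script) or mailbox (smtp-auth) to suspend.
top_sources() {
    classify_arrivals "$@" | sort | uniq -c | sort -rn
}

# count_kind <kind> <logfile>: number of arrivals of the given kind.
count_kind() {
    classify_arrivals "$2" | awk -v k="$1" '$1 == k' | wc -l | tr -d ' '
}

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "Arrivals by source (count kind account-or-login):"
    top_sources "$tmp"
    echo "script submissions: $(count_kind script "$tmp")"
    rm -f "$tmp"
}
demo
```

On a live server run `top_sources /var/log/exim/mainlog`; a single `U=` account dominating the script column is the account whose web files need scanning and suspending, while a flood under `smtp-auth` points to a stolen mailbox password instead.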
 
Richard probably hit the nail on the head with the queue. The emails are likely still queued. Here's what I want you to do, if you're still experiencing this problem:

Code:
# list the queue (exim -bp), take the message ID (3rd field of each header line) and remove each message
for i in $(exim -bp | awk '{print $3}'); do exim -Mrm $i; done
# kill every running exim process to drop active deliveries, then start exim again
killall -9 exim && systemctl restart exim

The second line is to break active connections; it helps sometimes.
 