jim.thornton
Verified User
- Joined
- Jan 1, 2008
- Messages
- 334
I've been running my DA server for quite a while now. However, a short time ago I decided to start using Google Apps for business and I set up my domain to use an external mail server. I haven't been as diligent maintaining the email server on the DA box as I should and now I'm having more issues.
First, a while ago I noticed that someone was sending thousands of spam messages from another account that I had. It was tracked down to an old version of Joomla that was running that seems to have been compromised and was sending mail through the com_mailto exploit. I couldn't figure out how to stop Joomla from doing this. I upgraded to the newest version, I tried installing new components, nothing worked. Eventually I just deleted the account.
Now another Joomla site is going through the same thing (the one set up with an external mail server). I've completely deleted the Joomla version again, but I'm still getting random files showing up in my directory structure. The files are .php files with a very long base64-encoded string in them. I delete the files and then other ones re-appear days later. I tried changing the permissions on the directory structure to only RX, not RWX, thinking that would stop new files from being written, but it didn't work.
I have turned off SSH access, so I know someone isn't getting in through SSH. The passwords on my root account are randomly generated with lower, upper, numbers and special characters, so I don't think someone has gotten in there. Not to mention, I have CSF firewall installed and it emails me when someone logs into root, and no one has.
I have scanned the directory structure with maldet and it is not detecting anything.
I'm at a loss as to what I should do next. I don't see how these files are getting into the directories anymore. How can I figure this out?
Also... In a related issue, I have a forwarder set up on this same account. It forwards my old email address that was on the server to my new email address, which is on the Google Apps server. When people send emails to this address, instead of forwarding, the server is rejecting it and not giving a reason in the email. I looked in the logs and it is showing as "authentication required" and rejecting it.
Can someone please help me figure this out?
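The post above describes two pieces of evidence that maldet did not pick up: PHP files containing very long base64 literals, and the fact that they keep reappearing with the web server presumably still writing them. The following script is an added example and is not code from the post or from DirectAdmin; it does two things a responder would do by hand: flag PHP files whose contents match a decode-and-execute pattern or carry an unusually long base64 literal, and then pull the non-GET requests from an Apache combined-format access log that fall within a couple of minutes of the flagged file's modification time, which is how one usually finds the request that dropped the file. The web root, the sample dropper file and the log lines are all constructed for the demonstration; the 200-character base64 threshold and the 120-second window are assumptions to tune for a real site.

```python
from __future__ import annotations
import os
import re
import tempfile
from datetime import datetime

# Signatures typical of dropped PHP backdoors: an execution primitive wrapped
# directly around a decoding primitive, or one very long base64 literal.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
LONG_BASE64 = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")  # 200 chars is an assumed threshold

def is_suspicious(source: str) -> list[str]:
    """Return the reasons a PHP source string looks like an obfuscated dropper; empty if clean."""
    reasons = []
    if SUSPICIOUS_CALLS.search(source):
        reasons.append("decode-and-execute call")
    m = LONG_BASE64.search(source)
    if m:
        reasons.append(f"base64 literal of {len(m.group(1))} chars")
    return reasons

def scan_tree(root: str) -> list[dict]:
    """Walk a web root and report every .php file that trips is_suspicious(), with owner uid and mtime."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = is_suspicious(fh.read())
            if reasons:
                st = os.stat(path)  # uid tells you which process wrote it (web server vs. account user)
                findings.append({"path": path, "uid": st.st_uid,
                                 "mtime": datetime.fromtimestamp(st.st_mtime), "reasons": reasons})
    return findings

# Apache/LiteSpeed combined log format; constructed sample lines, not real traffic.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jan/2012:03:19:51 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jan/2012:03:21:07 +0000] "POST /images/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jan/2012:09:00:00 +0000] "POST /index.php?option=com_mailto HTTP/1.1" 200 31 "-" "-"',
]

def parse_log_time(ts: str) -> datetime:
    # Drop the zone offset; this assumes the log and os.stat() mtimes share a clock.
    return datetime.strptime(ts.split(" ")[0], "%d/%b/%Y:%H:%M:%S")

def requests_near(log_lines: list[str], when: datetime, window_seconds: int = 120) -> list[dict]:
    """Non-GET requests logged within +/- window_seconds of a file's mtime: candidates for the upload."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m.group("method") != "GET" and abs((parse_log_time(m.group("ts")) - when).total_seconds()) <= window_seconds:
            hits.append(m.groupdict())
    return hits

def demo() -> tuple[list[dict], list[dict]]:
    """Build a constructed web root with one clean file and one dropper-like file, scan it, correlate with the log."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    dropper = os.path.join(root, "images", "x.php")
    with open(dropper, "w") as fh:
        # Harmless stand-in payload: the literal is just 'A' repeated, it decodes to nothing useful.
        fh.write('<?php eval(base64_decode("' + "A" * 240 + '")); ?>')
    t = datetime(2012, 1, 14, 3, 21, 20).timestamp()  # pretend it was written shortly after the POST
    os.utime(dropper, (t, t))
    findings = scan_tree(root)
    hits = [h for f in findings for h in requests_near(SAMPLE_LOG, f["mtime"])]
    return findings, hits

if __name__ == "__main__":
    for f, h in zip(*demo()):
        print(f["path"], f["reasons"], "<-", h["ip"], h["method"], h["path"])
```

In practice, point `scan_tree()` at the account's `public_html` and `requests_near()` at that domain's access log; if the uid on the findings is the web server's rather than the account's, the writer is a PHP process, and the POST that lines up with the mtime names the script still being abused.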