Problem with Abuseat blacklisting

Hi
I am a newbie to both DirectAdmin and this forum. My apologies if this is the wrong place to post this.

We have a problem with a hacker (who / they) has infected our nameserver IP with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans and our IP has been blacklisted by Abuseat.

I am trying to clean up and have 3 questions below which will help me resolve this problem.

We are located in Chiang Mai, and we rent rack space in a data center located in Bangkok. Tech Support in Bangkok say they cannot help...so it's back to me and my very small team.

We only have access to the server using DirectAdmin.

Abuseat recommend:
First: minimize FTP access. Secure/change all passwords. If you can do your customer uploads some other way, turn off FTP, or prevent FTP from writing directly into the web server's document directory.

Ok we will change passwords...that's easy enough to do (12 character alphanumeric + symbol if possible). I will test this in a few minutes.

But how can I prevent FTP from writing directly into the web server's document directory?


Second: Find the infection. If it's the second version ("cgi"), you can find it, remove it and kill any running copies.

I will have to download all user sites to my PC and search all of them for any cgi files and open and check - once I find anything, I can search for the process using DirectAdmin and kill.


Third: Configure your system to absolutely prohibit any userid except root or your mail server's userid (often "mailman" or something like that) from getting access to outbound port 25. In this way, even if you do get infected, the spamware can't get email out to the Internet.

The question here is how can I do that with DirectAdmin?

Each user has their own email address...so not so easy to restrict access to Port 25.


Your help and advice genuinely appreciated.

Sincerely

Daniel
Admin IO Wow
 
We have a problem with a hacker (who / they) has infected our nameserver IP with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans and our IP has been blacklisted by Abuseat.
...
We only have access to the server using DirectAdmin.
If you do not have root access to the server then there's really nothing you can do except find another provider; you can't even update critical software components without root access.

I'm making the following recommendations based on the supposition that you have root access.
Abuseat recommend:
First: minimize FTP access. Secure/change all passwords. If you can do your customer uploads some other way, turn off FTP, or prevent FTP from writing directly into the web server's document directory.
Most likely you've got a problem with an older version of Roundcube mail. If you're running PHP4, then the only option is to remove Roundcube from the server. If you're running PHP5, then you should update Roundcube to the latest version. You should remove any of the worms hidden in any of the /tmp directories (search these forums for more information); then kill them (the easiest way for you may be to restart your server) and check all the domains on your server for hidden iFrame attacks by running this in your browser for each domain on your server:
Code:
http://www.google.com/safebrowsing/diagnostic?site=http://EXAMPLE.COM
where of course you replace the EXAMPLE.COM with the name of each domain name on your server, in turn.
If you find any, remove the code as shown here; this page should be very helpful in explaining the rest of the cleanup whether or not you find any hidden iFrames on your server.
Ok we will change passwords...that's easy enough to do (12 character alphanumeric + symbol if possible). I will test this in a few minutes.

But how can I prevent FTP from writing directly into the web server's document directory?
Actually you can, but it's not trivial. And personally I don't think it's critical.

All below needs to be done for EACH site.

First you have to change the proftpd configuration so your users do NOT have access to upload, edit, or create new files, or to overwrite old files.

Then you create a new destination directory outside of public_html (for example, you could call it safe_upload), and a new upload ftp account for that directory, which does allow uploading of new files.

For each site you have to create a new directory outside of public_html. Then make changes to your proftpd configuration so logins will go to that directory.

Then write a program that will, file by file, for each file in that directory, parse it carefully to make sure there's nothing dangerous in it, and then, if it's clean, move it to the public_html directory, overwriting files as necessary. Your program must also handle subdirectory navigation as required. As I've said, it's nowhere near trivial. The program can run on a cronjob, or you can write a plugin to DirectAdmin to give the user a button to press to sweep newly uploaded files into the public_html directory. Of course that's not trivial either.
Second: Find the infection. If it's the second version ("cgi"), you can find it, remove it and kill any running copies.
I've noted this above.
I will have to download all user sites to my PC and search all of them for any cgi files and open and check - once I find anything, I can search for the process using DirectAdmin and kill.
As I've written above, to do all this you absolutely must have root access to your server through the shell.
Third: Configure your system to absolutely prohibit any userid except root or your mail server's userid (often "mailman" or something like that) from getting access to outbound port 25. In this way, even if you do get infected, the spamware can't get email out to the Internet.
Your mailserver is exim. That's a firewall issue that I don't know from memory; perhaps someone else will reply. However if you do this then many legitimate email programs on your server may fail to run.
The question here is how can I do that with DirectAdmin?
With root access and firewalling expertise.
Each user has their own email address...so not so easy to restrict access to Port 25.
It's the outgoing email that must be denied outgoing access to destination port 25 on other servers. The only problem is that some users may have to modify any outgoing email systems they use to send email through your exim processes instead of themselves.

Jeff
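The "sweep" program Jeff outlines above (users upload into a directory outside public_html, a job checks each file and moves the clean ones into place, handling subdirectories) as an added example. This script is not from the thread or from DirectAdmin; the directory names, the list of rejected extensions and the content patterns it looks for (hidden iframes, obfuscated PHP, PHP tags inside non-PHP files) are assumptions chosen to illustrate the idea, and a real deployment would tune them per site.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a per-site "safe_upload" directory into
# public_html, quarantining anything that looks dangerous. Directory names, the rejected
# extensions and the grep patterns below are assumptions for illustration.

# Return 0 (true) when a file should NOT be published.
file_is_suspicious() {
    case "$1" in
        # Script types a plain web-content upload should not contain (assumed list).
        *.cgi|*.pl|*.sh|*.py|*.exe|*.phtml) return 0 ;;
    esac
    # Hidden iframes, the kind of injection the Safe Browsing check in the thread reports.
    if grep -qiE '<iframe[^>]*(display: *none|visibility: *hidden|width="?0|height="?0)' "$1"; then
        return 0
    fi
    # Obfuscated PHP payloads.
    if grep -qiE 'eval *\( *(base64_decode|gzinflate|str_rot13)' "$1"; then
        return 0
    fi
    # PHP code hiding inside a file that is not supposed to be PHP.
    case "$1" in
        *.php) ;;
        *) grep -q '<?php' "$1" && return 0 ;;
    esac
    return 1
}

# sweep_uploads SRC DST QUARANTINE
# Walk SRC recursively; clean files are moved into DST (overwriting, keeping their
# relative path); suspicious files go to QUARANTINE for a human to look at.
sweep_uploads() {
    sweep_src=${1%/}; sweep_dst=${2%/}; sweep_q=${3%/}
    mkdir -p "$sweep_dst" "$sweep_q"
    find "$sweep_src" -type f -print | while IFS= read -r f; do
        rel=${f#"$sweep_src"/}
        if file_is_suspicious "$f"; then
            mkdir -p "$sweep_q/$(dirname "$rel")"
            mv -f "$f" "$sweep_q/$rel"
            echo "QUARANTINED $rel"
        else
            mkdir -p "$sweep_dst/$(dirname "$rel")"
            mv -f "$f" "$sweep_dst/$rel"
            echo "PUBLISHED   $rel"
        fi
    done
}

# Usage (paths are placeholders):
#   sh sweep_uploads.sh /home/USER/safe_upload /home/USER/domains/EXAMPLE.COM/public_html /home/USER/quarantine
if [ $# -eq 3 ]; then
    sweep_uploads "$1" "$2" "$3"
fi
```

Run it from cron as the site's user (for example hourly), never as root, so a bug in the checks cannot write outside that user's directories; the quarantine directory gives you something to inspect rather than silently deleting a customer's file. The pattern checks are deliberately simple and will not catch everything, which is why the FTP account for safe_upload should itself be unable to write anywhere else.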
 
Abuseat blacklist problem

Hi Jeff

There's a lot there and I really do appreciate your time to reply.

We are off the Abuseat blacklist last night, but that doesn't mean the hacker/spam problem has been resolved.

I also started researching Firewalls for Apache / DirectAdmin, but there's a lot to read there.

I will have to check out how to give myself root access. I didn't see anything in the DirectAdmin CP so assume I have to set up something like PuTTY (more research).

I don't see why I can't set that up. After all we own the server and only rent rack space at the Data Center.

I really do appreciate your advice and your time

If I have any more questions after all the reading I have to do, I will come back to this forum.

(Just in explanation, the person who set up our server unfortunately died after his heart failed. Very sad and it distressed me very much. He was only 31 and left a 2-month-old baby daughter. Everyone else in the company is either a programmer or graphic artist (all 5 of us) and my skills are more about management than etc etc...so the team look after the project work, and I had to pick up the additional load of managing our hosting plans and try to rebuild the team).

Anyway, just thought you would like to know..

thanks again

Daniel
 
I'm sorry to hear about the gentleman who died. That's always traumatic to both families and businesses.

I and others who post on these forums are available as systems administrators if hiring a contract administrator is within your budget.

Jeff
 
Abuseat blacklist problem

Hi Jeff

Thanks again for your reply and time. I have been reading several threads here and can see you are more than actively involved. It has been an interesting learning curve for me.

I have installed and been able to login as Root (using WinSCP). I tried PuTTY but was locked into the Super Admin user we created when setting up DirectAdmin (I could only see the user home directory).

I can now see the Root Folder and although I have rarely used Unix Commands, can now move forward to make some of the changes I need to protect the server.

I also appreciate your offer but our Budget is very tight at the moment (the global financial crisis has hit everywhere and although we have work in hand, we need a graphic artist more; it can sometimes take up to 6 months to find the right person here because of language problems). Most of us long term expats here end up letting out the occasional expletive and claim that it's "TIT" which means "this is thailand". I will just have to wear this additional hat for now.

I can see several posts in this forum about CSF and APF and a couple of threads which specifically refer to installing CSF for DA. So will follow that one up.

Just one last question. What do you think about Firewalling DA? Do you protect your own servers? (Sorry that's 2 questions).

I will close this thread after you reply because the main issues on how to resolve issues are clear now. If I have any more questions or help/support requests, I will open a new thread in the appropriate forum here.

Thanks sincerely again.

Daniel
 
While security by obscurity can be debated ad infinitum, we don't give out a lot of details on our firewalling.

Here's what I will tell you:

We change ports on certain processes which attract a lot of hack attempts, such as ssh. We do NOT use an external firewall, we prefer KISS to the firewalls you've mentioned because (a) it's easier to set up, and (b) it doesn't inundate you with emails; checking to see how it's doing is something YOU do.

Jeff
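For the third Abuseat recommendation (only root and the mail server's user may reach outbound port 25), which Jeff calls a firewall issue and leaves open, here is an added example of the kind of iptables rules that implement it on a Linux box; it is not from the thread, from DirectAdmin, or from Jeff's own firewall. The mail user name (`mail`), the chain name and the env-var gate are assumptions; check which account exim actually runs as on your server before applying it.

```shell
#!/bin/sh
# Added example (not from the thread): restrict outbound SMTP (TCP/25) to root and the
# mail server's own user, so malware running as a web or FTP user cannot deliver spam
# directly to other servers. MAIL_USER and CHAIN are assumed names.
# The rules are only applied when APPLY_SMTP_EGRESS=1 is set (needs root);
# otherwise they are printed so you can review them first.

MAIL_USER=${MAIL_USER:-mail}      # assumed: the account exim runs as on this box
CHAIN=SMTP_EGRESS                 # assumed custom chain name

# Print the iptables commands that implement the policy (nothing is applied here).
smtp_egress_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -o lo -j RETURN
iptables -A $CHAIN -m owner --uid-owner root -j RETURN
iptables -A $CHAIN -m owner --uid-owner $MAIL_USER -j RETURN
iptables -A $CHAIN -j LOG --log-prefix "smtp-egress-denied: " --log-level 4
iptables -A $CHAIN -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --dport 25 -j $CHAIN
EOF
}

# Same policy expressed as a yes/no question for a user name, handy when
# deciding which of a customer's scripts will break and need to relay via exim.
smtp_egress_allowed() {
    case "$1" in
        root|"$MAIL_USER") return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${APPLY_SMTP_EGRESS:-0}" = "1" ]; then
    smtp_egress_rules | sh -e
else
    smtp_egress_rules
fi
```

The `-o lo` rule is what answers Jeff's caveat: scripts and mail clients on the server keep working as long as they hand mail to exim on localhost:25 rather than connecting to remote mail servers themselves, and anything that still tries shows up in the kernel log with the `smtp-egress-denied:` prefix, which is a useful detection signal in its own right. After applying, `iptables -L SMTP_EGRESS -n -v` shows the per-rule counters; `iptables -N` fails if the chain already exists, so flush or delete it before re-running.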
 