server sending authenticated spam - any suggestions how?

roly (Verified User, joined Nov 9, 2006, 182 messages)
hi

my server is suddenly sending loads of spam - i'm the only user of this server. from the exim logfile it says P=esmtpa A=login:[email protected] (which is an active email account on my server) which from what i can gather means that the email has been sent after successfully entering my password. my password is a random 8 character alpha/numeric and i use csf and lfd to prevent brute force attacks so there's very little chance it could be guessed. i've scanned my home pc for viruses and it's clean. has anyone got any suggestions on how they've managed to send these emails? i've changed the password and it has stopped for now.

any advice gratefully appreciated
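The post above reads the Exim log fields P=esmtpa and A=login:... as the sign that the spam was submitted with valid credentials. The script below is an added example, not code from this thread or from Exim, showing how a defender can scan Exim mainlog "<=" lines for authenticated submissions and flag an account that suddenly sends in bursts or authenticates from more than the usual number of source IPs. The sample log lines, addresses, IPs and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Fields of an Exim mainlog "<=" (message received) line that matter here:
# timestamp, message id, envelope sender, client IP in [...], P=protocol and
# the optional A=authenticator:account that marks an authenticated submission.
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<msgid>\S+) <= (?P<sender>\S+) .*?'
    r'\[(?P<ip>[^\]]+)\].*? P=(?P<proto>\S+)'
    r'(?: A=(?P<auth>\S+))?'
)


def parse_authenticated_sends(log_text):
    """Return (account, client_ip, hour) for every authenticated submission."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group('auth'):
            continue  # unauthenticated inbound mail or an unrelated log line
        auth = m.group('auth')  # e.g. "login:roland@example.net"
        account = auth.split(':', 1)[1] if ':' in auth else auth
        records.append((account, m.group('ip'), m.group('time')[:2]))
    return records


def find_abused_accounts(log_text, max_per_hour=20, max_ips=1):
    """Flag accounts that exceed max_per_hour authenticated sends in any hour
    or that authenticate from more than max_ips distinct client IPs.
    Returns {account: [reason, ...]}; thresholds are assumed values."""
    per_hour = Counter()
    ips = defaultdict(set)
    for account, ip, hour in parse_authenticated_sends(log_text):
        per_hour[(account, hour)] += 1
        ips[account].add(ip)

    flagged = {}
    for (account, hour), n in sorted(per_hour.items()):
        if n > max_per_hour:
            flagged.setdefault(account, []).append(
                f"{n} authenticated sends in hour {hour}")
    for account, addrs in ips.items():
        if len(addrs) > max_ips:
            flagged.setdefault(account, []).append(
                f"authenticated from {len(addrs)} IPs: {sorted(addrs)}")
    return flagged


def _constructed_sample_log():
    """Constructed sample: one normal send, one unauthenticated inbound
    message, and a 03:xx burst of 25 authenticated sends from an unfamiliar IP."""
    lines = [
        "2024-05-01 09:12:01 1s0AbC-000123-Xy <= roland@example.net "
        "H=(localhost) [203.0.113.5] P=esmtpa A=login:roland@example.net "
        "S=2140 id=a1@example.net",
        "2024-05-01 09:13:44 1s0AbD-000124-Xy <= bounce@example.org "
        "H=mail.example.org [198.51.100.7] P=esmtp S=5120 id=b2@example.org",
    ]
    for i in range(25):
        lines.append(
            f"2024-05-01 03:{i:02d}:10 1s0Ab{i:02d}-000{200 + i}-Xy "
            f"<= roland@example.net H=(pc) [192.0.2.10] P=esmtpa "
            f"A=login:roland@example.net S=3100 id=s{i}@spam.invalid"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for account, reasons in find_abused_accounts(_constructed_sample_log()).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

Run it against a real /var/log/exim_mainlog instead of the constructed sample and the same two signals (a burst from one account, or a second client IP appearing for an account that normally sends from one place) are what would have shown this compromise before the queue filled up; tune the thresholds to the server's normal volume.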
 
The only way is that something managed to either bruteforce or get your password another way.

In that case it's mostly a trojan and scanning your pc with a virus scanner is often not enough. I don't know which tools you used for scanning, but changing your password is a good thing.
If you see it starting again, then first scan your pc again, but then use Malwarebytes, ADWCleaner (only download from bleepingcomputer.com just to be safe) and use the clean button, then the pc needs to be rebooted and after that scan again with Malwarebytes.
If all is okay, several trojans will be removed. After that change your password again and you should probably be fine.

You might also consider installing Maldet (see elsewhere on this forum) on your server, just to prevent trojans being installed on your system by leaks in Wordpress or other things.
 
hi richard

thanks for the advice. yes that's what i suspected. i had already used malwarebytes and also ran adwcleaner that you suggested. they both showed up a few things but nothing very serious - which is perhaps a bit more worrying than if i was infected with an obvious trojan, at least i would know how they got the password. i've just installed maldet - looks good, thanks for the suggestion - and that's running as i type. so all i can do after that is hope for the best after a password change. as it stands the original password change i made yesterday has prevented any more being sent for the time being which is promising.

thanks again

roland
 
Hello Roland.

Sometimes it's just little trojans which don't look suspicious which still do the trick.
If it happens again, you can also consider using Combofix, but best is to post the problem on a specialized forum like bleepingcomputer, because they can also let you do several checks, for example on hidden rootkits.
However, you used the right tools for now and I think you will be fine now.

You're welcome.
 