Hello,
As an inexperienced CloudVPS owner I have stumbled upon 3 problems. I received the following DirectAdmin warning:
Warning: 200 emails have just been sent by ***
The *** account has just finished sending 200 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.
After some processing of the /etc/virtual/usage/***.bytes file, it was found that the highest sender was ***@****.com, at 212 emails.
The most common path that the messages were sent from is /home/***/domains/***.com/public_html, at 201 emails (100%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.
This also happened with another account on my other account I host on my CloudVPS.
Problem nr. 2: This is what my secure.log is telling me. Underneath are a few lines, but there are pages full of this.
Nov 24 16:02:10 vps1 sshd[24450]: Address 46.21.170.39 maps to default.technotop.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 24 16:02:10 vps1 sshd[24450]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=46.21.170.39 user=root
Nov 24 16:02:11 vps1 sshd[24450]: Failed password for root from 46.21.170.39 port 36829 ssh2
Nov 24 16:02:11 vps1 sshd[24451]: Received disconnect from 46.21.170.39: 11: Bye Bye
Problem 3: This started before problems 1 and 2. I believe someone hates me a lot.
This is an automated message notifying you that the 5 minute load average on your system is 27.11.
This has exceeded the 10 threshold.
One Minute - 80.96
Five Minutes - 27.11
Fifteen Minutes - 9.96
top - 22:22:04 up 9 days, 9:40, 0 users, load average: 77.44, 27.27, 10.11
Tasks: 234 total, 31 running, 203 sleeping, 0 stopped, 0 zombie
Cpu(s): 10.1%us, 2.6%sy, 0.0%ni, 82.0%id, 5.1%wa, 0.0%hi, 0.0%si, 0.2%st
Mem: 4099296k total, 4069872k used, 29424k free, 13488k buffers
Swap: 4194296k total, 47872k used, 4146424k free, 50536k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7553 apache 20 0 190m 58m 6300 R 6.9 1.5 0:17.67 /usr/sbin/httpd -k start -DSSL
7566 apache 20 0 200m 68m 5964 R 6.9 1.7 0:17.91 /usr/sbin/httpd -k start -DSSL
7611 apache 20 0 189m 55m 5852 R 6.9 1.4 0:03.05 /usr/sbin/httpd -k start -DSSL
7623 apache 20 0 182m 50m 4964 R 6.9 1.3 0:02.83 /usr/sbin/httpd -k start -DSSL
7704 apache 20 0 183m 51m 4980 R 6.9 1.3 0:01.97 /usr/sbin/httpd -k start -DSSL
7810 apache 20 0 179m 47m 5024 R 6.9 1.2 0:01.43 /usr/sbin/httpd -k start -DSSL
7540 apache 20 0 195m 63m 6300 R 5.5 1.6 0:17.64 /usr/sbin/httpd -k start -DSSL
7599 apache 20 0 194m 60m 5580 S 5.5 1.5 0:02.72 /usr/sbin/httpd -k start -DSSL
7613 apache 20 0 192m 59m 5092 R 5.5 1.5 0:02.68 /usr/sbin/httpd -k start -DSSL
7662 apache 20 0 189m 56m 5092 R 5.5 1.4 0:02.40 /usr/sbin/httpd -k start -DSSL
7663 apache 20 0 194m 61m 5840 R 5.5 1.5 0:02.54 /usr/sbin/httpd -k start -DSSL
7665 apache 20 0 175m 43m 4940 R 5.5 1.1 0:02.36 /usr/sbin/httpd -k start -DSSL
7668 apache 20 0 187m 54m 5012 R 5.5 1.4 0:02.42 /usr/sbin/httpd -k start -DSSL
7669 apache 20 0 194m 61m 5836 R 5.5 1.5 0:02.61 /usr/sbin/httpd -k start -DSSL
7684 apache 20 0 184m 51m 5040 R 5.5 1.3 0:02.06 /usr/sbin/httpd -k start -DSSL
7695 apache 20 0 188m 55m 5076 R 5.5 1.4 0:01.98 /usr/sbin/httpd -k start -DSSL
7703 apache 20 0 183m 51m 4992 R 5.5 1.3 0:01.99 /usr/sbin/httpd -k start -DSSL
7706 apache 20 0 190m 57m 5092 R 5.5 1.4 0:01.93 /usr/sbin/httpd -k start -DSSL
7722 apache 20 0 183m 50m 4972 R 5.5 1.3 0:01.77 /usr/sbin/httpd -k start -DSSL
7744 apache 20 0 185m 52m 4972 R 5.5 1.3 0:01.63 /usr/sbin/httpd -k start -DSSL
7748 apache 20 0 152m 20m 4960 R 5.5 0.5 0:01.27 /usr/sbin/httpd -k start -DSSL
7751 apache 20 0 185m 51m 5808 R 5.5 1.3 0:01.57 /usr/sbin/httpd -k start -DSSL
7765 apache 20 0 198m 66m 5192 R 5.5 1.7 0:01.53 /usr/sbin/httpd -k start -DSSL
My situation: Both are WordPress sites, all up to date. I changed the passwords of my DirectAdmin and database, but that didn't work out.
My question is: what can I do for problems nr. 1, 2 and 3? Please help.
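An added example, not part of the original post: a small Python script that summarizes sshd authentication failures per source address from secure.log lines in the format quoted in problem 2, so you can see which hosts are hammering root and which also trip the reverse-DNS mismatch warning. The log text is constructed from the post's lines plus a few extra entries (the address 198.51.100.7 and the user names are made up), and the threshold of 3 failures is an assumed value to tune per host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, same format as the secure.log excerpt in the post.
SAMPLE_LOG = """\
Nov 24 16:02:10 vps1 sshd[24450]: Address 46.21.170.39 maps to default.technotop.nl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 24 16:02:10 vps1 sshd[24450]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=46.21.170.39 user=root
Nov 24 16:02:11 vps1 sshd[24450]: Failed password for root from 46.21.170.39 port 36829 ssh2
Nov 24 16:02:11 vps1 sshd[24451]: Received disconnect from 46.21.170.39: 11: Bye Bye
Nov 24 16:02:14 vps1 sshd[24460]: Failed password for root from 46.21.170.39 port 36871 ssh2
Nov 24 16:02:17 vps1 sshd[24462]: Failed password for invalid user admin from 46.21.170.39 port 36902 ssh2
Nov 24 16:03:01 vps1 sshd[24470]: Failed password for jan from 198.51.100.7 port 51022 ssh2
Nov 24 16:03:05 vps1 sshd[24470]: Accepted publickey for jan from 198.51.100.7 port 51022 ssh2
"""

# "invalid user" appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
# The reverse-DNS mismatch warning sshd prints before the auth attempt.
RDNS_RE = re.compile(
    r"Address (\d+\.\d+\.\d+\.\d+) maps to \S+, but this does not map back")


def summarize_ssh_failures(log_text):
    """Return {ip: {"failed": n, "users": Counter, "rdns_mismatch": bool}}."""
    stats = defaultdict(
        lambda: {"failed": 0, "users": Counter(), "rdns_mismatch": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"][user] += 1
            continue
        m = RDNS_RE.search(line)
        if m:
            stats[m.group(1)]["rdns_mismatch"] = True
    return dict(stats)


def suspicious_sources(stats, threshold=3):
    """Source IPs with at least `threshold` failed logins (assumed threshold)."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)


if __name__ == "__main__":
    summary = summarize_ssh_failures(SAMPLE_LOG)
    for ip in suspicious_sources(summary):
        s = summary[ip]
        print(ip, s["failed"], "failures, users:", dict(s["users"]),
              "rDNS mismatch:", s["rdns_mismatch"])
```

On the real box, feed it `/var/log/secure` instead of the sample; the hosts it lists are the ones to block at the firewall, and the user names it shows tell you whether the noise is blind root guessing or targeting accounts that exist.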