My server was hacked - and used to send out spam.
I had not kept postfix updated, I think that might be where they came in, I'm not sure. I know, should have kept it updated.
It seems that just setting up a new virtualmin server and moving the domain and users over has worked fine. No more spam going out.
To be on the safe side, I change the admin password of course, but we were thinking about changing users passwords as well. The users only have email privileges, not ftp or sites.
Do you think that is a good idea? If so, is there a way to easily edit them all, or do they have to be done one at a time?
Question 2 - the organization I'm handling email for is asking if real-time backups of their email is a possibility (we lost about a day's worth as I was working on this). Is there anything feasible on that front?
thanks,
Chris
Uh-oh, multiple questions in one post. ;)
Alright, first of all, I have some doubts that Postfix was the culprit for you getting hacked. Even if you don't update that regularly, I have so far never heard of a security issue in it that could be abused to send spam, and that was fixed with an update. (Of course, I certainly don't know everything.)
Most of the time, it is faulty web software (Joomla, Wordpress, the like) that's hijacked and used to do bad stuff. Don't get me wrong, I'm not saying that those packages are "faulty" per se. It's just that they are way more prone to have security flaws than server software like Apache or Postfix, and indeed DO need to be updated regularly.
So, when doing your anti-hack audit, you might want to severely check what web software your users have in place. It's also a good idea to use a tool like "Linux Malware Detect" (LMD) which is based on the ClamAV engine and scans specifically for web-based (PHP+co.) malware.
Setting up new Virtualmin servers and migrating - while also renewing/checking web software - is a good idea. Changing email user passwords also cannot hurt! If some of these are compromised, spammers can use them to send out their crap.
To change multiple passwords easily, you could use the Virtualmin command-line API, namely
virtualmin modify-user --domain DOM --user USER --pass NEWPASS
About real-time email backup: I could think of several ways of doing that. Synchronizing users' Maildir using "rsync", triggered by "incron", for example. Or, adding an "Also forward to:" email address that's on another host to your users. It depends on how exactly the backup should be done, whether it should be accessible directly or is meant for restoration only, and whether it should be on a different host or on the same one.
Just a quick note to mention that I agree with Locutus, in that it seems unlikely Postfix was the culprit, even if it wasn't up to date.
It's possible that an email password was guessed, but the primary way we see breakins occurring is for spammers to find vulnerable web apps, and to break into them. Even a vulnerable plugin in a web app can cause problems like that.
You can usually determine the source of the problem by reviewing the email headers of the spam that's in the Postfix mail queue, if you still happen to have any of those laying around.
-Eric
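Eric's point about reading the headers of queued spam, worked through as an added example (not code from the thread or from Virtualmin): a small Python script that tallies Postfix's own Received: header per authenticated account and client IP, which is how you tell a guessed mailbox password from some other relay path. It assumes Postfix was configured with smtpd_sasl_authenticated_header = yes (without it the Authenticated sender clause is not written) and that each input is the output of postcat -q for one queue ID; the sample headers here are constructed.

```python
import re
from collections import Counter

# With smtpd_sasl_authenticated_header = yes, Postfix stamps each submitted
# message with a header of the form
#   Received: from HELO (rdns [ip]) (Authenticated sender: user) by host ...
# The topmost Received: header in a queued message is the one this server added.
RECEIVED_RE = re.compile(
    r"Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)"
    r"(?: \(Authenticated sender: (?P<user>[^)]+)\))? by (?P<by>\S+)"
)

def unfold(headers):
    """Join folded continuation lines (leading whitespace) onto one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def submission_info(message_source):
    """Return (authenticated user or None, client IP), or None when the message
    did not come in over SMTP (a local sendmail(1) submission reads 'Received: by')."""
    m = RECEIVED_RE.search(unfold(message_source))
    return (m.group("user"), m.group("ip")) if m else None

def tally_submissions(sources):
    """Count queued messages per (user, client IP).  One mailbox relaying many
    messages from IPs its owner never uses points at a guessed or leaked password."""
    counts = Counter()
    for src in sources:
        info = submission_info(src)
        if info:
            counts[info] += 1
    return counts

def constructed_source(ip, rdns, qid, user=None):
    """Build a constructed sample of what `postcat -q QID` prints for a message."""
    auth = f"\n\t(Authenticated sender: {user})" if user else ""
    return (f"Received: from client.invalid ({rdns} [{ip}]){auth}\n"
            f"\tby mail.example.com (Postfix) with ESMTP id {qid}\n"
            f"From: lottery@example.net\nSubject: you won\n\nbody\n")

# Constructed sample queue (documentation IP ranges, not real hosts).
SAMPLE_QUEUE = [
    constructed_source("192.0.2.10", "unknown", "AAAA1", "chris@example.com"),
    constructed_source("192.0.2.10", "unknown", "AAAA2", "chris@example.com"),
    constructed_source("198.51.100.7", "mx.example.org", "AAAA3"),
    "Received: by mail.example.com (Postfix, from userid 1000)\n\tid AAAA4\n",
]

if __name__ == "__main__":
    for (user, ip), n in tally_submissions(SAMPLE_QUEUE).most_common():
        print(f"{n:4d}  {user or '(not authenticated)'}  {ip}")
```

On a live box you would feed it `postcat -q` output for every ID listed by `mailq`; a single account at the top of the list is the password to reset first.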
Locutus, Eric,
Thank you both very much for the information and your thoughts on this.
The interesting thing is that there were no web apps running on the server, all the web stuff is routed to another server.
So.... now I'm thinking they probably did just hack a password and use that account to relay spam. Though when I shut off the account, and rebooted the server, the email kept going out... so I don't know.
Anyway, I moved users over to a new virtualmin install, deactivated the old server, and everything is working fine now (in the process of changing passwords for all email users; of course, changed admin passwords right away).
It would have been nice to figure out exactly what happened, but I didn't want to keep paying for the server just to do that, and I don't have the expertise and time to really give it a good autopsy.
Thanks again to both of you - your helpfulness on the forum here is awesome (I am a mod on a busy help forum myself, I know the dedication and time it takes!),
Chris