Re: Need help securing mail server: already got hacked.

On Fri, 1 Jul 2005 08:35:49 -0500
John Foster <jfoster@augustmail.com> wrote:

> I have exim4 using the heavy daemon set up and it runs fine. I am
> setting it up to serve mail for 5 sites (all my own) that I have on a
> single box using Apache2 and as virtual sites. All is working fine.
> I was advised that I should set up a pop3 server in order to allow
> access from a remote system to these mail sites. Again (I used
> popa3d) everything worked fine. The problem is, I got hacked almost
> immediately and my mail system was used to send a load of spam all
> over the place. The result is that I have had to shut down the
> servers until I get my system hardened enough to do the job & quit
> getting hijacked by spammers. I have been reading the docs but time is
> not my friend here; I need to get this done ASAP so I can get these
> servers turned back on. My ISP will shut me down if I leave the
> system up in its current state. All tips greatly appreciated.
> Thanks!

[Note: hacking is what knowledgeable sys-admins do when they can't find
a program that perfectly meets their need. Cracking is what bad guys do
to break into your server. Hacking is good, cracking is bad.]

Are you sure it got hacked, or did you have exim4 set up as an open relay?
An open relay is much easier to fix than a cracked server.

To have your server tested to see if it is an open relay and have the
results e-mailed to you, go to www.ordb.org.

If your server was really cracked, you are best doing a full re-install.
But first, you might try to analyze how they got in and what they used
to gain root (or if they even got root). Run chkrootkit to see what
it can find and maybe use a Fire[1] CD to do some forensics on the
server. Then make sure you are using the latest versions of all of your
packages and set up an iptables firewall on the machine.

As an aside, I sometimes wonder if Nationwide would even notice that you
got cracked. August's service has gone down quite a bit since they were
bought out. :-(


[1] http://fire.dmzs.com/
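The open-relay check the reply recommends, as an added example that is not part of the original thread: a Python probe that speaks the same SMTP exchange a spammer's relay scanner would (EHLO, MAIL FROM at one foreign domain, RCPT TO at a second foreign domain) and reports what the server answered to RCPT TO. The probe addresses, HELO name and the two scripted server transcripts are constructed assumptions for offline use, not real hosts. The ORDB web test mentioned above was discontinued in 2006, so being able to run the check yourself is worth having.

```python
"""Open-relay probe: speak just enough SMTP to see whether a server will
accept mail from a foreign sender to a foreign recipient.

Added example for this thread, not code from the original post. The
addresses, host names and canned transcripts below are assumptions.
"""
import socket
import sys

# Constructed probe addresses: pick domains the server under test does NOT
# host, otherwise a 250 is legitimate local delivery, not relaying.
PROBE_SENDER = "relaytest@example.net"
PROBE_RCPT = "relaytest@example.org"
HELO_NAME = "probe.example.com"

# Constructed transcripts standing in for two servers: one that relays for
# anyone, and one that refuses a foreign recipient the way exim4 does when
# the domain is in neither its local nor its relay_to_domains lists.
_COMMON = {
    "EHLO": ["250-mail.example.com Hello probe.example.com", "250 SIZE 52428800"],
    "HELO": ["250 mail.example.com"],
    "MAIL": ["250 OK"],
    "RSET": ["250 Reset OK"],
    "QUIT": ["221 mail.example.com closing connection"],
}
OPEN_RELAY_SERVER = ("220 mail.example.com ESMTP", dict(_COMMON, RCPT=["250 Accepted"]))
CLOSED_RELAY_SERVER = ("220 mail.example.com ESMTP Exim",
                       dict(_COMMON, RCPT=["550 relay not permitted"]))


def read_reply(recv):
    """Read one SMTP reply, following '250-' continuation lines.
    Returns (code, [lines]); raises if the peer hangs up."""
    lines = []
    while True:
        line = recv()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # "250 text" ends the reply
            return int(line[:3]), lines


def probe_relay(send, recv):
    """Run the relay test over a send/recv line transport.

    Stops at RCPT TO and never sends DATA, so even an open relay gets no
    message injected by this probe."""
    transcript = []

    def cmd(line):
        send(line)
        code, lines = read_reply(recv)
        transcript.append((line, lines))
        return code

    code, greeting = read_reply(recv)
    transcript.append(("<connect>", greeting))
    result = {"open_relay": False, "rcpt_code": None, "transcript": transcript}
    if code != 220:
        result["verdict"] = f"not an SMTP greeting ({code})"
        return result
    if cmd(f"EHLO {HELO_NAME}") != 250 and cmd(f"HELO {HELO_NAME}") != 250:
        cmd("QUIT")
        result["verdict"] = "HELO rejected"
        return result
    if cmd(f"MAIL FROM:<{PROBE_SENDER}>") != 250:
        cmd("QUIT")
        result["verdict"] = "foreign sender rejected (not relaying)"
        return result
    code = cmd(f"RCPT TO:<{PROBE_RCPT}>")
    result["rcpt_code"] = code
    if 200 <= code < 300:
        result["open_relay"] = True
        result["verdict"] = "OPEN RELAY: accepted a foreign recipient"
    elif 500 <= code < 600:
        result["verdict"] = "relay refused at RCPT TO"
    else:
        result["verdict"] = f"indeterminate: temporary failure {code}"
    cmd("RSET")  # abandon the envelope before leaving
    cmd("QUIT")
    return result


def probe_host(host, port=25, timeout=15):
    """Probe a live server. Only point this at a host you are responsible for."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        send = lambda line: sock.sendall((line + "\r\n").encode("ascii"))
        recv = lambda: reader.readline().rstrip("\r\n")
        return probe_relay(send, recv)


class ScriptedServer:
    """Offline stand-in for a server: one canned reply per SMTP verb."""

    def __init__(self, greeting, replies):
        self.pending, self.replies, self.commands = [greeting], replies, []

    def send(self, line):
        self.commands.append(line)
        verb = line.split(":")[0].split(" ")[0].upper()  # EHLO/MAIL/RCPT/...
        self.pending.extend(self.replies[verb])

    def recv(self):
        return self.pending.pop(0) if self.pending else ""


def probe_scripted(server_def):
    """Run the probe against one of the constructed transcripts above."""
    srv = ScriptedServer(*server_def)
    result = probe_relay(srv.send, srv.recv)
    result["commands"] = srv.commands
    return result


if __name__ == "__main__":
    res = probe_host(sys.argv[1]) if len(sys.argv) > 1 else probe_scripted(CLOSED_RELAY_SERVER)
    for sent, got in res["transcript"]:
        print("C:", sent)
        for line in got:
            print("S:", line)
    print(res["verdict"])
```

Run it from a machine outside your own network (`python3 relayprobe.py mail.yourdomain.example`), since a client inside the nets exim4 is told to relay for is allowed to relay by design; on a Debian exim4 box those lists are dc_relay_nets and dc_relay_domains in /etc/exim4/update-exim4.conf.conf. A 550 at RCPT TO is the answer you want. A 250 is a strong sign of an open relay, though a server set up to accept first and bounce later would also answer 250 here, so confirm by sending one real test message to an address you control at an outside domain and watching /var/log/exim4/mainlog.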

