On Mon, Jan 8, 2018 at 2:22 PM, Knurpht - Gertjan Lettink <knurpht@opensuse.org> wrote:
> On Monday, 8 January 2018 20:09:34 CET, Greg Freemyer wrote:
>> On Mon, Jan 8, 2018 at 2:01 PM, Per Jessen <per@computer.org> wrote:
>>> Greg Freemyer wrote:
>>>> On Mon, Jan 8, 2018 at 1:46 AM, Per Jessen <per@computer.org> wrote:
>>>>> Greg Freemyer wrote:
>>>>>> All,
>>>>>>
>>>>>> I have a VM on the internet that for the last day or so is sending out tens of thousands of malicious emails.
>>>>>>
>>>>>> openSUSE 42.2
>>>>>>
>>>>>> Fully updated with security patches. I know I need to update to 42.3, but at least for now it is still getting security patches.
>>>>>>
>>>>>> I assume the bad guys are somehow using it as a relay site, but I'm not sure. The server has a GUI on it I think, but I rarely, if ever, use it. Almost all admin is via ssh.
>>>>>
>>>>> Check the mail logs, Greg. /var/log/mail will tell you everything.
>>>>
>>>> Agreed, but they are huge as of the last couple days. I need some hints of what to look for.
>>>
>>> Look for e.g. "smtpd.*connect" to see servers connecting to deliver mails. If you see lots of unknown ones, you have identified the source.
>>
>> As noted in other emails, I think I found the method of relay used. And I made an effort to block it.
>>
>>>>>> I note in the last 12 hours my server has sent several emails from "wwwrun" to zobugtel@gmail.com.
>>>>>
>>>>> wwwrun is almost certainly your apache server, any chance some application has been compromised?
>>>>
>>>> Whatever it is, it seems unrelated, so I will attack that problem separately. I mostly have just a few static pages on this server.
>>>
>>> Where do you get it's unrelated?
>>
>> Apparently a false hope on my part. I'm now seeing emails with a from address of av153.intelligentavatar.net. That was a test website I created a couple years ago. Only a malicious user that can see my apache setup would know that exists.
>
> I've seen dozens of occasions where outdated Joomla/Wordpress/Drupal etc. sites got hacked, a simple php mailer got installed and off the spammers went.
That seems like what is happening. I set up Wordpress as a test a couple years ago. There are php files in there with datestamps of Dec 28, 2017 or newer. I haven't looked at that stuff since 2016 it seems. The WP stuff is not in use, so I think I can just wipe it out. Done. Let's see what happens now.

Greg
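The two checks the thread converges on, Per's grep of /var/log/mail for smtpd connects and for mail submitted by the wwwrun account, and Greg's look for recently changed PHP files under the web root, as an added example that is not part of the thread or of anyone's posted code. The log lines, host names, addresses and the throwaway web root are constructed; the regexes assume the Postfix syslog format (`postfix/smtpd[pid]: connect from host[ip]` and `postfix/pickup[pid]: ID: uid=N from=<user>`), which is what openSUSE's default MTA writes, and uid 30 for wwwrun is only the sample data's assumption.

```python
import os
import re
import tempfile
import time
from collections import Counter

# Constructed sample /var/log/mail lines (not from the thread). Addresses are
# RFC 5737 documentation ranges; "unknown" is what smtpd logs when the client
# has no reverse DNS name.
SAMPLE_LOG = """\
Jan  8 02:11:03 vm postfix/smtpd[2201]: connect from mail.example.net[198.51.100.7]
Jan  8 02:11:04 vm postfix/smtpd[2201]: disconnect from mail.example.net[198.51.100.7]
Jan  8 02:12:10 vm postfix/smtpd[2203]: connect from unknown[203.0.113.5]
Jan  8 02:12:11 vm postfix/smtpd[2203]: connect from unknown[203.0.113.5]
Jan  8 02:12:30 vm postfix/smtpd[2204]: connect from unknown[203.0.113.9]
Jan  8 02:13:00 vm postfix/pickup[1800]: 4F2A1B3C: uid=30 from=<wwwrun>
Jan  8 02:13:01 vm postfix/pickup[1800]: 4F2A1B3D: uid=30 from=<wwwrun>
Jan  8 02:14:00 vm postfix/pickup[1800]: 4F2A1B3E: uid=1000 from=<greg>
"""

# Per's "smtpd.*connect": one line per inbound SMTP connection.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
# Mail injected locally through sendmail(1) is logged by pickup with the
# submitting uid and sender; wwwrun here means the web server sent it.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: \w+: uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")


def smtpd_connects(lines, known_hosts=()):
    """Count inbound connections per client IP and, separately, those whose
    reverse name is not in known_hosts (the 'lots of unknown ones' check)."""
    counts, unknown = Counter(), Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        counts[m.group("ip")] += 1
        if m.group("host") not in known_hosts:
            unknown[m.group("ip")] += 1
    return counts, unknown


def local_submissions(lines):
    """Count locally submitted messages per sending account."""
    by_sender = Counter()
    for line in lines:
        m = PICKUP_RE.search(line)
        if m:
            by_sender[m.group("sender")] += 1
    return by_sender


def days_ago(n):
    """Epoch timestamp n days before now (helper for the mtime cutoff)."""
    return time.time() - n * 86400


def recent_php_files(root, since_epoch):
    """Walk a web root and return .php files modified at or after since_epoch,
    the check Greg did by eye when he noticed Dec 28, 2017 datestamps."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                if os.stat(path).st_mtime >= since_epoch:
                    hits.append(path)
    return sorted(hits)


def build_demo_webroot():
    """Constructed throwaway web root: an old plugin file and a file touched an
    hour ago, so recent_php_files has something to find. Not a real site."""
    root = tempfile.mkdtemp(prefix="webroot-")
    old = os.path.join(root, "wp-content", "plugins", "hello.php")
    new = os.path.join(root, "wp-content", "uploads", "x.php")
    for p in (old, new):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("<?php\n")
    os.utime(old, (days_ago(400), days_ago(400)))  # untouched for ~13 months
    os.utime(new, (days_ago(0) - 3600, days_ago(0) - 3600))  # changed today
    return root


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts, unknown = smtpd_connects(lines, known_hosts={"mail.example.net"})
    print("connections per client:", dict(counts))
    print("from clients without a known name:", dict(unknown))
    print("local submissions by account:", dict(local_submissions(lines)))
    print("php changed in last 30 days:",
          recent_php_files(build_demo_webroot(), days_ago(30)))
```

On the real box the two log functions would be fed `open("/var/log/mail")` (plus the rotated copies) instead of SAMPLE_LOG, and `recent_php_files` the actual DocumentRoot; a web root that has not been maintained since 2016 should yield no recent hits at all, so any hit is worth opening.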