Server compromised through old Joomla install and sending spam

Discussion in 'Server Operation' started by tjbcham, Dec 11, 2015.

  1. tjbcham

    tjbcham Member

    A user who never updated their Joomla 1.7 install was recently compromised and MySQL basically shut down from the amount of spam trying to be sent from that domain. The server IP has been blacklisted. The page at http://www.abuseat.org/ after doing a lookup for the IP gives some indications.
    I stopped Postfix
    I installed Linux Malware Detect and found 2 files that were quarantined by LMD from the Joomla install.
    I then used postsuper -d ALL which deleted 9000+ messages, but mailq was already accumulating 100s of messages seconds later.
    Any other suggestion about how to find the malware? Is it in the database for the domain?
    Any way to block Postfix for that domain so I can turn Postfix back on?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to scan your server with ISPProtect as well, it finds Malware that Maldetect can't find.

    Code:
    cd /tmp
    wget http://www.ispprotect.com/download/ispp_scan.tar.gz
    tar xzf ispp_scan.tar.gz
    ./ispp_scan

    Just enter "trial" when it asks for the license key.

    That's possible but in most cases only the files are affected.

    That's not that easy, as the mails were probably sent through localhost and blocking localhost will block all sites on this server. Just keep an eye on the mail queue the next days.
     
  3. tjbcham

    tjbcham Member

    Thanks for a fast reply.

    I installed and ran ISPProtect and it has found 32 hits for malware in the Joomla install. I am going through them now.

    I also saw in the email header of a queued email from the offending domain X-PHP-Originating-Script: 5009:list.php
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    In case a file with this name has not been found by the scan, try to find it by name, e.g.:

    cd /var/www/yourdomain.tld/web
    find . | grep list.php

    and then check the files with that name for suspect code.
     
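An added example (not code from the thread or from ISPProtect) that automates what the two posts above describe: it tallies the X-PHP-Originating-Script headers of queued messages (the text `postcat -q <QUEUEID>` prints for a Postfix queue file) to see which UID and PHP file is calling mail(), then walks a web root for files of the flagged name. The queued messages and the temporary web root are constructed sample data; the plugin directory layout is hypothetical.

```python
import os
import tempfile
from collections import Counter
from email import message_from_string

# Constructed sample queue contents (shape of `postcat -q` output); not real messages.
QUEUED_MESSAGES = [
    "X-PHP-Originating-Script: 5009:list.php\nFrom: a@example.invalid\nTo: b@example.invalid\n\nhi\n",
    "X-PHP-Originating-Script: 5009:list.php\nFrom: a@example.invalid\nTo: c@example.invalid\n\nhi\n",
    "X-PHP-Originating-Script: 5010:contact.php\nFrom: d@example.invalid\nTo: e@example.invalid\n\nhi\n",
    "From: legit@example.invalid\nTo: f@example.invalid\n\nno php header here\n",
]


def originating_scripts(raw_messages):
    """Count (uid, script) pairs from X-PHP-Originating-Script headers.

    PHP adds this header when mail.add_x_header=On; its value is 'uid:scriptname',
    which tells you which site user and which PHP file called mail().
    """
    counts = Counter()
    for raw in raw_messages:
        value = message_from_string(raw).get("X-PHP-Originating-Script")
        if not value:
            continue  # not sent via PHP mail(), or the header was stripped
        uid, _, script = value.partition(":")
        counts[(uid.strip(), script.strip())] += 1
    return counts


def find_files_named(root, name):
    """Walk root and return every file whose basename equals name (like `find . | grep`)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def make_sample_tree():
    """Build a throwaway web root with a list.php buried in a hypothetical plugin folder."""
    root = tempfile.mkdtemp(prefix="webroot_")
    deep = os.path.join(root, "plugins", "editors", "jckeditor", "plugins", "link", "images")
    os.makedirs(deep)
    open(os.path.join(deep, "list.php"), "w").write("<?php /* constructed stand-in */ ?>\n")
    open(os.path.join(root, "index.php"), "w").write("<?php echo 'ok'; ?>\n")
    return root


if __name__ == "__main__":
    for (uid, script), n in originating_scripts(QUEUED_MESSAGES).most_common():
        print(f"{n:4d}  uid={uid}  script={script}")
    print(find_files_named(make_sample_tree(), "list.php"))
```

On a live box you would feed `originating_scripts` the output of `postcat -q` for each queue ID from `mailq` and point `find_files_named` at the site's web directory.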
  5. tjbcham

    tjbcham Member

    Again thanks for the quick help.
    It seems like I found the offending script... buried in plugins/editors/jckeditor/jckeditor/plugins/link/images/list.php
    It was installed or modified yesterday.
    Removing it and the mailq has remained empty.
    ISPProtect also picked up that file as suspect.
    Unfortunately LMD did not pick it up and quarantine it.

    As a side note, it looks like from the quarantined lists and from the ISPProtect scan on other domains that people are getting plenty of malware in templates and theme files (perhaps downloading free templates?). However, it is a bit scary if they are not all being picked up and quarantined.

    I think in this case it is a very outdated Joomla install. I just checked the user table for the domain in the database and see there are a bunch of fake admins in there with .ru email addresses. I removed them.
     
  6. SamTzu

    SamTzu Active Member

    We disabled all Joomla 1.x sites on our servers if the customer did not upgrade them. Too much trouble for little or no money. I'm wondering when to do that for all 2.x sites? There have not been any patches for that for a while.
     
