-1

I have 2 domains on my dedicated server running debian.

One of them is linked to a wordpress site, mydomain.com.

I've noticed that on both my sites, lately, the performances were horrible so I started to look for a reason.

I noticed that in the last few days, my daily syslogs were as big as 800mb, filled with notices of deferred emails coming from emails looking like name_surname@mydomain.com, obviously programmaticaly generated.

I updated my wordpress, deleted the deferred queue (all 130 000 deferred mails making it) of postfix, and waited 10mn.

After 10mn, the queue is filled with 4000 mails and counting, and can't locate any fishy script anywhere.

I can't find any information about such an exploit, so I'd like to know what I could do get rid of that spam that is killing my server.

If that can help, it seems that every address sends batches of 20 emails.

Jay Zus
  • 131
  • 1
  • 6
  • 1
    Have you tested to see if your postfix is open to the internet? Try this tool and see what it says -- you probably don't want it open to the internet at all, but if you do you need it behind authentication. http://mxtoolbox.com/diagnostic.aspx – Kromey Jul 24 '15 at 18:45
  • As I expected, my postfix isn't open to the internet. The only authorized ip in the conf is localhost too. – Jay Zus Jul 24 '15 at 18:49

1 Answers1

2

Well, after a lot of unlucky tries, I've managed to find a way to correct the problem. For people having the same problem or similar, here's how I proceeded :

  1. Update your wordpress
  2. Connect to your wordpress admin panel if you can and uninstall all unused themes and plugins If you can't, delete them from your server (default path is [your web dir]/web/wp-content/themes)
  3. Access your server (ssh is preferred) and, if you're in graphic mode, open a terminal.
  4. Navigate to the previously mentionned website web directory and run the command grep -rHn eval . > ~/audit.tmp. It will find every instance of "eval" in files in your directory, which will find most, if not all, commonly obfuscated code and write them in the audit file preceded by the file that contains it and the line number. (this could take some time)
  5. Now, the fastidious part. You need to look at every entry of that file and try to find abnormal uses of eval. They're usually looking like eval(very_long_string) and part of a php file.
  6. Delete all suspect files and if you're not sure of their malevolence, make a backup of them.
  7. Check your number of deferred mails by running find /var/spool/postfix/deferred -type f | wc -l
  8. Delete your deferred mails (THIS WILL PERMANENTLY DELETE THE MAILS) if they contain too much mails to be considered normal (mine for example had 120 000 mails) by running the command postsuper -d ALL deferred
  9. Check step 7 several time to see if the deferred queue is still growing abnormally. It should normally behave correctly now.
  10. Optional : contact your ISP to unblock your smtp port if they classified you as spam
Jay Zus
  • 131
  • 1
  • 6