
I've got an abuse message from Spamhaus with the following:

The host at this IP address is currently being used to distribute malware.

Malware distribution located here: http://xxx.xx.xx.xxx:8080/get/get.php

Where http://xxx.xx.xx.xxx is our domain.

We've found that any request to port 8080 returns malware. We use Apache 2 on the server, but there are no settings for port 8080. I'm just looking for ideas on how to fix that bug. At the moment we have closed port 8080, but there is still some malware inside. I will appreciate any suggestions.

webbear

1 Answer

  1. Pull that server offline now.
  2. Deploy new server.
  3. Ensure all relevant OS and application updates are applied.
  4. Double check security configuration.
  5. Restore your data from a verified backup.
  6. Then investigate the original server logs/etc. for clues as to how you were infected in the first place.
Etan Reisner
  • Thank you for the reply. But I'm looking for suggestions about what it could be. Unfortunately I can't stop the server at the moment, so I need to find that bug. – webbear Nov 07 '14 at 13:25
  • @webbear As a general rule, you **cannot** clean a compromised system. You can clean what you can find but being certain you've gotten everything is very very hard. If you are looking for advice on how to find out what the malware is and where it lives on your system that's likely something someone could help you answer but advice on how to clean up from the compromise is unlikely to be forthcoming. – Etan Reisner Nov 07 '14 at 13:30
  • Stack Overflow isn't the right forum for that kind of question. You could try https://security.stackexchange.com/ – Satya Prakash Apr 23 '20 at 06:58
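For the answer's last step and the comment about finding out where the malware lives, a small triage helper that is not part of the original question or answer: it reads `ss -ltnp` output, picks out every process holding a listening socket on the port in question (8080 here), and reports each one's executable, working directory, command line and owner from /proc. It assumes Linux with iproute2 `ss`, procps `ps` and GNU `stat`; the port and the sample socket lines used for checking are constructed.

```shell
#!/bin/sh
# Added triage helper, not code from the original question or answer.
# Assumes Linux with iproute2 `ss`, a /proc filesystem, procps and GNU coreutils.

# pids_for_port PORT: read `ss -ltnp` output on stdin and print the PID of every
# process with a listening socket on PORT, one per line. Reading stdin means it
# works on captured output as well as on a live `ss` run.
pids_for_port() {
    port="$1"
    # Column 4 is "Local Address:Port", so 0.0.0.0:8080, [::]:8080 and *:8080 all match
    # while :18080 does not; the header line has no ":PORT" in column 4 and is skipped.
    # The process column can carry several "pid=NNN" entries (e.g. worker processes).
    awk -v p="$port" '
        $4 ~ (":" p "$") {
            while (match($0, /pid=[0-9]+/)) {
                print substr($0, RSTART + 4, RLENGTH - 4)
                $0 = substr($0, RSTART + RLENGTH)
            }
        }' | sort -u
}

# describe_pid PID: what the process is, where it runs from, and who owns it.
# An executable removed after start shows up as "(deleted)" in the exe link, which
# is itself worth noting; the cwd often points at the directory the files came from.
describe_pid() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: no longer running"
        return 1
    fi
    echo "pid $pid"
    echo "  exe:   $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "  cwd:   $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "  cmd:   $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "  owner: $(stat -c %U "/proc/$pid" 2>/dev/null || echo '?')"
    echo "  since: $(ps -o lstart= -p "$pid" 2>/dev/null || echo '?')"
}

# main PORT: live run over the sockets currently listening on this host.
main() {
    ss -ltnp 2>/dev/null | pids_for_port "$1" | while read -r pid; do
        describe_pid "$pid"
    done
}

# Only run when given a port on the command line, e.g. `sh triage.sh 8080`.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Record the output before touching anything, since the exe and cwd paths and the owning user are exactly what the server logs need to be searched for afterwards.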