My apologies if you encountered any problems because the site was off-line. It’s because I was stupid enough not to use a more secretive password with characters, digits and use upper- and lowercase, I just had an easy common word which was easy to remember for me. I noticed for some time now someone trying to use SSH to gain access to my computer but never thought it to be harmful. I seen it at other sites as well. Until yesterday, they had guessed correctly ! Someone got access to my computer via SSH using my root account and installed a simple PHP script that started to send out a massive mailing (I haven’t counted them) with the postcard virus.
I was very lucky to discover it very quickly because I was fiddling with my new spam filter when I noticed that my logfile was filling up rather quickly with strange messages to email addresses I never used before. First I thought some of my others users was doing this but it kept on going so I stopped Postfix and started investigating.
I quickly found out what was going on. Cleaned the postfix queues, which where huge, and restarted Postfix. Scanned the drive for all files changed after 17:00 and located the script and removed it. Now I’ve changed all passwords, checked all user accounts and closed down SSH access until I can find a better, more secure way, of accessing this machine remotely from the outside.
Because of the spam being send out, my ISP got notified about it and blocked my internet access today without me knowing it. Which is a good case if you are on the receiving end of spam, but I solved the problem and didn’t know about it. Next time, I hope never, I will email my ISP that I solved the issue so they don’t need to block me again. I do wish that other providers would block their users if they send out spam, there would be a lot less spam.
Again my apologies for being off-line and even more if you received any of the spam being send out from my computer.
- No related posts