I am not questioning your knowledge on this subject, I only wrote what blocked the sending of spam from my servers, as the users of the conversation asked about.
The attacks seem to be affecting most Polish servers.
Several dozen companies reported the attacks and asked us to change our passwords. Google, too, told me to change all my passwords on my PC.
Don't forget to change the domain owner password which in turn may mean you have to change the mysql password and reconfigure wordpress with this new password, but if you leaked your credentials I would be inclined to wipe the server(s) and start again with a fresh OS and of course new passwords
to change our passwords
It's the first thing I told you so I don't understand why it comes back in the conversation
But then
The attacks seem to be affecting most Polish servers.
Could you please stop changing your version every 10 posts?
So now it's a whole attack against Polish servers? From a foreign country I guess? If it's real, you can switch off the server …
Or as @jimr1 indirectly said, go through a hosting provider from another country.
Still extremely important, you didn't reply to it:
"using your credentials" (…) does a spammer have your credentials?
Is it true? If it is, and the attack you mentioned above is real, I repeat what I said (with a lot of humour, really no harm, but it's the kind of threat that you can put in the mega heavy category), you can switch off the server. Because you shall first find (as already said): how did he get it? If he has your credentials there is no need to increase any kind of security measures, the attacker can do whatever he wants.
Do you have at least a list of attacking IPs or was the attack done through your own IP? (What I'm asking may seem crazy, but I take the news as they come.)
Well, I took it lightly but checked the news and realise that his country might be under the biggest cyberattack of all time (sorry if I missed another).
First @biuro3, by highlighting it you have proven (at least near 100%) that the problem is not from Virtualmin. So no need to waste too much time on it.
Still going slightly off topic (it's ambiguous), I'm asking here:
- In a kind of MITM where the attacker only reads the traffic and doesn't do anything else (he doesn't try to decrypt anything, he simply records it):
A lot of people say TLS is a secure way to avoid it BUT if he is already present at the first connection he got the key enabling the encryption. So, I'm asking, in this situation he can record every encrypted data without being detected and then simply decrypt it later, no? The TLS connection/tunnel is considered secure because most consider it needs good timing, but as long as the hacker is present from the very beginning it no longer changes anything, no? Or do I misunderstand something about it?
- You bought a new server, usually you don't instantly have a certificate and will generate one after the whole installation:
a) As long as there are no SSL/TLS connections we agree everything is possible and the MITM can do whatever he wants?
b) How does it work with a newly generated certificate?
I know I shall create a new topic but it might also concern this one
So there was a credential breach of unknown origin, but a credential breach non the less.
I don't know that we will ever know the origin but I'd say this is solved and "closed" from the forum's perspective?
You are correct, though the attack has to have quite a high level of access that would be unusual. If someone has infiltrated a network provider between your browser and the server, and if that server does not yet have a trustworthy cert (e.g. from Let's Encrypt), and is only encrypted with a self-signed cert, it would be possible for the attacker to pretend to be the server you're trying to reach without you knowing it (if you don't look very closely at the cert). A very high capability attacker could even make the fake cert look like the one for the system you're trying to reach in near real-time. That's a pretty unlikely attack (it requires a lot of capability and a lot of access), and you could still compare the actual cert to the one you see in the browser. But, it's not impossible, and it's why browsers complain about self-signed certificates.
However, if a few things were true when Virtualmin was setup (hostname is fully qualified and resolves to the server IP), Virtualmin will setup a sort of hidden Virtual Server _hostname for that hostname and request a cert from Let's Encrypt. I don't think the attacker in the above MITM attack could compromise that cert, and if you connect using that and then make certs for all of your other domains (at which point any domain is trustworthy, too), you should be fine.
Then again, if your hosting provider itself is compromised (which is one way an attacker would have the ability to intercede between your server and client at the network layer), there's nothing you can do. If they have administrative access to the systems that spin up your VM or dedicated server, then they can have root access. They own those servers.
But, all of this continues to be way off-topic. Honestly, I'm happy to discuss/answer questions like this, but please make a new topic!
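The two points in the reply above, that a browser complains about a self-signed cert and that you can still compare the actual cert to the one shown in the browser, as an added example that is not from this thread or from Virtualmin: a loopback TLS server presents a self-signed cert; a client with Python's default context rejects it the way a browser would; and a client that pins the cert's SHA-256 fingerprint accepts the real cert but rejects an impersonator's cert minted with the same name. It uses the Python standard library plus the openssl CLI to create throwaway certs; the hostname server.test, the 127.0.0.1 setup and the result labels are constructed for the demo.

```python
# Added example (not from the thread or Virtualmin): fingerprint pinning for a
# self-signed certificate. Needs the openssl CLI to mint throwaway test certs;
# "server.test" and the loopback server are constructed for the demo.
import hashlib
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(cn, directory):
    """Generate a throwaway self-signed cert/key pair with the openssl CLI."""
    key = os.path.join(directory, f"{cn}-{os.urandom(4).hex()}.key")
    crt = key[:-4] + ".crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1", "-subj", f"/CN={cn}"],
        check=True, capture_output=True)
    return key, crt


def fingerprint_sha256(der):
    """The value a browser shows as the certificate's SHA-256 fingerprint."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_of_pem_file(path):
    with open(path) as f:
        return fingerprint_sha256(ssl.PEM_cert_to_DER_cert(f.read()))


def serve_once(certfile, keyfile, ports, ready):
    """Accept one TLS client on 127.0.0.1, send a greeting, then exit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        ports.append(listener.getsockname()[1])
        ready.set()
        conn, _ = listener.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except OSError:
            pass  # client aborted the handshake because it did not trust our cert
        finally:
            conn.close()


def run_exchange(certfile, keyfile, client):
    """Start a one-shot server with the given cert and run client(port) against it."""
    ports, ready = [], threading.Event()
    t = threading.Thread(target=serve_once, args=(certfile, keyfile, ports, ready), daemon=True)
    t.start()
    ready.wait(5)
    result = client(ports[0])
    t.join(5)
    return result


def connect_default(port):
    """What a browser does: validate the chain against the trusted CA store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname="server.test"):
                return "ACCEPTED"
    except ssl.SSLCertVerificationError:
        return "UNTRUSTED"


def connect_pinned(port, expected_fp):
    """Skip CA validation but refuse any cert whose fingerprint differs from the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with ctx.wrap_socket(raw, server_hostname="server.test") as tls:
            offered = fingerprint_sha256(tls.getpeercert(binary_form=True))
            if offered != expected_fp:
                return "REJECTED"  # same name, different key: not the server we pinned
            return tls.recv(5).decode()


def demo():
    with tempfile.TemporaryDirectory() as d:
        real_key, real_crt = make_self_signed("server.test", d)
        # An impersonator can mint a cert with the same CN, but not the same fingerprint.
        fake_key, fake_crt = make_self_signed("server.test", d)
        pin = fingerprint_of_pem_file(real_crt)  # what you read off the real server once
        return {
            "browser_vs_self_signed": run_exchange(real_crt, real_key, connect_default),
            "pinned_vs_real": run_exchange(real_crt, real_key, lambda p: connect_pinned(p, pin)),
            "pinned_vs_impersonator": run_exchange(fake_crt, fake_key, lambda p: connect_pinned(p, pin)),
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The pin has to be obtained out of band, for example from the fingerprint shown in the browser while connected on a path you trust (or from the provider's console); a pin you read over the same possibly intercepted link proves nothing, which is the gap a Let's Encrypt cert closes by letting the browser validate against a CA it already trusts.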
Yes, I have a list of IPs.