Therefore it IS the “webshop” (software/program/user) that has allowed access, not specifically the port.
It might have been working just fine for 6 years (that means nothing). Has it been updated, or are there updates to be applied? Is it even still maintained? Is it original core software or some plugin to some other software?
If you have stopped the problem, is that webshop still working, or have you stopped its normal functioning?
I agree with @Joe - I think you are concentrating too much on the port number and ignoring the source of the problem. It requires much more effort to seek out the culprit.
One thing I hate is people that try to bully.
Anyway, the shop is Prestashop; I assume you have heard of them. Every update during these 6 years, core and modules, has been installed. The shop never stopped working; that has never been the problem. The problem was that someone used the shop to send out spam via port 25. So the natural first measure was to block the used port, especially when it’s not used by us. Mail from the shop is relayed to our own email server, so no problem blocking 25… End of discussion.
This is an open forum where everyone who bothers to use their time is only trying to help you to resolve problems that you have identified and for the wider benefit of other users. That help is usually appreciated.
No one has all the information that an OP has so anyone who replies often has to resort to questions that may seem to the OP (and often others) as being stupid or even ignorant (as we do not know the level of experience/knowledge of a respondent).
If you see that as “bullying” I am sorry. As that is not the intention.
For those who might not be aware, I wish to point out that @stefan1959 is one of the top contributors of the community and has helped many people by sharing his knowledge of Virtualmin.
Whatever; it seems we will not get more clues about the problem. No need to go further (even if it would have been educational for everyone, being a typical real-case scenario).
Still, to make sure no newcomer goes in the wrong direction when they find this topic: as @Havouza confirmed, it’s a security breach on their platform, which is running Prestashop, or someone who got their passwords/keys.
So there is no need for anyone to turn off port 25 to increase security (except while you try to fix the breach); it will not increase it.
And no need to disable Postfix; it will not increase the performance of your server.
I only repeat it to be sure no beginner will be misled (I have been one myself, and it’s easy to make a mistake based on bad advice).
Blocking port 25 on a server that never needs to send email is a reasonable thing to do. Likewise disabling Postfix. If you never need mail, or host mail elsewhere, it’s fine to disable all mail-related stuff (though you want to make sure you’re getting system alerts and such via some other mechanism). It is not the only thing to do in the case of an exploited system, but it’s reasonable to avoid allowing your server to become a pox on the internet.
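The egress policy Joe describes above, worked out as an added example (my own code, not from this thread, Virtualmin or Prestashop): an nftables ruleset for a web host that relays all its mail through one MTA. The relay address and the MTA's uid are assumed arguments, and the ruleset goes beyond the thread's port 25 by also covering the submission ports 465 and 587. The second function reads the kernel log lines the drop rule produces, so a PHP script that opens its own SMTP socket (which never touches Postfix and so never appears in the mail log) shows up with a source port you can match against `ss -tnp`. The sample log lines are constructed.

```shell
#!/bin/sh
# Assumptions (not from the thread): nftables is the firewall, the relay's IPv4
# address and the local MTA's numeric uid are known and passed as arguments.

# Usage: smtp_egress_ruleset <relay_ip> <mta_uid> | nft -f -
# Only the MTA user may reach the relay on the mail ports; every other outbound
# submission attempt (e.g. a web-server process with its own socket) is logged
# and dropped. Inbound SMTP to this host is unaffected (replies use sport 25).
smtp_egress_ruleset() {
    relay="$1"; mta_uid="$2"
    cat <<EOF
table inet smtp_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        # the MTA may talk to the relay, nobody else may
        meta skuid $mta_uid ip daddr $relay tcp dport { 25, 465, 587 } accept
        # anything else trying to submit mail is logged, then dropped
        tcp dport { 25, 465, 587 } log prefix "smtp-egress-drop " drop
    }
}
EOF
}

# Constructed kernel log lines in the format the drop rule's log statement
# produces (same layout as the iptables LOG target); not taken from the thread.
SAMPLE_DROP_LOG='Mar  3 10:02:11 shop kernel: smtp-egress-drop IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:02:11 shop kernel: smtp-egress-drop IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45678 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:02:13 shop kernel: smtp-egress-drop IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45690 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0'

# Usage: journalctl -k | smtp_egress_drops
# Summarises dropped attempts as "<count> src:sport -> dst:dport", most frequent
# first. The source port identifies the local process: ss -tnp sport = :<sport>
smtp_egress_drops() {
    grep -F 'smtp-egress-drop' \
    | sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\).*SPT=\([0-9]*\) DPT=\([0-9]*\).*/\1:\3 -> \2:\4/p' \
    | sort | uniq -c | sort -rn
}
```

Retransmitted SYNs from one blocked connection share a source port, so they collapse into a single counted line; a second line with a different source port is a second connection attempt. Run the ruleset generator once with the relay's address and `$(id -u postfix)` and apply it with `nft -f -`.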
Well well. If you mean admin passwords or SSH keys, it is hardly possible. The SSH keypair comes with a passphrase, goes to a custom port and is only allowed from one IP address. The admin login as well as the Webmin login is also restricted to one IP. But we think perhaps it is a module on Prestashop that is the problem. When reaching out in the PS forum, one of the module developers answered that the version we had of one module had been found to have serious security problems.
Then about port 25: I can’t see a problem with blocking it if it is not needed. There is a reason why so many of the big cloud providers have the port blocked by default. Some will not open it even on request.
OK, so if the official team say there is a security problem in this version, it might be really good to update it. Because what we also wanted to highlight is:
When you have a security threat allowing one user to send mail from your server without any authorisation, it might mean the hacker could do more. Get the DB, for example …
Checking the log could be a good start (and it’s probably what the team did), at least to see which server user/group sent the mail (allowing you to narrow down where the breach could be).
But if a module of your version has numerous security problems… it might be near impossible for you to fix it. Then it’s up to the Prestashop team (or their forum) to show you the right direction.
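The log check suggested in the post above, as an added example (my own code, not from the thread or from Prestashop): Postfix's pickup daemon logs the Unix uid of every message handed in through the sendmail binary, which is the path PHP's mail() takes, and qmgr logs the recipient count of the same queue id. Joining the two attributes mail volume to an account, so a web-server user such as www-data suddenly averaging hundreds of recipients per message stands out from root's cron mail. This only covers mail that went through the local MTA; a script that opened its own socket to port 25 leaves nothing here. The sample log lines are constructed; the uid, user and host names in them are assumptions.

```shell
#!/bin/sh
# Attribute locally submitted mail to the Unix account that handed it in.
# Two Postfix log lines per message matter here, joined on the queue id:
#   postfix/pickup[..]: QUEUEID: uid=33 from=<www-data>                 (who ran sendmail)
#   postfix/qmgr[..]:   QUEUEID: from=<..>, size=.., nrcpt=180 (queue active)

# Constructed sample, not taken from the thread: two bulk sends by the web
# server user (uid 33) and one ordinary cron mail from root.
SAMPLE_MAIL_LOG='Mar  3 10:01:02 shop postfix/pickup[812]: 7A1F3C0B2: uid=33 from=<www-data>
Mar  3 10:01:02 shop postfix/qmgr[790]: 7A1F3C0B2: from=<www-data@shop.example>, size=2310, nrcpt=180 (queue active)
Mar  3 10:01:40 shop postfix/pickup[812]: 7A1F3C0B3: uid=33 from=<www-data>
Mar  3 10:01:40 shop postfix/qmgr[790]: 7A1F3C0B3: from=<www-data@shop.example>, size=2298, nrcpt=175 (queue active)
Mar  3 10:05:00 shop postfix/pickup[812]: 7A1F3C0C9: uid=0 from=<root>
Mar  3 10:05:00 shop postfix/qmgr[790]: 7A1F3C0C9: from=<root@shop.example>, size=540, nrcpt=1 (queue active)'

# Usage: sender_summary < /var/log/mail.log
# One line per submitting uid: "uid=<N> user=<name> msgs=<count> rcpts=<total>"
sender_summary() {
    awk '
    # pickup line: remember which uid owns this queue id
    $5 ~ /^postfix\/pickup\[/ && $7 ~ /^uid=/ {
        qid = $6; sub(/:$/, "", qid)
        uid = substr($7, 5)
        user = $8; sub(/^from=</, "", user); sub(/>$/, "", user)
        owner[qid] = uid; name[uid] = user
    }
    # qmgr line: add the recipient count to that uid
    $5 ~ /^postfix\/qmgr\[/ && match($0, /nrcpt=[0-9]+/) {
        qid = $6; sub(/:$/, "", qid)
        if (qid in owner) {
            uid = owner[qid]
            msgs[uid]++
            rcpts[uid] += substr($0, RSTART + 6, RLENGTH - 6)
        }
    }
    END {
        for (uid in msgs)
            printf "uid=%s user=%s msgs=%d rcpts=%d\n", uid, name[uid], msgs[uid], rcpts[uid]
    }' | sort
}

# Usage: sender_summary < /var/log/mail.log | suspicious_senders 100
# Keeps only uids averaging more than <limit> recipients per message. A web
# server account here points at a script under the document root; with PHP's
# mail.add_x_header=On each message also carries an X-PHP-Originating-Script
# header naming the file, which narrows it down further.
suspicious_senders() {
    limit="${1:-100}"
    awk -v limit="$limit" '{
        split($3, m, "="); split($4, r, "=")
        if (m[2] + 0 > 0 && r[2] / m[2] > limit) print
    }'
}
```

The threshold is per message, not per account, so a legitimate shop that sends one order confirmation per recipient stays below it even at high volume, while a single mail() call fanned out to hundreds of addresses does not.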
The module is updated to the newest version. There is nothing unusual found in any log files, and after blocking the port all seems back to normal. So this is my last post.