So, I’m running a few WordPress sites on my Virtualmin server, and it has been compromised.
I have spent hours upon hours with everything, and I’ve been able to limit it, but it keeps coming back.
I have rkhunter in, nothing odd, and I’ve been tracking the logs like crazy, but all I can see is where it’s coming from, but then I can’t track it down.
Setup:
Virtual Server: Primary email disabled
Running Sucuri and Wordfence plugins
Only 1 email address in VS
When I go to the Postfix queue, I have emails from: virtualservername@myserver (no .com)
However I cannot for the life of me find this email account to disable it, and I believe it is happening to other virtual servers as well.
I am currently so frustrated and so are my clients that I am looking to other options, but really love virtualmin, so I’m hoping I can get some assistance here and stay on it!
A common cause of what you’re seeing is a vulnerability in WordPress, or a WordPress plugin. If attackers are able to access WordPress, they can then send out emails which will appear to be from the Virtual Server owner.
It can be tricky to find the culprit, but I’d recommend starting by verifying that WordPress is running the most recent version, as well as all of its plugins.
You’d also want to review the various files located within the web root, and make sure that they appear to be legitimate.
You could also try using a tool such as Linux malware detect, which can aid in finding web-based breakins:
Andreychek, thank you so much for your response. rkhunter is not a Linux malware tool? So far it hasn’t found anything, so I will try LMD now.
I have also personally reviewed all WordPress files and plugins in the site, nothing. Took hours. The Wordfence and Sucuri plugins do a great job of comparing WordPress files to the repository, and plugins as well. Nothing there either.
I’ve been digging through the mail.logs and nothing other than the virtualserver@servername emails.
rkhunter is a good tool, and I use it on my own servers, but the things it looks for are different from the things that the Linux malware detect tool looks for.
If you’re interested in finding web-based malware within your DocumentRoot, Linux malware detect has a higher chance of finding it.
Could you paste in the headers for one of the outgoing emails in your queue that are from "virtualservername@myserver"? That will help pinpoint whether it’s related to web-based malware, or whether it’s a compromised email account.
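The review of the DocumentRoot that the two replies above recommend can be started with a few shell helpers. This is an added example, not code from the thread, from Virtualmin or from Linux malware detect; the directory argument, the 14-day window and the grep patterns are the editor's assumptions, and a hit is a lead to read by hand rather than proof of compromise.

```sh
#!/bin/sh
# Added example, not code from the thread or from Virtualmin. Helpers for a
# first pass over a virtual server's DocumentRoot: PHP files changed recently,
# PHP files containing constructs typical of uploaded mailers/web shells, and
# PHP files sitting in wp-content/uploads, where WordPress never puts any.
# The directory argument and the 14-day window are assumptions; point it at
# the actual public_html of the affected virtual server.

# Print PHP files under $1 modified within the last $2 days (default 14).
# Compare the list against the date of the site's last legitimate update.
recent_php_files() {
    dir=$1
    days=${2:-14}
    find "$dir" -type f -name '*.php' -mtime "-$days" 2>/dev/null
}

# Print PHP files under $1 matching patterns common in obfuscated mailers and
# web shells: eval/base64/gzinflate/rot13 chains, preg_replace with the /e
# modifier, and a request variable invoked as a function ($_POST['x'](...)).
# Some legitimate plugins use base64_decode too, so read each hit by hand.
suspect_php_files() {
    dir=$1
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e|\$_(POST|GET|REQUEST)\[[^]]*\][[:space:]]*\(' \
        "$dir" 2>/dev/null
}

# Print any PHP file under wp-content/uploads. WordPress stores media there,
# never code, so every hit is either an uploaded mailer or a plugin misbehaving.
php_in_uploads() {
    dir=$1
    find "$dir/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Stand-alone use: sh triage.sh /home/virtualservername/public_html [days]
if [ $# -ge 1 ]; then
    echo "== PHP files changed in the last ${2:-14} days"; recent_php_files "$1" "$2"
    echo "== PHP files with suspicious constructs";         suspect_php_files "$1"
    echo "== PHP files inside wp-content/uploads";          php_in_uploads "$1"
fi
```

Run it as the virtual server's own user or as root; compare the "changed recently" list with the site's last update and check each suspicious file against the copy Wordfence or Sucuri fetch from the WordPress repository before deleting anything.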
Final-Recipient: rfc822; ryancolt.wagoner@gmail.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; gmail-smtp-in.l.google.com
Diagnostic-Code: smtp; 550-5.7.1 [192.169.44.15 12] Our system has
detected that this message is 550-5.7.1 likely unsolicited mail. To reduce
the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked.
Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550
5.7.1 more information. o8si43443363pdm.4 - gsmtp
Message Body:
You need targeted traffic to your Contact Ryan Wagoner M.D. - Forensic Psychiatry | Ryan C. Wagoner M.D. website so why not try some for free? There is a VERY POWERFUL and POPULAR company out there who now lets you try their traffic service for 7 days free of charge. I am so glad they opened their traffic system back up to the public! Check it out here: http://swtuts.com/s/9
–
This e-mail was sent from a contact form on Ryan C. Wagoner M.D. (http://wagonermd.com)
The email headers there show that the email was originally generated by the user with the userid “1089”, using the PHP script “class-phpmailer.php”.
That means it could have been done by WordPress itself, or it could have been done by another web app owned by that user, or it could be a malicious file uploaded to that DocumentRoot which isn’t actually part of WordPress.
It looks like you’re looking for a web-based file owned by that particular user though.
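The uid-plus-script attribution in the reply above is the kind of data PHP stamps on every mail() call when php.ini has `mail.add_x_header = On` (an `X-PHP-Originating-Script: <uid>:<script>` header), and Postfix records the submitting uid in its own `(Postfix, from userid N)` Received line. The following is an added example, not code from the thread, Virtualmin or WordPress, that parses those two sources plus PHP's optional `mail.log`, which records the full path of the calling script, and then turns the uid into the Unix account and the candidate files. That the thread's headers carried these exact fields is the editor's assumption; the sample headers and log line are constructed, and on a live box the real ones come from `mailq` and `postcat -q <QUEUEID>`. Note that `class-phpmailer.php` is the PHPMailer library WordPress ships in `wp-includes/`, so a copy owned by uid 1089 in that directory is expected; the open question is what called it.

```sh
#!/bin/sh
# Added example, not code from the thread, Virtualmin or WordPress. It assumes
# the "userid 1089 / class-phpmailer.php" attribution came from the
# X-PHP-Originating-Script header that PHP adds to every mail() call when
# php.ini has `mail.add_x_header = On`, and from Postfix's own
# "(Postfix, from userid N)" Received line. Both samples are CONSTRUCTED;
# on a real server dump a queued message with `mailq` and `postcat -q <QUEUEID>`.

SAMPLE_HEADERS='Received: by myserver (Postfix, from userid 1089)
        id 3AB12C; Thu, 1 Jan 2015 10:00:00 +0000
X-PHP-Originating-Script: 1089:class-phpmailer.php
From: virtualservername@myserver
To: ryancolt.wagoner@gmail.com
Subject: Contact form submission'

# Assumed format of PHP's own mail log (php.ini: mail.log = /var/log/php-mail.log),
# which records the full path and line number of the calling script.
SAMPLE_MAIL_LOG='[01-Jan-2015 10:00:00 UTC] mail() on [/home/virtualservername/public_html/wp-includes/class-phpmailer.php:1234]: To: ryancolt.wagoner@gmail.com -- Headers: From: virtualservername@myserver'

# Print "<uid> <script>" from the X-PHP-Originating-Script header on stdin.
originating_script() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):\(.*\)$/\1 \2/p' | head -n 1
}

# Print the uid Postfix recorded for the local submission via sendmail(1).
# A web app and a compromised mailbox leave different traces: a mailbox
# compromise arrives over SMTP with authentication, not "from userid N".
postfix_userid() {
    sed -n 's/.*(Postfix, from userid \([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# Print each distinct script path seen in PHP mail.log lines on stdin.
mail_log_scripts() {
    sed -n 's/.*mail() on \[\([^]:]*\):[0-9]*\].*/\1/p' | sort -u
}

# Resolve a uid to "account:home". Virtualmin creates one Unix user per
# virtual server, so this names the affected site directly.
uid_to_account() {
    getent passwd "$1" | cut -d: -f1,6
}

# List every file named $2 owned by uid $1 under $3 (default /home): the
# candidates that actually sent the mail. Expect wp-includes/class-phpmailer.php;
# a second copy anywhere else, or a different script name, is the thing to read.
files_for_script() {
    find "${3:-/home}" -type f -uid "$1" -name "$2" 2>/dev/null
}

# Stand-alone demo on the constructed sample: sh attribute.sh demo
if [ "${1:-}" = demo ]; then
    set -- $(printf '%s\n' "$SAMPLE_HEADERS" | originating_script)
    echo "uid=$1 script=$2 account=$(uid_to_account "$1")"
    files_for_script "$1" "$2"
    printf '%s\n' "$SAMPLE_MAIL_LOG" | mail_log_scripts
fi
```

If the header is absent from the queued messages, turn on `mail.add_x_header` and `mail.log` in the php.ini that the virtual server actually uses (Virtualmin keeps a per-domain copy under the domain's `etc/` directory when PHP runs as FCGId or FPM) and wait for the next batch; the log then gives the full path rather than a bare file name.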