So, I’m running a few WordPress sites on my Virtualmin server, and it has been compromised.
I have spent hours upon hours with everything, and I’ve been able to limit it, but it keeps coming back.
I have rkhunter installed, nothing odd, and I’ve been tracking the logs like crazy, but all I can see is where it’s coming from, and then I can’t track it down.
Virtual Server: Primary email disabled
Running Sucuri and Wordfence plugins
Only 1 email address in VS
When I go to the Postfix queue, I have emails from: virtualservername@myserver (no .com)
However I cannot for the life of me find this email account to disable it, and I believe it is happening to other virtual servers as well.
I am currently so frustrated and so are my clients that I am looking to other options, but really love virtualmin, so I’m hoping I can get some assistance here and stay on it!
Would love any input or help! Thanks so much!
A common cause of what you’re seeing is a vulnerability in WordPress, or a WordPress plugin. If attackers are able to access WordPress, they can then send out emails which will appear to be from the Virtual Server owner.
It can be tricky to find the culprit, but I’d recommend starting by verifying that WordPress is running the most recent version, as well as all of its plugins.
You’d also want to review the various files located within the web root, and make sure that they appear to be legitimate.
You could also try using a tool such as Linux malware detect, which can aid in finding web-based breakins:
Andreychek, thank you so much for your response. RK hunter is not a Linux malware tool? So far it hasn’t found anything, so I will try LMD now.
I have also personally reviewed all WordPress files and plugins in the site, nothing. Took hours. Wordfence and Sucuri plugins do a great job of comparing WordPress files to the repository, and plugins as well. Nothing there either.
I’ve been digging through the mail logs and nothing other than the virtualserver@servername emails.
Any other suggestions would be helpful.
Rkhunter is a good tool, and I use it on my own servers, but the things it looks for are different than the things that the Linux malware detect tool looks for.
If you’re interested in finding web-based malware within your DocumentRoot, Linux malware detect has a higher chance of finding it.
Could you paste in the headers for one of the outgoing emails in your queue that are from "virtualservername@myserver"? That will help pinpoint whether it’s related to web-based malware, or whether it’s a compromised email account.
The email headers there show that the email was originally generated by the user with the userid “1089”, using the PHP script “class-phpmailer.php”.
That means it could have been done by WordPress itself, or it could have been done by another web app owned by that user, or it could be a malicious file uploaded to that DocumentRoot which isn’t actually part of WordPress.
It looks like you’re looking for a web-based file owned by that particular user though.
Eric, thanks so much! Can you tell me how to identify which VS is that userid?
You can grep your passwd file for that particular userid.
grep 1089 /etc/passwd
The userid is the third column of that file, and typically the first number (the second number listed is the group id).
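The two lookups above (reading the uid and script name out of a queued message's PHP originating-script header, then matching that uid to the account and home directory in /etc/passwd) as one added shell example; this is not code from the thread or from Virtualmin, and the passwd entries and header block are constructed samples. It matches the uid field exactly rather than grepping the whole line, so uid 1089 is not confused with, say, 11089.

```shell
#!/bin/sh
# Added example (not from the thread): map the uid in a queued message's
# X-PHP-Originating-Script header back to the account and home directory,
# so the search for the sending script can be narrowed to one DocumentRoot.
# PHP adds that header when mail.add_x_header is enabled in php.ini.

# Print "uid:script" from a mail header block read on stdin (first match only).
originating_script() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*//p' | head -n 1
}

# Resolve a numeric uid to "user:home" using a passwd-format file.
# The third field is compared exactly, unlike a plain grep over the line.
resolve_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1 ":" $6; exit }' "$2"
}

# Constructed sample data: no real accounts, no real mail.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
example-site:x:1089:1089::/home/example-site:/bin/sh
other-site:x:11089:11089::/home/other-site:/bin/sh
EOF

SAMPLE_HEADERS='Received: from localhost (localhost [127.0.0.1])
From: example-site@myserver
X-PHP-Originating-Script: 1089:class-phpmailer.php
Subject: constructed sample'

# Combine both steps: returns "user:home:script" for a header block,
# or a non-zero status when the uid is not in the passwd file.
locate_sender() {
    entry=$(printf '%s\n' "$1" | originating_script)
    uid=${entry%%:*}
    script=${entry#*:}
    account=$(resolve_uid "$uid" "$2")
    [ -n "$account" ] || return 1
    printf '%s:%s\n' "$account" "$script"
}

locate_sender "$SAMPLE_HEADERS" "$SAMPLE_PASSWD"
# prints: example-site:/home/example-site:class-phpmailer.php
```

On a live server, pass /etc/passwd as the second argument and feed the header block from the queued message (for example from `postcat -q <queue-id>`).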
Thank you Eric for your help!!
Andrey, you were correct, found some trojan stuff in the site, thank you for the suggestion on the malware detect!!
Sticking with Virtualmin for the great product, but even more because of the community.