Sending Spam Email

Is this some kind of joke? Because I don’t get it.

This is not a solution! I would hope that anyone in this situation does not take an infiltration lightly.

You have a posted image above that shows you have not touched your root password in over 2 years.
Think about that!

1 Like

As described in the last post, it was only changed now, when I was sure they couldn’t log in, after creating the email address.
Mine is definitely an action that isn’t certain to fix the problem, but in my specific case, it’s not a vital server.
I invite you to evaluate case by case because in this case, for example, you can try to solve it in various ways, because even if it fails, it wouldn’t be a serious problem. In fact, I still don’t understand why you worry more than me; it almost seems as if they had accessed my bank account 🙂

@LuigiMdg

As @Joe mentioned above:

It is the first contribution. The second is that you know that the system binaries are unaltered by an attacker, and are usable for backing up user data.

Reinstallation is the only correct course if the root account is found to have been compromised. You have no idea what can be changed in the system, what binaries have been added where, what services have been installed where. In doing so, you are begging for such an IP to be removed from mail delivery to the largest postal services for a very long time. And above all, you will never be sure that your system is not controlled by someone else. This is the reason for the reinstallation. And when someone uses your server for illegal activity, the police will knock on your door.

1 Like

I think it’s a very useful step! But you don’t actually know that your binaries haven’t been modified. Even if you get the sums themselves from a remote server, the debsums binary may have been modified to lie about it. And, the kernel may have been modified to always run the modified debsums command even if you download a new one.

You can never really trust a system that’s been rooted.

The biggest value of most things you can do on a rooted system would be things that can prove that it has definitely been compromised; you can never truly prove it hasn’t been rooted from within the system itself. You’d have to boot from trusted read-only media and perform your analysis using known good tools. Then you could have confidence in the output.
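The offline check described above, as an added example that is not from this thread: the compromised disk is mounted read-only under a rescue system, and every file is hashed with the rescue system's own tools and compared against a manifest of known-good SHA-256 digests obtained from somewhere other than the suspect disk (a freshly downloaded package set, for instance). The manifest, paths and file contents below are constructed stand-ins.

```python
"""Offline integrity check: hash files under a mounted, read-only root with
trusted tools and compare them against a known-good manifest."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(mount_root: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """manifest maps absolute paths on the suspect system (e.g. "/usr/bin/debsums")
    to their known-good hex digest. Returns paths grouped by finding. Note that a
    file the manifest does not list (an attacker-added binary) is invisible here;
    only a full, trusted inventory can catch those."""
    root = Path(mount_root)
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for abs_path, expected in sorted(manifest.items()):
        target = root / abs_path.lstrip("/")
        if not target.is_file():
            result["missing"].append(abs_path)
        elif sha256_file(target) != expected.lower():
            result["modified"].append(abs_path)
        else:
            result["ok"].append(abs_path)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed mini root: one intact file, one tampered checker, one absent file."""
    good = {"/usr/bin/debsums": b"#!/bin/sh\necho genuine\n", "/bin/ls": b"ELF-ls-stand-in"}
    manifest = {p: hashlib.sha256(data).hexdigest() for p, data in good.items()}
    manifest["/usr/sbin/sshd"] = hashlib.sha256(b"sshd-stand-in").hexdigest()  # not on disk
    with tempfile.TemporaryDirectory() as mnt:  # stands in for the read-only mount point
        for p, data in good.items():
            f = Path(mnt) / p.lstrip("/")
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        # Simulated on-disk checker that always reports success, as the post warns about
        (Path(mnt) / "usr/bin/debsums").write_bytes(b"#!/bin/sh\necho 'all files ok'\n")
        return verify_tree(mnt, manifest)


if __name__ == "__main__":
    print(demo())
```

The check only runs honestly because the hashing code and the manifest both come from the rescue system, not from the disk being examined.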

Yes, the way you write is the most accurate. Boot into a trusted system and examine the original. But you can only easily search for system binaries whose expected locations you know; it’s more difficult to find ones documented by an attacker. That’s why I’m trying to explain that you should back up what you can and reinstall the system. Because if someone thinks they have secured a compromised system, they are living in sweet ignorance.

1 Like

We don’t want future readers of this thread to think that the thing you call a solution is really a solution to a rooted server. We are taking the trouble to document and put on record just this for the benefit of the members of the Virtualmin community.

No one really cares what you do with your server or your bank account, @LuigiMdg. However, the fact that you posted a follow-up message to let us know what you have done to address the issue is appreciated 👍, even if it is not something that others should emulate.

1 Like

No need to pile on, y’all. The right solution has been covered at length. If OP is happy, then that’s the solution.

2 Likes

Well it is clear that it is not a real solution… It is rather a patch on a server of no vital importance, as could be the complete deactivation of Postfix, in case you do not need to send mails…
The solution would certainly be to find out how they entered and what they did to send that mail, but I don’t think I have had any useful advice to investigate…
No offense, but if I can give you feedback on the forum: it’s nice to have so many opinions and so many answers, which certainly open the mind to new ideas, but too often long speeches are undertaken between the various participants. This leads to confusion and does not allow you to really concentrate on the problem; we keep circling around.

Thanks Joe,
Yes, I’m very happy that no one is sending mail from my server anymore, for now… Which I was unable to achieve with your advice.
Have a good day 🥰

I have no idea how spammers operate to compromise machines. I guess in theory it is possible a spammer’s script just found an opening and used it as it would any exploitable sending method without raising an alert as to what account was compromised.

Still, follow @joe’s advice on this. I’m only mentioning this because of what you didn’t seem to see on a machine that would typically be considered rooted, and I’m trying to make sense of it in my own mind.

Yeah, it’s hard to imagine an attacker found the root password for a box, and then only used it to send spam. That seems impossibly naive on their part. You can do so much crime with a rooted server on the internet, spam is among the least profitable of them.
