Mail server down after chmod chown screw up
Moved to a new VPS host over the weekend and some WordPress installs weren't working. I've used a script to fix permissions etc. in the past, so I used it on the accounts that weren't working.
WP_OWNER=username # <-- wordpress owner
WP_GROUP=username # <-- wordpress group
WP_ROOT=wp/ # <-- wordpress root directory
WS_GROUP=nobody # <-- webserver group
# reset to safe defaults
find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;
# allow wordpress to manage wp-config.php (but prevent world access)
chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
chmod 660 ${WP_ROOT}/wp-config.php
# allow wordpress to manage wp-content
find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;
The very last account had wp in the home directory, so I went to change wp/ to ./ and left out the . I noticed the output right away and stopped it, but on a server with SSDs it had already changed a lot of perms. I've gone through and fixed things and all my sites are back up, but mail is not working. It acts like it is, but nothing comes in or out of the accounts.
So far I've restarted cPanel, exim, imap and they all seem to restart normally. I can log into mail accounts through webmail and see mail in the inbox, but nothing new. I sent a test msg from webmail and it acts normally, but the mail is never delivered. I'm hoping someone can point me in the right direction. Thanks for reading.
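As an added example (not the poster's script and not cPanel's /scripts/mailperm), here is a hardened variant of the reset script above that validates WP_ROOT before touching anything, so a root that resolves to / or to a directory without a WordPress install is refused instead of executed. The function names, the system-directory list and the usage are assumptions of this example.

```shell
#!/bin/bash
# Hypothetical hardened variant of the posted permission-reset script.
# The original runs find/chown/chmod on ${WP_ROOT} unchecked; a typo that
# turns "wp/" into "/" recurses over the whole filesystem. This version
# validates the root first and refuses anything that is not a WordPress dir.

# Return 0 if $1 looks like a safe WordPress root, non-zero otherwise.
# The reason for refusal is printed to stderr.
check_wp_root() {
    root="${1:-}"
    if [ -z "$root" ]; then
        echo "refusing: WP_ROOT is empty" >&2; return 1
    fi
    if [ ! -d "$root" ]; then
        echo "refusing: $root is not a directory" >&2; return 1
    fi
    # Resolve symlinks and trailing slashes so "wp/", "./" and "/" compare cleanly.
    resolved="$(cd "$root" && pwd -P)" || return 1
    case "$resolved" in
        /|/bin|/boot|/etc|/home|/lib|/root|/sbin|/usr|/var)
            echo "refusing: $resolved is a system directory" >&2; return 1 ;;
    esac
    # A real WordPress root always carries wp-config.php and wp-content/.
    if [ ! -f "$resolved/wp-config.php" ] || [ ! -d "$resolved/wp-content" ]; then
        echo "refusing: $resolved does not look like a WordPress install" >&2; return 1
    fi
    return 0
}

# Apply the same defaults as the posted script, but only after the check passes.
# Usage: fix_wp_perms <wp_root> <wp_owner> <wp_group> <webserver_group>
fix_wp_perms() {
    root="$1"; owner="$2"; group="$3"; ws_group="$4"
    check_wp_root "$root" || return 1
    root="$(cd "$root" && pwd -P)"
    find "$root" -exec chown "$owner:$group" {} +
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php: owner and webserver group only, no world access
    chgrp "$ws_group" "$root/wp-config.php"
    chmod 660 "$root/wp-config.php"
    # wp-content: group-writable so the webserver can manage uploads/plugins
    find "$root/wp-content" -exec chgrp "$ws_group" {} +
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +
}
```

Call it as `fix_wp_perms ~/public_html/wp username username nobody`; with `~/public_html/` or `/` as the root it exits before the first chown.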
Hello :) Do you notice any specific error messages in /var/log/exim_mainlog or /var/log/exim_paniclog? You could also try running: /scripts/mailperm --verbose
Thank you.
Discovered that everything was held up in the queue. exim_mainlog showed that there was a whole lot of activity over the last three days from two IP addresses. Seems that the mail server was hacked and used for spamming.
seems that the mail server was hacked and used for spamming.
Could you elaborate on this? Were you able to determine the source of the SPAM and remove the offending script? Thank you.
My host ran a scan and sent me a list of files containing suspicious code. Among them was c99.php, which was in the public_html directory of one of the accounts. I don't know a whole lot about this script, but I do know it can be pretty bad, giving the would-be hacker free rein over the server. I'm assuming that they got FTP access to this particular account and planted the script, then used their access to send spam through bogus email accounts. I think I caught it very quickly and won't get blacklisted, but I'm paranoid about security moving forward. I mean, they could have changed file permissions on critical system files, who knows. Anyone else ever deal with this and have advice?
Could you elaborate further on how you are sure that root access was obtained? Is there additional evidence beyond the sent emails? Thank you.
I really don't have any other evidence than that. I've gone through logs looking for some evidence, but I don't know enough about c99 to know where to look.
You should assume your server has been compromised. Time to set up a new server and move your backups to it. How will you ever know you're safe otherwise? Google that file name...