Opened 3 years ago

Closed 7 months ago

#10840 closed Bug/Something is broken (fixed)

enlacemos.bocadepolen.org compromised

Reported by: https://id.mayfirst.org/jaimev Owned by: https://id.mayfirst.org/jaimev
Priority: High Component: Tech
Keywords: Cc: eugenio@…, https://id.mayfirst.org/cesar, https://id.mayfirst.org/magic_gmm
Sensitive: no

Description

A flood of spam e-mails in gaspar led us to investigate the cause.

There did not appear to be very many log entries of mail injected directly by PHP users.

0 gaspar:~# grep "postfix/pickup" /var/log/mail.log | grep "uid=" | wc -l
64

The first appearance of these mails in the logs looks like this.

gaspar postfix/smtpd[11468]: F34162FB6B: client=localhost[127.0.0.1]

"that means that the postfix instance listening on port 25 received the message from the IP address 127.0.0.1"

A search for all listening connections, grepping for port 25, shows the following.

0 gaspar:~#  lsof -i -n -P  |grep :25
master     3522      root   12u  IPv4 610426653      0t0  TCP *:25 (LISTEN)
php5-cgi  18328 enlacemos    4u  IPv4 633003519      0t0  TCP 127.0.0.1:53284->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    5u  IPv4 633003522      0t0  TCP 127.0.0.1:53285->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    6u  IPv4 633003525      0t0  TCP 127.0.0.1:53286->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    7u  IPv4 633003528      0t0  TCP 127.0.0.1:53287->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    8u  IPv4 633003531      0t0  TCP 127.0.0.1:53288->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    9u  IPv4 633003534      0t0  TCP 127.0.0.1:53289->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos   10u  IPv4 633003537      0t0  TCP 127.0.0.1:53290->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos   11u  IPv4 633003540      0t0  TCP 127.0.0.1:53291->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    5u  IPv4 633002837      0t0  TCP 127.0.0.1:53336->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    6u  IPv4 633002840      0t0  TCP 127.0.0.1:53337->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    7u  IPv4 633002841      0t0  TCP 127.0.0.1:53338->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    8u  IPv4 633002844      0t0  TCP 127.0.0.1:53339->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    9u  IPv4 633002845      0t0  TCP 127.0.0.1:53340->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos   10u  IPv4 633002846      0t0  TCP 127.0.0.1:53341->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos   11u  IPv4 633002847      0t0  TCP 127.0.0.1:53342->127.0.0.1:25 (ESTABLISHED)

Deactivating the web configuration for enlacemos.bocadepolen.org has stopped these processes.

This site appears to be running an outdated version of WordPress and there are lots of suspicious files in their web directory.
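As an added example (not part of the ticket), a small POSIX shell helper that does the tally the investigation above did by eye: it reads `lsof -i -n -P` output, counts each non-root process's established connections to the local SMTP port, and flags any process above a threshold. The sample lsof lines below are constructed, modelled on the ticket's capture; on a live host pipe the real command's output into the function instead.

```shell
#!/bin/sh
# Added example, not from the ticket. Usage on a real host:
#   lsof -i -n -P | smtp_clients_by_process
SMTP_PORT="${SMTP_PORT:-25}"

# Reads lsof lines on stdin; prints "command pid user count" for every
# non-root process holding ESTABLISHED connections to 127.0.0.1:$SMTP_PORT,
# highest count first. Column layout assumed: COMMAND PID USER ... NAME STATE.
smtp_clients_by_process() {
    awk -v port="$SMTP_PORT" '
        $NF == "(ESTABLISHED)" && $(NF-1) ~ ("->127\\.0\\.0\\.1:" port "$") && $3 != "root" {
            key = $1 " " $2 " " $3
            n[key]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k4,4nr
}

# Exit 0 when any single process holds more than $1 established SMTP
# connections (a web-user process bulk-submitting mail looks like this),
# exit 1 otherwise. Reads lsof lines on stdin.
smtp_flood_suspected() {
    threshold="$1"
    smtp_clients_by_process | awk -v t="$threshold" '
        $4 > t { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample modelled on the ticket's lsof output (not the real capture).
SAMPLE='master     3522      root   12u  IPv4 610426653      0t0  TCP *:25 (LISTEN)
php5-cgi  18328 enlacemos    4u  IPv4 633003519      0t0  TCP 127.0.0.1:53284->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    5u  IPv4 633003522      0t0  TCP 127.0.0.1:53285->127.0.0.1:25 (ESTABLISHED)
php5-cgi  18328 enlacemos    6u  IPv4 633003525      0t0  TCP 127.0.0.1:53286->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    5u  IPv4 633002837      0t0  TCP 127.0.0.1:53336->127.0.0.1:25 (ESTABLISHED)
php5-cgi  19197 enlacemos    6u  IPv4 633002840      0t0  TCP 127.0.0.1:53337->127.0.0.1:25 (ESTABLISHED)
sshd      21000      root    3u  IPv4 633009999      0t0  TCP 10.0.0.5:22->10.0.0.9:50001 (ESTABLISHED)'

printf '%s\n' "$SAMPLE" | smtp_clients_by_process
```

The root-owned `master` listener and the unrelated sshd session are ignored; only the two `php5-cgi` processes of the `enlacemos` user are reported, which is the signal that pointed at the web account in the ticket.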

Change History (9)

comment:1 Changed 3 years ago by https://id.mayfirst.org/erq

  • Cc eugenio@… added

comment:2 Changed 3 years ago by https://id.mayfirst.org/jaimev

  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

We have backups of this site from 5 days ago, but the backups contain the same suspicious files, which indicates that the site was compromised longer ago. From what I can see, possibly more than a year ago. Unless they have kept their own older backups, the site will probably have to start from scratch or hire a WordPress developer who could update the site, separating out the compromised files and deleting any suspicious alterations in the database.

I have sent an e-mail to the member contacts and the admin e-mail registered on the site.

comment:3 Changed 3 years ago by https://id.mayfirst.org/jaimev

We have not received a reply from this site's contacts. I am trying to contact them again.

comment:4 Changed 3 years ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/cesar added

Copying user cesar. Several weeks have gone by and we have not received a reply.

comment:5 Changed 3 years ago by https://id.mayfirst.org/jaimev

  • Resolution set to fixed
  • Status changed from assigned to feedback

I think the right course is to leave this site deactivated for now; at a later point it would be deleted if there is no further reply from the organization.

comment:6 Changed 3 years ago by automatic

  • Status changed from feedback to closed

No news is good news (we hope)! Given the lack of feedback, we think this ticket can be closed.

comment:7 Changed 3 years ago by https://id.mayfirst.org/jaimev

Today I found 1500 processes "perl main.css" running under the enlacemos user. I've now disabled that user, which I probably should have done before.

comment:8 Changed 16 months ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/magic_gmm added
  • Resolution fixed deleted
  • Status changed from closed to assigned

The site must remain deactivated until there is a plan to completely rebuild the site's installation.

comment:9 Changed 7 months ago by https://id.mayfirst.org/jaimev

  • Resolution set to fixed
  • Status changed from assigned to closed

I've now disabled this entire hosting order.
