
Questions to solve a Server Hack

It's clear that our SL server has been hacked. So I have some questions.


First, our provider threatened to stop service for sending spam. So I checked the queue and found thousands of messages, mostly ones that had been bounced back as having been spam. So I deleted everything and turned off mail, but it keeps turning itself back on again. So I unchecked "Enable SMTP". It occurs to me now that I could allow incoming since sending is the problem.


Now the queue is still filling up, but nothing is going out since I turned it off. Here is a typical message:


Message ID: 077893B187F3
Date: July 9, 2014 9:14:39 AM
Size: 904
Sender: _www@mail.ourdomain.com
Recipient(s) & Status:
----------------------
Email address:
mail transport unavailable



I have changed all passwords I can think of. I went through all the folders and deleted all the unauthorized files I could find. The next morning, I found more spam files in a site directory, so I deleted those. I went through again and found some others I missed the first time and deleted those. This morning did not find any new unauthorized files.


So if anyone can help with the following questions, I'd appreciate it:


1. I have been through all the logs I can find and cannot figure out how the intruder got in. Any place I should specifically look? I have looked in all mail and access logs, but maybe I'm just not recognizing it in there.


2. I did find two unauthorized logins on a WordPress site. Can this big of a hack be done through there without FTP access?


3. Can I delete or disallow the _www user from sending mail?


4. If I have changed all the passwords, how can the sending attempts be continuing and the queue filling up?


5. Where are all those email addresses coming from and are they hidden somewhere on the server?


6. If this happened due to a DNS problem, how could I tell? When I set up this server, it seemed like it was reading our network and filling in all the fields as I went. Afterward, I looked up some tutorials and it seemed like it was correct. Plus web and mail have been working fine for a long time.


Thanks for any help, this forum has saved me more than once!


Scott



Posted on Jul 9, 2014 12:02 PM
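Questions 4 and 5 above come down to who is injecting mail into the queue. The sender `_www` in the queue record is the account the built-in web server runs as on OS X Server, so those messages are being handed to Postfix locally by a web process (typically a PHP script dropped into a site directory), not submitted over SMTP with a password. That is why changing passwords and disabling SMTP does not stop the queue from filling. The script below is an added triage example, not part of Scott's post or of Apple's Server tooling: it parses queue records in the layout shown above, counts messages per sender and per recipient domain, and flags senders that are local service accounts. The queue text, domains and addresses in `SAMPLE_QUEUE` are constructed; on a real system the same records would be pasted from the Server app's queue view or built from `mailq` output.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the queue entry in the post.
# Domains and addresses are placeholders, not values from the post.
SAMPLE_QUEUE = """\
Message ID: 077893B187F3
Date: July 9, 2014 9:14:39 AM
Size: 904
Sender: _www@mail.example.com
Recipient(s) & Status:
----------------------
Email address: alice@example.org
mail transport unavailable

Message ID: 0A1B2C3D4E5F
Date: July 9, 2014 9:15:02 AM
Size: 1210
Sender: _www@mail.example.com
Recipient(s) & Status:
----------------------
Email address: bob@example.net
mail transport unavailable

Message ID: 1F2E3D4C5B6A
Date: July 9, 2014 9:16:10 AM
Size: 650
Sender: scott@mail.example.com
Recipient(s) & Status:
----------------------
Email address: carol@example.org
delivered
"""

# Local service accounts that should not normally originate mail on a server.
# _www is the web server account on OS X Server; the others are common on
# other Unix systems (assumed list, extend for your own environment).
SERVICE_ACCOUNTS = {"_www", "www", "apache", "nobody"}


def parse_queue(text):
    """Split blank-line-separated queue records into dicts of the fields we need."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"recipients": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("Message ID:"):
                rec["id"] = line.split(":", 1)[1].strip()
            elif line.startswith("Sender:"):
                rec["sender"] = line.split(":", 1)[1].strip()
            elif line.startswith("Size:"):
                rec["size"] = int(line.split(":", 1)[1].strip())
            elif line.startswith("Email address:"):
                addr = line.split(":", 1)[1].strip()
                if addr:  # the post's record had the address edited out; skip blanks
                    rec["recipients"].append(addr)
        if "id" in rec and "sender" in rec:
            records.append(rec)
    return records


def summarize(records):
    """Count messages per sender and per recipient domain; flag service-account senders."""
    by_sender = Counter(r["sender"] for r in records)
    by_domain = Counter(rcpt.split("@")[-1].lower()
                        for r in records for rcpt in r["recipients"])
    flagged = sorted({r["sender"] for r in records
                      if r["sender"].split("@")[0] in SERVICE_ACCOUNTS})
    return {
        "by_sender": by_sender,
        "recipient_domains": by_domain,
        "service_account_senders": flagged,
    }


def where_to_look(summary):
    """Turn the summary into a short list of next checks for the admin."""
    hints = []
    if summary["service_account_senders"]:
        hints.append("Mail is injected locally by the web server account; "
                     "audit site directories for recently modified scripts "
                     "rather than mail passwords.")
    else:
        hints.append("No service-account senders; check authenticated SMTP "
                     "submissions and account passwords.")
    return hints


if __name__ == "__main__":
    report = summarize(parse_queue(SAMPLE_QUEUE))
    for sender, n in report["by_sender"].most_common():
        print(f"{n:5d}  {sender}")
    print("flagged:", report["service_account_senders"])
    for hint in where_to_look(report):
        print("-", hint)
```

Run against the real queue, a large count for `_www@...` with many distinct recipient domains is the signature of a web script sending spam; a large count for a named user account instead points at a stolen mailbox password, which the password change would already have addressed.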
