Ask A Question

Notifications

You’re not receiving notifications from this thread.

Mail Password hacked

Herbert Schmoll asked in Rails
Herbert Schmoll Herbert Schmoll

I have a Rails application that runs on an Ubuntu server and sends emails through an external SMTP server. Now I was informed by my provider that the email password of the SMTP server was hacked and that spam mails are sent via the SMTP server.

I have now changed all passwords, the access password to my provider and the email password of the domain. I changed the root password on my Ubuntu server and closed all postfix ports on the firewall. The server is now only accessible via ports 80 and 443.

And still spam mails are still sent via the SMTP server. Where could I still have a security gap?

Reply
Chris Oliver Chris Oliver

Look at what processes are running on your server. They could have installed some software that runs on the server to send the emails out and if so you'd need to remove that.

Reply
Herbert Schmoll Herbert Schmoll

With ps ax I get the following list of processes. How could I identify the process?

PID TTY STAT TIME COMMAND
1 ? Ss 1:10 init
2 ? S 0:00 [kthreadd/797067]
3 ? S 0:00 [khelper/7970675]
141 ? S 0:00 upstart-udev-bridge --daemon
182 ? Ss 0:00 /lib/systemd/systemd-udevd --daemon
266 ? S 0:00 upstart-socket-bridge --daemon
300 ? S 0:00 upstart-file-bridge --daemon
311 ? Ssl 7:06 rsyslogd
315 ? Ss 0:00 dbus-daemon --system --fork
323 ? Ss 0:00 /lib/systemd/systemd-logind
527 ? Ss 0:00 /usr/sbin/xinetd -dontfork -pidfile /var/run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
549 ? Ss 4:52 /usr/sbin/sshd -D
584 ? Ss 0:09 cron
590 ? Ssl 155:36 /usr/sbin/mysqld
664 ? Ssl 0:01 /usr/sbin/named -u bind
1351 ? Ss 2:19 /usr/lib/postfix/master
1397 ? S 3:44 qmgr -l -t unix -u
1538 ? Ss 0:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
1539 ? S 0:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
1919 ? Sl 50:16 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
1958 tty1 Ss+ 0:00 /sbin/getty 38400 console
1960 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
3281 ? Ssl 20:50 /usr/lib/jvm/java-8-oracle/bin/java -Djdk.home=/usr/lib/jvm/java-8-oracle -Djruby.home=/root/.rbenv/versions/jruby-9.2.9.0 -Djruby.script=jruby -Djruby.shell=/bin/sh -Djffi.bo
19384 ? Ssl 22:25 /usr/lib/jvm/java-8-oracle/bin/java -Djdk.home=/usr/lib/jvm/java-8-oracle -Djruby.home=/root/.rbenv/versions/jruby-9.2.11.1 -Djruby.script=jruby -Djruby.shell=/bin/sh -Djffi.b
22122 ? Ss 0:00 nginx: master process /usr/sbin/nginx
22123 ? S 0:31 nginx: worker process
22125 ? S 0:27 nginx: worker process
22126 ? S 0:28 nginx: worker process
22127 ? S 0:29 nginx: worker process
30213 ? S 0:00 pickup -l -t unix -u -c
31811 ? S 0:00 trivial-rewrite -n rewrite -t unix -u -c
31812 ? S 0:00 smtp -t unix -u -c
31813 ? S 0:00 smtp -t unix -u -c
31814 ? S 0:00 bounce -z -n defer -t unix -u -c
31815 ? S 0:00 smtp -t unix -u -c
31816 ? S 0:00 bounce -z -n defer -t unix -u -c
31817 ? S 0:00 smtp -t unix -u -c
31818 ? S 0:00 bounce -z -n defer -t unix -u -c
31819 ? S 0:00 smtp -t unix -u -c
31820 ? S 0:00 bounce -z -n defer -t unix -u -c
31821 ? S 0:00 error -n retry -t unix -u -c
31822 ? S 0:00 error -n retry -t unix -u -c
31823 ? S 0:00 error -n retry -t unix -u -c
31824 ? S 0:00 error -n retry -t unix -u -c
31825 ? S 0:00 error -n retry -t unix -u -c
31828 ? Ss 0:00 sshd: root@pts/0

31839 pts/0 Ss 0:00 -bash

Reply
Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 82,464+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.