Spamhaus CBL list


Hi everyone!

I'm not a professional and I'm stuck. I don't manage the site, I just help out. :grinning:

I noticed that emails were not going out from the website (WordPress), and then a bounced email arrived saying the IP is blocked. The site works, only emails don't go out. All I managed to find out is that a bot managed to hack the Contact Form 7 plugin. I deleted the plugin; Spamhaus writes the following, and I have no idea what to do with it:

This IP address was detected and listed 2 times in the past 28 days, and 0 times in the past 24 hours. The most recent detection was at Fri May 3 07:05:00 2019 UTC +/- 5 minutes

This IP address is most likely a web server running Wordpress, where a virtual host (customer web site) has been compromised into providing forwarding links to malicious web sites. The infection may be caused by malware called [Stealrat] but is more likely part of a mumblehard infection.

WARNING: These listings are particularly pernicious, and if the web site isn’t cleaned and disinfected as per the instructions below, chances are that it will be relisted again almost immediately. Repeat listings will result in removal being prohibited.

In short, Mumblehard is a linux and FreeBSD binary program that contains an obfuscated Perl program. When the perl program is executed, it launches a backdoor daemon, a proxy, and a spambot.

Some of the information below is taken from [ESET’s git repository] that has more details. Note: The IP addresses given in the above page are no longer valid, but the other information is still valid.

The main indicator that you are infected (present version of Mumblehard) is seeing a process called “exim”, “bash”, or “proc” that is running under a normal userid rather than a system userid like “root”, “mail”, “mailman”, for example:

    $ ps -eaf | grep exim
    cbl 2489 1 3 19:19 ? 00:00:11 exim
    cbl 2490 1 4 19:19 ? 00:00:14 exim
    cbl 2961 1 0 19:24 ? 00:00:00 exim

The userid may be a userid associated with the hostname alinaoneday.com.

Corresponding to the userid, there will probably be a cron job that contains a single line like this:

*/15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1

The file will either be in /var/tmp or /tmp, and consist of random letters in upper and lowercase.

As the root user, you can see this cron entry by typing:

crontab -u <userid> -l

Remediation/removal is pretty simple:

  1. Remove the tmp file.
  2. Clobber the cron entry with “crontab -u <userid> /dev/null”
  3. If the process is “bash”, killing it can be dangerous - you may break some other non-malicious process. If it’s “bash” reboot, otherwise, as root, kill the processes, eg: “sudo pkill -9 exim”
  4. To be absolutely certain, reboot the computer
  5. Find and remove any suspicious php scripts associated with the userid assigned to the web site alinaoneday.com

SELF REMOVAL:

Normally, you can remove the CBL listing yourself. If no removal link is given below, follow the instructions, and come back and do the lookup again, and the removal link will appear.

Delisting is inhibited until 48 hours after the listing - approximately Sun May 5 07:05:00 2019 UTC +/- 5 minutes
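The two indicators the CBL notice describes (a mailer or shell process owned by an ordinary web-site userid, and a cron entry that runs a randomly named file from /tmp or /var/tmp) can be checked in one pass. The script below is an added defender-side example; it is not part of the forum post, the Spamhaus notice, or ESET's material. The list of system userids, the sample `ps` and crontab text, the userid "cbl" and the cron file names in it are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum post or the CBL notice): scan for the two
# Mumblehard indicators the notice lists. Each check reads text on stdin, so it
# works on saved `ps`/`crontab` output as well as on the live system.

# Userids that may legitimately own an "exim" or "bash" process. This list is an
# assumption for the example; extend it for your distribution.
SYSTEM_USERS="root mail mailman exim Debian-exim"

# Input: lines in `ps -eo user,pid,ppid,comm` format (header optional).
# Output: lines whose command is exim, bash or proc but whose owner is not in
# SYSTEM_USERS. Note that ps truncates long usernames with a trailing "+".
suspicious_procs() {
    awk -v sys="$SYSTEM_USERS" '
        BEGIN { n = split(sys, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }
        ($NF == "exim" || $NF == "bash" || $NF == "proc") && !($1 in ok) { print }
    '
}

# Input: crontab lines. Output: entries that execute a file under /tmp or
# /var/tmp whose name consists only of letters, the pattern shown in the notice
# ("*/15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1"). Comment lines are skipped.
suspicious_cron() {
    grep -v '^[[:space:]]*#' |
        grep -E '(^|[[:space:]])/(var/)?tmp/[A-Za-z]+([[:space:]]|$)'
}

# Counts lines of stdin without the leading blanks some `wc` builds emit.
count_lines() {
    awk 'END { print NR }'
}

# Runs both checks on the live system. Needs root for `crontab -u`.
scan_live() {
    echo "== processes =="
    ps -eo user,pid,ppid,comm | suspicious_procs
    echo "== per-user crontabs =="
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -u "$u" -l 2>/dev/null | suspicious_cron | sed "s/^/$u: /"
    done
}

# Constructed sample data modelled on the notice; the userid "cbl" and the
# cron entries are illustrative, not taken from a real host.
SAMPLE_PS='USER PID PPID COMMAND
root 1 0 init
Debian-exim 800 1 exim4
cbl 2489 1 exim
cbl 2490 1 exim
www-data 3001 1 apache2
cbl 2961 1 exim
root 40 1 bash'

SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
*/15 * * * * /var/tmp/qCVwOWA >/dev/null 2>&1
*/5 * * * * /tmp/XyZabc'

echo "Suspicious processes in sample:"
printf '%s\n' "$SAMPLE_PS" | suspicious_procs
echo "Suspicious cron entries in sample:"
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron
```

Run as-is it only scans the embedded sample text; call `scan_live` as root to check the real host. A hit from `suspicious_procs` gives you the userid to pass to `crontab -u <userid> -l`, and a hit from `suspicious_cron` names the file to remove before the cron entry is cleared and the process killed or the machine rebooted, in the order the notice gives.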