Hacked?
Hello y'all
I do not know where to start to work this at this point, so I try to post it here. Basically I am being exploited by a bot or intentional spammer using my server to reach an open relay. During the course of my investigations I have found the perp to be at IP 95.65.31.32 and what he is doing is posting an HTTP POST to my wordpress site like so:
95.65.31.32 - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/May/2012:16:17:43 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
I have also enabled mod_dumpio on apache to get the data collected but end up with stuff like in pastebin:
This does not give me any good info and my efforts to decode the post-data have failed. It seems that it is posting to the root dir of the site though, and at the end of the post there is a sendmail message confirming that this actually kicks off the email. I can also see from the sSMTP logs that this post correlates with the timing of the email.
Currently I have pointed the sSMTP to a relay that fails due to SSL and user/pw requirements.
I have upgraded apache to the latest version (2.2.22) and also upgraded everything on my server to the latest patch level (gentoo). Also I have upgraded all wordpress stuff to the latest version, including plugins.
What do I do next?
Thanks for any pointers you could give!
(Also I have some trouble running tcpdump etc. due to being in a virtual machine without root access to the interface.)
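As an added example from the investigator's side (not code from the original post), the correlation described above, scripted: it parses access-log lines in the format quoted and syslog-style sSMTP lines, counts POST / requests per source IP and pairs each one with the first mail sent shortly after it, leaving any mail that no POST explains. The sample lines, the sSMTP log wording and the 5-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample access-log lines modelled on the ones quoted in the post (combined log format).
ACCESS_LOG = """\
95.65.31.32 - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0"
95.65.31.32 - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2012:16:17:35 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
95.65.31.32 - - [15/May/2012:16:17:43 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0"
"""
# Constructed syslog-style lines standing in for the sSMTP log; the exact wording is an assumption.
MAIL_LOG = """\
May 15 16:17:33 web sSMTP[2201]: Sent mail for www-data
May 15 16:17:44 web sSMTP[2210]: Sent mail for www-data
May 15 16:30:01 web sSMTP[2300]: Sent mail for root
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
MAIL_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sSMTP\[\d+\]: Sent mail')

def parse_access(text):
    """Yield (ip, local_time, method, path, status); the "+0200" offset is dropped so both logs compare as local time."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S"), method, path, int(status)

def parse_mail(text, year):
    """Yield the local time of each 'Sent mail' line; syslog omits the year, so it is passed in."""
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def correlate(access_text, mail_text, year=2012, window=timedelta(seconds=5)):
    """Pair each POST to / with the first still-unexplained mail sent within `window` after it.
    Returns (posts_per_ip, matches, unexplained): matches are (ip, post_time, mail_time) tuples,
    unexplained are mails no POST accounts for, e.g. legitimate cron or admin mail."""
    pending = sorted(parse_mail(mail_text, year))
    posts_per_ip, matches = Counter(), []
    for ip, when, method, path, _status in parse_access(access_text):
        if method != "POST" or path != "/":
            continue
        posts_per_ip[ip] += 1
        for sent in pending:
            if when <= sent <= when + window:
                matches.append((ip, when, sent))
                pending.remove(sent)  # one mail explains at most one POST
                break
    return posts_per_ip, matches, pending
```

On real data, feed the full access log and mail log as text; a mail that stays unexplained is a lead worth checking separately from the POST traffic.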