Mail Password hacked
I have a Rails application that runs on an Ubuntu server and sends emails through an external SMTP server. Now I was informed by my provider that the email password of the SMTP server was hacked and that spam mails are sent via the SMTP server.
I have now changed all passwords, the access password to my provider and the email password of the domain. I changed the root password on my Ubuntu server and closed all postfix ports on the firewall. The server is now only accessible via ports 80 and 443.
And still, spam mails are sent via the SMTP server. Where could I still have a security gap?
Look at what processes are running on your server. They could have installed some software that runs on the server to send the emails out and if so you'd need to remove that.
With ps ax I get the following list of processes. How could I identify the process?
PID TTY STAT TIME COMMAND
1 ? Ss 1:10 init
2 ? S 0:00 [kthreadd/797067]
3 ? S 0:00 [khelper/7970675]
141 ? S 0:00 upstart-udev-bridge --daemon
182 ? Ss 0:00 /lib/systemd/systemd-udevd --daemon
266 ? S 0:00 upstart-socket-bridge --daemon
300 ? S 0:00 upstart-file-bridge --daemon
311 ? Ssl 7:06 rsyslogd
315 ? Ss 0:00 dbus-daemon --system --fork
323 ? Ss 0:00 /lib/systemd/systemd-logind
527 ? Ss 0:00 /usr/sbin/xinetd -dontfork -pidfile /var/run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
549 ? Ss 4:52 /usr/sbin/sshd -D
584 ? Ss 0:09 cron
590 ? Ssl 155:36 /usr/sbin/mysqld
664 ? Ssl 0:01 /usr/sbin/named -u bind
1351 ? Ss 2:19 /usr/lib/postfix/master
1397 ? S 3:44 qmgr -l -t unix -u
1538 ? Ss 0:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
1539 ? S 0:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
1919 ? Sl 50:16 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
1958 tty1 Ss+ 0:00 /sbin/getty 38400 console
1960 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
3281 ? Ssl 20:50 /usr/lib/jvm/java-8-oracle/bin/java -Djdk.home=/usr/lib/jvm/java-8-oracle -Djruby.home=/root/.rbenv/versions/jruby-9.2.9.0 -Djruby.script=jruby -Djruby.shell=/bin/sh -Djffi.bo
19384 ? Ssl 22:25 /usr/lib/jvm/java-8-oracle/bin/java -Djdk.home=/usr/lib/jvm/java-8-oracle -Djruby.home=/root/.rbenv/versions/jruby-9.2.11.1 -Djruby.script=jruby -Djruby.shell=/bin/sh -Djffi.b
22122 ? Ss 0:00 nginx: master process /usr/sbin/nginx
22123 ? S 0:31 nginx: worker process
22125 ? S 0:27 nginx: worker process
22126 ? S 0:28 nginx: worker process
22127 ? S 0:29 nginx: worker process
30213 ? S 0:00 pickup -l -t unix -u -c
31811 ? S 0:00 trivial-rewrite -n rewrite -t unix -u -c
31812 ? S 0:00 smtp -t unix -u -c
31813 ? S 0:00 smtp -t unix -u -c
31814 ? S 0:00 bounce -z -n defer -t unix -u -c
31815 ? S 0:00 smtp -t unix -u -c
31816 ? S 0:00 bounce -z -n defer -t unix -u -c
31817 ? S 0:00 smtp -t unix -u -c
31818 ? S 0:00 bounce -z -n defer -t unix -u -c
31819 ? S 0:00 smtp -t unix -u -c
31820 ? S 0:00 bounce -z -n defer -t unix -u -c
31821 ? S 0:00 error -n retry -t unix -u -c
31822 ? S 0:00 error -n retry -t unix -u -c
31823 ? S 0:00 error -n retry -t unix -u -c
31824 ? S 0:00 error -n retry -t unix -u -c
31825 ? S 0:00 error -n retry -t unix -u -c
31828 ? Ss 0:00 sshd: root@pts/0
31839 pts/0 Ss 0:00 -bash
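The answer above says to look for a process that sends the mail, and the follow-up asks how to pick it out of the `ps ax` listing. Two things a practitioner would check before hunting for a rogue binary: the listing shows the local Postfix still running (`/usr/lib/postfix/master`, `qmgr`, `pickup`, and a batch of `smtp` and `bounce` delivery processes), and a firewall rule on the Postfix ports only blocks new inbound connections; it does not stop the queue manager from delivering what is already queued, nor stop local processes (a web app, a cron job, a dropped script calling `/usr/sbin/sendmail`) from handing it more. The mail log records which path each message came in on, so the quickest way to answer "which process?" is to count queue entries per injection path. The script below is an added example written for this page, not code from the thread; it assumes Postfix writing stock syslog-format lines to `/var/log/mail.log` (Ubuntu default), and the sample log it runs on is constructed, using RFC 5737 addresses and `example.*` names.

```shell
#!/bin/sh
# Added triage helper for the thread above; not code from the original post.
# Assumptions (labelled): Postfix logs in the stock syslog line format
# (/var/log/mail.log on Ubuntu); the sample log below is constructed for this
# example and uses RFC 5737 addresses and example.* names.
set -eu

# mail_origin_summary: read Postfix log lines on stdin and print, most frequent
# first, how many distinct queue IDs entered the queue by each path:
#   sasl:<user>      authenticated SMTP submission (a stolen mailbox password)
#   pickup:uid=<n>   injected locally through /usr/sbin/sendmail by that uid
#                    (uid 33 is www-data on Ubuntu, i.e. the web stack itself)
#   smtpd:<ip>       unauthenticated SMTP; ordinary inbound mail unless you relay for it
mail_origin_summary() {
    awk '
        # Queue ID is the token after "[pid]: " (works with any timestamp format).
        function qid(line,    s) {
            if (match(line, /\[[0-9]+\]: [0-9A-Za-z]+: /)) {
                s = substr(line, RSTART, RLENGTH)
                sub(/^\[[0-9]+\]: /, "", s); sub(/: $/, "", s)
                return s
            }
            return ""
        }
        /postfix\/smtpd\[[0-9]+\]: [0-9A-Za-z]+: client=/ {
            q = qid($0)
            if (match($0, /sasl_username=[^, ]+/)) {
                origin[q] = "sasl:" substr($0, RSTART + 14, RLENGTH - 14)
            } else if (match($0, /client=[^ ,]+\[[^]]+\]/)) {
                c = substr($0, RSTART + 7, RLENGTH - 7)
                sub(/^.*\[/, "", c); sub(/\].*$/, "", c)   # keep only the IP
                origin[q] = "smtpd:" c
            }
            next
        }
        /postfix\/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=/ {
            q = qid($0)
            if (match($0, /uid=[0-9]+/)) origin[q] = "pickup:" substr($0, RSTART, RLENGTH)
            next
        }
        END {
            for (q in origin) count[origin[q]]++
            for (o in count) printf "%d %s\n", count[o], o
        }
    ' | sort -rn
}

# live_mail_checks: the same question asked of the running box. Run as root on
# the affected server by hand; the offline demo at the bottom does not call it.
live_mail_checks() {
    echo '== Queue size and the envelope senders waiting in it'
    postqueue -p | tail -n 1
    postqueue -p | awk '/^[0-9A-Za-z]+[*!]?[ \t]/ {print $7}' | sort | uniq -c | sort -rn | head
    echo '== Locally injected mail waiting for pickup (written via /usr/sbin/sendmail)'
    ls -la /var/spool/postfix/maildrop 2>/dev/null || true
    echo '== Injection path per queue ID, from the log'
    mail_origin_summary < /var/log/mail.log
    echo '== Processes holding outbound SMTP connections right now'
    ss -tnp state established '( dport = :25 or dport = :465 or dport = :587 )'
    echo '== Scheduled jobs that could relaunch a sender'
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
    done
    ls -la /etc/cron.d /etc/cron.hourly /var/spool/cron/crontabs 2>/dev/null || true
}

# Constructed sample log (not real traffic): three authenticated submissions as
# info@example.com from two client IPs, two messages injected locally by uid 33,
# and one ordinary inbound delivery.
SAMPLE_MAIL_LOG=$(cat <<'EOF'
Jan 10 09:12:01 mail postfix/smtpd[4011]: 3F2A1C0123: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Jan 10 09:12:02 mail postfix/qmgr[1397]: 3F2A1C0123: from=<info@example.com>, size=2210, nrcpt=50 (queue active)
Jan 10 09:12:40 mail postfix/smtpd[4011]: 41B7E1C0130: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=info@example.com
Jan 10 09:13:05 mail postfix/smtpd[4015]: 5C08A1C0141: client=unknown[198.51.100.77], sasl_method=PLAIN, sasl_username=info@example.com
Jan 10 09:13:06 mail postfix/pickup[30213]: 6D9F31C0155: uid=33 from=<www-data>
Jan 10 09:13:06 mail postfix/cleanup[4020]: 6D9F31C0155: message-id=<20200110091306.6D9F31C0155@mail.example.com>
Jan 10 09:14:22 mail postfix/pickup[30213]: 7E0B41C0162: uid=33 from=<www-data>
Jan 10 09:15:00 mail postfix/smtpd[4018]: 8F1C51C0170: client=mx.example.net[192.0.2.10]
Jan 10 09:15:01 mail postfix/smtp[31812]: 3F2A1C0123: to=<victim@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=180, delays=0.1/0/0.5/179, dsn=2.0.0, status=sent (250 OK)
EOF
)

# Offline demo on the constructed sample; prints the three origin lines.
printf '%s\n' "$SAMPLE_MAIL_LOG" | mail_origin_summary
```

Reading the result: a high `sasl:` count means the mailbox password is still being used (or a client that still has the old one, or a second password you have not rotated); a high `pickup:uid=33` count means something running as the web server user, the Rails app or a dropped script, is handing mail to `/usr/sbin/sendmail` locally, and `ls -l /proc/<pid>/exe` plus `/proc/<pid>/cwd` for the processes `ss -tnp` names will tell you which binary. Either way, `postsuper -h ALL` puts the whole queue on hold so nothing more leaves while you read the log, and `postsuper -d ALL` drops what you have confirmed is junk; rotating passwords alone does not empty a queue that was already filled.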