The Community Forums

Interact with an entire community of cPanel & WHM users!

Mail server down after chmod chown screw up

Discussion in 'General Discussion' started by John Donnellon, Aug 11, 2015.

  1. John Donnellon

    Joined:
    Aug 21, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New Baltimore, Michigan, United States
    cPanel Access Level:
    Root Administrator
    Moved to a new VPS host over the weekend and some WordPress installs weren't working. I've used a script to fix permissions etc. in the past, so I used it on the accounts that weren't working.

    WP_OWNER=username # <-- wordpress owner
    WP_GROUP=username # <-- wordpress group
    WP_ROOT=wp/ # <-- wordpress root directory
    WS_GROUP=nobody # <-- webserver group

    # reset to safe defaults
    find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
    find ${WP_ROOT} -type d -exec chmod 755 {} \;
    find ${WP_ROOT} -type f -exec chmod 644 {} \;

    # allow wordpress to manage wp-config.php (but prevent world access)
    chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
    chmod 660 ${WP_ROOT}/wp-config.php

    # allow wordpress to manage wp-content
    find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
    find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
    find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;

    The very last account had wp in the home directory, so I went to change wp/ to ./ and left out the . I noticed the output right away and stopped it, but on a server with SSDs it had already changed a lot of perms. I've gone through and fixed things and all my sites are back up, but mail is not working. It acts like it is, but nothing comes in or out of the accounts.

    So far I've restarted cPanel, Exim and IMAP, and they all seem to restart normally. I can log into mail accounts through webmail and see mail in the inbox, but nothing new. I send a test message from webmail and it acts normally, but the mail is never delivered. I'm hoping someone can point me in the right direction. Thanks for reading.
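    The permission reset in the post above does exactly what it is told, including when the target variable ends up empty and `find ${WP_ROOT}` silently walks the whole filesystem. The function below is an added example, not the poster's script and not a cPanel tool: it applies the same 755/644, 660 and 775/664 policy but refuses to run on an empty, root or non-WordPress path, stays inside an allowed prefix, and only prints the commands unless explicitly told to apply them. The function name `fix_wp_perms` and the `WP_ALLOWED_PREFIX` variable are this example's own.

```bash
#!/bin/bash
# Added example, not the poster's script: the same permission reset with guards in
# front of it. The outage in the thread came from WP_ROOT being edited down to an
# empty string, so "find ${WP_ROOT} -exec chown ..." walked the whole filesystem.
# The function name and the WP_ALLOWED_PREFIX variable are this example's own.

set -u

# fix_wp_perms ROOT OWNER GROUP WSGROUP [apply]
# Prints the commands unless the fifth argument is "apply". Returns 1 and touches
# nothing when ROOT is empty, "/", ".", not a WordPress tree, or outside
# WP_ALLOWED_PREFIX (default /home, where cPanel keeps account document roots).
fix_wp_perms() {
  local root="${1:-}" owner="$2" group="$3" wsgroup="$4" mode="${5:-dry-run}"
  local prefix="${WP_ALLOWED_PREFIX:-/home}"

  # Guard 1: the exact mistake from the thread, an empty or root-like target
  if [ -z "$root" ] || [ "$root" = "/" ] || [ "$root" = "." ]; then
    echo "refusing: WP_ROOT is empty, '/' or '.'" >&2
    return 1
  fi
  # Guard 2: resolve symlinks and require a WordPress tree, not an arbitrary directory
  root=$(cd "$root" 2>/dev/null && pwd -P) || { echo "refusing: $1 is not a directory" >&2; return 1; }
  if [ ! -f "$root/wp-config.php" ] || [ ! -d "$root/wp-content" ]; then
    echo "refusing: $root has no wp-config.php or wp-content" >&2
    return 1
  fi
  # Guard 3: stay inside the account area even if "./" resolved somewhere else
  case "$root" in
    "$prefix"/*) ;;
    *) echo "refusing: $root is outside $prefix" >&2; return 1 ;;
  esac

  # Dry run by default: every command below is prefixed with "echo"
  local run
  if [ "$mode" = "apply" ]; then run=""; else run="echo"; fi

  # reset to safe defaults (same policy as the thread's script, batched with "+")
  $run find "$root" -exec chown "$owner:$group" {} +
  $run find "$root" -type d -exec chmod 755 {} +
  $run find "$root" -type f -exec chmod 644 {} +
  # wp-config.php: owner and web server group only, no world access
  $run chgrp "$wsgroup" "$root/wp-config.php"
  $run chmod 660 "$root/wp-config.php"
  # wp-content: writable by the web server group
  $run find "$root/wp-content" -exec chgrp "$wsgroup" {} +
  $run find "$root/wp-content" -type d -exec chmod 775 {} +
  $run find "$root/wp-content" -type f -exec chmod 664 {} +
}
```

    Run it once without `apply` and read the printed commands before running it again with `apply`; on a cPanel box the call would look like `fix_wp_perms /home/username/public_html/wp username username nobody apply`. The `+` form of `-exec` batches many paths per `chown`/`chmod` call, which is why it finishes faster than the `\;` form in the original and is also why a wrong root does damage quickly on SSD storage, as the poster saw.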
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Do you notice any specific error messages in /var/log/exim_mainlog or /var/log/exim_paniclog? You could also try running:

    Code:
    /scripts/mailperm --verbose
    Thank you.
     
  3. John Donnellon

    Joined:
    Aug 21, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New Baltimore, Michigan, United States
    cPanel Access Level:
    Root Administrator
    Discovered that everything was held up in the queue. exim_mainlog showed that there was a whole lot of activity over the last three days from two IP addresses. It seems that the mail server was hacked and used for spamming.
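    The poster found the two spamming addresses by reading exim_mainlog by hand. The function below is an added example, not from the thread or from cPanel, that does the same triage mechanically: it counts authenticated submissions ("<=" arrival lines with P=esmtpa) per source IP and per login account named in the A= field, and prints the pairs over a threshold. The sample log it writes is constructed for this example with documentation addresses; `exim_auth_summary` and `write_sample_log` are this example's own names.

```bash
#!/bin/bash
# Added example, not from the thread or cPanel: summarise authenticated outbound
# submissions in an Exim main log by source IP and login, the pattern the poster
# spotted by hand ("a whole lot of activity ... from two IP addresses").
# Log lines follow the Exim/cPanel format: "<=" is a message arrival, P=esmtpa
# means the sender authenticated, A=dovecot_login:<account> names the login used.

set -u

# exim_auth_summary LOGFILE [THRESHOLD]
# Prints "count ip account" for every (ip, account) pair with at least THRESHOLD
# authenticated submissions, highest first. Only IPv4 addresses are handled here.
exim_auth_summary() {
  local log="$1" thr="${2:-50}"
  awk -v thr="$thr" '
    / <= / && / P=esmtpa / {
      ip = ""; acct = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\[[0-9.]+\]$/) ip = substr($i, 2, length($i) - 2)
        else if ($i ~ /^A=/) { split($i, a, ":"); acct = a[2] }
      }
      if (ip != "") n[ip " " acct]++
    }
    END { for (k in n) if (n[k] >= thr) print n[k], k }
  ' "$log" | sort -rn
}

# write_sample_log: constructed excerpt (example addresses and logins, not taken
# from the thread) so the function can be exercised offline; prints the file path.
write_sample_log() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
2015-08-09 02:14:07 1ZOb3k-0001Ab-Qz <= bogus1@example.com H=(localhost) [203.0.113.45] P=esmtpa A=dovecot_login:bogus1@example.com S=1802
2015-08-09 02:14:08 1ZOb3k-0001Ab-Qz => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.25]
2015-08-09 02:14:20 1ZOb3x-0001Ac-Rz <= bogus1@example.com H=(localhost) [203.0.113.45] P=esmtpa A=dovecot_login:bogus1@example.com S=1810
2015-08-09 02:14:33 1ZOb4A-0001Ad-Sz <= bogus1@example.com H=(localhost) [203.0.113.45] P=esmtpa A=dovecot_login:bogus1@example.com S=1799
2015-08-09 02:14:45 1ZOb4M-0001Ae-Tz <= bogus1@example.com H=(localhost) [203.0.113.45] P=esmtpa A=dovecot_login:bogus1@example.com S=1805
2015-08-09 03:01:02 1ZOc0r-0001Bf-Uz <= bogus2@example.com H=(mail) [198.51.100.7] P=esmtpa A=dovecot_login:bogus2@example.com S=2210
2015-08-09 03:01:15 1ZOc14-0001Bg-Vz <= bogus2@example.com H=(mail) [198.51.100.7] P=esmtpa A=dovecot_login:bogus2@example.com S=2207
2015-08-09 03:01:29 1ZOc1I-0001Bh-Wz <= bogus2@example.com H=(mail) [198.51.100.7] P=esmtpa A=dovecot_login:bogus2@example.com S=2215
2015-08-09 09:15:40 1ZOi1Q-0001Cz-Xz <= john@example.com H=(home-pc) [192.0.2.10] P=esmtpa A=dovecot_login:john@example.com S=3120
2015-08-09 09:20:11 1ZOi5v-0001Da-Yz <= newsletter@example.org H=mail.example.org [192.0.2.40] P=esmtp S=5400
EOF
  echo "$f"
}
```

    On a cPanel server point it at /var/log/exim_mainlog with a threshold that fits the account's normal volume, e.g. `exim_auth_summary /var/log/exim_mainlog 200`; the inbound `P=esmtp` line without an A= field and the `=>` delivery lines are deliberately ignored, since the question is which login credentials and client addresses are pushing mail out. `exim -bpc` prints how many messages are sitting in the queue, which is the symptom the poster hit first.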
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you elaborate on this? Were you able to determine the source of the SPAM and remove the offending script?

    Thank you.
     
  5. John Donnellon

    Joined:
    Aug 21, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New Baltimore, Michigan, United States
    cPanel Access Level:
    Root Administrator
    My host ran a scan and sent me a list of files containing suspicious code. Among them was c99.php, which was in the public_html directory of one of the accounts. I don't know a whole lot about this script, but I do know it can be pretty bad, giving the would-be hacker free rein over the server. I'm assuming that they got FTP access to this particular account and planted the script, then used their access to send spam through bogus email accounts. I think I caught it very quickly and won't get blacklisted, but I'm paranoid about security moving forward. I mean, they could have changed file permissions on critical system files, who knows. Anyone else ever dealt with this and have advice?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you elaborate further on how you are sure that root access was obtained? Is there additional evidence beyond the sent emails?

    Thank you.
     
  7. John Donnellon

    Joined:
    Aug 21, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New Baltimore, Michigan, United States
    cPanel Access Level:
    Root Administrator
    I really don't have any other evidence than that. I've gone through logs looking for some evidence but I don't know enough about c99 to know where to look.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You should assume your server has been compromised. Time to set up a new server and move your backups to it.

    How will you ever know you're safe otherwise? Google that file name...
     