mail subdomains of all hosted accounts have been defaced

reza1217

Registered
Jan 23, 2009
All my domains that have local hosted mail services have their mail.domain.com defaced. The webmail subdomain works fine. Can anyone suggest what I could try to fix this issue?
 

reza1217

Re: mail subdomains of all hosted accounts have been defaced fixed

Have fixed this by removing the index.html and index.php files which had been placed in the /usr/local/apache/htdocs/ directory.
 

morissette

Well-Known Member
May 24, 2009
Austin, TX
cPanel Access Level
Root Administrator
Typically mail.domain.com will route to the main page served up on the IP of mail.domain.com.

For example, if foodom.com was the main page that was returned when going to 123.456.78.91 and mail.somedom.com also pointed to 123.456.78.91, you would be able to determine that foodom.com was the actual site that was compromised.

Once you determine which site is compromised it is best to get a stat of the index file so you know when the defacement occurred and then you can backtrack through the logs to see how the malicious user compromised your account.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Of note, the timestamps for the pages would need to be checked to get an idea when the compromise happened. Once you've removed the pages, you can then no longer tell the timestamp for when the attack occurred. That timestamp matters a lot to tell you which logs to check as well as to check for any processes that might still be running from that time.
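
The order of operations the replies above describe (stat the planted index file before deleting it, then use its timestamp to narrow the logs) can be scripted as follows. This is an added example, not part of the original thread: the function names, the evidence directory and the sample log lines are constructed, and it assumes GNU coreutils (`stat -c`, `date -d`, `touch -d`) and Apache combined-format logs.

```shell
# Requires GNU stat/date/touch/sha256sum, as found on Linux hosts.

# record_evidence FILE DEST_DIR
# Saves size/owner/mtime/ctime and a SHA-256 to DEST_DIR, keeps a copy with
# timestamps preserved, and prints the file's mtime as epoch seconds.
record_evidence() {
    file=$1; dest=$2
    mkdir -p "$dest" || return 1
    base=$(basename "$file")
    {
        stat -c 'path=%n size=%s owner=%U:%G mode=%a' "$file"
        stat -c 'mtime=%y (epoch %Y)' "$file"
        stat -c 'ctime=%z (epoch %Z)' "$file"
        sha256sum "$file"
    } > "$dest/$base.meta" || return 1
    cp -p "$file" "$dest/$base.copy" || return 1
    stat -c %Y "$file"
}

# log_window EPOCH MINUTES LOGFILE
# Prints access-log lines whose [timestamp] lies within MINUTES of EPOCH.
log_window() {
    center=$1; span=$(( $2 * 60 )); log=$3
    while IFS= read -r line; do
        ts=${line#*\[}; ts=${ts%%\]*}    # "14/Nov/2023:22:10:05 +0000"
        # Rewrite to "14 Nov 2023 22:10:05 +0000", which GNU date parses.
        ts=$(printf '%s\n' "$ts" | sed 's#/# #g; s#:# #')
        t=$(date -d "$ts" +%s 2>/dev/null) || continue
        d=$(( t - center )); [ "$d" -lt 0 ] && d=$(( 0 - d ))
        [ "$d" -le "$span" ] && printf '%s\n' "$line"
    done < "$log"
    return 0
}

# demo: constructed file and log lines (documentation IPs), runs offline.
demo() {
    tmp=$(mktemp -d)
    printf 'defaced\n' > "$tmp/index.html"
    touch -d @1700000000 "$tmp/index.html"    # 2023-11-14 22:13:20 UTC
    printf '%s\n' \
      '192.0.2.10 - - [14/Nov/2023:20:00:00 +0000] "GET / HTTP/1.1" 200 512' \
      '192.0.2.20 - - [14/Nov/2023:22:10:05 +0000] "POST /form.php HTTP/1.1" 200 64' \
      '192.0.2.20 - - [14/Nov/2023:22:13:20 +0000] "GET / HTTP/1.1" 200 128' \
      > "$tmp/access_log"
    m=$(record_evidence "$tmp/index.html" "$tmp/evidence")
    log_window "$m" 10 "$tmp/access_log"
    rm -rf "$tmp"
}
```

On a real host, `record_evidence` would be run against each planted file in `/usr/local/apache/htdocs/` before it is removed, with the evidence directory kept outside the web root.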