Koozali.org: home of the SME Server

Excess traffic?

Offline drksam

Excess traffic?
« on: January 13, 2016, 02:45:35 AM »
Hi everyone. I have SME 9 set up and it has been working for some time now, close to a year. A few weeks ago I noticed that the HDD light is on all the time. Today my ISP called and said that my account had lots of traffic that they detected as malware, and locked my account. Without the SME hooked up I have no strange traffic, so I know it has to be it. I know I can format and start over, but there's so much on it that it would be a large job. Does anyone have any ideas on what can be done to figure out what is going on?
« Last Edit: January 14, 2016, 11:19:29 AM by drksam »

Offline CharlieBrady

Re: Sme seems to be infected
« Reply #1 on: January 13, 2016, 03:41:42 AM »
Your best bet would have been to ask security @ contribs.org before you made any changes.

Offline drksam

Re: Sme seems to be infected
« Reply #2 on: January 13, 2016, 03:46:20 AM »
I haven't made any yet. But I will ask there.
Thanks.

Offline Stefano

Re: Sme seems to be infected
« Reply #3 on: January 13, 2016, 08:24:41 AM »
Is there any webapp (WP, Joomla) running on it?

Offline drksam

Re: Sme seems to be infected
« Reply #4 on: January 13, 2016, 11:21:43 AM »
Yes Joomla runs on a couple of ibays.

Offline Stefano

Re: Sme seems to be infected
« Reply #5 on: January 13, 2016, 11:25:05 AM »
OK, my guess is that your Joomlas have been hacked. Are they updated? And their plugins?

take a look at /var/log/httpd/[access|error]_log

install qmHandle (http://wiki.contribs.org/Qmhandle_mail_queue_manager) and take a look at your mail queue
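One way to start on the access log mentioned in the reply above, as an added example that is not part of any post in this thread: it ranks PHP scripts by the number of successful POST requests they received. The heuristic (a script answering many POSTs is worth inspecting first), the threshold, the sample lines and the paths in them are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix:
# host ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = '''\
192.0.2.10 - - [12/Jan/2016:21:00:01 +0000] "GET /site/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2016:21:00:09 +0000] "POST /site/index.php?task=login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2016:22:14:03 +0000] "POST /site/images/example.php HTTP/1.1" 200 12 "-" "-"
203.0.113.7 - - [12/Jan/2016:22:14:04 +0000] "POST /site/images/example.php HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [12/Jan/2016:22:14:04 +0000] "POST /site/images/example.php HTTP/1.1" 200 12 "-" "-"
198.51.100.23 - - [12/Jan/2016:22:14:05 +0000] "POST /site/images/example.php HTTP/1.1" 200 12 "-" "-"
not an access-log line
'''.splitlines()

def post_hotspots(lines, min_hits=3):
    """Return (rows, skipped): rows are (path, hits, distinct_clients) for PHP
    scripts that answered at least min_hits POSTs with a 2xx status, busiest
    first; skipped counts lines that did not parse."""
    hits = Counter()
    clients = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1          # truncated or non-standard line
            continue
        path = m.group("path").split("?", 1)[0]   # ignore the query string
        if (m.group("method") == "POST"
                and path.lower().endswith(".php")
                and m.group("status").startswith("2")):
            hits[path] += 1
            clients[path].add(m.group("ip"))
    rows = [(p, n, len(clients[p])) for p, n in hits.most_common() if n >= min_hits]
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = post_hotspots(SAMPLE)
    for path, n, ips in rows:
        print(f"{n:5d} POSTs from {ips} client(s): {path}")
    print(f"{skipped} unparsed line(s)")
```

On a live server, pass the open access log file to `post_hotspots` in place of `SAMPLE`, then compare the listed scripts against the files the web application is known to ship.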

Offline drksam

Re: Sme seems to be infected
« Reply #6 on: January 13, 2016, 11:28:06 AM »
Ok thank you. I will take a look after work and report back.

guest22

I run Joomla sites and Joomla may have security issues.
« Reply #7 on: January 13, 2016, 11:35:34 AM »
Changing the subject would be a good idea. There is no proof of SME Server being infected and the 'seems' is no excuse to finger point directly to SME Server up front.

I assume you have checked your Joomla versions and plugins (as indicated by Stefano), and extensively searched the Joomla forums and followed up on all their (security) advisories?

Offline Stefano

Re: Sme seems to be infected
« Reply #8 on: January 14, 2016, 10:48:56 AM »
@drksam: please edit the title of your first post here as suggested by RequestedDeletion

do you have any news for us? thank you