In my last post I mentioned I was doing some sysadmin work for UMW Domains and UMW Blogs, as well as Reclaim Hosting—although Tim gives me only so much room to hang myself when it comes to Reclaim 🙂 One of the main issues we have on UMW Domains—UMW Blogs is an AWS dream right now [knock on wood]—is hacked files on compromised accounts that send spam. We’ve had a whack-a-mole problem in our main DTLT account which hosts a whole range of sites and applications—too many actually.
A hacked file will show up in one install, and once we squash that, it will show up in another, etc. So we have started moving all the various applications from various addon domains into their own account attempting to contain the issue to see where it’s coming from. I moved four accounts out this weekend, and Martha has been cleaning and moving out files since last week. Additionally, I spent much of this afternoon running the ConfigServer eXploit Scanner on the DTLT account to try and locate hacked files in the account. I think things may be starting to get cleaned up.
Why all this? Because over the course of the last week or so a few thousand mails have been queued to be sent by spammers. We have been successful at rate limiting the larger runs, which is important because it keeps us off the spam blacklists. There are also a few applications with open registrations that are getting spammed, so I am learning the ropes of hunting them down and fixing these issues. All in all, this is pretty fun, if not a bit harrowing. I like the troubleshooting mindset it puts you in, and it’s a healthy reminder how rich a resource the web is for solving these issues.
One of the tools I now have in my sysadmin toolbox thanks to Tim (who has been a great teacher) is MX Toolbox, which allows you to put in your IP address and check if you have been added to any blacklists. Right now we have a green light, and I intend to keep it that way. No zombie machines on my watch!
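The blacklist check that MX Toolbox does in the browser can also be scripted, which is handy for a cron job that warns you before the next mail run bounces. DNS-based blacklists (DNSBLs) work by publishing an A record for the reversed octets of a listed IP under the list's zone; a 127.0.0.x answer means "listed" and the last octet encodes the reason, while NXDOMAIN means "clean". The script below is an added example written for this post, not MX Toolbox's code: the zone names and the address 192.0.2.10 are constructed placeholders (RFC 5737 documentation space), and you would substitute the zones of the blacklist operators you actually care about. The resolver is injectable so the logic can be exercised offline.

```python
import socket

# Constructed placeholder zones; replace with the DNSBL zones you monitor.
DNSBL_ZONES = ["dnsbl-a.example.org", "dnsbl-b.example.org"]


def reverse_ipv4(ip):
    """Turn 192.0.2.10 into 10.2.0.192 (the form every IPv4 DNSBL expects)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets))


def dnsbl_query_name(ip, zone):
    """Build the name to look up: reversed IP followed by the list's zone."""
    return f"{reverse_ipv4(ip)}.{zone}"


def default_resolver(name):
    """Resolve an A record over the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_blacklists(ip, zones=DNSBL_ZONES, resolver=default_resolver):
    """Return {zone: listing code or None}. Codes are the 127.0.0.x answers.

    An answer outside 127.0.0.0/8 is not a DNSBL listing (typically a wildcard
    or a resolver that rewrites NXDOMAIN), so it is reported as not listed.
    """
    results = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            results[zone] = answer
        else:
            results[zone] = None
    return results


def listed_zones(results):
    """Names of the zones that currently list the address, for alerting."""
    return sorted(zone for zone, code in results.items() if code is not None)


if __name__ == "__main__":
    # Constructed address from RFC 5737 documentation space.
    outcome = check_blacklists("192.0.2.10")
    for zone, code in outcome.items():
        print(f"{zone}: {'LISTED ' + code if code else 'clean'}")
    if listed_zones(outcome):
        raise SystemExit(1)  # non-zero exit lets cron or a monitor raise an alert
```

The exit status makes the script usable as a monitoring probe: a non-zero exit means at least one list has the outbound IP, which is the moment to stop the mail queue and go hunting for the compromised account rather than waiting for the bounces.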