I have a hacker on an old server - which I've left now and will shut down very soon. What I'm worried about is he may have all the email passwords from the old server and then use them on the new server to open one of our clients' email accounts. What I'm most concerned about is that he will send an email with a virus to an account on the new server to again try to regain root access. I thought of configuring exim to deny any emails with attachments for say a few weeks - what do people think of this solution? How would I do this?
I've got an anti-virus clamav setup but it runs say every hour or so - plus it takes about 30 mins to complete one scan, during this time the hacker could send a virus in an email to the new server and open the attachment and maybe gain root access again? Actually is this how trojans work?
I'm also going to email all clients about updating their passwords - but there will always be some who don't.
Anyone got a better solution to this problem? Can anyone tell me how to config exim to block attachments - if this is the only solution.
Why not use clamav to scan incoming mails instead of the entire system? There are plenty of howtos on setting that up. I would also run nessus against your new server to find any potential exploits someone could use to gain root access. You shouldn't worry about a virus giving someone root access since it cannot run itself once it is sitting on the box. Also make sure your mail daemon is running as a non-privileged user such as nobody.
Let's say that someone sent an e-mail with a virus to your server and it was on your server. It may be a virus, but doesn't the file need to be executed for it to infect anything, if it's just an e-mail attachment it won't do much, will it?
I would change all of your clients' passwords for them and not even give them a choice. Explain that it is annoying to them but it will protect them in the long run. I trust you have already told them that the server they were on was compromised and recommended they change their passwords elsewhere as well.
Set up ClamAV with MailScanner. It will scan every email for viruses. At the same time simply ask your client base to change their passwords. Of course you should word it correctly, so it doesn't sound like there is a hacker on your system.
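For the two suggestions that keep coming up in this thread (scan incoming mail with ClamAV rather than the whole filesystem, and refuse dangerous attachments at the mail server), here is an added example of what that looks like using Exim's built-in content scanning talking directly to clamd. This is not the original poster's setup and not a MailScanner configuration; it assumes Exim was compiled with content scanning support (check with `exim -bV`, which lists "Content_Scanning" when present) and that clamd listens on the socket path shown, which varies by distribution. The extension list is a constructed, deliberately narrow set of executable types, not a block on all attachments.

```exim
# Added example (not from the thread): Exim content-scanning configuration that
# rejects infected mail at SMTP time via ClamAV (clamd) and, as a temporary
# measure, refuses a short list of executable attachment types.
# Assumes Exim was built with content scanning (WITH_CONTENT_SCAN) and clamd is
# listening on the socket path below; adjust the path to your distribution.

# --- main configuration section ---
av_scanner = clamd:/var/run/clamav/clamd.ctl

# Hook the MIME and DATA ACLs into SMTP processing.
acl_smtp_mime = acl_check_mime
acl_smtp_data = acl_check_data

begin acl

# Runs once per MIME part, before the whole message is accepted.
acl_check_mime:
  # Refuse attachments whose filename ends in a common executable extension.
  # $mime_filename is the decoded name from the Content-Disposition header.
  # The extension list here is a constructed example; tune it to your users.
  deny message   = Attachment type "$mime_filename" is not accepted
       condition = ${if match {${lc:$mime_filename}} \
                     {\N\.(exe|com|bat|cmd|scr|pif|vbs|js)$\N}}

  accept

# Runs once per message, after the full body has been received.
acl_check_data:
  # Hand the message to clamd; reject it at SMTP time if malware is found,
  # so the sending server gets the rejection and nothing infected lands in
  # a mailbox. $malware_name is the signature name clamd reported.
  deny message = Message rejected: malware detected ($malware_name)
       malware = *

  accept
```

Rejecting during the SMTP DATA phase (rather than accepting the message and bouncing it later) means no infected file is ever written to a user's mailbox and no backscatter is generated to forged senders. After reloading Exim, send yourself a message containing the standard EICAR test string to confirm the clamd hookup works, and watch the main log for the "malware" rejection line. If clamd is down, the `malware = *` condition defers the message by default (a temporary 4xx), which is the safe failure mode; `malware = */defer_ok` would instead let mail through unscanned, so leave that off unless availability matters more than scanning to you.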
I don't see how sending viruses or trojans by email to someone on your server can give root access. The key word is root. If you can do so, you need to trust your root access with someone who won't open attachments for fun.
Blocking all attachments is not going to work. You just antagonize your real users.