Discourse sent 18K+ Emails? Or, my server got hacked

I’m gonna be honest here, I have no clue how to word this thread, or what I need to provide to receive help. All I know is that Discourse sent 18K+ emails and failed to send 7K+ emails (after my Amazon SES was frozen for having such a high bounce rate, ~20%). It also looks like it’s still trying to send 500+ emails.

EDIT: My forum only has 8 members.

Conclusion: Port 53 was open, even though I didn’t ever install a nameserver. Guess it got hacked (even if Sidekiq was listing all of the processes, I know it’s hacked still).

2 likes

My guess is that email or redis was broken for a long time and today it got fixed and sent out a bunch of queued up mail.

You can look at admin, email, to see what it sent.

2 likes

There’s only been 23 emails sent ever when I go there.

EDIT: The day this happened was April 10th (I just now figured out it was Discourse that sent the emails), and there’s not a single email on there from the 10th.

1 like

Then something else sent the emails.

That’s the best explanation.

1 like

What would’ve? I don’t run anything else on the server but Discourse. Could I have been attacked or something?

1 like

Also just found this: under the Retries tab on the Sidekiq dashboard, the arguments are all something like this:
{"type"=>"digest", "user_id"=>11, "current_site_id"=>"default"}

1 like

Perhaps someone got your SMTP password and sent from somewhere else? Perhaps they hacked your server (is it protected by a password, and you don’t have fail2ban?). Something like that.

There’s pretty much zero chance that Discourse has anything to do with it.

You should probably set up a new server and migrate discourse there.

1 like

That’s what I thought, so I went and checked the last login to it, and it was from me in March.

1 like

It may be surprising, but it’s not hard to edit logs. Or install a rootkit that does it. The addresses you’re sending to don’t exist in Discourse, right? So it didn’t send the messages.

It’s almost certain that you’ve been hacked.

Do you log in with a password? Do you have fail2ban?

Google for how to see what ports are open and see if anything other than 22, 80, and 443 are open.

2 likes
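The check suggested above (list the listening ports, compare them to the 22/80/443 a Discourse-only host should expose, and see which process owns anything else) can be scripted so it is repeatable. This is an added example, not code from the thread or from Discourse; it assumes a Linux host with iproute2's `ss` available, and the socket table it parses by default is a constructed sample that mimics the situation in the thread (an unexplained listener on UDP 53).

```shell
#!/bin/sh
# Added example: audit listening sockets against an allowlist of expected ports.
# Assumes iproute2's `ss` for the live check; the sample below is constructed.

# Ports a Discourse-only host is expected to listen on (per the thread).
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -tulpnH` output (no header, one socket per line).
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80    0.0.0.0:* users:(("nginx",pid=1402,fd=6))
tcp   LISTEN 0 511 0.0.0.0:443   0.0.0.0:* users:(("nginx",pid=1402,fd=7))
udp   UNCONN 0 0   0.0.0.0:53    0.0.0.0:* users:(("unknownd",pid=2331,fd=4))'

# Reads `ss -tulpnH` style lines on stdin and prints "port proto process"
# for every listener whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # Field 5 is Local Address:Port; take the text after the last colon so
        # 0.0.0.0:53, [::]:53 and *:53 all yield 53.
        split($5, addr, ":"); port = addr[length(addr)]
        if (!(port in ok)) {
            # Process name sits in the users:(("name",pid=...)) column, if ss could see it.
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            print port, $1, proc
        }
    }'
}

# Run the audit over the constructed sample (offline, deterministic).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners
}

# Run the audit over the real socket table; needs root to see other users' process names.
audit_live() {
    ss -tulpnH 2>/dev/null | unexpected_listeners
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    audit_sample
fi
```

Run it with `--live` on the host in question; any line it prints is a port that neither Discourse nor SSH needs, and the process name tells you what is bound to it. An empty process column usually means `ss` was not run as root, not that nothing owns the socket.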

The only other port than 22, 80, and 443 that’s open is 53. And I don’t know what fail2ban is, but I’ll look into it and try to increase security. I assume I should go ahead and close port 53?

1 like

You can see what’s got it open. You didn’t install a name server, so that’s probably the culprit.

You need to spin up a new server and move there. You cannot know what is on the server. Everything is suspect.

1 like

What about the backup files, are they okay to import there?

1 like

Your Discourse backup files should be safe. You could even make a new backup now to make sure that you have all your data.

1 like

Alright sweet, thanks for your help!

2 likes

Did you ever post your app.yml anywhere or share any screenshots for troubleshooting?

Nope, never posted my app.yml anywhere or screenshots.

The screenshot in your first post looks very much like Sidekiq - which processes jobs for all sorts of things besides email. Is that screenshot where you’re getting the 18k email count from?

1 like

It was, but it’s the exact same amount of emails that Amazon SES says were sent.

2 likes

If you got hacked, it’s VERY unlikely that the hackers stole your creds and then sent the emails via Sidekiq.

If you go to your sent email logs in /admin/email/sent, do you see any hints there as to why the huge quantity?

6 likes

I’ve already shut down the server, but if you’re talking about the emails that were sent by Discourse, then,

1 like