Find And Kill Spammers!

May 18, 2007

Just got alerted that my server is being used to send spam. Here is the information the datacenter gave me:

[information .....]

NOTE: I changed the real domain name and IP only.

Is there an expert who can help me decipher this? How do I find the culprit? My provider is threatening to shut me down and sink all my clients with the ship!

I am running the latest WHM and cpanel server, fyi.

How-To: Find PHP Nobody Spammers!

Apr 9, 2004

Someone posted some code similar to the below. I made a modification or two after trying to detect PHP "nobody" users; after dumping a few printenv outputs I found PHP exports PWD when calling an external program such as sendmail. Basically the PWD will show the user directory that it is coming from, which is enough to detect who is sending spam even as nobody! It's not 100% secure in that they could wipe /var/log/formmail, but I don't imagine any spammer will notice the logger; they presume any cPanel server (or other CP for that matter) is the same.

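mv /usr/sbin/sendmail /usr/sbin/sendmail2
pico /usr/sbin/sendmail (paste the below code into it)
chmod +x /usr/sbin/sendmail
echo > /var/log/formmail
chmod 777 /var/log/formmail

#!/usr/local/bin/perl
# Logging wrapper: records who invoked sendmail, then hands the message to the real binary.
use strict;
# Import only the environment variables the logger reads.
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = scalar localtime;
open(INFO, '>>', '/var/log/formmail') || die "Failed to open file ::$!";
my $uid  = $>;    # effective UID of the caller
my @info = getpwuid($uid);
if ($REMOTE_ADDR) {
    # CGI request: the web server exported the request details.
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
    # PHP mail() running as "nobody": PWD is the directory of the calling script.
    print INFO "$date - $PWD - @info\n";
}
close(INFO);

# The real sendmail, moved aside by the mv above. The list form of open passes
# the arguments without a shell, so metacharacters in them are not interpreted.
my $mailprog = '/usr/sbin/sendmail2';
open(MAIL, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!";
while (<STDIN>) {
    print MAIL;
}
close(MAIL);
exit($? >> 8);    # pass the real sendmail's exit status back to the caller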

Using Find Command With Regex To Find All Number-only Filenames

Oct 15, 2007

How can I do a search for all files (probs using regex) consisting purely of numbers?

For example, find:

53243.php
24353.php
24098.php

(always have 5 numbers).

Seems one of my accounts has had some script run which generated a bunch of these in various subfolders, and the PHP file basically does a callback to www3.rssnews.ws and www3.xmldata.info, which seem to be some sort of spyware servers.

How To Kill Apache

Apr 19, 2009

This morning Apache stopped serving pages. I have tried to restart it
with no success:
-------
init.d/httpd restart
-------
init.d/httpd stop
killall httpd
init.d/httpd start
-------
killall httpd
init.d/httpd restart
-------

and suchlike several times; every time it failed with the
"address already in use" message.

It was 4 o'clock in the morning so I stopped investigating and restarted the machine.

Is there a way to really shut down such a completely non-responsive process without restarting the machine?

Just a notice - there was not a heavy server load at the time.

------------------

Server Version: Apache/2.2.6 (Mandriva Linux/PREFORK-8.2mdv2008.0) mod_ssl/2.2.6 OpenSSL/0.9.8e PHP/5.2.4 with Suhosin-Patch
Server Built: Sep 12 2008 14:54:18

Kill SSH Tunnel

Jun 26, 2008

I'm doing the following to create an SSH tunnel:

Code:
ssh -fNg -L 8888:127.0.0.1:3306 user@123.456.789.0

How can I sort of "undo" that? I ask because I need to re-tunnel in to a different IP address but right now the only way I can figure to do it is to restart my computer (which is lame).

Trying To Kill My Bandwidth

Jan 26, 2007

One of my sites, hosts mp3s for music I've written for video games etc.

I uploaded a track in December, and this month my bandwidth has rocketed from 18g to 25g.

When I look at the awstats I see this...

a.a.a.a      1181   1181   146.82 MB   26 Jan 2007 - 17:47
a.a.a.a+1    1116   1116   198.40 MB   26 Jan 2007 - 17:49
b.b.b.b      1151   1151   19.61 KB    26 Jan 2007 - 08:00
c.c.c.c      620    620    23.71 MB    26 Jan 2007 - 15:18
d.d.d.d      543    543    0           25 Jan 2007 - 20:52
e.e.e.e      537    537    0           25 Jan 2007 - 20:18
f.f.f.f      310    310    4.18 MB     26 Jan 2007 - 17:00

Now I'm not sure about the MB values, they don't look true at all, but why suddenly would the two top places have the same IP address bar a value of 1?

If I scroll down to file usage, I see

/blah/blah/blah.mp3
7533   305.76 KB   5268   5276 - so it's been viewed 7533 times

and the next most popular page or file is,
/
1009   9.69 KB   830   412

Then looking at the search engine stats the most popular search engine phrase is this
[url][summer dance]   450   41.2 %

450 times? and yes, - np2sp6qjpj2jkzevo5mcl2fjmw$$.mp3 [summer dance] - this is the filename coming up even though it doesn't exist on the server

It's twice as popular as "game sounds" which is the site, and is on google... something fishy going on here.

The most popular site to come from is [url] times in fact, and that's a Japanese/Chinese/Eastern site which I don't understand.

The IP address appears to be Chinese too.

Can anyone explain to me what might be going on here please? It appears that someone is continuously downloading this specific file, just to use up my bandwidth?

Kill Command Options

Nov 11, 2008

I want to know what kill -6 PID does.

Is there anything else like kill -1, -2 (except 9)?

Also, what is the diff between kill and kill -9?

Command Kill Zombies

Jul 1, 2008

What is the command to kill zombie processes?

I have 13 in my server and using "kill PID" is not doing anything...

Couldn't Kill A Process

Mar 27, 2007

There is a process on my server:

9897 root 20 0 1872 588 504 R 99.9 0.0 210:11.25 repquota

I tried kill -9 or kill -15, couldn't kill this.

Disable Rapidget/kill In VPS.

Dec 15, 2007

I have a VPS.

How can I disable Rapidget/Rapidkill etc. in my VPS?

Kill All Mysql Processes

Mar 16, 2007

How to kill all MySQL processes? Either all in general, or those only with sleep status, or all for a given user.

How Kill All Proces User Nobody

Jun 18, 2007

How do I kill all processes of user nobody with a shell command?

Could Any Of These Processes Kill My Server

Nov 16, 2007

Recently the server has been a lil unstable... unsure why. The only recent thing I've installed is the eaccelerator thingy.

And it was a lil unstable before that.

Correct Way To Kill Root Account

May 21, 2009

What's the correct way to stop using root and set up a su account?

We Kill Servers :: Cloud/cluster

Apr 10, 2008

Our website is based around a customer based chat system. Customers are only on the system during a particular day and time range. So for parts of the week the server gets almost no traffic. When the time for a chat comes up we get hundreds of people on the site all doing page requests every few seconds.

So as you might imagine we are bringing the server to its knees with heavy CPU and memory loads. Plus bandwidth usage is really high. We are currently on the biggest box that Rackspace has to offer. The site runs OK on it during these times. It's a little slow but not unbearable.

But we have not hit our max customer base. In fact if all goes well we will double our customer base next month. So I know when we do we will bring that box down totally.

I was thinking about possibly trying a cloud/cluster based approach but after some research on this site I have found that is probably not the best option.

So I am looking for advice on what to do? Is there a better host? Different technology?

Servers are not my thing really so I could really use some help.

No we can't change the way customers access the site or when they access. There is nothing that can be done in that regard so don't suggest it.

How To Kill Process That Takes Long

Apr 6, 2007

I am running phproxy on my dedicated server.

Sometimes some process hangs for a long time.

I want to kill processes automatically when they take more than 5 minutes.

And is there any tip you will share to optimize my server best for phproxy?

Kill High Resource Usage

Apr 19, 2007

I have seen posts that some hosts suspend a user after so many seconds of high server resource usage... I was wondering how this is done so that I can do this on my dedicated server.

Make User2 Able To Kill User1's Processes?

Jun 14, 2009

user1 is running some things on the server. I need user2 to be able to kill these processes (just kill, not start up again on the other user or any other extra privileges). How can I do this?

DDOS Attack Kill Only Apache Server

Jan 11, 2007

I have a question related to a DDOS attack. My hosting provider told me that my server was DDoS attacked a few days ago. But in those days my server worked fine; only the Apache server was down. The strange fact is that on the same day as this "DDOS attack" one of their admins worked on something in the SSL section of my server, and during this operation the SSL hosts were down and httpd worked slowly.

In the past 3 months httpd worked very slowly, and after 2-3 restarts of the httpd service the load dropped down below 3.00. I believe their httpd service already had problems and that the SSL configuration caused the Apache failure on that day of the "ddos attack".

I repeat: on that day ONLY SSL hosts worked fine and non-SSL hosts were down.

Is it possible in a DDOS attack for the load to be under 0.5, SSL hosts to work fine, and FTP, mail and other stuff to work like there is nobody on the server (VERY FAST)?

Plesk 12.x / Linux :: Kill All Backup Processes

May 2, 2015

How do I kill all Plesk backup processes?

Setting Up Cron Job To Kill Exim Mail Queue

Apr 19, 2009

How do I set up an hourly cron job to kill exim mail queues on the cPanel server?

I know this question may sound a little tedious as I have tried to find an answer to this but still have no clue yet.

Remotely Kill/erase Windows Hard Drive

Aug 20, 2008

Any tools or programs that will execute either with Windows on (remote desktop) or install a boot script that will wipe off the hard drive without going to the datacenter?

This is for Windows Server 2003.

Spammers On VPS

May 17, 2009

Any thoughts, or opinions are welcome. Looking for options on how to stop this.

Recently I've started receiving spam that appears to originate from a hosted domain on my VPS. It appears to only be an issue with this website account and not the VPS generally.

I've disabled the IMAP service to ensure the spam was not being sent from the server. The spam continues which leaves the POP email accounts as a possibility or something else.

My hosting provider says it looks like email spoofing.

Someone seems to be using the address at foobar.com to send out spam. The method that he has employed is called email spoofing. Email spoofing is the practice of changing your name in email so that it looks like the email came from somewhere or someone else. However, you need not be concerned.

Individuals, who are sending "junk" email or "SPAM", typically want the email to appear to be from an email address that may not exist. This way the email cannot be traced back to the originator. The spammer is not using our server to send out spam, hence your email address will never be blacklisted.

There is really no way to prevent receiving a spoofed email. Remember that although your email address may have been spoofed this does not mean that the spoofer has gained access to your mailbox.

The following are headers of two spam emails. Both of these addresses are set up as forwarders and not actual email accounts. The spam came to our attention because it is being sent to addresses on foobar.com with headers as also originating from foobar.com.

I changed the actual names for privacy
host.vpsdomain.com [123.123.123.123] - VPS domain
foobar.com - website account on VPS
myemailaccount@gmail.com - address foobar forwarders send to

Delivered-To: myemailaccount@gmail.com .....

Spammers Help

Jan 26, 2007

It looks like someone is spamming from our server. I have checked exim_mainlog and got this info.

The log file is showing this.

2007-01-22 19:11:24 1H99Fz-0004wm-Vp <= <> R=1H99Fz-0004wl-RV U=mailnull P=local S=605030
2007-01-22 19:11:24 1H99Fz-0004wl-RV <= stlawson100@yahoo.com.hk U=churchre P=local S=3558 id=23894.217.194.149.171.1169511083....el@65.xx.xx.xx

I couldn't find who is sending.

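How to read the two arrival lines quoted in the post above, as an added example that is not part of the original post: in exim's main log `<=` records a message arriving, `=>` and `->` each record one delivered recipient, and on a `P=local` arrival the `U=` field is the local account that submitted the message. The Python below ranks local accounts by delivered recipients and credits bounces (`<>` arrivals carrying `R=<original ID>`) to the account that caused them; the log sample, the IDs and the account names `acct1`/`acct2` are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in exim_mainlog format; every ID, account, address and host is a placeholder.
SAMPLE_LOG = """\
2007-01-22 19:11:24 1AAAAA-000001-AA <= promo@example.org U=acct1 P=local S=3558
2007-01-22 19:11:31 1AAAAA-000001-AA => u1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2007-01-22 19:11:31 1AAAAA-000001-AA -> u2@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2007-01-22 19:11:31 1AAAAA-000001-AA -> u3@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2007-01-22 19:11:32 1AAAAA-000001-AA ** gone@example.net R=lookuphost T=remote_smtp: SMTP error from remote mail server
2007-01-22 19:11:32 1AAAAA-000002-AA <= <> R=1AAAAA-000001-AA U=mailnull P=local S=4100
2007-01-22 19:11:33 1AAAAA-000002-AA => promo@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.20]
2007-01-22 19:12:02 1AAAAA-000003-AA <= bob@example.com H=client.example.com [192.0.2.30] P=esmtp S=1200
2007-01-22 19:12:03 1AAAAA-000003-AA => alice@example.com R=localuser T=local_delivery
2007-01-22 19:14:10 1AAAAA-000004-AA <= info@example.com U=acct2 P=local S=900
2007-01-22 19:14:11 1AAAAA-000004-AA => c1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
"""

# timestamp, message ID, event flag, remainder of the line
LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\S+) (<=|=>|->|\*\*) (.*)$")


def parse_mainlog(text):
    """Return {message_id: record} built from arrival, delivery and failure lines."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Completed", queue-runner and other line types are not needed here
        msgid, flag, rest = m.groups()
        rec = msgs.setdefault(msgid, {"sender": None, "user": None, "proto": None,
                                      "bounce_of": None, "delivered": 0, "failed": 0})
        if flag == "<=":
            tokens = rest.split()
            if not tokens:
                continue
            rec["sender"] = tokens[0]
            fields = {}
            for tok in tokens[1:]:
                key, sep, value = tok.partition("=")
                if sep:
                    # Keep the first occurrence of each key so free text later on the
                    # line (such as a logged subject) cannot overwrite U= or P=.
                    fields.setdefault(key, value)
            rec["user"] = fields.get("U")
            rec["proto"] = fields.get("P")
            if rec["sender"] == "<>":
                # A bounce: R= on the arrival line is the ID of the message that failed.
                rec["bounce_of"] = fields.get("R")
        elif flag in ("=>", "->"):
            rec["delivered"] += 1
        else:  # "**" permanent delivery failure
            rec["failed"] += 1
    return msgs


def rank_local_senders(msgs):
    """Rank local accounts (P=local) by delivered recipients, busiest first."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "failed": 0, "bounces": 0})
    for rec in msgs.values():
        if rec["proto"] != "local" or rec["user"] is None:
            continue  # arrived over SMTP, or its arrival line is not in this log
        if rec["bounce_of"]:
            # Credit the bounce to the account that submitted the original message.
            orig = msgs.get(rec["bounce_of"])
            if orig and orig["user"]:
                stats[orig["user"]]["bounces"] += 1
            continue
        s = stats[rec["user"]]
        s["messages"] += 1
        s["recipients"] += rec["delivered"]
        s["failed"] += rec["failed"]
    return sorted(stats.items(), key=lambda kv: (-kv[1]["recipients"], kv[0]))


if __name__ == "__main__":
    for user, s in rank_local_senders(parse_mainlog(SAMPLE_LOG)):
        print(f"{user:10} messages={s['messages']} recipients={s['recipients']} "
              f"failed={s['failed']} bounces={s['bounces']}")
```

An account with few messages but many recipients, failures and bounces is the one to look at first; pass the contents of the real log file to `parse_mainlog` in place of the sample.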

Spammers

Dec 15, 2007

Problem with spammers. I installed bruteforce attack and apf but spammers are still trying to use my mail server to spam. bfa is sending me 20-30 warning emails every day like

Quote:

The remote system 200.83.230.214 was found to have exceeded acceptable login failures on xxxxxx; there was 62 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 200.83.230.214 {bfd.exim}

The following are event logs from 200.83.230.214 on service exim (all time stamps are GMT -0600):

These spammers are causing the CPU load to go very high and freeze my server sometimes.

Is there any way I can set it up to only allow authenticated users to access the mail server? Or any ideas?

I'm not a hosting company, just hosting my websites, and I'm a poor guy who can't hire a server admin. I have searched for it on Google and couldn't find anything.

How To Stop Spammers?

Jun 30, 2008

I was wondering if anyone has any methods to stop spammers? Currently I am keeping watch on the mail queue and making sure there is nothing unusual. I have the WHM configuration set up to not allow more than 200 mail messages per account per hour but for some reason it will hit thousands. WHMCS does seem to suspend them automatically, or maybe it's because of WHM, BUT only when it's too late.

Any thoughts or suggestions?

Spammers Hotlinking

Nov 8, 2009

I have found some spammer hotlinking to my images to get his site crawled, I have modified the .htaccess to attempt and serve his hotlinking domain with a warning but it does not work...

My actual .htaccess file is the one below (it was created by wordpress automatically):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I am adding these lines right below:

--------------------------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+.)?spammerdomain.com/ [NC,OR]
RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]
------------------------------------

My questions...

I don't know too much what I am doing, following the tutorial here, http://altlab.com/htaccess_tutorial.html but the problem is that my .htaccess already contains something created by WordPress that to me looks like garbage as I don't understand the meaning.

I don't know if I should add the lines inside the <IfModule mod_rewrite.c> or outside them as I have done.

I don't know if it is OK to have Rewrite Engine On two times.

PS: When I added the lines I describe above, my site also stopped displaying the images; I had stopped everyone including myself from hotlinking them. I only want to stop a certain domain. Or even better, my ideal solution is to WHITELIST my domain names (I have two hotlinking to those images), but I will settle for a blacklist if it is easier.

How To Stop Spammers ...?

Jun 2, 2009

I have a persistent spammer who kept emailing my clients, even non-existent domain accounts, and getting the bounced emails sent to a particular Yahoo address. I tried to block him in all ways but can't seem to stop him. His spam is from all over the world. Any suggestions?

How To Catch The Spammers?

Jun 3, 2007

I have someone on my server who likes to send spam emails. How would I go about catching this person?

Protecting Against Spammers?

Jan 29, 2008

I was on my visitors on AWstats, and when looking up most of the top IPs (the ones that viewed the most pages), most of them were associated with IANA, and tagged as spam/hacker IPs.

Of course, I've blocked all of those IPs with my .htaccess file, but how can I further protect my server from such threats? How can I rid my server of these spammers/hackers?
