How To Find The Script Which Uses Exim And Apache To Send Spam
Mar 14, 2008
Not long ago somebody hacked our customer's account through the vulnerability in the phpBB Album module and uploaded some scripts. Then it started to send Nigerian spam using exim and apache. These scripts were found and deleted and the Album module was fully deleted too. But when I look at the processes now I see that exim and httpd still start very often, so the system resources are probably overused by them...
I've looked through my exim logs a number of times and I see emails being sent out with "from:" fields with email addresses of other domains. Usually they are spam related and fraudulent.
How can exim be setup to only send out emails that have localdomains in their from fields?
E.g. if I have an account bob.com on my server, then the owner of bob.com can only send out emails as "firstname.lastname@example.org"; no matter what else he tries to do, that's all exim will send out.
How can you get exim to do this? I have been using filtering to block commonly spammed domains like aol.com, hotmail.com etc. - any emails sent out with these in their from fields are filtered and blocked - but rather than building up a larger and larger filter of commonly abused domains, why not just block everything except domains on your server?
I have a web blog that shows promise of growing pretty big soon! This is a vBulletin with chatbox and arcade games. The forum is for gamers and game modification talk. I want to keep my features such as the in-forum mp3 player for streaming music. I host no files; everything is linked from outside sources. Even photos are linked from photo hosts. I foresee about 20-30 members on at all times browsing and chatting in the chatbox, playing in the online arcade!
I have no idea how much bandwidth all this will use up. I do know that 20-40 gig of space should be quite enough but as always I want all I can get. As far as bandwidth I have no idea what all those features will eat up.
I have looked at fatcow.com and talked to them; they said their "unlimited" is this: 300 gig space, 3000 gig bandwidth, and they do not keep up with MySQL databases. I looked on BBB and they have an A+ record; compared to hostgator, who have unsatisfactory! The only problem is they are yearly contract only. I do not trust this! I also have to let them re-bill me at the end of the year and this gives them access to my account. The payment options are check, PayPal, or credit.
I've just come across an issue with a mailing list on a Linux server. The problem is that when a message is broadcast from a mailing list having around 1500 subscribers, most of them having @yahoo.com and @hotmail.com addresses, the message to most of the recipients fails with the following error...
2009-07-09 12:26:25 1MOn2u-0001CB-QJ SMTP error from remote mail server after RCPT TO:<email@example.com>: host c.mx.mail.yahoo.com [188.8.131.52]: 452 Too many recipients
It is because exim tries to send a message to as many recipients as it could to users on the same domain.
On a Windows server, I was running Merak mail server and there was an option to send a separate message to all mailing list subscribers, but I don't know where it could be located in the exim config, or even if it has one!
I have a dedicated server, the server itself is secure (as far as I know) and I run lots of my sites from it. I offered a friend hosting for his flash based chat application he built.
Today I was contacted by someone; "Are you the owner of xxxx.net?" so I informed that yes, it was my server and they then showed me an email they'd received from my server. I did a search and apparently someone uploaded mail.php and a couple of files it was using to send out spam based upon a variety of conditions that the other files met. The files contained forenames and surnames, it'd use a forename and a surname then send it to popular free mail services. The email contained ramblings about new world order and promoted a website.
How can I find out how they got the files uploaded to the account and what action can I take? I checked the whois for the domain and have their contact information, however it's a large site so I'm doubtful that the owner did it. I don't want my server's IPs being blacklisted for spam :|
I don't know about you guys... But when my datacenter opens a Ticket, I drop anything else I'm working on to take care of it...
God forbid someone had reported spam on MY domain, and they were warning me with a server take down notice.
Imagine my surprise when it turned out it was them breaking their own spam policy.
Here's the ticket /SPAM for those interested:
-- Dear Customer,
Your account has been selected for a special promotional price on our Network Attached Storage (NAS) for off-server backup. This is a great way to ensure that your mission critical files and data are kept safe in case of some form of hardware failure. The FTP/NAS storage we offer is basically an allotment of space on one of our shared storage servers. We will provide you with the IP address and login to the space, and you can FTP your data across the private network from the private NIC on your server to this space.
You or your server administrator can automate the process by installing a script/cron job, or by setting up the backup utility within cPanel or Plesk.
Currently your account is eligible to order a NAS account for one half of the normal retail pricing. You will need to be logged in to your customer portal at the following link:
Enter the following promotional codes to take advantage of the special pricing.
$5/mo for 20GB of NAS: Half20nas $10/mo for 40GB of NAS: Half40nas $20/mo for 80GB of NAS: Half80nas $25/mo for 100GB of NAS: Half100nas $50/mo for 250GB of NAS: Half250nas
Having a solid backup of critical data is very important. It can save hours of time and trouble for your server administrator in the event the server is compromised, or the hard drive fails. For just a few dollars a month you can rest assured that your files and data are securely stored and your business is safe. How much is your business worth to you? If it is worth more than a few dollars a month I suggest you take advantage of our half off NAS storage promotion while it lasts as this promotion is only good for 7 days!
I'm facing a serious problem with my qmail and Plesk 11.0.9. I found the way the spammer did it with my server by listening to everything on port 25. Maybe he knows the RCPT hosts of mine, and they send emails with random usernames but with a domain hosted on my Plesk (firstname.lastname@example.org, user2@ my domain.com, ... email@example.com).
qmail only checks the domain in RCPT if the spammer inputs "mail from firstname.lastname@example.org" (without ":") - no such email address on my server. Then the server replies: 550, no mailbox here by that name. (#5.7.17)
But qmail checks the username and domain if the spammer inputs "mail from: email@example.com" (with ":") - no such email address on my server. Then the server replies: 250 OK. This is really weird! I tried with all my Plesk servers; this bug still occurs.
We received a few days ago a warning that our server is spamming. We hired someone to find the problem and it turned out that someone was using our phplivesupport to send spam from our server. The person who we hired showed us this http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6769 ("Multiple cross-site scripting (XSS) vulnerabilities in PHP Live! 3.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the...") I sent a ticket to them and asked when they are going to release a new version and they did not answer; I asked them for a refund and no answer.
1) What do you think about this whole situation? You don't think they should refund us? (or release a new version)
I've been getting a lot of "Undeliverable" emails sent to my email address. On these messages, the spammer is using my email on the "From" part of the email...... So whenever he sends out spam, the person(s) getting spammed think it's from me..... And the thousands of Undeliverable email error messages are also sent to me.
Is there a way to stop this from Happening? ....... Besides changing my email address?
We have just had reports of SPAM being sent from our CentOS 6.x server running Plesk 12.
Services like Plesk Premium antivirus, SpamAssassin, watchdog (rkhunter) and mod_security are enabled on the server to enhance security and none of these seemed to stop the scripts.
The issue is that multiple domains are sending out mail from this server, so it is difficult to find the script sending out SPAM. When we were running Plesk 11.0 we had a separate log-file where we could see the file sending any mail going out from the postfix mailserver. I have checked both /var/log/maillog and /usr/local/psa/var/log/maillog, but there is nothing in those files to tell me the file that sent the mail.
How would I go about finding this file from either the Plesk Control Panel or through SSH (using log-files)?
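Added example, not from the post above and not Plesk's own tooling: on a CentOS/Plesk server where Postfix is the MTA, two logs do record where locally generated mail came from. Postfix's pickup service logs the uid and user of every process that handed a message to the sendmail binary (uid=48 / apache on CentOS means a web script), and PHP's own mail log, enabled in php.ini with mail.log = /var/log/php-mail.log, records the path and line of every script that called mail() (mail.add_x_header = On additionally stamps each message with an X-PHP-Originating-Script header). The script below tallies both. The log lines are constructed, the PHP mail.log line format is assumed, and the method only catches scripts that go through PHP's mail(); a script that opens its own socket to port 25 instead appears in the Postfix log as an smtpd client connecting from localhost.

```shell
#!/bin/sh
# Added example (not from the post or from Plesk): locate the script behind
# outgoing spam on a Postfix box. Assumes CentOS-style /var/log/maillog and
# PHP's mail.log enabled in php.ini (mail.log = /var/log/php-mail.log).
# Both log samples below are constructed for the example.

# Postfix "pickup" lines are written when a local process hands a message
# to the sendmail binary; uid/from identify the submitting Unix user.
SAMPLE_MAILLOG=$(cat <<'EOF'
Sep 18 12:00:01 host postfix/pickup[2321]: 3E2A41C0: uid=48 from=<apache>
Sep 18 12:00:01 host postfix/cleanup[2330]: 3E2A41C0: message-id=<20140918120001.3E2A41C0@host.example.com>
Sep 18 12:00:01 host postfix/qmgr[1200]: 3E2A41C0: from=<apache@host.example.com>, size=2048, nrcpt=1 (queue active)
Sep 18 12:00:02 host postfix/pickup[2321]: 4F3B52D1: uid=48 from=<apache>
Sep 18 12:00:03 host postfix/pickup[2321]: 5A4C63E2: uid=10001 from=<alice>
Sep 18 12:00:04 host postfix/smtpd[2400]: 6B5D74F3: client=mail.example.net[198.51.100.5]
EOF
)

# PHP mail.log lines (format as written by PHP's mail() when mail.log is
# set; assumed here): path and line of the calling script.
SAMPLE_PHP_MAILLOG=$(cat <<'EOF'
[18-Sep-2014 12:00:01 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/wp-content/uploads/2014/09/cache.php:17]: To: victim1@hotmail.com -- Headers: From: "Jane" <jane@example.com>
[18-Sep-2014 12:00:02 UTC] mail() on [/var/www/vhosts/example.com/httpdocs/wp-content/uploads/2014/09/cache.php:17]: To: victim2@yahoo.com -- Headers: From: "Jane" <jane@example.com>
[18-Sep-2014 12:00:03 UTC] mail() on [/var/www/vhosts/shop.example.org/httpdocs/contact.php:42]: To: owner@example.org -- Headers: From: shop@example.org
EOF
)

# Step 1: which Unix user is injecting mail locally? Reads maillog on
# stdin, prints "<count> <uid> <user>", most frequent first. A web-server
# uid at the top means a script, not a mail client, is sending.
pickup_by_user() {
  sed -n 's/.*postfix\/pickup\[[0-9]*\]: [0-9A-F]*: uid=\([0-9]*\) from=<\([^>]*\)>.*/\1 \2/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Step 2: which PHP script called mail()? Reads PHP mail.log on stdin,
# prints "<count> <script path>", most frequent first.
php_scripts() {
  sed -n 's/.*mail() on \[\([^]:]*\):[0-9]*\].*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Convenience: just the busiest script, i.e. the file to go and read.
top_php_script() {
  php_scripts | head -n 1 | awk '{print $2}'
}

# Demo on the samples; on the server feed the real files instead:
#   pickup_by_user < /var/log/maillog ; php_scripts < /var/log/php-mail.log
printf '%s\n' "$SAMPLE_MAILLOG" | pickup_by_user
printf '%s\n' "$SAMPLE_PHP_MAILLOG" | php_scripts
```

Once the script path is known, check the file's mtime and the Apache access log for the POST requests that drove it; that is usually how the upload route (the vulnerable upload form or stolen FTP credentials) is found.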
Hoping someone can help here. I have a web server running a couple of sites, has been for a couple of years now. With one of the domains, I have an email forwarder setup through cpanel to forward mail sent to a specific address at that domain to my gmail account (it's a "contact us" type address). I don't think the email address is listed on the web anywhere.
Anyway, I am noticing a lot of spam emails being sent to that address, from that same address and they all appear to be relayed through my exim server legitimately. Obviously they aren't (as I am not sending them).
I am only familiar with sendmail, and am unsure about where to look for any possible hacks to my exim server. Can someone point me in the right direction? I want to stop these spam messages being sent, asap.
After noticing the SQL errors on my sites, I went in to take a closer look.
First thing I noticed was my server load was at 200! This was all due to EXIM!
I stopped exim and then watched my load go back down to like 1... then started it, and it gradually rose again.
After using the Exim Cheat Sheet...
I discovered I had over 7000 messages frozen in my queue and a few thousand not frozen.
After erasing all of the frozen messages because they were all spam, I am left wondering what I can do to stop this from happening again...
1. Is this spam being SENT FROM me? Or TO me?
2. Regardless of the answer to #1, how do I make it stop? I don't host any significant sites, and the server only has a few sites on it. None of the domains match up with anything I have anything to do with, so it's all worthless and nobody on my server heavily uses their email through me.
What do I do? This is the second time I have had my system with a load this high and after the first time, I paid a chunk for more RAM.
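Added example, not from any of the posts: the question in this post ("is this spam being SENT FROM me or TO me?"), the phpBB Album post at the top of the thread, and the exim forwarder post just above can all be answered from the Exim main log itself. Every message Exim accepts gets a "<=" arrival line; a local submission through the sendmail binary carries P=local and U=<unix user>, while mail that arrived over SMTP carries H=<host> [ip] (and "<= <>" is an inbound bounce, which is what a forged-From backscatter flood looks like). If log_selector includes +arguments, Exim also writes a cwd= line with the working directory of each process that called sendmail, which is the directory the spamming script lives in. The script assumes the Exim 4 mainlog format (typically /var/log/exim_mainlog on cPanel, /var/log/exim4/mainlog on Debian) and that +arguments is enabled; the log lines in it are constructed for the example.

```shell
#!/bin/sh
# Added example: Exim mainlog triage (not code from the original posts).
# Assumes Exim 4 main log format with log_selector = +arguments, which
# writes a "cwd=<dir> N args: /usr/sbin/sendmail ..." line for each local
# sendmail invocation. Typical log paths: /var/log/exim_mainlog (cPanel),
# /var/log/exim4/mainlog (Debian/Ubuntu).

# Constructed sample log for the example (not a real server's log).
SAMPLE_LOG=$(cat <<'EOF'
2008-03-14 10:01:02 cwd=/home/bob/public_html/album 4 args: /usr/sbin/sendmail -t -i -f nobody
2008-03-14 10:01:02 1JZyXa-0003Kq-1x <= nobody@server.example U=nobody P=local S=1842
2008-03-14 10:01:03 1JZyXa-0003Kq-1x => victim@hotmail.com R=dnslookup T=remote_smtp H=mx1.hotmail.com [192.0.2.10]
2008-03-14 10:01:05 cwd=/home/bob/public_html/album 4 args: /usr/sbin/sendmail -t -i -f nobody
2008-03-14 10:01:05 1JZyXd-0003Kt-4z <= nobody@server.example U=nobody P=local S=1851
2008-03-14 10:02:10 1JZyYb-0003Kr-2y <= forged@example.org H=(dsl-pool) [203.0.113.7] P=esmtp S=2211
2008-03-14 10:02:11 1JZyYb-0003Kr-2y => alice <contact@example.org> R=localuser T=local_delivery
2008-03-14 10:03:30 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2008-03-14 10:03:30 1JZyZc-0003Ks-3w <= alice@example.org U=alice P=local S=990
2008-03-14 10:04:00 1JZyYe-0003Ku-5v <= <> H=mail.example.net [198.51.100.5] P=esmtp S=3120
EOF
)

# Messages generated ON this server: "<=" arrival lines with P=local carry
# U=<unix user>. A web-server user (nobody, apache, www-data) or a single
# hosting account at the top of this list points at a spamming script.
# Reads a log on stdin; prints "<count> <user>", most frequent first.
local_submitters() {
  grep ' <= ' | grep ' P=local' \
    | sed -n 's/.* U=\([^ ]*\) .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Messages that arrived over SMTP from another host ("<=" with H=host),
# i.e. mail sent TO this server, including "<= <>" bounces (backscatter
# from someone forging your addresses). Prints the count.
smtp_received() {
  grep ' <= ' | grep -c ' H='
}

# Working directory of each sendmail invocation (needs +arguments).
# Prints "<count> <dir>", most frequent first; the top entry is the
# directory to inspect for the uploaded script.
script_dirs() {
  sed -n 's/^.* cwd=\([^ ]*\) .*args: .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Convenience: just the most active directory.
top_script_dir() {
  script_dirs | head -n 1 | awk '{print $2}'
}

# Demo on the constructed sample. On a real box feed the log instead:
#   local_submitters < /var/log/exim_mainlog
#   script_dirs      < /var/log/exim_mainlog
printf '%s\n' "$SAMPLE_LOG" | local_submitters
printf '%s\n' "$SAMPLE_LOG" | smtp_received
printf '%s\n' "$SAMPLE_LOG" | script_dirs
```

If local_submitters is dominated by the web-server user while smtp_received stays small, the spam is being generated on the box and script_dirs names the directory to clean out; if the "<=" lines are almost all H=host and "<= <>", the server is merely on the receiving end of forged mail.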
We've been seeing sluggish performance on our mail gateways, and so I started doing some digging in the logs. It looks like we are filling up with messages like:
2007-05-16 12:22:16 Connection from [xx.xx.xx.xx] refused: too many connections
We have our max connections set to 20 (total, not host-specific) in exim4. So I started tailing the logs, and sure enough, we are getting bombarded with requests to firstname.lastname@example.org coming from all over the map. The requests are getting denied of course, but that doesn't help the connection issue since they are consuming all of them, preventing real mail (for the most part) from getting through.
What is the proper way to deal with something like this? I could certainly just up the max connections value from 20 to 40 or 50 or whatever, but I'm not sure what kind of performance impact that will have on the rest of the traffic going through our gateways.
Since the spam attempts are coming from all over the place, it doesn't seem like I can just firewall out a few addresses and be done with it.
This particular rack is a cluster of web and database servers behind two gateway boxes, which handle the mail traffic (so this problem is on the gateways, the actual mail server itself sits behind the gateways and never actually sees these fake emails).