How To Track Down A Compromised PHP Script
			Oct 29, 2009
I have a few shared hosting servers I run. One of them keeps getting listed on the CBL. It is very frustrating. Does anyone have any tools, tips, or tricks for finding the compromised script?
So far I have confirmed that a script is using PHP to send mail out, bypassing the MTA. It is faking the HELO and impersonating a well-known ISP.
I used a combination of tshark and netstat. tshark can show me the HELO and EHLO. When I see the wrong entry I cross-check that with netstat to see what. But netstat only shows that it was PHP, not the script path.
Here are the commands I'm running:
Code:
nohup netstat -c -p -n -e | grep -i ":25" > /var/log/monitor/netstat-smtp.log &
nohup tshark -f "port 25 and src host XX.XX.XX.XX" > /var/log/monitor/tshark-smtp.log &
Then I grep for what I'm looking for:
grep -i "HELO" /var/log/monitor/tshark-smtp.log
Is there a way to get netstat to show the script path or the complete command that is establishing the connection? Currently these scripts are eating up memory to the point that other processes are getting killed off.
I also tried to force all mail through the MTA, but when I enable SMTP_BLOCK in my firewall config I get an error:
*WARNING* Cannot use SMTP_BLOCK on this VPS as the Monolithic kernel does not support the iptables module ipt_owner - SMTP_BLOCK disabled.
If there is a better way I'm game. Maybe some IDS that can tell me more of what is going on with the server?
	
	View 14 Replies
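Added example, not code from the post above or from any reply: a small Python script that does the cross-check the poster is doing by hand. It parses the two logs the poster's commands produce (netstat -c -p -n -e, whose columns are Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program, and tshark's one-line-per-packet output), flags every HELO/EHLO that is not a name the server is allowed to announce, joins the two on the MX address to get the PID behind the connection, and then reads /proc/PID (cwd, argv, open files) for that PID. All sample log lines are constructed for the example; the hostnames and addresses in them are placeholders.

```python
"""Correlate forged HELOs seen by tshark with the PID netstat saw on port 25.

Added example, not from the forum post. Assumes logs from
`netstat -c -p -n -e` and `tshark -f "port 25"`; sample lines are constructed.
"""
import os
import re

# netstat -e -p -n line: proto recvq sendq local foreign state user inode pid/prog
NETSTAT_LINE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<lhost>\S+):(?P<lport>\d+)\s+"
    r"(?P<rhost>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<inode>\d+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)
# tshark prints the SMTP command in its Info column; the arrow is "->" on
# older builds and a Unicode arrow on newer ones, so accept both.
HELO_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?:->|\u2192)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+SMTP\b.*?\b(?:HELO|EHLO)\s+(?P<name>\S+)",
    re.IGNORECASE,
)


def forged_helos(tshark_lines, legitimate_names):
    """Return (src, dst, helo_name) for each HELO/EHLO whose name is not one
    this server legitimately announces. Non-SMTP packets are ignored."""
    allowed = {n.lower() for n in legitimate_names}
    hits = []
    for line in tshark_lines:
        m = HELO_LINE.search(line)
        if m and m.group("name").lower() not in allowed:
            hits.append((m.group("src"), m.group("dst"), m.group("name")))
    return hits


def smtp_connections(netstat_lines):
    """Map remote MX address -> [(pid, program, user, state)] for every
    connection whose remote port is 25; header and other lines are skipped."""
    conns = {}
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line.strip())
        if not m or m.group("rport") != "25":
            continue
        conns.setdefault(m.group("rhost"), []).append(
            (int(m.group("pid")), m.group("prog"), m.group("user"), m.group("state"))
        )
    return conns


def attribute(tshark_lines, netstat_lines, legitimate_names):
    """Join both logs on the MX address: which local PID was talking to the
    MX that received a forged HELO. The default tshark line carries no port,
    so the destination address is the only key both logs share."""
    conns = smtp_connections(netstat_lines)
    return [
        {"helo": name, "mx": dst, "processes": conns.get(dst, [])}
        for _, dst, name in forged_helos(tshark_lines, legitimate_names)
    ]


def describe_pid(pid):
    """What /proc knows about a live PID: cwd, argv and open regular files.
    Returns None when the PID is gone (the netstat log is history; the worker
    may have exited). Under mod_php the httpd worker's cwd is normally the
    directory of the script it is executing, which is the hint wanted here."""
    base = f"/proc/{pid}"
    if not os.path.isdir(base):
        return None
    info = {"pid": pid, "cwd": None, "argv": [], "files": []}
    try:
        info["cwd"] = os.readlink(f"{base}/cwd")
        with open(f"{base}/cmdline", "rb") as fh:
            info["argv"] = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        for fd in os.listdir(f"{base}/fd"):
            try:
                target = os.readlink(f"{base}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("/") and os.path.isfile(target):
                info["files"].append(target)
    except OSError:
        pass  # process raced away or we lack permission; return what we have
    return info


# Constructed sample logs (placeholder addresses and hostnames).
SAMPLE_TSHARK = [
    "  1 0.000000 10.0.0.5 -> 203.0.113.25 TCP 74 41234 > 25 [SYN] Seq=0",
    "  4 0.031200 10.0.0.5 -> 203.0.113.25 SMTP 82 C: HELO mail.bigisp.example",
    "  9 0.410000 10.0.0.5 -> 198.51.100.7 SMTP 80 C: EHLO host.myhosting.example",
]
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name",
    "tcp        0      0 10.0.0.5:41234 203.0.113.25:25 ESTABLISHED 48 123456 8449/httpd",
    "tcp        0      0 10.0.0.5:41301 198.51.100.7:25 ESTABLISHED 0 123457 1203/exim",
    "tcp        0      0 10.0.0.5:22 192.0.2.9:51000 ESTABLISHED 0 99 700/sshd",
]

if __name__ == "__main__":
    for hit in attribute(SAMPLE_TSHARK, SAMPLE_NETSTAT, ["host.myhosting.example"]):
        print(hit)
        for pid, *_ in hit["processes"]:
            print("  ", describe_pid(pid))  # None here: sample PIDs are not live
```

Run it against the real files with the server's own hostname in the allowed list; the 8449/httpd hit shows why netstat alone stops at "PHP": under mod_php the PID is just an Apache worker, so the cwd from /proc at the moment of the connection (or the Apache access log entry at that timestamp) is what points at the vhost and script.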
        Mar 8, 2008
        I can resolve this situation I have.
I sent a server I have with a provider to have a RAM upgrade yesterday at 15:33 UTC, and ever since then I have had no access to my server.
SSH has been changed back to port 22, from a random high port.
root password has changed
RSA key has changed too.
I can see 3 possible reasons for this:
1) It's a different server plugged into the rack/router or a stolen IP
2) My provider "kindly" formatted and reinstalled my OS.
3) I have a compromised server, I very much doubt this as the server was offline.
I informed my provider about 18 hours ago that I had a "possible compromised server" and since then I have been given the run around as to what is happening.
For the last couple hours or so I have been trying to get them on live chat, which shows as online, but no-one answers. That's another pet hate of mine.
I also have a couple tickets open asking for an update as they are not answering my original ticket with updates.
Am I just being impatient wanting a resolution to this in less than 18 hours or am I correct to complain?
	View 8 Replies
        Oct 6, 2007
I am trying to determine if I am hacked; here are the details:
 
I just got a message from softlayer support: ABUSE - 66.228.xxx,xxx - HACKING/MALICIOUS ACTIVITY - IMMEDIATE ACTION REQUIRED. with some log like this:
Quote:
Connection attempt to TCP IP.IP.IP.34:80 
>from 66.228.xxx.xxx:41212 flags:0x02 Sep 28 14:05:55 PDT kernel: 
 
Also, I did a rkhunter scan and found:
Quote:
cat /var/log/rkhunter.log | grep Warning
[18:26:29] /usr/bin/GET [ Warning ]
[18:26:29] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[18:26:29] /usr/bin/groups [ Warning ]
[18:26:29] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[18:26:30] /usr/bin/ldd [ Warning ]
[18:26:30] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:26:35] /usr/bin/whatis [ Warning ]
[18:26:35] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:26:36] /sbin/ifdown [ Warning ]
[18:26:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[18:26:36] /sbin/ifup [ Warning ]
[18:26:36] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
  
[18:27:43] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[18:27:44] Checking for enabled xinetd services [ Warning ]
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
 
[18:27:59] Checking for hidden files and directories [ Warning ]
[18:27:59] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
 
[18:27:34] Checking running processes for deleted files [ Warning ]
[18:27:34] Warning: The following processes are using deleted files:
[18:27:34] Process: /usr/libexec/mysqld PID: 4773 File: /tmp/ib2RpbEj
[18:27:34] Process: /usr/sbin/httpd PID: 8449 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 8452 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12102 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12950 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13044 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13046 File: /tmp/.apc.PGGxew
So does that mean my server was compromised?
	View 6 Replies
        Dec 15, 2008
        I have read many helpful feedbacks regarding choosing a reliable web host. Most of the concerns are centered around costs. However, I am more particular about the relative security of my website in addition to other perks such as space, speed and bandwidth. I rate my concerns on a 1-10 scale:
Security 9/10
Bandwidth 7.5/10
Disk space 6/10
E-mails, backups, etc: 8/10
Cost: 7/10
	View 10 Replies
        Jun 6, 2007
        Linux Fedora 5
I just got a letter from my dedicated host stating we had just been compromised. These servers just were set up last week! And there is nothing on them yet. The only thing I have done is modified the /etc/hosts file via SSH.
My servers are not even public yet. Can SSH'ing in from an unsecured wireless network make me vulnerable?
What do you guys think? Best way not to let this happen again?
Oh this is great :-| He's still logged in!
[root@server~]# who
root     pts/0        2007-06-06 07:12 (xxx)
test     pts/2        2007-06-06 03:08 (81.89.10.92)
	View 14 Replies
        Sep 17, 2007
        Ok...posting this here to hopefully get someone's attention at gnax.net.
 
I've written their abuse@gnax.net and engineer@gnax.net multiple times and even called into their support line and spoke with Stephen (or Steven).  No one there seems to care.
 
They have a group of Vietnamese hackers on their network that are launching attacks from several of their servers. They also have a Google phishing site on one of the servers.
 
Spoke with Stephen at Gnax support and his answer was that it wasn't his job and I needed to send a e-mail to abuse.  After telling him that I'd done that multiple times he basically said oh well that he didn't know what to do.
 
Seems like the admins of gnax.net are either very irresponsible, stupid or just ignorant.
 
Here are the URLs.
 
[url]
 
[url]
 
Just replace the 1's with t's and you can see for yourself. The fwooshnet.com attempts to download a trojan to your system so if you don't know what you're doing don't visit either URL.
 
Hopefully admins from Gnax watch this forum.
	View 6 Replies
        Aug 22, 2007
        I receive reports from my DC that my server is launching some hacking / malicious activity. This is the log that they provide:
Quote:
>
> Aug 20 12:34:35 ensim sshd[30628]: Did not receive identification
> string from MY.SERVER.IP
>
> Aug 20 12:44:23 ensim sshd[444]: Failed password for admin from
> MY.SERVER.IP port 57896 ssh2
>
> Aug 20 12:44:23 ensim sshd[444]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:26 ensim sshd[445]: Failed password for root from
> MY.SERVER.IP port 58029 ssh2
>
> Aug 20 12:44:26 ensim sshd[445]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:28 ensim sshd[446]: Failed password for root from
> MY.SERVER.IP port 58141 ssh2
>
> Aug 20 12:44:28 ensim sshd[446]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:31 ensim sshd[449]: Failed password for root from
> MY.SERVER.IP port 58276 ssh2
>
> Aug 20 12:44:31 ensim sshd[449]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:33 ensim sshd[450]: Failed password for root from
> MY.SERVER.IP port 58421 ssh2
>
> Aug 20 12:44:33 ensim sshd[450]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:36 ensim sshd[453]: Failed password for root from
> MY.SERVER.IP port 58565 ssh2
>
> Aug 20 12:44:36 ensim sshd[453]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:38 ensim sshd[455]: Failed password for root from
> MY.SERVER.IP port 58672 ssh2
>
> Aug 20 12:44:38 ensim sshd[455]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:41 ensim sshd[456]: Failed password for root from
> MY.SERVER.IP port 58787 ssh2
>
> Aug 20 12:44:41 ensim sshd[456]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:43 ensim sshd[457]: Failed password for root from
> MY.SERVER.IP port 58961 ssh2
>
> Aug 20 12:44:43 ensim sshd[457]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:46 ensim sshd[458]: Failed password for root from
> MY.SERVER.IP port 59132 ssh2
>
> Aug 20 12:44:46 ensim sshd[458]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:48 ensim sshd[459]: Failed password for root from
> MY.SERVER.IP port 59348 ssh2
>
> Aug 20 12:44:48 ensim sshd[459]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:51 ensim sshd[465]: Failed password for root from
> MY.SERVER.IP port 59495 ssh2
>
> Aug 20 12:44:51 ensim sshd[465]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:53 ensim sshd[466]: Failed password for admin from
> MY.SERVER.IP port 59622 ssh2
>
> Aug 20 12:44:53 ensim sshd[466]: Received disconnect from
> MY.SERVER.IP: 11: Bye Bye
>
> Aug 20 12:44:56 ensim sshd[467]: Failed password for admin from
> MY.SERVER.IP port 59803 ssh2
>
> Aug 20 12:44:56 ensim sshd[467]: Received disconnect from
> MY.SERVER.IP: 11: 
	View 2 Replies
        Apr 7, 2007
My server currently has some problems with DNS/mail, which I can't seem to fix myself. My colocation host offered to help me by being given root access, but I don't know him very well yet. Is there some kind of script/logtool so I can track everything he did on the server? I don't want him snooping around through my webfiles and databases...
	View 13 Replies
        Apr 12, 2008
        one of the worst things (in hosting) has happened. I received a notice this morning from lfd (configserver) that someone had logged into my server as root and it wasn’t me. 
Unfortunately I didn’t notice it until eight hours later so I have no idea (yet) what happened during that period. Thankfully I don’t have any really critical data on the system that could have been stolen.
I’m in the process of restoring from a full system backup right now. After that’s done I’m going to look to see what the differences are between the files from the backup and those on the compromised drive. I’m not sure if I’ll get anything useful from the diff but hopefully I’ll find a clue as to how they got root access.
Then of course I need to get my server back up. However, I don’t want to do this until I’ve taken some steps to identify how the individual got in and take some additional preventative steps. 
Here’s what I am planning on doing:
1) Check to make sure all exposed services are patched and look at some security sites to see if there are any known vulnerabilities for these services. Anyone know which sites are good to look at?
2) Change firewall to only allow ssh access from a couple specific IP addresses.
3) Disable root ssh access so I have to login via a different account and perform sudos, etc.
4)?
I’ll also look for a good server-hardening guide to see if there are some obvious things I forgot to secure.
Do any of you fine folks have any other suggestions or resources that I should check out?
	View 11 Replies
        Jan 8, 2008
        I just received a fairly scary WHMCS notice, you can view the details here:
<<please don't paste the file names, there are accounts that may have these on them>>
What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end.
I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored. 
Are their own billing systems & servers hosted in the same environment, were our billing details also released? etc. I want to know the scale of the attack.
	View 14 Replies
        Jun 27, 2007
        My windows server 2003 server password has been changed. My host tells me they must reload the entire OS in order to fix it..
Is there no way they can go in and rescue my server? It would save me a lot of work.
	View 6 Replies
        Jul 4, 2007
        So one of the sites on our box was compromised earlier today.
We've shut it down for now and contacted our sysadmin to help research the problem. Not sure if he will be able to really help much as he's only done updates and such in the past.
Any idea of quality sysadmins who might be able to investigate the box and the site?
	View 4 Replies
        Mar 19, 2007
I have been trying to troubleshoot our Windows 2003 server for weeks, but have made no headway. The following are the steps they take to breach the server.
“They” are able to create an account.  Some used usernames they have created are: sysadmin, adm, mssqladm.
It is very odd, looking in the event viewer, they just appear to create accounts out of the blue, they don’t even login or attempt to login or anything, all the sudden it says, New Account Created.
“They” then change the password of the account they just created.
Then “They” assign themselves the following group permissions, ‘Users’, and ‘Administrators’. ** SHAKING MY HEAD ** How the bloody hell do they assign themselves Administrator rights?
Then they do a few different actions depending; often times they disable the Windows firewall and change open ports, other times they simply just log off, other times they have placed Trojan horses and other malware in their temporary internet folder under their user folder.
This has been a cat and mouse game for weeks: I catch the new account and immediately delete it, check the firewall and enable it if needed, then run a full system scan with AVG and Prevx. Sometimes AVG finds Trojans and malware, other times it's clear.
I have racked my brain, checked all running processes with Google, and they all seem legit. I have updated everything in Windows via Windows Update; we are running Windows 2003 Server SP2. I have looked at the users and groups and everything seems secure.
Do you guys have any idea what is going on? I have a feeling something is running internally, which is allowing them to create the accounts.
Is there a tool that tracks all currently running processes, and allows you to go look at the logs to see what exactly was running at a certain time?
	View 10 Replies
        Feb 24, 2007
My server (using Plesk 8.1 on Windows 2003 Server) has been compromised with some sort of rootkit and I'm investigating vulnerabilities. This server hosts some of my ASP.NET applications and I have to grant Modify permission to the IIS WP (iwam_plesk) user on some subfolders (under the httpdocs folder for each domain). Is it a security problem? If yes, how else can I allow ASP.NET applications to write to, say, an Access db?
	View 2 Replies
        May 25, 2009
Can anyone please tell me how dangerous Apache's TRACE and TRACK functions actually are?
I have read the common explanation, but would disabling TRACK and TRACE improve my server's ability to fight cross-site scripting and similar attacks and make it more secure?
	View 1 Replies
        Mar 23, 2009
I'm a small hosting provider. On one dedicated server I have around 100 cPanel accounts.
That server is under a constant, although not powerful, DoS attack.
Since my company domain is not targeted on another server I believe that it is not me but one of my customers that the attack is against.
Is there a way, tool, or service provider that can help me pin down which account is being hit?
All accounts are on the server's main shared IP.
Would spreading them across other IPs help? Or would I still see attacks only on the main shared IP?
	View 7 Replies
        Jun 27, 2009
I'd like to know, is there any way to find out the hosting provider if we have only the IP address of the server? i.e.
66.63.181.74 - this is the IP address of my website server; how can I trace the service provider who is giving this hosting service?
	View 6 Replies
        Oct 2, 2008
        I am currently developing a web application on a WAMP server.  Once complete my client will have some in-house "programmers" make changes to the code as they are needed.
My client wants to track all changes made to the source files (ie- who made the change, when it was made, what files were modified, and what specific lines were added/removed/modified).  Also, the program must run on the server and not the programmers computers.
I've searched high and low and only found a couple programs that scratch the surface of what they want.  
	View 4 Replies
        Aug 10, 2008
how exactly email works. For example, I set my MX record to Google Apps in order to use Google mail with my own domain. Thing is, I can sent from Google mail now with my domain email address but cannot send. Furthermore, login to my website email by www.domain.com/webmail is possible but receiving is impossible and even sending email from that place will not work.
Thinking about it, it seems that email is lost:
Google can send but not receive;
from my domain webmail I cannot receive nor send.
	View 9 Replies
        Aug 29, 2007
Is there a way I can track the HTTP traffic to see which domain is running with high traffic? Due to the traffic load, I/O wait is increasing. I want to suspend the domain that has the large traffic to avoid downtime.
	View 4 Replies
        Feb 8, 2007
I've done plenty of searching on DDoS attacks and from what I've found so far it seems that it's "very difficult" to track down the person(s) responsible for the attack.
My question is this - could someone actually do it if they were qualified enough? Would a hacker who is well versed in the techniques used be able to find the person(s)? Or is it just simply impossible sometimes?
	View 3 Replies
        Jun 16, 2013
I just installed Apache 2.4.4 and it seems to run fine overall. But in my error.log I get about 3 of these every hour or so:
error.log:[Sat Jun 15 20:57:44.095961 2013] [core:notice] [pid 31400:tid 16384] AH00052: child pid 1971 exit signal Segmentation fault (11)
track down what causes this? What module? vhost?
Otherwise the server seems to run fine. It's on Linux with PHP 5.3.26 and MySQL 5.1.
	View 2 Replies
        May 27, 2008
        whose has 5 email accounts and several computers Windows and Mac.
Some spam has been sent out to people in his address book. I received one and have the email headers.
What tools are there for identifying which account/machine has been compromised?
	View 3 Replies
        Sep 28, 2006
I'm working on setting something up for monitoring my bandwidth/traffic on multiple interfaces. I have set up interface aliases so I have eth0, eth0:0, eth0:1, and the issue I'm running into is that it seems SNMP cannot tell the difference between the aliased interfaces. I've found references in the Cacti forums to using ipchains rules to track the bandwidth, but I've not found a good howto that explains what I need to get going on this.
Any clues/hints?
	View 0 Replies
        Oct 7, 2007
        What script/application can I install on my linux box to track the bandwidth per each domain?
I currently have no CP, on lighttpd.
	View 2 Replies
        May 19, 2008
I have FreeBSD with cPanel. Someone is running an attacking Perl script from my server. Below is information about that script, but it shows the / path in the command lsof -p 30251 | grep cwd.
 PID USERNAME        PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
29018 root             96    0 35968K 30528K select   0:03  2.71%  2.69% perl
newinst# lsof -p 30251 | grep cwd
lsof: WARNING: compiled for FreeBSD release 5.5-STABLE; this is 5.3-RELEASE.
perl    29018 root  cwd   VDIR       4,12     1024       2 /
newinst# ls -la / | more
total 22413
drwxr-xr-x   25 root  wheel         1024 May 16 03:23 .
drwxr-xr-x   25 root  wheel         1024 May 16 03:23 ..
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .black
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .black.bak
-rw-r--r--    2 root  wheel          801 Nov  5  2004 .cshrc
-rw-r--r--    1 root  wheel          355 Feb 21  2007 .new
-rw-r--r--    2 root  wheel          251 Nov  5  2004 .profile
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .rbl.db
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .rbl.db.bak
drwxrwxr-x    2 root  operator       512 Jul 19  2005 .snap
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .uribl.db
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .uribl.db.bak
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .white
-rw-r--r--    1 root  wheel            1 Feb 21  2007 .white.bak
-r--r--r--    1 root  wheel         6184 Nov  5  2004 COPYRIGHT
drwx--x--x    3 root  wheel          512 Aug 20  2005 backup
drwxr-xr-x    2 root  wheel         1024 Dec 28  2006 bin
drwxr-xr-x    5 root  wheel          512 Jul 19  2005 boot
drwxr-xr-x    2 root  wheel          512 Jul 19  2005 cdrom
lrwxr-xr-x    1 root  wheel           10 Jul 19  2005 compat -> usr/compat
-rw-r--r--    1 root  wheel          177 Dec  5 12:15 cpgd.c
dr-xr-xr-x    4 root  wheel          512 May 16 16:23 dev
drwxr-xr-x    2 root  wheel          512 Jul 19  2005 dist
-rw-------    1 root  wheel         4096 May 13 15:58 entropy
drwxr-xr-x   28 root  wheel         4608 May 19 11:57 etc
drwx--x--x  501 root  wheel         9216 May 19 01:33 home
drwxr-xr-x    3 root  wheel         1024 Jul 19  2005 lib
drwxr-xr-x    2 root  wheel          512 Jul 19  2005 libexec
drwxr-xr-x    2 root  wheel          512 Nov  5  2004 mnt
drwxr-xr-x    3 root  wheel          512 Jul 21  2005 nonexistent
drwxr-xr-x    8 root  wheel          512 Oct 30  2007 opt
-rw-------    1 root  wheel     22786048 May 16 04:51 perl.core
dr-xr-xr-x    1 root  wheel            0 May 19 11:57 proc
drwxr-xr-x    2 root  wheel         2560 Jul 19  2005 rescue
drwxr-xr-x   13 root  wheel         1024 May 19 01:33 root
drwxr-xr-x    2 root  wheel         2560 Jul 19  2005 sbin
drwxr-xr-x    5 root  wheel        13824 May 19 01:22 scripts
drwxr-xr-x    4 root  wheel         1024 Jul 19  2005 stand
lrwxrwxrwx    1 root  wheel           11 Jul 19  2005 sys -> usr/src/sys
drwxrwxrwt    9 root  wheel        31744 May 19 11:57 tmp
drwxr-xr-x   21 root  wheel          512 Dec  5 12:12 usr
drwxrwxrwx   24 root  wheel          512 May 16 16:24 var
where it is located at/path.
	View 10 Replies
        May 18, 2007
        I'd like to track the email user agents that our clients use. Basically, I'd like to have something that looks like that:
[url]
	View 3 Replies
        May 29, 2007
Logwatch says I send out about 3k emails each day and that is a ridiculous amount. I use Postfix and do not run any sort of relay, even for myself. I have IPB 2.2.2, WordPress 2.0.4, and Gallery 2.x.
How can I track down where these messages are originating from? Or perhaps I am reading my Logwatch file incorrectly?
Quote:
 --------------------- postfix Begin ------------------------
17999281 bytes transferred
2460 messages sent
26 messages expired and returned to sender
145 messages removed from queue
Top ten senders:
   24 messages sent by:
      apache (uid=48):
   2 messages sent by:
      root (uid=0):
	View 4 Replies
        Aug 9, 2007
I'm wondering if there's anything I can install on the server that will either filter or track outgoing spam. I don't want to limit the number of emails sent per hour or anything, I just want to be able to maybe search through some flagged emails or something. Or if they send the exact same email more than x times it can disable their account... I'm not sure.
	View 1 Replies
        Jun 19, 2008
        Even worse, they didn't even notice until I called. If you're a 1and1.com customer I recommend you change your username and password now!
I included some log snippets to help you make sure your account hasn't been compromised.
1and1.com hacked
	View 6 Replies