Spam/phishing Emails By Remote Connection (hacked)
Apr 23, 2009
One day, you noticed that someone remotely connected to your computer and an application sends spam/phishing emails by using your IP. What do you do?
Of course, I stopped the program and blocked remote connections for a while and changed my password... In any case, I have to connect to my computer remotely... What do you advise?
By the way, I have more than 1000 email accounts on my computer. The hacker left me a gift, but I don't need them))
I am running Plesk 11.5 on an Ubuntu 12.04 machine. For days I have had problems where I see scripts of phishing sites and mailer scripts installed in the httpdocs directory of various domains.
How can I prevent outsiders from installing these scripts on the server? Where is the bug that allows this?
We received a warning a few days ago that our server is spamming. We hired someone to find the problem and it turned out that someone was using our phplivesupport to send spam from our server. The person we hired showed us this http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6769 ("Multiple cross-site scripting (XSS) vulnerabilities in PHP Live! 3.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the...") I sent a ticket to them and asked when they are going to release a new version and they did not answer; I asked them for a refund and no answer.
1) What do you think about this whole situation? You don't think they should refund us? (or release a new version)
The directions I received were "Please use remote desktop to connect to your server."
So I entered the IP address into the Remote Desktop Connection window and it doesn't connect. Where do I go from here? I searched and can't find any relevant info.
I have an Ubuntu 8.04 server with 2 network cards, eth0 and eth1. I am using only eth0. The server is behind a 2-Wire router. I have set up the router with the public IP addresses.
On the server I have set up an IP alias on eth0 as eth0:0. I have 3 domains which I will call foo1.com, foo2.com and foo3.com. The server PC is assigned a static public address on the router as 217.xx.xx.100; this same IP is also used to set up the virtual host for foo1.com.
When I am on the router I can access all the domains via the browser and can also get FTP and SSH connections to the server. However, when I leave the range of the server and connect to the net via another router, I lose FTP and SSH access to the server and am not able to browse www.foo1.com. However, www.foo2.com and www.foo3.com I can browse.
My hoster told me to use PuTTY, a terminal, to install something called VNC. I tried to install it, but it gets rejected every time I connect. (I was using RealVNC and connecting through a tunnel.) Is there another way to get to the GUI or something like that?
I am using Vista and trying to connect to Linux (Debian)
We have 200 customers, and we will change to cPanel.
The MySQL server is on a Solaris zone. It is possible to make the remote connection with it. I will import the 200 users' MySQL databases to cPanel, with privileges (user settings). The mail/web dirs I will import manually to the cPanel server (copy-paste-setuser:group).
I have 2 identical Fedora 8 boxes with Apache 2.2.8, MySQL 5.0.45 and PHP 5.2.4. I use one as the Web+DB server (say box A), and the other (box B) just as the Web server connecting to the DB server on box A. I use this 2-machine configuration to test a LAMP-based Web application. I have a client program on other machines that can emulate a massive web workload to these 2 servers; it can emulate hundreds to thousands of users using the application simultaneously.
Before running the test, the connection to the DB server from both boxes seems fine. Using the mysql client program on either box A or B to connect to the DB, the connection goes through instantly. In the /etc/my.cnf file, I have max_connections=4096 and max_user_connections=4096. Note that the web app uses one single DB user to connect to the DB. To allow remote connections, I inserted one record into the user table of the mysql DB whose host field value is '%' (allow connection from all remote hosts).
After running the test (during which I found out that many requests sent to box B failed), the mysql client program on box A is still able to connect to the DB instantly; but the one on box B has a problem: it takes extremely long (5 - 10 minutes or even more) to establish the connection. It doesn't time out, it just takes that long. I believe that's the cause of the failure of requests to box B.
My site was working fine for some days and suddenly it stopped and hung, and also my PPP is not working, and the file manager in PPP gives me this error: VZAgent returns error #422: "Cannot initialize connection to remote host". The support admin said I have a problem in failcnt.
I am trying to access my server remotely using Windows' Remote Desktop Connection. It functions perfectly, but it does not go full screen because my local screen resolution is 1680x1050 ...
Does anyone know any other remote desktop applications which work better in this way?
I know I could just change the local resolution settings, but it is a bit of a nuisance and looks really weird if I set it to something non-widescreen...
I have a remote XP PC: 172.16.1.5, OpenVPN connection with a route added for 192.168.2.0/24 to go via the VPN.
Now on the other end the network consists of:
I have an OpenVPN server inside the LAN on 192.168.2.245. Its default gateway is 192.168.2.1.
I have 3 Windows servers, 192.168.2.246, 247 and 248. All gateways are set to 192.168.2.1.
I have an Ethernet router on the network, 192.168.2.1; it has a route added for 192.168.0.0/16 to go via 192.168.2.245, and a route added for 172.16.0.0/24 to go via 192.168.2.245 also. The 192.168.0.0/16 is in case any other LANs are connected at a later date; if computers saw any packets not on the 192.168.2.x subnet they would be routed to the default gateway, which would then pass them to the OpenVPN router.
The trouble is, I can remotely connect and ping the OpenVPN router fine and also the Ethernet router; however, when I ping any of the Windows boxes it times out. But I can open up Remote Desktop and connect to the Windows box without problem; in fact, if I am running 'ping 192.168.2.246 -t' it will suddenly come alive, but only after the RDP connection is made.
Is this something funny with the routing? I want to keep the OpenVPN server internal to the network, and I appreciate it is hitting the Ethernet router then being passed to the OpenVPN, but something is weird as it fires up RDP fine but not ping. No firewalls are enabled on any of the boxes. If I log in to SSH on the OpenVPN router or Ethernet router I can ping from that to the Windows boxes fine.
It's as if an ICMP redirect is issued, and all is well after the 1st connection. Not too sure, but could anyone be kind enough to enlighten me?
#Server PHP - hosts PHP and handles Apache/MySQL requests.
#Server 2 - handles mail and DNS requests.
Yesterday we moved mail from #Server 2 to a new mail server, a cPanel one; all mailboxes are created, users can send and receive email using webmail, mail clients, etc.
But... while trying to send mails using PHP, authenticated, from #Server PHP/Apache/MySQL, we got this error from the mail server:
Code:
We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
SMTP -> FROM SERVER:
SMTP -> FROM SERVER:
SMTP -> ERROR: HELO not accepted from server:
SMTP -> get_lines(): $data was ""
SMTP -> get_lines(): $str is "220-srv247.serverhost.com
This was working when mails were received/sent in Sendmail (an Ensim box); now with Exim 4.x on a cPanel box we get this issue.
Already added the IP address from #Server PHP into all Exim whitelists, also added the IP to /etc/alwaysrely, but it didn't help.
I'm using RHEL 5.2 on the mail server and the latest release build.
I'm getting 50 and more spam mails each day; how do I secure my VPS to stop 99% of the spam from coming in, as I understand there's no way to completely block spam.
I'm using the DirectAdmin control panel and enabled SpamAssassin, but it's not much use even when I apply strict options on it.
Got this strange issue here. Comcast customers cannot receive any emails sent from my server. With the others, most of the emails are being sent to a spam folder instead of the inbox.
Server is CentOS 5 / cPanel.
I confirmed the IP has proper reverse DNS and is not blacklisted. I also set up SPF as well.
I have been using a couple of emails on my domain for 3 years. I am getting a big amount of spam emails. If I use SpamAssassin™ in cPanel it will sometimes miss Hotmail, Yahoo emails etc. If I disable it, I will continue receiving those spam emails. However, some of my clients use free emails like Hotmail and Yahoo.
Some of the emails I send to clients who use Yahoo's email are stored in their "Bulk" folder, so Yahoo is considering me a spammer although I'm not. So do you know how I can fix it? Do I need to contact Yahoo about this matter?
We use some spam blockers that come with cPanel, but sometimes it feels like it isn't enough to block all spam coming in and going out of the server. Anyone here have any experience with other third-party software that may be able to stop emails in their tracks based on the content of the email itself?
I would like to offer some good advice to people who host their sites with HostGator or any other web host who provides cPanel. Please check your "Mail" feature.
I just checked all of my sites' Mail in the Mail section.
All of my sites do not have webmail set up, but I was surprised to find tens of thousands of spam mails, and I don't even have any email accounts set up!
This was causing me to get 'inode' warnings that my account would soon be suspended and I should upgrade my site to Dedicated Hosting, something I cannot afford! Go to [url]
Steps:
1. Click on Mail
2. Click on Webmail
3. Click on Horde
4. Login
5. Click on Mail
SURPRISE! Do you too have thousands of spams ... even if you don't even have an email account set up?
If your folder is full of thousands of spams then do this...
6. Click on Folders
7. Tick Inbox
8. Choose Empty Folders from the drop-down box above
9. Click Empty Selected Folders
10. Do this regularly before you get an email from HostGator like this:
To maintain the highest level of performance on our shared servers we have a maximum inode (file) limit of 50,000 inodes (files) per account. The size of the file does not matter, only the number of files. For example, a DVD image (say, 4.5gb) only counts as one inode, or file. Our limit, as outlined in our terms of service, is 50,000 files per account. We generally don't hold people strictly to this limit, but at the same time we expect our users to respect the limits of the system. When an account has hundreds of thousands of files, it significantly degrades overall disk performance, as each file on the disk must be tracked/indexed.
An easy analogy would be a table of contents or glossary for a book. If the book only has a few hundred pages, the index or glossary is likely to be small and easy to search. If the book has 5,000 pages, finding what you want might take significantly longer. The file system on a server works in a similar way, just on a larger scale. Our experience has shown that 50,000 files per account is a fair number, and accounts that exceed that by a significant amount cause disk performance issues. This message is to inform you that the listed account has significantly exceeded our limits for disk inodes/files and could potentially lead to disk issues.
It is also important to realize that accounts that exceed the inode (file) limit are not backed up by our courtesy weekly backup service, per section 7b of our Terms of Service. Of course, we advise every user to run their own backups to be safe. Accounts over the 50,000 inode limit are bypassed so that backups can complete in a timely fashion for everyone. Otherwise, accounts with hundreds of thousands or more inodes will utilize more server resources than other accounts, and could lead to file system errors on our backup servers.
This account will be re-checked again in 7 days to verify it is below 50,000 files. If this account remains above the maximum inode limit after repeated checks, we'll have to review the situation further and advise a course of action. It is critical that one of the following actions take place before that happens:
a) reduce the number of inodes/files. This change must be permanent; if you have a high number of cache files or similar, and you expect them to naturally exceed the inode limit again in the future, the configuration must be changed to limit the total number of cached files.
If you are completely unaware of the source of the inodes, it may be that you have left your default mailbox enabled, and never cleared it. Over time, it can fill up with spam, consuming hundreds of thousands of inodes. If you have a catch-all enabled on your account, this can greatly increase the amount of mail/spam that our account receives and will raise your inode usage quickly unless routinely emptied. If you would like assistance clearing these folders from unwanted email or removing the catch-all from your account, please let us know and we would be happy to assist you.
The default mailbox is located at:
/home/xxxx/mail/cur
/home/xxxxx/mail/new
b) upgrade to dedicated service, where inode counts are no longer checked. In many cases, accounts that significantly exceed our inode/file limits have simply outgrown the shared environment, and a dedicated server is the logical choice. In many cases, the transfer from a shared to dedicated server will incur no charge. In rare situations, accounts with excessive numbers of accounts or users may require a fee; the transfer department would advise you of that fact prior to the transfer taking place. If you've read this far, it's clear you're serious about taking care of the issue and we can offer you 50% off the first month's purchase of a dedicated server. To receive the discount, please:
- Reply to this email stating you'd like to upgrade. You will automatically be assigned a ticket number, which will be visible in the subject line. You may need to confirm your email if this is the first time you've ever sent us a ticket or emailed one of our departments.
- Order a dedicated server: [url]
- Email sales@hostgator.com after placing your order. This promotion is unadvertised, and must be manually approved. You must reference the ticket # you receive (above) to qualify for the discounted rate. This promotion only applies to dedicated servers priced $ 219.00 or higher.
We thank you for taking the time to resolve this issue. If you have any questions or perhaps you are not sure what could be causing the high number of inodes, we can help you with that. Simply reply to this email and we will be more than happy to assist you.
As soon as I deleted all of my emails, guess what .... I already have 4 spam emails; that is very quick!
I have 4 main sites with HostGator and this is how many emails I have without knowing:
Site 1: 27,237 Spam Emails
Site 2: 43,438 Spam Emails
Site 3: 7,398 Spam Emails
Site 4: 63,972 Spam Emails
This is who one spam was from:
To: myaccount@gator257.hostgator.com
So the spammers send the emails to gator257.hostgator.com and so forth!
That is crap! Surely they can fix it; as I say, I don't even have an email account in my cPanel!
154P Received: from mailnull by server.domain.com with local (Exim 4.68) id 1JBOml-0008CW-Fz for root@server.domain.com; Sun, 06 Jan 2008 00:15:03 -0600
038 X-Failed-Recipients: admin@domain.com
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <Mailer-Daemon@server.domain.com>
029T To: root@server.domain.com
059 Subject: Mail delivery failed: returning message to sender
052I Message-Id: <E1JBOml-0008CW-Fz@server.domain.com>
038 Date: Sun, 06 Jan 2008 00:15:03 -0600
1JBOml-0008CW-Fz-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
admin@domain.com
SMTP error from remote mail server after RCPT TO:<admin@domain.com>:
host sentry.domainbank.com [64.85.73.28]: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
------ This is a copy of the message, including all the headers. ------
Return-path: <root@server.domain.com>
Received: from root by server.domain.com with local (Exim 4.68) (envelope-from <root@server.domain.com>) id 1JBOmk-0008CJ-To for admin@domain.com; Sun, 06 Jan 2008 00:15:02 -0600
To: admin@domain.com
Subject: Services(2) failed
From: monitor@domain.com
Message-Id: <E1JBOmk-0008CJ-To@server.domain.com>
Date: Sun, 06 Jan 2008 00:15:02 -0600
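As an added example that is not part of the post above: a small Python parser for an Exim bounce like the one quoted, pulling out the failed recipient, the remote server's SMTP status and the envelope/header sender pair, so a monitoring job can alert on permanent rejections and on a local system account sending as another domain (as in the copied message, where root@server.domain.com sends as monitor@domain.com). The sample bounce is constructed from the quoted one; its remote host and address are placeholders.

```python
import re

# Constructed sample modelled on the Exim bounce quoted above; the remote host
# and the 192.0.2.10 address are placeholders, not real systems.
SAMPLE_BOUNCE = """\
Received: from mailnull by server.domain.com with local (Exim 4.68)
X-Failed-Recipients: admin@domain.com
From: Mail Delivery System <Mailer-Daemon@server.domain.com>
Subject: Mail delivery failed: returning message to sender
The following address(es) failed:
  admin@domain.com
    SMTP error from remote mail server after RCPT TO:<admin@domain.com>:
    host sentry.example.net [192.0.2.10]: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
------ This is a copy of the message, including all the headers. ------
Return-path: <root@server.domain.com>
From: monitor@domain.com
"""

FAILED_RE = re.compile(r"^X-Failed-Recipients:\s*(.+)$", re.M)
SMTP_ERR_RE = re.compile(
    r"host\s+(?P<host>\S+)\s+\[(?P<ip>[^\]]+)\]:\s+(?P<code>\d{3})\s+"
    r"(?P<text>.*?)(?:\s+\(#(?P<enhanced>[\d.]+)\))?\s*$", re.M)
RETURN_PATH_RE = re.compile(r"^Return-path:\s*<([^>]*)>", re.M)
FROM_RE = re.compile(r"^From:\s*(?:.*<)?([^<>\s]+@[^<>\s]+)>?\s*$", re.M)


def parse_bounce(text):
    """Split an Exim DSN into its own report and the copied original message."""
    report, _, copied = text.partition("------ This is a copy of the message")
    failed = FAILED_RE.search(report)
    ret = RETURN_PATH_RE.search(copied)
    frm = FROM_RE.search(copied)
    return {
        "failed_recipients": [a.strip() for a in failed.group(1).split(",")] if failed else [],
        "errors": [m.groupdict() for m in SMTP_ERR_RE.finditer(report)],
        "envelope_sender": ret.group(1) if ret else "",
        "header_from": frm.group(1) if frm else "",
    }


def findings(parsed):
    """Return the conditions an admin would want to be alerted on."""
    out = []
    for err in parsed["errors"]:
        if err["code"].startswith("5"):  # 5xx = permanent rejection by the remote host
            out.append(f"permanent {err['code']} from {err['host']} for {parsed['failed_recipients']}")
    env, hdr = parsed["envelope_sender"], parsed["header_from"]
    if env and hdr and env.rsplit("@", 1)[1] != hdr.rsplit("@", 1)[1]:
        # local account sending as another domain: typical of cron/monitoring scripts
        out.append(f"envelope sender {env} differs from header From {hdr}")
    return out
```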