Stopping Spammers

May 13, 2007

I have WHM 11.1.0 cPanel 11.2.1-C11635
FEDORA 4 i686 - WHM X v3.1.0
PHP Version 4.4.4
I'm not sure what my apache version is.

I want to try this:
http://www.webhostgear.com/232_print.html

It says it's for Apache 1.3x, PHP 4.3x

Will that work on my server? Will it be safe to try?

Stopping Site

Jul 6, 2007

Currently my site is having an extreme surge in traffic (in and out). My webhost just sent me a warning, saying that my site is generating abusive traffic to the host's network.

Code:
Please be aware that abusive traffic is being generated from your IP, xx.xxx.xx.xxx, directed to our network as seen in the logs below. We have added a Nullroute for this IP on our network for a period up to 24-hours. Please take action to remove and prevent this abusive traffic from being generated. Repeated offenses will result in a permanent Nullroute of your entire network block.

2007-07-05 09:59:51 - sensor-ds04.tpa.sagonet.net - sshd[13496]: Did not receive identification string from ::ffff:xx.xxx.xx.xxx
2007-07-05 09:59:51 - unknown.sagonet.net - sshd: refused connect from ::ffff:xx.xxx.xx.xxx (::ffff:xx.xxx.xx.xxx)
2007-07-05 09:59:51 - spamassassin-lbb.tpa.sagonet.net - sshd[24910]: Did not receive identification string from xx.xxx.xx.xxx
2007-07-05 09:59:51 - spamassassin-lba.tpa.sagonet.net - sshd[32041]: Did not receive identification string from xx.xxx.xx.xxx
2007-07-05 09:59:51 - spamassassin-lbb.tpa.sagonet.net - sshd[24911]: Did not receive identification string from xx.xxx.xx.xxx
2007-07-05 09:59:51 - spamassassin06.cust.sagonet.com - sshd[12792]: refused connect from ::ffff:xx.xxx.xx.xxx (::ffff:xx.xxx.xx.xxx)
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - sshd[99600]: warning: /etc/hosts.allow, line 1: host name/address mismatch: xx.xxx.xx.xxx != thtdomains.com
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - sshd[99600]: warning: /etc/hosts.allow, line 1: host name/address mismatch: xx.xxx.xx.xxx != thtdomains.com
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - kernel: Jul 5 09:59:49 sensor-ds06 sshd[99600]: warning: /etc/hosts.allow, line 1: host name/address mismatch: xx.xxx.xx.xxx != thtdomains.com
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - kernel: Jul 5 09:59:49 sensor-ds06 sshd[99600]: warning: /etc/hosts.allow, line 1: host name/address mismatch: xx.xxx.xx.xxx != thtdomains.com
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - sshd[99600]: refused connect from xx.xxx.xx.xxx (xx.xxx.xx.xxx)
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - sshd[99600]: refused connect from xx.xxx.xx.xxx (xx.xxx.xx.xxx)
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - kernel: Jul 5 09:59:49 sensor-ds06 sshd[99600]: refused connect from xx.xxx.xx.xxx (xx.xxx.xx.xxx)
2007-07-05 09:59:49 - sensor-ds06.tpa.sagonet.net - kernel: Jul 5 09:59:49 sensor-ds06 sshd[99600]: refused connect from xx.xxx.xx.xxx (xx.xxx.xx.xxx)
2007-07-05 09:59:52 - sensor-ar01.tpa.sagonet.net - sshd[12730]: warning: /etc/hosts.allow, line 1: host name/address mismatch: xx.xxx.xx.xxx != thtdomains.com

My VPS is using Plesk v8.01 as the control panel. I have purchased my own 3 IPs so I'm sure this is not the case of sharing the same IP with another account.

I've checked the cgi-bin directory but there is nothing there except the usual default file (test.cgi). And I never have the right to alter the cgi-bin directory (can't remove, can't add files).

The traffic surge costs me 10 GB (in) and 5 GB (out) bandwidth a day as opposed to the normal 100~200 MB a day. I haven't asked them the exact form of the abuse. So far, I think my IP has become the source of abusive traffic that burdens THEIR server.

I've checked the latest access.log and everything looks normal.

But when I checked using menu Virtuozzo/Traffic Statistics, I can see that the incoming and outgoing traffic are surging up unnaturally (this is the third day).

Hour/Incoming/Outgoing (in MB):

Code:
01 5.61 26.31
02 4.94 25.11
03 6.77 33.48
04 10.42 47.17
05 91.43 94.06
06 289.51 196.99
07 309.13 200.02
08 51.78 33.33

Stopping Spam With SpamAssassin

Jan 15, 2008

Has anyone had any good results using SpamAssassin? If so, how did you go about setting it up? I was hoping someone would share some real world settings that work.

Stopping SPAM On A Server

Nov 5, 2009

Can you control SPAM on a server? I've got this email account where all it receives is SPAM, nothing else. I'd like to eliminate this so it doesn't get any more SPAM.

Stopping An Ffmpeg Conversion

Sep 4, 2008

I have ffmpeg installed on a webserver. If I enter the command to begin a conversion process, or the command is sent through PHP via exec(), it keeps going until it finishes or runs into an error.

Is there a way to cancel a conversion process after it's been started either through the command line or via PHP exec()?

CSF Too Late Stopping DOS Attacks

Nov 7, 2008

I have CSF on my server (configserver security and firewall) and it blocks the IP when my server gets attacked, but it always seems to be a little too late... Apache goes down, even though the IP is blocked. I end up running:

iptables -I INPUT -s xx.xx.xx.xx -j DROP
service httpd restart

And that tends to sort things out... but the thing is, sometimes they still manage to attack and even though csf sends me messages explaining how it is connecting, I can check the "deny IPs" and the ip shows as blocked...

What other software is there (eg. mod_evasive... but how can I install it...) that I can run without harming my server, causing problems with CSF or any problems for that matter and how can I install it?

Stopping Updating Cron.deny

Jun 12, 2007

I designed one of my web services so that 'nobody' has to put commands into cron. Unfortunately this thing stops working from time to time because "someone" is putting 'nobody' back into the cron.deny file.

How to stop that?

Apache Keeps Stopping. MULTIPLE Times Per Day!

Jul 1, 2009

Apache keeps stopping. MULTIPLE times per day! There is no logic to when it dies. But about every 2 hours.

Load stays below .30 and there is free memory available.

This is on a VPS machine. None of the other VPS's are having an issue. Just this one.

Centos release 5.3 (Final)
Apache/2.2.3

Here is what is in the httpd.conf file. I realize the numbers are way too high, but just trying to get this issue to go away.

Code:
<IfModule prefork.c>
StartServers 100
MinSpareServers 100
MaxSpareServers 100
ServerLimit 512
MaxClients 512
MaxRequestsPerChild 4000
</IfModule>

<IfModule worker.c>
StartServers 100
MaxClients 500
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 100
</IfModule>

Here is what is in the /var/log/httpd/error_log file before it dies:

Code:
[Wed Jul 01 18:06:32 2009] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 98 idle, and 108 total children
[Wed Jul 01 18:08:17 2009] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 74 idle, and 76 total children
[Wed Jul 01 18:08:18 2009] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 16 children, there are 63 idle, and 63 total children
[Wed Jul 01 18:08:19 2009] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 32 children, there are 79 idle, and 79 total children
[Wed Jul 01 18:11:36 2009] [info] server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers), spawning 8 children, there are 93 idle, and 108 total children

Stopping A Game Server Remotely

Nov 7, 2008

Is there a script or program which I can use to start my game servers remotely? I am giving my friend a free game server, but the problem is that he wants the power to start/stop the server because he wants to update the binaries. I am not looking for a game server control panel, but more like a small script or program that has the power to start/stop the server. The game server I am hosting for him is Team Fortress 2. Also, it has to be free since I am not going to make any profit off this.

Game - Team Fortress 2
OS - Windows 2003 Server
Web hosting - WAMP

Smoothly Moving Vbulletin Without Stopping It

Jul 9, 2007

I will move my vbulletin site from one server to another server.

My web data is more than 10G including MySQL data. I know I may stop the vbulletin at first and move the data, but I am expecting a minimal forum-stop time or no forum-stop time.

My concern is, if I don't stop the vbulletin at first, after I dump the SQL data out and restore it to the new server, it would be more than 3-4 hours, and there must be some new data coming in during that period. How may I keep the vbulletin running and move all data to the new server?

Effective Tips For Stopping The SPAM

May 27, 2007

We're currently testing Postini after checking with Message Labs, etc., and it seemed that Postini was the most highly recommended out of all of them. We shall see, as there do seem to be A LOT that get past their filters with spam level filtering set at their most sensitive level.

However, what could I do for accounts with hosting firms? We have a couple on Pair, and while they use SA, their filters don't seem to be really effective at all. Users can come in over the weekend and have 5 valid emails out of 200 junk...

BTW, has anyone used any of the spam appliances out there lately?

We tested them about 1.5 years back and none were really effective.

Plesk 12.x / Linux :: Backup Stopping At 2GB?

Jul 15, 2015

I am trying to run backups to an off-site location. However, I have noticed that even if I try on the server side, it will only back up 2 GB, and when I check the backup, the file structure is there but there aren't any files in the backups.

Stopping Outgoing Spams (Mail Is Locked!)

Jun 16, 2009

I saw some spams and I try to remove them on my cPanel server from WHM > Mail Queue

Message 1MFr0q-0001cK-TV is locked
Message 1MGJLb-0001UL-4y is locked
Message 1MGIqC-00036q-7v is locked
Message 1MGIvk-00044Q-5r is locked
Message 1MGJpk-0003fU-5K is locked
Message 1MGJK9-00015D-US is locked
Message 1MGJhL-00006a-Mh is locked
Message 1MGHK4-0004e6-60 is locked
Message 1MFrD4-0002Up-OX is locked

I can't seem to remove them. What's the way to kill them at once?

VPS Server - CPanel, Httpd And Named Services Keeps Stopping

Nov 7, 2007

We have a VPS Server from one of the most reputable VPS Provider. We have 384 Guaranteed RAM and 1GB Burst. We have Dual Core AMD Opteron(tm) Processor 265 - 1795.503 MHz with 1024 KB cached allocated to our VPS.

It is only hosting 2 average forums (10-15 concurrent users in total) and 30 small websites, low traffic websites.

The problem we are having is that, almost 3 times a week, the cPanel, named and apache services keep stopping. I am monitoring our server when this happens, and prior to the event it's only using about 300MB RAM and low CPU.

What could be causing this problem? Do I need to upgrade our RAM?

Plesk 11.x / Windows :: MySQL Stopping With No Apparent Reason

Apr 2, 2014

PRODUCT: Plesk for Windows. VERSION: 11.5 latest update. VERSION OF MICROUPDATE: 11.5.30 Update #39. OPERATING SYSTEM: Windows 2008 Server. Suddenly, with no apparent reason, MySQL stops and I have to go to the panel and restart it.

Every morning I have to restart MySQL through the control panel in the Windows remote console. It works all day long, and then stops at night. It should work as it always did; for several months I did not even reboot the server, now I have to reboot the server to see if that fixes the problem. Latest Windows update, latest Plesk for Windows update, but I have the feeling that with the latest microupdate something has broken.

Plesk 11.x / Linux :: SMTP Server (Postfix) Keep Stopping

Nov 27, 2014

Plesk 11.5 Linux
Centos 5.6

I am having a problem sending email. Email from others comes in, but when sent from the server it does not arrive.

SMTP Server (Postfix) keeps stopping...

Spammers On VPS

May 17, 2009

Any thoughts, or opinions are welcome. Looking for options on how to stop this.

Recently I've started receiving spam that appears to originate from a hosted domain on my VPS. It appears to only be an issue with this website account and not the VPS generally.

I've disabled the IMAP service to ensure the spam was not being sent from the server. The spam continues which leaves the POP email accounts as a possibility or something else.

My hosting provider says it looks like email spoofing.

Someone seems to be using the address at foobar.com to send out spam. The method that he has employed is called email spoofing. Email spoofing is the practice of changing your name in email so that it looks like the email came from somewhere or someone else. However, you need not be concerned.

Individuals, who are sending "junk" email or "SPAM", typically want the email to appear to be from an email address that may not exist. This way the email cannot be traced back to the originator. The spammer is not using our server to send out spam, hence your email address will never be blacklisted.

There is really no way to prevent receiving a spoofed email. Remember that although your email address may have been spoofed this does not mean that the spoofer has gained access to your mailbox.

The following are headers of two spam emails. Both of these addresses are setup as forwarders and not actual email accounts. The spam came to our attention because it is being sent to addresses on foobar.com with headers as also originating from foobar.com

I changed the actual names for privacy
host.vpsdomain.com [123.123.123.123] - VPS domain
foobar.com - website account on VPS
myemailaccount@gmail.com - address foobar forwarders send to

Delivered-To: myemailaccount@gmail.com .....

Spammers Help

Jan 26, 2007

It looks like someone is spamming from our server. I have checked exim_mainlog and got this info.

In the log file is showing like this.

2007-01-22 19:11:24 1H99Fz-0004wm-Vp <= <> R=1H99Fz-0004wl-RV U=mailnull P=local S=605030
2007-01-22 19:11:24 1H99Fz-0004wl-RV <= stlawson100@yahoo.com.hk U=churchre P=local S=3558 id=23894.217.194.149.171.1169511083....el@65.xx.xx.xx

I couldn't find who is sending.

Spammers

Dec 15, 2007

Problem with spammers. I installed bruteforce attack and apf but spammers are still trying to use my mail server to spam. bfa is sending me 20-30 warning emails every day like

Quote:

The remote system 200.83.230.214 was found to have exceeded acceptable login failures on xxxxxx; there was 62 events to the service exim. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 200.83.230.214 {bfd.exim}

The following are event logs from 200.83.230.214 on service exim (all time stamps are GMT -0600):

These spammers are causing very high CPU load and sometimes freeze my server.

Is there any way I can set it up to only allow authenticated users to access the mail server? Or any ideas?

I'm not a hosting company, I'm hosting my own websites, and I'm a poor guy who can't hire a server admin. I have searched on Google and couldn't find anything.

How To Stop Spammers?

Jun 30, 2008

I was wondering if anyone has any methods to stop spammers? Currently I am keeping watch on the mail queue and making sure there is nothing unusual. I have the WHM configuration set up to not allow more than 200 mail messages per account per hour, but for some reason it will hit thousands. WHMCS does seem to suspend them automatically, or maybe it's because of WHM, BUT only when it's too late.

Any thoughts or suggestions?

Spammers Hotlinking

Nov 8, 2009

I have found some spammer hotlinking to my images to get his site crawled, I have modified the .htaccess to attempt and serve his hotlinking domain with a warning but it does not work...

My actual .htaccess file is the one below (it was created by wordpress automatically):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I am adding these lines right below:

--------------------------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+.)?spammerdomain.com/ [NC,OR]
RewriteRule .*.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]
------------------------------------

My questions...

I don't know too much about what I am doing. I am following the tutorial here, http://altlab.com/htaccess_tutorial.html, but the problem is that my .htaccess already contains something created by WordPress that to me looks like garbage, as I don't understand the meaning.

I don't know if I should add the lines inside the <IfModule mod_rewrite.c> or outside it as I have done.

I don't know if it is OK to have RewriteEngine On two times.

PS: When I added the lines I describe above, my site also stopped displaying the images; I had stopped everyone including myself from hotlinking them. I only want to stop a certain domain. Or even better, my ideal solution is to WHITELIST my domain names (I have two hotlinking to those images), but I will settle for a blacklist if it is easier.

How To Stop Spammers ...?

Jun 2, 2009

Have a persistent spammer who kept emailing my clients, even non-existent domain accounts, and getting the bounced emails to be sent to a particular Yahoo address. I tried to block in all ways but can't seem to stop him. His spams are from all over the world. Any suggestions?

How To Catch The Spammers?

Jun 3, 2007

I have someone on my server who likes to send spam emails. How would I go about catching this person?

Protecting Against Spammers?

Jan 29, 2008

I was on my visitors on AWstats, and when looking up most of the top IPs (the ones that viewed the most pages), most of them were associated with IANA, and tagged as spam/hacker IPs.

Of course, I've blocked all of those IPs with my .htaccess file, but how can I further protect my server from such threats? How can I rid my server of these spammers/hackers?

How-To: Find PHP Nobody Spammers!

Apr 9, 2004

Someone posted some code similar to the below. I made a modification or two after trying to detect PHP "nobody" users; after dumping a few printenv outputs I found PHP exports PWD when calling an external program such as sendmail. Basically the PWD will show the user directory that it is coming from, which is enough to detect who is sending SPAM even as nobody! It's not 100% secure in that they could wipe /var/log/formmail, but I don't imagine any spammer will notice the logger; they presume any cPanel server (or other CP for that matter) is the same.

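mv /usr/sbin/sendmail /usr/sbin/sendmail2
pico /usr/sbin/sendmail   # paste the below code into it
chmod +x /usr/sbin/sendmail
echo > /var/log/formmail
chmod 777 /var/log/formmail   # world-writable so every mail-sending user can append

#!/usr/local/bin/perl
# Logging wrapper installed in place of sendmail: records who invoked it,
# then hands the message unchanged to the real binary.
use strict;

my $date     = localtime();
my $mailprog = '/usr/sbin/sendmail2';   # the real sendmail, moved aside above

open(my $log, '>>', '/var/log/formmail') || die "Failed to open file ::$!";
my $uid  = $>;
my @info = getpwuid($uid);
if ($ENV{REMOTE_ADDR}) {
    # Called from a CGI script: log the client address and the script name.
    print $log "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME}\n";
}
else {
    # Called from PHP mail(): PWD is the directory of the calling script.
    print $log "$date - $ENV{PWD} - @info\n";
}
close($log);

# List-form pipe open: the arguments go straight to the real sendmail
# instead of being re-parsed by a shell.
open(my $mail, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!";
while (<STDIN>) {
    print $mail $_;
}
close($mail);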

Finding Spammers

Jul 31, 2007

Trying to find a spammer on my system, who just sent out and is still sending out 4000+ emails...

I have a CentOS VPS with WHM.

Looked at exim_mainlog, there's nothing telling. The message body is visible, but the links it points to aren't hosted by me. There is no return address, it's sending mail as nobody. phpsuexec is not an option.

Distinguish Spammers

May 14, 2007

I need to know the ways I can distinguish spammers on my server and how to stop spamming.

Our Smtp Being Used By Spammers

Nov 3, 2009

I have a dedicated Windows 2008 server, and for the last 2 days something has been using our SMTP server to send spam; we get thousands of spam emails queued in our outbound queue, although our security is really high: SMTP authentication (open relay) and other options are already enabled, and we ran an antivirus scan too but nothing was found.

I wonder if there is anyone else out there who has faced such a problem, and how did you stop it?

Hosting Spammers

May 9, 2009

As hosting providers, it is important to follow the standard industry supported AUP/TOS agreements to keep spammers in their place. Do you believe spammers should be able to buy their way to hosting? Some hosting providers have allowed spammers to stay by allowing them to pay a premium hosting fee.

How To Stop Spammers

Apr 30, 2007

I have a massive spam problem on my server, which I cannot seem to find a cure for. Here is an example of the headers from an example email (from WHM) that is stuck in the mail queue:

I can confirm that the person who is doing this IS NOT using the 'nobody' user because I am keeping a spam_log for that.

How else is a user able to use our server for spam? Please help as I would like to get this sorted ASAP.

Hackers..spammers..

Sep 27, 2007

I've been on yet-another crusade this morning..and have a few questions for the..umm.."general" hosting audience.

We live in odd times. If you told me that script kiddies might be able to completely compromise a server via php..or that spammers are now using the webserver *itself* to send spam a few years ago..I would have laughed. This is no laughing matter.

A concept of privacy comes into play..and I'm curious how many of you handle it. Joe pays me for a account..agrees to my TOS/AUP..and starts uploading files. The way I see it..we have many ways of dealing with scripts that do bad things. It seems to me, though...this may be considered "spying" on our customers.

If we have a script..say..that runs every fifteen minutes..and looks for these scripts..wouldn't that be considered spying?

Or would this be something we should just bury in our aup/tos that this might happen? I have read and agreed to quite a few of those AUP/TOS things..and I can't remember even one time even a mention that files that I upload to the server may be scanned or inspected..before allowing the file to be placed on the server.

Never..not once.

However...this may have changed. If you've ever tried to get even a simple Perl script to work on a Cpanel server...you probably understand that many safeguards are there for the sake of everybody else on the server...and may prevent you from doing what you want to do with the script(s).

At the same time..though..it seems to fly in the face of common sense that many script packages available today are inherently insecure. Chmod 777 files and directories? Even in the times we live in today and know this is a very, very bad idea?

Yet..there seem to be even more like this today than ever before.

>>I mention this from first hand experience. One of the many magazines I get had an article detailing the trials the author was having trying to get Simple Groupware working on a vps.

Yesterday..I noticed a post with a person wanting something installed on a production server. Not only was the program a beta..but..just like Simple Groupware..looked horribly insecure.

In retrospect...I can remember the very first php script I ever used. The year was 1996..and this was my first Cpanel shared account. I even remember having to add *.php to the mime types.

It installed without a hitch..and..coming from the Perl world I had spent many years in..and many hours getting those scripts to work..it seemed almost like a miracle.

It seems, as hosts, there are a few ways we can go at this.

1) Modify the ftp server so it inspects files

2) Have a program that looks for things..much like rkhunter does.

3) A front-end for all scripts..perhaps MySQL as well..that enforces rulesets..for restricted content..or resource allocations.

Copyrights 2005-15 www.BigResource.com, All rights reserved