  1. #1
    Member duranduran
    Join Date
    Apr 2004
    Posts
    198

    A BIG SPAMMER ATTACK - help

    Hi Guys,

    I have a BIG problem - a SPAMMER is using one of my servers to send thousands of emails. I really don't know how. I tried everything, all solutions, and I simply cannot identify how this SPAMMER is sending those emails. The SPAMMER continues to use this server.

    Please, I really need help.

    This is a mail header (sent to me by my DC - ThePlanet):

    Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma05.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA058-8ae4647a2e785; Sun, 13 May 2007 19:44:42 -0400
    Received: from ypwhw (240.55.175.245)
    by ssl.lx8server.com; Sun, 13 May 2007 20:44:32 -0300
    Date: Sun, 13 May 2007 20:44:32 -0300
    From: <amyr@compuvision.net>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <20maxcandy@hotmail.com>
    X-Priority: 3 (Normal)
    Message-ID: <39425751.20060609052006@compuvision.net>
    To: redacted@aol.com
    Subject: =?iso-8859-5?B?ZnJlZSB2YWNhbmN5?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------3F5DDCD38AAF7"
    X-AOL-IP: 209.62.14.18


    Other:

    Return-Path: <noreply@site.careerbuilder.com>
    Received: from rly-ma07.mail.aol.com (rly-ma07.mail.aol.com [172.20.116.51]) by air-ma06.mail.aol.com (v115.11) with ESMTP id MAILINMA061-8be4648c5301bb; on, 14 May 2007 16:23:36 -0400
    Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma07.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA078-8be4648c5301bb; Mon, 14 May 2007 16:23:12 -0400
    Received: from askepy (237.83.205.19)
    by ssl.lx8server.com; Mon, 14 May 2007 17:23:05 -0300
    Date: Mon, 14 May 2007 17:23:05 -0300
    From: <noreply@site.careerbuilder.com>
    X-Mailer: The Bat! (v2.01)
    Reply-To: <noreply@site.careerbuilder.com>
    X-Priority: 3 (Normal)
    Message-ID: <16100012.20060911152825@site.careerbuilder.com>
    To: redacted@aol.com
    Subject: =?iso-8859-5?B?Q2FyZWVyQnVpbGRlci5jb20g?=
    =?iso-8859-5?B?Sm9iIE1hdGNoZXM6IEVuam95?=
    =?iso-8859-5?B?IHdvcmtpbmcgaW4gYSBjaGFs?=
    =?iso-8859-5?B?bGVuZ2luZyBhbmQgcmV3YXJk?=
    =?iso-8859-5?B?aW5nIGVudmlyb25tZW50Lg==?=
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------F3712F2DB5"
    X-AOL-IP: 209.62.14.18


    Other:

    Return-Path: <no_reply@paypal.com>
    Received: from rly-ma04.mail.aol.com (rly-ma04.mail.aol.com [172.20.116.48]) by air-ma10.mail.aol.com (v115.11) with ESMTP id MAILINMA102-8a1464a9134297; Wed, 16 May 2007 01:06:13 -0400
    Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma04.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA043-8a1464a9134297; Wed, 16 May 2007 01:05:56 -0400
    Received: from wkqsiq (159.213.21.132)
    by ssl.lx8server.com; Wed, 16 May 2007 02:05:44 -0300
    Message-ID: <007f01c4a93f$ab84947d$473ffb22@wkqsiq>
    Reply-To: <no_reply@paypal.com>
    From: <no_reply@paypal.com>
    To: redacted@aol.com
    Subject: =?iso-8859-5?B?UGF5UGFsIEZyYXVkIE1lZGlh?=
    =?iso-8859-5?B?dGlvbiBSZXF1ZXN0KEFsZXJ0?=
    =?iso-8859-5?B?SUQgQ09ERTo=?=
    Date: Wed, 16 May 2007 02:05:44 -0300
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0072_01C4FB22.473F947D"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    X-AOL-IP: 209.62.14.18


    This server has:

    WHM 10.8.0 cPanel 10.9.0-S9966
    RedHat Enterprise 4 i686 - WHM X v3.1.0


    PHPsuexec, the `nobody` user does not send emails, I have ACL and RBL rules, ConfigServer Firewall, etc. At this moment I cannot send emails to AOL and HOTMAIL (I am blocked). Root access is fine I believe (I executed chkrootkit and rkhunter, no problems found).

    I need help - Thanks for all!!!

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    49

    In that case you should see some entries in your exim logfiles.
    Go through them and you will find the account used.
    If you know the account... do whatever you have to do.

  3. #3
    Member duranduran
    Join Date
    Apr 2004
    Posts
    198

    This is the problem: this account/domain/user doesn't exist on this server, and anti-relay is working as well.

  4. #4
    Registered User
    Join Date
    May 2007
    Posts
    1

    Quote Originally Posted by duranduran
    This is the problem: this account/domain/user doesn't exist on this server, and anti-relay is working as well.
    This is what I would do. I would log in to the WHM main control panel, go down to Service Manager and click on it, then uncheck both check boxes for the exim server and save the change. This is perfectly safe to do. Why? Because this will disable the mail server. This will be a temporary solution, and when called about not being able to send email, just inform them that the email server is having a security update and should be back up within one to two hours. No one will lose any email on the server because all servers on the net use a retry send period of up to 3 days and a default time of every hour to resend email to you.

    The next thing to do is go to your Email section and click View Mail Statistics,
    then look for the section below and see if there is a list; if not, your server was not set up right.
    Top 50 mail rejection reasons by message count
    ----------------------------------------------
    Now look for the section
    Top 50 sending hosts by message count
    -------------------------------------

    The one with an unusually high count is probably the one; get its info for later tracking.

    Now we are going to fix this problem by correcting your server email configuration.

    Go to the Server Configuration section and click Tweak Settings.
    Go to the Mail section and put a check in the box for
    Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
    then save changes.

    Now go back to Service Manager and re-enable the exim mail server.

    Now we need to track down this issue.
    Monitor the exim usage and check to see if you are having issues.

    Please note that if the spammer domain that sent the email is not in any account, this is known as script email spoofing. This can be checked by looking at users' per-script resource usage.


    Go to the Server Status section and click CPU/Memory/MySQL Usage; this will show the exact script and how much CPU resource it is using, and the path shows the account name. This is a start. See if this helps you find the person. When I get the exim conf I will post info on what to change to disable relaying email.

    Go to the Service Configuration section, click on Exim Configuration, check "verify user" and save changes.
    Last edited by sbutler; 05-19-2007 at 07:31 AM. Reason: added configuration info

  5. #5
    Member
    Join Date
    Oct 2006
    Posts
    191


    Maybe check out this antispam service offered by Chirpy

    http://www.configserver.com/cp/exploit.html

    Perhaps he could get it taken care of.
    Owner/President
    Booyah! Web Hosting
    Great Personal Service
    Experience the Booyah! Difference

  6. #6
    Member
    Join Date
    Jan 2004
    Posts
    49

    Ok,

    in this case... check every CGI (Perl/PHP/Python, whatever is installed) your users have installed for opening port 25 or something like that.

  7. #7
    Member serversphere
    Join Date
    Jan 2004
    Posts
    658

    Quote Originally Posted by sbutler
    No one will lose any email on the server because all servers on the net use a retry send period of up to 3 days and a default time of every hour to resend email to you.
    Not all servers on the net use the same settings. Some might not retry, some might only retry for an hour. It all depends. Generally this is close to being correct; I just thought I'd point out that not all servers on the net follow this exact formula.

  8. #8
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Oct 2003
    Posts
    1,924

    Just cleared this loser off one of our clients' servers (moving from host to host).


    Add
    log_selector = +arguments +subject
    into the top box of your exim.conf advanced editor,

    tick: Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)

    in tweak settings

    and watch your mail logs



    grep your /home dir for parts of the spammy email


    I could hunt them down in about ten minutes.

    good luck


    cheers
    Lowest Host/Empire Technology LLC
    Affordable hosting solutions http://empire-hosting.net
    List Your hosting site FREE in http://hostgeneration.com
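Once `log_selector = +arguments +subject` is in exim.conf (post #8) the mainlog records the working directory of every local sendmail call and the subject of every arrival, which is the data behind the "unusually high count" post #4 tells you to chase in the sending-host statistics. This is an added example, not code from the thread or from cPanel: a small tally over a constructed exim_mainlog sample (users, paths, ids and addresses are invented) that groups sendmail calls by cwd and arrivals by submitting user or authenticated id, so the account and script directory stand out.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines as they look once
# "log_selector = +arguments +subject" is set: each local sendmail call
# logs its cwd= and argv, and each arrival (<=) carries the envelope
# sender, the submitting user (U=) or authenticated id (A=), the
# protocol (P=) and the subject (T=). All values here are invented.
SAMPLE_MAINLOG = """\
2007-05-13 20:44:31 cwd=/home/acme/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2007-05-13 20:44:32 1Hn1aa-0001aa-Aa <= amyr@compuvision.net U=acme P=local S=2136 T="free vacancy"
2007-05-13 20:44:33 cwd=/home/acme/public_html/forms 3 args: /usr/sbin/sendmail -t -i
2007-05-13 20:44:33 1Hn1ab-0001ab-Ab <= amyr@compuvision.net U=acme P=local S=2136 T="free vacancy"
2007-05-13 20:45:01 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2007-05-13 20:45:01 1Hn1ac-0001ac-Ac <= bob@example.org U=bob P=local S=812 T="invoice"
2007-05-13 20:45:10 1Hn1ad-0001ad-Ad <= alice@example.org H=(mail.example.org) [192.0.2.5] P=esmtpa A=dovecot_login:alice S=900 T="hello"
"""

ARGS_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<argv>.*)$")
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")

def field(rest, key):
    """Return the value of a 'key=value' token in an exim log line, or None."""
    m = re.search(r"(?:^| )" + re.escape(key) + r"=(\S+)", rest)
    return m.group(1) if m else None

def summarise(log_text):
    """Tally sendmail calls by cwd, arrivals by (protocol, origin, sender), and subjects."""
    by_cwd, by_origin, by_subject = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            by_cwd[m.group("cwd")] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        # Local submissions carry U=<unix user>; SMTP ones carry A= or H=.
        origin = field(rest, "U") or field(rest, "A") or field(rest, "H")
        by_origin[(field(rest, "P"), origin, m.group("sender"))] += 1
        subj = re.search(r'T="([^"]*)"', rest)
        by_subject[subj.group(1) if subj else ""] += 1
    return by_cwd, by_origin, by_subject

def top_sources(log_text, n=3):
    """Most frequent cwd, origin and subject: the counts worth chasing first."""
    by_cwd, by_origin, by_subject = summarise(log_text)
    return by_cwd.most_common(n), by_origin.most_common(n), by_subject.most_common(n)
```

The winning cwd is the directory to inspect (and, as post #8 suggests, the subject string is what to grep /home for); on a real box feed it `open("/var/log/exim_mainlog").read()` instead of the sample.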
