  1. #1
    Member
    Join Date
    May 2005
    Posts
    14

    Default Can you help me immediately?

    Dear Sirs

    My server is processing over 1000 mails in 1 minute by nobody@myserver.net.

    I restarted exim several times and also shut it down, but the exim mail processes are still continuing. This situation is making my CPU work too hard, up to 70%.

    How can I stop this event? I am scanning for trojans on the server but I couldn't succeed. I am writing below the mail which it processed. What can I do? Please help me.

    Yours sincerely

    Code:
    1EA1iH-0002t9-Cu-D
    Hi. This is the qmail-send program at mail.connectsul.com.br.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.
    
    <pcarriquiry@connectsul.com.br>:
    user does not exist, but will deliver to /home/vpopmail/domains/connectsul.com.br/6/armelindo/
    can not open new email file errno=2 file=/home/vpopmail/domains/connectsul.com.br/6/armelindo/Maildir/tmp/1125391519.1647.server3.connectsul.com.br,S=8816
    system error
    
    --- Below this line is a copy of the message.
    
    Return-Path: <nobody@linux2.greennetworks.net>
    Received: (qmail 1336 invoked by uid 500); 30 Aug 2005 05:45:09 -0300
    Received: from unknown (HELO linux2.greennetworks.net) (66.90.104.210)
      by mail.connectsul.com.br with SMTP; 30 Aug 2005 05:45:09 -0300
    Received: from nobody by linux2.greennetworks.net with local (Exim 4.52)
    	id 1EA1ev-0001ie-9z
    	for pcarriquiry@connectsul.com.br; Tue, 30 Aug 2005 11:39:57 +0300
    To: pcarriquiry@connectsul.com.br
    Subject: Amor, Veja o que preparei para você!
    From: VirtualCards <mensageiro@virtualcards.com.br>
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    Content-Transfer-encoding: 8bit
    Reply-To: VirtualCards <mensageiro@virtualcards.com.br>
    Message-ID: <e8d856527a6a24503c38256b5bf0f681@virtualcards.com.br>
    X-Priority: 1
    X-MSmail-Priority: High
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
    Date: Tue, 30 Aug 2005 11:39:57 +0300
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - linux2.greennetworks.net
    X-AntiAbuse: Original Domain - connectsul.com.br
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - linux2.greennetworks.net
    X-Source: 
    X-Source-Args: 
    X-Source-Dir: 
    
    <html>
    
    <head>
    <meta http-equiv="Content-Type" content="text/html;
    charset=windows-1252">
    <meta name="GENERATOR" content="Microsoft FrontPage 4.0">
    <meta name="ProgId" content="FrontPage.Editor.Document">
    <title>VIRTUALCARDS PARA VOCÊ</title>
    </head>
    
    <body>
    
    <br>
    <!-- saved from
    url=(0047)http://www.contatoclientes.com/virtualcards.htm -->
    <div>
      <table class="bl" height="100%" cellSpacing="0" cellPadding="5"
    width="100%" border="0">
        <tbody>
          <tr>
            <td class="txt" vAlign="top" height="90%">
              <div>
                <table height="100%" width="100%" bgColor="#ffffff">
                  <tbody>
                    <tr>
                      <td vAlign="top">
                        <table cellSpacing="0" cellPadding="0"
    width="580" align="center" border="0">
                          <tbody>
                            <tr>
                              <td><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><img
    id="imgglobo0" alt="imagem removida"
    src="http://www.focusi.net/images/top_email.gif" border="0" oSrc
    width="580" height="84"></a></td>
                            </tr>
                            <tr bgColor="#ffffff">
                              <td bgColor="#9966ff" height="488">
                                <p align="center"> </p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="1"><b><font color="#ff6600"
    size="3"><br>
                                </font><font size="3"><span
    class="style1"><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr">VIRTUALCARD<font
    size="3" face="Verdana, Arial, Helvetica, sans-serif">S
                                PARA
    VOCÊ!!!</font></a></span></font></b></font></p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="2">Tudo
                                bem com você?! Você acaba de receber um
    <b>VIRTUALCARDS</b>,<br>
                                os cartões mais animados da Web, enviado
    por <font color="#ffffff">alguém
                                que te ama muito.</font><br>
                                Para visualizá-lo, basta clicar no link
    abaixo e
                                pronto!<br>
                                <br>
                                <b><br>
                                </b></font><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><img
    id="imgglobo1" alt="imagem removida"
    src="http://www.focusi.net/images/flores.gif" border="0" oSrc
    width="243" height="266"></a></p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="2"><b><a style="TEXT-DECORATION:
    none" <A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><font
    color="#ffffff">Clique
                                aqui para visualizar o seu
    cartão</font></a></b></font></p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="2"> </font><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><img
    id="imgglobo2" alt="imagem removida"
    src="http://www.focusi.net/images/botao_enviar2.gif" border="0" oSrc
    width="53"
    height="21"></a>                 
                                <A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><img
    id="imgglobo3" alt="imagem removida"
    src="http://www.focusi.net/images/botao_agradecer.gif" border="0"
    oSrc width="91" height="21"></a><font face="Verdana, Arial,
    Helvetica, sans-serif" size="2"><br>
                                <center><font face="Verdana, Arial,
    Helvetica, sans-serif"
    size="1">--------------------------------------------------------------------------------</font><font
    face="Verdana, Arial, Helvetica, sans-serif" size="2"><br>
                                                    </a><br>
                                </font></center>
                                <p> </p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="2"><b>Um
                                grande abraço da Equipe
    VIRTUALCARDS</b>.</font><font face="Verdana, Arial, Helvetica,
    sans-serif"><br>
                                </font></p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif"
    size="1">--------------------------------------------------------------------------------<br>
                                <br>
                                <div align="center">
                                  <A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><img
    id="imgglobo4" alt="imagem removida"
    src="http://www.focusi.net/images/screensaver.gif" border="0" oSrc
    width="468" height="60"></a>
                                </div>
                                <br>
                                </font>
                                <p> </p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="1"><b><font color="#ffffff"
    size="2"><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr">Informações
                                sobre este
    e-mail</a></font></b></font></p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="1">Este
                                e-mail foi gerado automaticamente. Não
    responda.<br>
                                </font></p>
                                <p align="center"><font face="Verdana,
    Arial, Helvetica, sans-serif" size="1"><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr">|
                                Termos do Serviço e Política de
    Privacidade |<br>
                                </a>
                                <br>
                                <b>Copyright © 2001 - 2005 VITALEWEB -
    BRASIL</b><br>
                                Todos os Direitos Reservados - All Rights
    Reserved<br>
                                <br>
                                </font></p>
                                </font></td>
                            </tr>
                            <tr>
                              <td><font size="2"><A
    onmousemove="window.status='http://brturbo.virtualcards.com.br/visulizar.php?cartao=26082005%f305482';"href="http://www.focusi.net/images/visualizarcartao.scr"><img
    id="imgglobo5" alt="imagem removida"
    src="http://www.focusi.net/images/base_email.gif" border="0" oSrc
    width="580" height="38"></a></font></td>
                            </tr>
                          </tbody>
                        </table>
                      </td>
                    </tr>
                  </tbody>
                </table>
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </div>
    
    </body>
    
    </html>

  2. #2
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    It looks like you have spammers on your server. Usually they gain entry through vulnerable PHP scripts and then upload their spamming scripts and run them. You need to get the server secured, cleaned and any vulnerable scripts either upgraded or removed from the server.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3
    Member
    Join Date
    May 2005
    Posts
    14

    Default

    How can I do it?

  4. #4
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    If you don't know how, you should probably hire a server administrator to do it for you. There are various sticky server admin/security related threads on the forum.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  5. #5
    Member
    Join Date
    Apr 2003
    Location
    Lewisville, Tx
    Posts
    968

    Default

    I recommend you hire Chirpy here to help you out. You really should never put an insecure server out on the Internet; it only takes a few hours to get them hacked these days. Just because there is a control panel on it does not make it so you can admin it.
    Kris
    NCServ, LLC.
    WebHosting - Dedicated Servers - Colocation
    sales@ncerv.com

  6. #6
    Member SageBrian's Avatar
    Join Date
    Jun 2002
    Location
    NY/CT (US)
    Posts
    386

    Default

    If Chirpy is available right now, I would hire him immediately to take care of it for you. It's worth every penny.

  7. #7
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Default

    Quote Originally Posted by SageBrian
    If Chirpy is available right now, I would hire him immediately to take care of it for you. It's worth every penny.
    I second that. He puts a whole new meaning on customer service and quality that just cannot be beaten.

  8. #8
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Thumbs up

    I third that. Hey, can I do that?

  9. #9
    Member
    Join Date
    Jan 2005
    Posts
    1,880

    Default

    Quote Originally Posted by Infopro
    I third that. Hey, can I do that?
    I think that thirding is fine, as is fourthing.

    When you get to the point of fifthing, you have to draw a line diagonally through the first four and start a new block. Or maybe I'm confusing this with something else.

  10. #10
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    Quote Originally Posted by greenwater
    Dear Sirs

    My server is processing over 1000 mails in 1 minute by nobody@myserver.net.

    I restarted exim several times and also shut it down, but the exim mail processes are still continuing. This situation is making my CPU work too hard, up to 70%.

    How can I stop this event? I am scanning for trojans on the server but I couldn't succeed. I am writing below the mail which it processed. What can I do? Please help me.
    We'll be more than happy to help. PM me
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  11. #11
    Member
    Join Date
    May 2005
    Posts
    14

    Default

    thanks

  12. #12
    Member
    Join Date
    Feb 2003
    Posts
    165

    Default

    First thing I'd do is stop up the mail queue to prevent any from getting off the server.

    A quick way of doing that is to place a garbage line at the beginning of
    /etc/antivirus.exim

    Once that is done, the spammer thinks he's still spamming, but nothing leaves your box for a bit...

    If you do not have phpsuexec installed on this system, I'd install it now (at least long enough to discover who nobody is).

    If you want to PM me, I'd be happy to do it for you.
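
The question post #12 raises, who "nobody" is, can also be approached from the Exim main log. The following is an added example, not part of any post in this thread: it counts locally injected messages per Unix user and ranks the directories from which sendmail was invoked. It assumes Exim's standard main-log format with the `+arguments` log selector enabled (the source of the `cwd=` lines); the sample log, hostnames and function names are constructed.

```shell
#!/bin/sh
# Added example: triage an Exim main log for locally injected mail.
# SAMPLE_LOG is constructed; on a real server pipe the Exim main log into
# the functions instead (its path varies by installation).
SAMPLE_LOG='2005-08-30 11:39:55 cwd=/home/acct1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2005-08-30 11:39:55 1EA1aa-0001ia-AA <= nobody@host.example U=nobody P=local S=8816
2005-08-30 11:39:56 cwd=/home/acct1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2005-08-30 11:39:56 1EA1ab-0001ic-BB <= nobody@host.example U=nobody P=local S=8816
2005-08-30 11:39:57 cwd=/home/acct1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2005-08-30 11:39:57 1EA1ac-0001ie-CC <= nobody@host.example U=nobody P=local S=8816
2005-08-30 11:40:01 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2005-08-30 11:40:02 cwd=/home/acct2 3 args: /usr/sbin/sendmail -t -i
2005-08-30 11:40:02 1EA1ad-0001ig-DD <= acct2@host.example U=acct2 P=local S=1204
2005-08-30 11:40:05 1EA1ae-0001ii-EE <= someone@remote.example H=mx.remote.example [192.0.2.10] P=esmtp S=2210'

# Count accepted messages ("<=") that were injected locally (P=local),
# grouped by the submitting Unix user (U=). Output: "<count> <user>".
local_senders() {
    awk '$4 == "<=" {
             user = ""; is_local = 0
             for (i = 6; i <= NF; i++) {
                 if ($i ~ /^U=/) user = substr($i, 3)
                 if ($i == "P=local") is_local = 1
             }
             if (is_local && user != "") n[user]++
         }
         END { for (u in n) print n[u], u }' | sort -rn
}

# Rank the working directories from which mail was submitted, skipping
# Exim's own spool directory (queue runs). A web script sending as
# "nobody" typically shows up as one dominant directory under an
# account's document root. Output: "<count> <directory>".
sending_dirs() {
    awk '$3 ~ /^cwd=/ && $3 != "cwd=/var/spool/exim" { n[substr($3, 5)]++ }
         END { for (d in n) print n[d], d }' | sort -rn
}

echo "Local submissions per user:"
printf '%s\n' "$SAMPLE_LOG" | local_senders
echo "Submissions per working directory:"
printf '%s\n' "$SAMPLE_LOG" | sending_dirs
```

The top directory is where to look for the uploaded or vulnerable script; the owning account is the first path component under the home directory.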
