  1. #1
    Registered User
    Join Date
    Aug 2001
    Location
    Vancouver, BC, Canada
    Posts
    31

    EMERGENCY - Mail server WIDE OPEN

    Guys,

    I need your help. It seems someone has found an exploit on our mail system. They are using every user they can find on the system to send SPAM out.

    I need ideas; this is obviously a big problem for us, and a potential problem for many. We have Redhat 7.2 with the latest CPanel/WHM updates installed, meaning we are running the same software as most of you.

    The idiot who is spamming must know me personally; he sent me an email right after I changed the username on a customer's account, with the intro "Dear Dorkis,".

    It was sent to my personal account, which very few people have.

    He is spamming using the username@domain.com account, which I guess is the main email id for every domain on the system.

    Thanks for your thoughts and ideas,

  2. #2
    Member
    Join Date
    Aug 2001
    Posts
    839


    Right...........
    I don't understand how he or she is authenticating, from the start? Unless your relay protection is down or dead.

    Did you run
    /scripts/fixrelayd yet?

    What account did you say they were using to log in via SMTP?
    Are they logging in via POP3 as well?

    Do they actually have a legit account, or had an account?

  3. #3
    Registered User
    Join Date
    Aug 2001
    Location
    Vancouver, BC, Canada
    Posts
    31


    The person is using accounts on the server. I have tracked two separate ones. It is as if he can see the list of users on the server and is targeting them. It looks like it may be local; it says auth_sender = username, and I don't know how they are authenticating either.

    Here is an excerpt:

    17Sjjg-0005OG-00-H
    cryptic 32035 536

    1026416180 0
    -ident cryptic
    -received_protocol local
    -body_linecount 5
    -auth_id cryptic
    -auth_sender cryptic@lucky.getwebhosted.com
    -local
    XX
    1
    jmyjenann@aol.com

    152P Received: from cryptic by lucky.getwebhosted.com with local (Exim 3.35 #1)
    id 17Sjjg-0005OG-00
    for jmyjenann@aol.com; Thu, 11 Jul 2002 12:36:20 -0700
    022T To: jmyjenann@aol.com
    033F From: teodoro342000@yahoo.com ()
    098 Subject: What life has to offer k5r7g1g0
    055I Message-Id:
    038 Date: Thu, 11 Jul 2002 12:36:20 -0700


    This particular person is a good friend of mine, and the accounts before were also people I know well, but they don't know each other, yet the message that is being sent out is the same from both accounts.

    I am going to run that script now.
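    As an added example (not code from the thread), here is a small parser for Exim 3 spool `-H` records in the layout quoted above, plus a check that flags accounts that inject mail locally with a From: domain that is not the one they authenticated as. The first record is the quoted excerpt reflowed; the second and third records are constructed variants of it, and the `suspicious_accounts` threshold is an assumption.

```python
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^\d{3}[A-Z*]? (.*)$")  # "152P Received: ...": length, flag char, header

def parse_spool_header(text):
    """Parse one Exim 3 -H spool record (layout as quoted in the post) into a dict."""
    lines = text.split("\n")
    msg = {"id": lines[0][:-2], "user": lines[1].split()[0], "options": {}, "recipients": [], "headers": {}}
    i = 4                                  # skip uid/gid, envelope sender and time lines
    while lines[i].startswith("-"):        # "-name value" option lines (auth_id, auth_sender, ...)
        key, _, val = lines[i][1:].partition(" ")
        msg["options"][key] = val
        i += 1
    count = int(lines[i + 1])              # flags line ("XX"), then recipient count
    msg["recipients"] = lines[i + 2:i + 2 + count]
    last = None
    for line in lines[i + 3 + count:]:     # header block follows one blank line
        m = HEADER_RE.match(line)
        if m:
            last, _, val = m.group(1).partition(":")
            msg["headers"][last] = val.strip()
        elif last:                         # folded continuation of the previous header
            msg["headers"][last] += " " + line.strip()
    return msg

def forged_from(msg):  # True when the From: domain differs from the authenticated sender's domain
    auth = msg["options"].get("auth_sender", "")
    m = re.search(r"[\w.+-]+@([\w.-]+)", msg["headers"].get("From", ""))
    return bool(auth and m) and m.group(1).lower() != auth.rpartition("@")[2].lower()

def suspicious_accounts(records, min_msgs=2):
    per_user = defaultdict(list)
    for msg in map(parse_spool_header, records):
        if msg["options"].get("received_protocol") == "local" and forged_from(msg):
            per_user[msg["options"].get("auth_id", msg["user"])].append(msg["id"])
    return {u: ids for u, ids in per_user.items() if len(ids) >= min_msgs}  # auth_id -> message ids

PAGE_RECORD = "\n".join([  # the spool excerpt quoted in the post above, reflowed
    "17Sjjg-0005OG-00-H", "cryptic 32035 536", "", "1026416180 0", "-ident cryptic",
    "-received_protocol local", "-body_linecount 5", "-auth_id cryptic",
    "-auth_sender cryptic@lucky.getwebhosted.com", "-local", "XX", "1", "jmyjenann@aol.com", "",
    "152P Received: from cryptic by lucky.getwebhosted.com with local (Exim 3.35 #1)",
    "id 17Sjjg-0005OG-00", "for jmyjenann@aol.com; Thu, 11 Jul 2002 12:36:20 -0700",
    "022T To: jmyjenann@aol.com", "033F From: teodoro342000@yahoo.com ()",
    "098 Subject: What life has to offer k5r7g1g0", "055I Message-Id:",
    "038 Date: Thu, 11 Jul 2002 12:36:20 -0700"])
SECOND_SPAM = PAGE_RECORD.replace("17Sjjg-0005OG-00", "17Sjjh-0005PQ-00")  # constructed: same account, 2nd message
LEGIT = (PAGE_RECORD.replace("17Sjjg-0005OG-00", "17Sjk0-0005RZ-00").replace("cryptic", "alice")
         .replace("teodoro342000@yahoo.com", "alice@lucky.getwebhosted.com"))  # constructed: genuine local mail
```

    Run over the three records, `suspicious_accounts` reports only `cryptic`, since `alice` sends under her own domain.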

  4. #4
    Member
    Join Date
    Dec 2001
    Posts
    224

    Check to see if the user has the latest formmail.pl, as this happened to us because someone had version 1.6.

  5. #5
    cPanel Partner NOC
    Join Date
    Sep 2002
    Posts
    61

    Originally posted by feanor:

    Right...........
    I don't understand how he or she is authenticating, from the start? Unless your relay protection is down or dead.

    Did you run
    /scripts/fixrelayd yet?

    What account did you say they were using to log in via SMTP?
    Are they logging in via POP3 as well?

    Do they actually have a legit account, or had an account?

    How do I run fixrelayd?
    Please help, I am having a big problem too.

  6. #6
    Member
    Join Date
    Sep 2001
    Posts
    251


    Log in as root and type in /scripts/fixrelayd

  7. #7
    Member (bmcpanel)
    Join Date
    Jun 2002
    Posts
    546


    locate formmail.pl
    locate FormMail.pl

    rm -r -f /home/username/cgi-bin/formmail.pl

    when found.

    We told all customers that "formmail.pl" and "FormMail.pl" are not acceptable names for their formmail script, because spammers know to look for the script by those names, and because we cannot be sure whether it is the new, secure script or not without checking each copy.

    So, our policy is, they had to name it to a different name and update their form pages. This has worked. The formmail.pl problem used to be a major pain for us, but our new policy has wiped out spam via the formmail.pl script.

  8. #8
    cPanel Partner NOC
    Join Date
    Sep 2002
    Posts
    61

    I have cleaned up all the formmail scripts and have run fixrelayd.

    Still having a big big big problem here.
    Anyone have any idea? Please help me.

    The information I have found is that when that person starts spamming,
    from cpanel I can see in the current processes that

    /usr/local/apache/bin/httpd -DSSL becomes really high (about 50-70% of CPU usage)

    and a lot of /usr/sbin/sendmail processes too.

    Please help. What version of exim are you all using? Is it hard to upgrade to the latest version? Any idea? Please help!
