HELP! Somebody has hijacked my email system

**sexy_guy** · 04-14-2003 06:10 PM

I have over 600 of these going out from my server right now, i just caught it, and i cant find the source!!!!

2003-04-14 15:07:03 195C6Q-0004zd-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1

ES-CBC3-SHA:168 S=527120 id=E195AKc-00088X-00@myserver.com
2003-04-14 15:07:03 195C6I-0004zJ-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1

ES-CBC3-SHA:168
2003-04-14 15:07:03 195C6I-0004zJ-00 Completed
2003-04-14 15:07:08 195C6V-0004zr-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1

ES-CBC3-SHA:168 S=527650 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:09 195C6Q-0004zd-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1

ES-CBC3-SHA:168

The only thing i can do it shut down Exim to stop it. How can i find out who this is?

Thats because cpanel allows messages to be send out of the server as nobody!

**xsenses** · 04-14-2003 06:19 PM

Originally posted by sexy_guy
Thats because cpanel allows messages to be send out of the server as nobody!

Can't you stop "nobody" from sending email in WHM?

**sexy_guy** · 04-14-2003 06:21 PM

Nope, so far they cant do it, isnt it amazing look at this

12-13 53 ....
13-14 616 ...................................................
14-15 394 ................................
15-16 83 ......

sent in 1hr as nobody! Im still trying to stop this crap from leaving my server.

**dgbaker** · 04-14-2003 06:23 PM

In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

**sexy_guy** · 04-14-2003 06:37 PM

I did that already and that doesnt work dgbaker. I just finished installing a mail monitor script that will tell me whos sending it. Any msgs over 5 msgs will halt the sender.

**sexy_guy** · 04-14-2003 06:45 PM

Originally posted by dgbaker
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

Dont know how this phpsuexec works but after i recompiled my system last night to include it Squirrelmail was inaccessible throughout the entire system. And we had all kinds of permission problems all over the server.

**sexy_guy** · 04-14-2003 07:07 PM

Very strange, it doesnt seem to be coming from my server. Wait localhost coming in then going straight out? I dont get this.

**sexy_guy** · 04-14-2003 07:38 PM

anyone know how i can setup an exim rule to prevent delivery of messages to a domain..

These messages are being sent to NOT.COM that has an ip of 0.0.0.0.

**Radio_Head** · 04-15-2003 04:04 AM

I had this problem some weeks ago when a client asked me to
modify Mail A Record .... modifing this parameter he was able to send spam ...

Removing that value , spammer was stopped .

Perhaps is it your problem too ?

**sexy_guy** · 04-15-2003 06:13 AM

Originally posted by dgbaker
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

Can you write a howto on this? I mean installing it is easy however what about all the file persmissions. This is a nighmare. When i did install it i had to remove it moments after the compile because everthing stopped working, permission problems all over the place, paths not found etc etc. Good thing it was 3am otherwise our users would have killed us.

**sexy_guy** · 04-15-2003 06:19 AM

Originally posted by Radio_Head
I had this problem some weeks ago when a client asked me to
modify Mail A Record .... modifing this parameter he was able to send spam ...

Removing that value , spammer was stopped .

Perhaps is it your problem too ?

We dont allow our users to modify MX records but this is what we found out. The guy used a sites E-Greeting card program to send out a greeting card to himself which he looped back to his origional email address then fired it off. This looped the program out of control. It stopped after 5hrs and 1,300+ emails later. We cannot recreate the problem so it seems it was a deliberate attempt. Amazing people.

**jamesbond** · 04-15-2003 06:21 AM

Originally posted by sexy_guy
Can you write a howto on this? I mean installing it is easy however what about all the file persmissions. This is a nighmare. When i did install it i had to remove it moments after the compile because everthing stopped working, permission problems all over the place, paths not found etc etc. Good thing it was 3am otherwise our users would have killed us.

I haven't tried phpsuexec myself, but regarding the permissions I think you could do something like this :

find /home/*/public_html -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' | xargs chmod -v a+x

See:
http://forums.cpanel.net/showthread....&threadid=8576

**sexy_guy** · 04-15-2003 06:29 AM

Im really reluctant to change all the permissions only to find out it didnt work and be stuck with a bunch of nonworking sites. Has anyone done this and knows it works for sure?

**Radio_Head** · 04-15-2003 06:30 AM

Originally posted by sexy_guy
We dont allow our users to modify MX records but this is what we found out. The guy used a sites E-Greeting card program to send out a greeting card to himself which he looped back to his origional email address then fired it off. This looped the program out of control. It stopped after 5hrs and 1,300+ emails later. We cannot recreate the problem so it seems it was a deliberate attempt. Amazing people.

No I am not talking of mx ... however it was a dns parameter ,
I cannot remember now (perhaps Mail Record A).

LinkBack

Thread Tools

HELP! Somebody has hijacked my email system

Re: HELP! Somebody has hijacked my email system

Help! Mail Hijacked!

hijacked server?

Email system...

Contact Us form hijacked?

System email not being sent