Hi,
My email queue shows 1,000 messages, all sent to someone@hotmail.com. Seems like a mailbomber script on our server; how do we detect it?
What do we have to check?
Please guide me! I want to delete the fu... that is sending spam
Thanks
Just some ideas that may or may not help:
Check the email headers to see if it tells you anything.
Check current running processes.
Use command "top" in shell and see what it says.
Try "View Mail Stats" in WHM. It may show which user is doing the sending.
Also possible it could be an outside user, either running a script of his own or found an exploitable formmail script.
Here's the Header
1AzDKZ-0003mK-J8-H
nobody 99 99
<426044@microsoft.com>
1078485447 0
-ident nobody
-received_protocol local
-body_linecount 1
-auth_id nobody
-auth_sender nobody@free.mtxis.net
-local
XX
1
hoangtu_deptrai_87@yahoo.com
151P Received: from nobody by free.mtxis.net with local (Exim 4.24)
id 1AzDKZ-0003mK-J8
for hoangtu_deptrai_87@yahoo.com; Fri, 05 Mar 2004 03:17:27 -0800
033T To: hoangtu_deptrai_87@yahoo.com
016 Subject: 104726
027F From: 426044@microsoft.com
047I Message-Id: <E1AzDKZ-0003mK-J8@free.mtxis.net>
040* X-rewrote-sender: nobody@free.mtxis.net
038 Date: Fri, 05 Mar 2004 03:17:27 -0800
1AzDKZ-0003mK-J8-D
nhan bom nhe con trai ta
received_protocol local
So, it's sent from your server (you already knew that)
auth_sender nobody@free.mtxis.net
Makes this harder to trace. Do you have...
1. SuExec enabled? If so, then it's probably not from a CGI script
2. PHPSuexec enabled? If so, then it's probably not from a PHP script
3. "Prevent the user 'nobody' from sending out mail to remote addresses" enabled under WHM > Tweak Settings? If not, enable it now!
Check for failure errors in /etc/httpd/logs/error_log as they may have generated errors when trying to take over the script
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
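To put the two pieces of advice in this thread (read the queued headers; work out which user and protocol injected the mail) into a repeatable check, here is an added example that is not from the thread, cPanel or Exim. It parses an Exim spool header file in the same "-H" layout quoted above, reports the injection path (received_protocol, ident, spool user, auth_sender versus the From: header), and summarises a whole queue by injector and by recipient so a burst to one address stands out. The spool text, addresses and the WEB_USERS set are constructed assumptions; the spool file layout is Exim 4's as shown in the dump above.

```python
"""Triage Exim spool header files ("-H" files under the spool input directory)
to find who injected a burst of queued mail. Added example for this thread;
not code from the thread, cPanel or Exim."""
import re
from collections import Counter

# Assumption: accounts a web server runs scripts as (cPanel's is "nobody").
WEB_USERS = {"nobody", "apache", "www-data"}

# Constructed sample modelled on the spool dump quoted in the thread, with
# placeholder addresses. Exim writes a blank line before the header block;
# each header line is prefixed by its byte length and a one-char flag.
SAMPLE_SPOOL = """\
1AzDKZ-0003mK-J8-H
nobody 99 99
<forged-sender@example.com>
1078485447 0
-ident nobody
-received_protocol local
-body_linecount 1
-auth_id nobody
-auth_sender nobody@mail.example.net
-local
XX
1
victim@example.org

143P Received: from nobody by mail.example.net with local (Exim 4.24)
\tid 1AzDKZ-0003mK-J8
\tfor victim@example.org; Fri, 05 Mar 2004 03:17:27 -0800
016 Subject: 104726
032F From: forged-sender@example.com
038 Date: Fri, 05 Mar 2004 03:17:27 -0800
"""

HEADER_RE = re.compile(r"^(\d{3})([ *A-Za-z])(.*)$")


def parse_spool_header(text):
    """Parse one -H file into a dict of envelope data, options and headers."""
    lines = text.splitlines()
    msg = {"options": {}, "recipients": [], "headers": []}
    msg["message_id"] = lines[0].rsplit("-", 1)[0]      # drop the "-H" suffix
    msg["spool_user"] = lines[1].split()[0]             # user who injected it
    msg["envelope_sender"] = lines[2].strip("<>")
    msg["received_time"] = int(lines[3].split()[0])     # epoch seconds
    i = 4
    while i < len(lines) and lines[i].startswith("-"):  # "-key value" options
        key, _, value = lines[i][1:].partition(" ")
        msg["options"][key] = value                      # "-local" stores ""
        i += 1
    while not lines[i].strip().isdigit():               # skip the "XX" tree
        i += 1
    count = int(lines[i])
    i += 1
    msg["recipients"] = [lines[i + k].split()[0] for k in range(count)]
    for line in lines[i + count:]:
        m = HEADER_RE.match(line)
        if m:
            msg["headers"].append(m.group(3).strip())
        elif msg["headers"] and line[:1] in ("\t", " "):
            msg["headers"][-1] += " " + line.strip()     # unfold continuation
    return msg


def header(msg, name):
    """Return the first header with this name, or None."""
    for h in msg["headers"]:
        field, _, value = h.partition(":")
        if field.lower() == name.lower():
            return value.strip()
    return None


def triage(msg):
    """Findings that point at the injection path of a queued message."""
    opts, findings = msg["options"], []
    if opts.get("received_protocol") == "local":
        findings.append("local injection (sendmail/pipe) by uid %s, ident %s"
                        % (msg["spool_user"], opts.get("ident")))
    if msg["spool_user"] in WEB_USERS or opts.get("ident") in WEB_USERS:
        findings.append("sent as the web-server user: look for a CGI/PHP "
                        "script, not a mail client; check the httpd error_log")
    from_hdr, auth = header(msg, "From"), opts.get("auth_sender", "")
    if from_hdr and auth and from_hdr.rsplit("@", 1)[-1] != auth.rsplit("@", 1)[-1]:
        findings.append("forged From: %s vs auth_sender %s" % (from_hdr, auth))
    return findings


def summarize_queue(spool_texts, burst_threshold=100):
    """Group a whole queue by injector and recipient; flag recipient bursts."""
    by_injector, by_recipient = Counter(), Counter()
    for text in spool_texts:
        msg = parse_spool_header(text)
        by_injector[(msg["spool_user"], msg["options"].get("received_protocol"))] += 1
        by_recipient.update(msg["recipients"])
    bursts = [r for r, n in by_recipient.items() if n >= burst_threshold]
    return {"by_injector": by_injector, "by_recipient": by_recipient, "bursts": bursts}


if __name__ == "__main__":
    # Simulate a queue of 120 copies of the sample with distinct message ids.
    queue = [SAMPLE_SPOOL.replace("1AzDKZ-0003mK-J8", "1AzDKZ-0003mK-%03d" % n)
             for n in range(120)]
    for finding in triage(parse_spool_header(queue[0])):
        print("-", finding)
    print(summarize_queue(queue))
```

On a real server you would feed `summarize_queue` the contents of every `*-H` file in the Exim input spool instead of the constructed copies; the `by_injector` counter then shows at a glance whether the burst came in as `("nobody", "local")`, which is the CGI/PHP case the reply above describes, or via an authenticated SMTP session from a real mailbox user.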
Hi,
Originally posted by chirpy:
received_protocol local
So, it's sent from your server (you already knew that)
auth_sender nobody@free.mtxis.net
Makes this harder to trace. Do you have...
1. SuExec enabled? If so, then it's probably not from a CGI script
2. PHPSuexec enabled? If so, then it's probably not from a PHP script
3. "Prevent the user 'nobody' from sending out mail to remote addresses" enabled under WHM > Tweak Settings? If not, enable it now!
Check for failure errors in /etc/httpd/logs/error_log as they may have generated errors when trying to take over the script
But then I won't be able to use the () Mail function?
BTW; SuExec is Enabled, do I enable PHPsuEXEC ?