
Email issue .. Did I get rooted?

Discussion in 'E-mail Discussion' started by Gregd, Sep 16, 2004.

  1. Gregd

    Here is the email .. I'm getting thousands in the queue

    1C7wSw-0002gr-G5-H
    mailnull 47 12
    <>
    1095341906 0
    -ident mailnull
    -received_protocol local
    -body_linecount 49
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1095342577
    -localerror
    XX
    1
    mail_999@hanmail.net

    156P Received: from mailnull by florida.vikingstudios.com with local (Exim 4.42)
    id 1C7wSw-0002gr-G5
    for mail_999@hanmail.net; Thu, 16 Sep 2004 09:38:26 -0400
    044 X-Failed-Recipients: jelove0913@hanmail.net
    031 Auto-Submitted: auto-generated
    069F From: Mail Delivery System <Mailer-Daemon@florida.vikingstudios.com>
    025T To: mail_999@hanmail.net
    059 Subject: Mail delivery failed: returning message to sender
    058I Message-Id: <E1C7wSw-0002gr-G5@florida.vikingstudios.com>
    038 Date: Thu, 16 Sep 2004 09:38:26 -0400


    1C7wSw-0002gr-G5-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    jelove0913@hanmail.net
    SMTP error from remote mailer after MAIL FROM:<mail_999@hanmail.net> SIZE=4040:
    host mx3.hanmail.net [211.43.197.9]: 550 5.7.1 <mail_999@hanmail.net>... Sorry,access denied(66.199.252.42).Your mail server sent too many e-mails to us(1205).Spammer may abuse your mail server for mail relay.If you are not the system administrator,inform this message to your system administrator.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <mail_999@hanmail.net>
    Received: from [220.121.52.207] (helo=user)
    by florida.vikingstudios.com with esmtp (Exim 4.42)
    id 1C7vDq-0008E6-PM
    for jelove0913@hanmail.net; Thu, 16 Sep 2004 08:18:47 -0400
    From: mail_999@hanmail.net
    Subject: =?EUC-KR?B?tKmxuLOqILTrw+KwobTJISC52bfOIL3Fw7vHz7y8v+Q=?=
    To: jelove0913@hanmail.net
    Content-Type: multipart/alternative;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf";
    charset="DEFAULT"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Sender: mail_999@hanmail.net
    Reply-To: mail_999@hanmail.net
    Date: Thu, 16 Sep 2004 21:19:17 +0900
    X-Priority: 3
    X-Library: Indy 9.00.10
    X-Mailer:Dynamailer V 8.0
    X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

    This is a multi-part message in MIME format

    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/plain
    Content-Transfer-Encoding: quoted-printable
    charset="DEFAULT"


    --=_NextPart_2rfkindysadvnqw3nerasdf
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit
    charset="DEFAULT"

    <!-- 2004-09-16 ¿ÀÈÄ 9:19:16--> <html> <head> <title>Á÷ÀåÀδëÃâ½Åû¸ÞÀÏ </title> <style> <!-- A:link { text-decoration: none;} A:visited {text-decoration: none;} a:hover {text-decoration: underline} font { font-size: 10pt; }--> </style> <style type="text/css"> <!-- .font { font-size: 9pt; font-style: normal; line-height: 12pt; color:"#666666"} .font2 { font-size: 9pt; font-style: normal; line-height: 12pt; color:#000000; text-decoration: none} .font3 { font-size: 9pt; font-style: normal; line-height: 12pt; color:#50C81F; text-decoration: none} .tbox { Background-color:white; Border:1x SOLID #B2B2B2;font-size: 9pt;font- face:'arial';color:'#666666'} td {font-size:9pt;font-family:µ¸¿ò,arial;color:"#666666"} Body {font-size:9pt;font-family:µ¸¿ò,arial;color:"#666666"} .t1{border:1px solid #c0c0c0;} .t2{border:1px solid #60B830;} --> </style> </HEAD> <body background='http://www.loancs.co.kr/mail/1/img/bg.gif' leftmargin='0' topmargin='0' marginwidth='0' marginheight='0'> <centeR> <table width="600" border="0" cellspacing="0" cellpadding="0"> <tr> <td bgcolor='#FFFFFF'><a href="http://www.loancs.co.kr/Register/openwin.asp?code=syahoo1" target="_blank"><img src="http://www.loancs.co.kr/mail/1/img/img.gif" width="600" height="650"></td> </tr> <tr> <td bgcolor="#CCCCCC" align="center"> <br> ¼ö½Å°ÅºÎ<b><a href="javascript:winopen()"><font color="#FFFFFF">[Deny]</font></a></b> ¹öÆ°À» Ŭ¸¯ÇÏ½Ã¸é ¼ö½Å°ÅºÎ󸮰¡ ÀÌ·ç¾î Áý´Ï´Ù.<br> À̸ÞÀÏ ÁÖ¼Ò¸¦ Àü¼ÛÇØÁÖ½Ã¸é ´õÀÌ»ó ±¤°í¼º ¸ÞÀÏÀÌ ¹ß¼ÛµÇÁö ¾Ê½À´Ï´Ù.<br> <br> If you don't want to receive this mail anymore, click here <b><a href="javascript:winopen()"><font color="#FFFFFF">[Deny]</font></a></b><br> Enter your email address if you do not want to receive this mail <br> <br> </td> </tr> </table> </centeR> </HTML>

    --=_NextPart_2rfkindysadvnqw3nerasdf--
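A triage script for a queue full of bounces like the one above, added here as an example (not code from the thread or from cPanel): it unfolds the headers of the quoted original message, reads its first Received header, and reports whether the spam entered the server by unauthenticated SMTP from an outside host (as the `from [220.121.52.207] (helo=user) ... with esmtp` line shows), through an SMTP AUTH account, or from a local process. The two sample texts are constructed from the bounce above, and the esmtpa/esmtpsa protocol labels are an assumption about Exim's Received header format.

```python
import re

# Constructed samples (example code, not from the thread). First: the Received
# chain of the bounced message quoted above, trimmed to what the triage needs.
SAMPLE_BOUNCE = """\
------ This is a copy of the message, including all the headers. ------
Received: from [220.121.52.207] (helo=user)
 by florida.vikingstudios.com with esmtp (Exim 4.42)
 for jelove0913@hanmail.net; Thu, 16 Sep 2004 08:18:47 -0400
"""
# Second: mail injected by a local process, which Exim records as "with local".
SAMPLE_LOCAL = """\
------ This is a copy of the message, including all the headers. ------
Received: from nobody by florida.vikingstudios.com with local (Exim 4.42)
 for someone@example.invalid; Thu, 16 Sep 2004 10:00:00 -0400
"""
MARKER = "This is a copy of the message, including all the headers."
RECEIVED = re.compile(r"^Received:\s*from\s+(?P<src>\S+)(?:\s+\((?P<paren>[^)]*)\))?"
                      r".*?\s+with\s+(?P<proto>\S+)", re.IGNORECASE)
# Assumption: Exim labels SMTP AUTH submissions esmtpa/esmtpsa (older: asmtp).
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa", "asmtp"}

def unfold(headers):
    """Join header continuation lines (lines that start with whitespace)."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def triage(bounce):
    """Classify how the bounced original entered this server, from its first Received header."""
    original = bounce.split(MARKER, 1)[1] if MARKER in bounce else bounce
    for line in unfold(original):
        m = RECEIVED.match(line)
        if not m:
            continue
        proto = m.group("proto").lower()
        paren = m.group("paren") or ""
        helo = paren[5:] if paren.startswith("helo=") else None
        if proto == "local":
            verdict = "local"                     # a process on this host (sendmail path)
        elif proto in AUTH_PROTOCOLS:
            verdict = "authenticated"             # an SMTP AUTH account: check for a stolen password
        else:
            verdict = "external-unauthenticated"  # relayed for a remote host: check relay rules
        return {"source": m.group("src").strip("[]"), "helo": helo,
                "protocol": proto, "verdict": verdict}
    return None
```

Run it over the -D spool files of the frozen bounces (the `exim -Mvb` output) and count verdicts per source address: a queue dominated by "external-unauthenticated" points at relay configuration rather than a root compromise, while "local" results would deserve the process and file checks discussed later in the thread.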
     
  2. GOT

    There is something new afoot about this. Got this in one of the security email lists:

    Try lsof to see what processes are tied to which open ports. Do you have any backups,
    or an integrity database (aide/tripwire) of the files from before putting this mail
    server into production??
    If you cannot take the system offline, then you should try a live system
    investigation. SecurityFocus has a couple of step-by-step walkthroughs for working
    with a live unix/linux system.
    Shirkdog
    -----Original Message-----
    From: hiltond@hotpop.com [mailto:hiltond@hotpop.com]
    Sent: Tuesday, September 14, 2004 8:23 PM
    To: incidents@securityfocus.com
    Subject: suspicious activities...
    Importance: Low
    Hi All,

    I had this really strange occurrence the other night...

    Please find the course of events detailed below :

    We had just migrated a client's email (MX) to a new server, and as soon as we
    switched the MX over the server received thousands of spam emails from
    a domain called hanmail.net (or something like that). Since I was in the
    process of putting the finishing touches on the server I had not introduced
    any anti-relay measures (not that anti-relay should have been an
    afterthought), so the emails were successfully relayed to other hosts for about
    a minute (just until I could re-configure sophos to block that IP from
    relaying).



    A bit later on I ran chkrootkit and got this message :

    (just for reference zzz.yyy.xxx.www is my ip and www.xxx.yyy.zzz is the mail
    server.)


    xyzhost:~# chkrootkit -q

    You have 2 process hidden for readdir command
    You have 2 process hidden for ps command
    Warning: Possible LKM Trojan installed
    eth0 is not promisc

    so I was like "AAARRRGGGHHH!!!" I then ran :

    xyzhost:~# w
    20:38:51 up 59 min, 3 users, load average: 0.07, 0.02, 0.00
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    root pts/0 zzz.yyy.xxx.www 19:40 1:18 0.13s 0.00s tail -f /var/log/mail/mail.log
    root pts/1 zzz.yyy.xxx.www 20:06 46.00s 0.28s 0.18s watch -n 1 mailq
    root pts/2 zzz.yyy.xxx.www 20:38 0.00s 0.02s 0.01s w
    I ran chkrootkit again and got this message...
    xyzhost:~# chkrootkit -q
    warning, got bogus tcp line.
    eth0 is not promisc
    Then I ran it again and got nothing...???:

    xyzhost:~# chkrootkit -q
    eth0 is not promisc

    xyzhost:~# chkrootkit -q
    eth0 is not promisc



    --------------------------------------

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 www.xxx.yyy.zzz:25 0.0.0.0:* LISTEN
    tcp 0 0 www.xxx.yyy.zzz:22 zzz.yyy.xxx.www:3616 ESTABLISHED
    tcp 0 0 www.xxx.yyy.zzz:22 zzz.yyy.xxx.www:3489 ESTABLISHED
    tcp 0 0 www.xxx.yyy.zzz:22 zzz.yyy.xxx.www:3735 ESTABLISHED
    tcp 1 0 www.xxx.yyy.zzz:33337 211.43.197.159:25 CLOSE_WAIT
    tcp 0 0 www.xxx.yyy.zzz:33414 203.231.231.41:25 ESTABLISHED
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ ACC ] STREAM LISTENING 15838 /var/run/mmsmtp.control
    unix 2 [ ACC ] STREAM LISTENING 221 /var/run/courier/authdaemon/socket.tmp
    unix 7 [ ] DGRAM 155 /dev/log
    unix 2 [ ] DGRAM 299
    unix 2 [ ] DGRAM 253
    unix 2 [ ] DGRAM 245
    unix 2 [ ] DGRAM 220
    unix 2 [ ] DGRAM 198
     
  3. Gregd

    I installed and ran chkrootkit but got no errors, but then I ran rkhunter and here is the output
    * System tools
    Info: prelinked files found
    Performing 'known good' check...
    /usr/sbin/prelink: /sbin/depmod: at least one of file's dependencies has changed since prelinking /sbin/depmod [ BAD ]
    /usr/sbin/prelink: /sbin/init: at least one of file's dependencies has changed since prelinking
    /sbin/init [ BAD ]
    /usr/sbin/prelink: /sbin/insmod: at least one of file's dependencies has changed since prelinking /sbin/insmod [ BAD ]
    /usr/sbin/prelink: /sbin/ip: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /sbin/ip: at least one of file's dependencies has changed since prelinking
    /sbin/ip [ BAD ]
    /usr/sbin/prelink: /sbin/ksyms: at least one of file's dependencies has changed since prelinking /sbin/ksyms [ BAD ]
    /usr/sbin/prelink: /sbin/lsmod: at least one of file's dependencies has changed since prelinking /sbin/lsmod [ BAD ]
    /usr/sbin/prelink: /sbin/modinfo: at least one of file's dependencies has changed since prelinking /sbin/modinfo [ BAD ]
    /usr/sbin/prelink: /sbin/modprobe: at least one of file's dependencies has changed since prelinking /sbin/modprobe [ BAD ]
    /usr/sbin/prelink: /sbin/rmmod: at least one of file's dependencies has changed since prelinking /sbin/rmmod [ BAD ]
    /usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/cat: at least one of file's dependencies has changed since prelinking
    /bin/cat [ BAD ]
    /usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /bin/chown: at least one of file's dependencies has changed since prelinking /bin/chown [ BAD ]
    /usr/sbin/prelink: /bin/df: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/df: at least one of file's dependencies has changed since prelinking
    /bin/df [ BAD ]
    /usr/sbin/prelink: /bin/echo: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/echo: at least one of file's dependencies has changed since prelinking
    /bin/echo [ BAD ]
    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking /bin/egrep [ BAD ]
    /usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /bin/fgrep: at least one of file's dependencies has changed since prelinking /bin/fgrep [ BAD ]
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/grep: at least one of file's dependencies has changed since prelinking
    /bin/grep [ BAD ]
    /usr/sbin/prelink: /bin/kill: at least one of file's dependencies has changed since prelinking
    /bin/kill [ BAD ]
    /usr/sbin/prelink: /bin/login: at least one of file's dependencies has changed since prelinking
    /bin/login [ BAD ]
    /usr/sbin/prelink: /bin/ls: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/ls: at least one of file's dependencies has changed since prelinking
    /bin/ls [ BAD ]
    /usr/sbin/prelink: /bin/more: at least one of file's dependencies has changed since prelinking
    /bin/more [ BAD ]
    /usr/sbin/prelink: /bin/mount: at least one of file's dependencies has changed since prelinking
    /bin/mount [ BAD ]
    /bin/netstat [ OK ]
    /usr/sbin/prelink: /bin/ps: at least one of file's dependencies has changed since prelinking
    /bin/ps [ BAD ]
    /usr/sbin/prelink: /bin/sort: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/sort: at least one of file's dependencies has changed since prelinking
    /bin/sort [ BAD ]
    /usr/sbin/prelink: /bin/su: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /bin/su: at least one of file's dependencies has changed since prelinking
    /bin/su [ BAD ]
    /usr/sbin/prelink: /usr/bin/chattr: at least one of file's dependencies has changed since prelinking
    /usr/bin/chattr [ BAD ]
    /usr/sbin/prelink: /usr/bin/file: at least one of file's dependencies has changed since prelinking
    /usr/bin/file [ BAD ]
    /usr/bin/find [ OK ]
    /usr/sbin/prelink: /usr/bin/kill: at least one of file's dependencies has changed since prelinking /usr/sbin/prelink: /usr/bin/kill: at least one of file's dependencies has changed since prelinking /usr/bin/kill [ BAD ]
    /usr/sbin/prelink: /usr/bin/last: at least one of file's dependencies has changed since prelinking /usr/bin/last [ BAD ]
    /usr/sbin/prelink: /usr/bin/lastlog: at least one of file's dependencies has changed since prelinking /usr/bin/lastlog [ BAD ]
    /usr/sbin/prelink: /usr/bin/less: at least one of file's dependencies has changed since prelinking /usr/sbin/prelink: /usr/bin/less: at least one of file's dependencies has changed since prelinking /usr/bin/less [ BAD ]
    /usr/sbin/prelink: /usr/bin/logger: at least one of file's dependencies has changed since prelinking /usr/bin/logger [ BAD ]
    /usr/sbin/prelink: /usr/bin/lsattr: at least one of file's dependencies has changed since prelinking /usr/bin/lsattr [ BAD ]
    /usr/sbin/prelink: /usr/bin/md5sum: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /usr/bin/md5sum: at least one of file's dependencies has changed since prelinking
    /usr/bin/md5sum [ BAD ]
    /usr/sbin/prelink: /usr/bin/passwd: at least one of file's dependencies has changed since prelinking /usr/bin/passwd [ BAD ]
    /usr/sbin/prelink: /usr/bin/pstree: at least one of file's dependencies has changed since prelinking
    /usr/bin/pstree [ BAD ]
    /usr/sbin/prelink: /usr/bin/sha1sum: at least one of file's dependencies has changed since prelinking
    /usr/sbin/prelink: /usr/bin/sha1sum: at least one of file's dependencies has changed since prelinking /usr/bin/sha1sum [ BAD ]
    /usr/sbin/prelink: /usr/bin/size: at least one of file's dependencies has changed since prelinking /usr/sbin/prelink: /usr/bin/size: at least one of file's dependencies has changed since prelinking /usr/bin/size [ BAD ]
    /usr/sbin/prelink: /usr/bin/slocate: at least one of file's dependencies has changed since prelinking /usr/sbin/prelink: /usr/bin/slocate: at least one of file's dependencies has changed since prelinking
    /usr/bin/slocate [ BAD ]
    /usr/sbin/prelink: /usr/bin/strace: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /usr/bin/strace: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /usr/bin/strace: at least one of file's dependencies has changed since prelinking /usr/bin/strace [ BAD ]
    /usr/sbin/prelink: /usr/bin/strings: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /usr/bin/strings: at least one of file's dependencies has changed since prelinking /usr/bin/strings [ BAD ]
    /usr/sbin/prelink: /usr/bin/test: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /usr/bin/test: at least one of file's dependencies has changed since prelinking /usr/bin/test [ BAD ]
    /usr/sbin/prelink: /usr/bin/top: at least one of file's dependencies has changed since prelinking/usr/sbin/prelink: /usr/bin/top: at least one of file's dependencies has changed since prelinking /usr/bin/top [ BAD ]
    /usr/sbin/prelink: /usr/bin/w: at least one of file's dependencies has changed since
    I'm also getting the hotmail thing just like that.
     