The Community Forums


Email spam Help Please

Discussion in 'E-mail Discussions' started by aceslady06, Jul 12, 2007.

  1. aceslady06

    aceslady06 Member

    Joined:
    Mar 26, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hi, I am new to this. I have had almost 9000 emails in my mail queue in the last 3 hours. I have the setting for 50 emails sent an hour, but I can not tell by the headers if this is incoming mail or outgoing mail. My CPU got really high, then I suspended the account that it was either coming in or going out from and it dropped.

    How do I stop this? I am not familiar with running commands through SSH as of yet. We had this happen the other day where spam was going out from a user (he thinks he was hacked as he did not send these), but this is from a different user. How can I determine where these are coming from, or if a script was installed to send out these emails?

    Any help asap would be greatly appreciated.

    Thank you.

    Here is a copy of just one email (of course it is in Spanish, so that doesn't help),
    and the Postcards@postcards.com.br is not on my server.


    Main >> Email >> Mail Queue Manager
    Displaying Message ID 1I95bg-00013U-Fo

    1I95bg-00013U-Fo-H
    nobody 99 32002
    <nobody@server.iwhic.com>
    1184273388 0
    -ident nobody
    -received_protocol local
    -body_linecount 126
    -auth_id nobody
    -auth_sender nobody@server.iwhic.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    NN msc_caico@hotmail.com
    3
    msc_caico@hotmail.com
    Postcards@postcards.com.br
    ePostcards@postcards.com.br

    162P Received: from nobody by server.iwhic.com with local (Exim 4.66)
    (envelope-from <nobody@server.iwhic.com>)
    id 1I95bg-00013U-Fo; Thu, 12 Jul 2007 15:49:48 -0500
    026T To: msc_caico@hotmail.com
    044 Subject: Você recebeu um cartão Postcards!!
    018 MIME-Version: 1.0
    044 Content-type: text/html; charset=iso-8859-1
    034F From: Postcards@postcards.com.br>
    031C Cc: Postcards@postcards.com.br
    033* Bcc: ePostcards@postcards.com.br
    049I Message-Id: <E1I95bg-00013U-Fo@server.iwhic.com>
    038 Date: Thu, 12 Jul 2007 15:49:48 -0500

    1I95bg-00013U-Fo-D

    <html>

    <head>
    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
    <meta name="ProgId" content="FrontPage.Editor.Document">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title>PostCards</title>
    </head>

    <body>

    <p>
    </p>

    </body>

    </html>


    <html>

    <head>
    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
    <meta name="ProgId" content="FrontPage.Editor.Document">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title>PostCards</title>
    </head>

    <body>

    <p>
    </p>

    </body>

    </html>


    <html>

    <head>
    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
    <meta name="ProgId" content="FrontPage.Editor.Document">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title>PostCards</title>
    </head>

    <body>

    <table cellSpacing="0" cellPadding="0" width="39%" align="center" border="0">
    <tr>
    <td bgColor="#ff9900" height="21">
    <div align="center">
    <strong>
    <font face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff" size="1">
    PostCards</font></strong></div>
    </td>
    </tr>
    <tr>
    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1">Olá,</font></td>
    </tr>
    <tr>
    <td height="12"><font face="Verdana, Arial, Helvetica, sans-serif" size="1">
    Receba este Post Cartões, de ALGUÉM QUE TE ADMIRA:</font></td>
    </tr>
    <tr>
    <td height="22">
    <div align="center">
    </div>
    </td>
    </tr>
    <tr>
    <td height="15">
    <div align="center">
    <font face="Verdana, Arial, Helvetica, sans-serif" size="1">Clique
    <font color="#0033ff"><strong>
    <a href="http://www.sgbohemians.cz/cache/">aqui</a></strong></font> para visualizar.</font></div>
    </td>
    </tr>
    <tr>
    <td height="17">
    <div align="center">
    <font face="Verdana, Arial, Helvetica, sans-serif" color="#0033ff" size="1">
    <strong>
    <a href="http://www.sgbohemians.cz/cache/">http://br.encontros.google.com</a></strong></font></div>
    </td>
    </tr>
    <tr>
    <td height="22"><font face="Verdana, Arial, Helvetica, sans-serif" size="1">
    </font></td>
    </tr>
    <tr>
    <td>
    <div align="center">
    <font face="Verdana, Arial, Helvetica, sans-serif" size="1">Um enorme
    abraço da equipe PostCards Cartões</font></div>
    </td>
    </tr>
    <tr>
    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"> </font></td>
    </tr>
    <tr>
    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1">OBS: Este
    cartão tem validade de apenas 8 dias, então não</font></td>
    </tr>
    <tr>
    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1">esqueça de
    ler essa pequena e valiosa mensagem.</font></td>
    </tr>
    <tr>
    <td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"> </font></td>
    </tr>
    <tr>
    <td bgColor="#ff9900" height="21">
    <div align="center">
    <font face="Verdana, Arial, Helvetica, sans-serif" color="#ffffff" size="1">
    ©2007 PostCards</font></div>
    </td>
    </tr>
    </table>

    </body>

    </html>

     
  2. koolcards

    koolcards Well-Known Member

    Joined:
    Oct 8, 2003
    Messages:
    146
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Tampa, Fl
    Sounds like someone used an exploit in a user's script somewhere. Locating the files will give you an idea what script has been hacked.

    Try the commands below. 'fgrep' is faster than 'grep' but only searches for strings, which is okay in this case. The actual target site the spammer wants them to click to is "sgbohemians.cz" so that will probably be in a readable file somewhere. Using the --recursive option will have the search descend into lower directories but the --quiet option should make it stop after the first instance it finds. I say that because he's probably created several directories of his own for different mailing scams but all in the same location. Run the commands again after you've cleared each account to see if he's in more than one. If your sites are kept under the "/home" directory, log into the server as 'root' user using SSH then issue these commands:

    cd /home

    # --files-with-matches (-l) prints the name of each file that contains the string;
    # the trailing "." is the directory to search (required on older grep versions)
    fgrep --recursive --files-with-matches sgbohemians .


    This should locate an instance of "sgbohemians" somewhere under the "/home" directory. Whatever directory that file is in, like a Coppermine script upload directory, will tell you what script has been exploited. You can upgrade to the latest version or disable the upload ability in the script, etc. Check the file time stamps and remove all the spammer's files. The time/date stamp and file names can be used in a search of the httpd access log for the spammer's IP address, although it's probably just another hacked machine somewhere.

    Useful link:

    http://www.linuxdevcenter.com/linux/cmd/
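    The search-then-correlate procedure koolcards describes, as an added Python example that is not from this thread or from cPanel: it walks a directory tree for files containing the indicator string, records their modification times, maps each hit to its request path (assuming the cPanel /home/<user>/public_html layout), and then pulls the client IPs that requested those files out of Apache combined-format access-log lines. The directory tree and log lines are constructed for the example.

```python
import os, re, tempfile
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')  # combined log format

def find_indicator_files(root, needle):
    """Walk root (e.g. /home) and list (path, mtime) of files containing needle."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if needle.encode() in fh.read():
                        hits.append((path, os.path.getmtime(path)))
            except OSError:       # unreadable or vanished file: skip it, keep searching
                continue
    return sorted(hits)

def url_path(path):  # /home/<user>/public_html/a/b.php -> /a/b.php (assumed cPanel layout)
    parts = path.split(os.sep)
    if "public_html" not in parts:
        return None
    return "/" + "/".join(parts[parts.index("public_html") + 1:])

def access_log_hits(log_lines, paths):
    """Return {request_path: sorted client IPs} for requests that hit the suspect files."""
    wanted = {url_path(p) for p in paths} - {None}
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2).split("?")[0] in wanted:   # ignore the query string
            seen.setdefault(m.group(2).split("?")[0], set()).add(m.group(1))
    return {u: sorted(ips) for u, ips in seen.items()}

def build_fixture():
    """Constructed /home tree: one planted file carrying the indicator, one innocent file."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "user1", "public_html", "gallery", "albums", "cache")
    os.makedirs(cache)
    with open(os.path.join(cache, "send.php"), "w") as fh:
        fh.write("<?php // planted for the example: http://www.sgbohemians.cz/cache/ ?>")
    with open(os.path.join(root, "user1", "public_html", "index.html"), "w") as fh:
        fh.write("<html>hello</html>")
    return root

# Constructed access-log lines; 203.0.113.7 and 198.51.100.2 are documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2007:15:49:40 -0500] "POST /gallery/albums/cache/send.php HTTP/1.1" 200 512 "-" "Mozilla"',
    '198.51.100.2 - - [12/Jul/2007:15:50:01 -0500] "GET /index.html HTTP/1.1" 200 18 "-" "Mozilla"',
    '203.0.113.7 - - [12/Jul/2007:15:50:12 -0500] "GET /gallery/albums/cache/send.php?n=2 HTTP/1.1" 200 512 "-" "Mozilla"',
]
```

    On a real server, point find_indicator_files at /home and feed access_log_hits the lines of the relevant domain's access log; the mtime of each hit narrows which log lines to read.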
     
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    You should really read up on phpsuexec - don't enable it until you're familiar with the possible ramifications (including the inability to use .htaccess to its full potential to set php values and such) when phpsuexec is enabled.

    phpsuexec will cause customer scripts to be run under their username - so at the very least you'll be able to determine which users' site has a script running on it (or a hacked website, forum software, etc.) because the email will show that it was from their username instead of from 'nobody@'.

    Mike
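    To answer the incoming-or-outgoing question mechanically, here is an added Python example (not from this thread or from Exim) that parses the fields of an Exim spool -H file like the one pasted in the first post and applies Mike's point: a message received with protocol "local" and ident "nobody" was generated on the server by a web script, while a username there points at that user's scripts. The sample is constructed from the pasted header with most option lines and headers trimmed.

```python
import re
HEADER_RE = re.compile(r"^\d{3}[A-Z*]? ([^:]+): ?(.*)$")  # spool header line: NNN[flag] Name: value
# Constructed from the spool header in the first post, trimmed to the fields used here.
SAMPLE_H = """1I95bg-00013U-Fo-H
nobody 99 32002
<nobody@server.iwhic.com>
1184273388 0
-ident nobody
-received_protocol local
-auth_id nobody
NN msc_caico@hotmail.com
3
msc_caico@hotmail.com
Postcards@postcards.com.br
ePostcards@postcards.com.br

162P Received: from nobody by server.iwhic.com with local (Exim 4.66)
  (envelope-from <nobody@server.iwhic.com>)
  id 1I95bg-00013U-Fo; Thu, 12 Jul 2007 15:49:48 -0500
026T To: msc_caico@hotmail.com
"""

def parse_spool_header(text):
    lines = text.splitlines()
    msg = {"user": lines[1].split()[0], "envelope_from": lines[2].strip("<>"),
           "options": {}, "recipients": [], "headers": {}}
    i = 4                                            # id, user, sender, time come first
    while lines[i].startswith("-"):                  # "-key [value]" option lines
        key, _, val = lines[i][1:].partition(" ")
        msg["options"][key] = val
        i += 1
    while lines[i][:2] in ("YY", "NN", "YN", "NY"):  # non-recipients tree, not needed here
        i += 1
    count = int(lines[i])                            # recipient count, then the addresses
    msg["recipients"] = lines[i + 1:i + 1 + count]
    last = None
    for line in lines[i + 2 + count:]:               # skip the blank separator line
        m = HEADER_RE.match(line)
        if m:
            last = m.group(1)
            msg["headers"][last] = m.group(2)
        elif last:                                   # continuation of a folded header
            msg["headers"][last] += " " + line.strip()
    return msg

def triage(msg):
    opts = msg["options"]
    if opts.get("received_protocol") != "local":
        return "inbound/relayed: received over %s" % opts.get("received_protocol")
    if opts.get("ident") == "nobody":                # web server user: a script sent it
        return "outgoing: local script running as 'nobody' (check web apps)"
    return "outgoing: local process of user %r (check that account)" % opts.get("ident")
```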
     
  4. aceslady06

    aceslady06 Member

    Joined:
    Mar 26, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the info. The server tech I have enabled this, and I still have tons and tons of nobody processes running, so should I disable this? Thank you for the replies. Aimee
     
  5. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    For more info about Phpsuexec and Suexec, go to: http://servertune.com/kbase/entry/46/
    Overall, I suggest you secure and harden your server before it gets blacklisted by some anti-spam entities.
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Well, even with phpsuexec there will still be certain 'nobody' processes running, but there shouldn't be 'tons' of them running. On a very idle server of mine 'ps auwx|grep nobody|wc' reveals 29 processes. When phpsuexec is enabled, the main apache processes are still running as 'nobody' - but individual user websites scripts should be run as 'the_username'.

    Is the server still generating tons of spam that comes from nobody? Or has that ceased? I think you said you already disabled the account that you thought was responsible for this. If you did, and the spams stopped, then now is probably the time to figure out what script/app on that customer's website was compromised.

    Mike
     