The Community Forums


EMERGENCY - Mail server WIDE OPEN

Discussion in 'E-mail Discussions' started by cbingham, Jul 12, 2002.

  1. cbingham

    cbingham Active Member

    Joined:
    Aug 14, 2001
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Vancouver, BC, Canada
    Guys,

    I need your help. It seems someone has found an exploit on our mail system. They are using every user they can find on the system to send SPAM out.

    I need ideas; this is obviously a big problem for us, and a potential problem for many. We have Red Hat 7.2 and the latest cPanel/WHM updates installed, meaning we are running the same software as most of you.

    The idiot who is spamming must know me personally; he sent me an email right after I changed the username on a customer's account, with the intro "Dear Dorkis,".

    It was sent to my personal account, which very few people have.

    He is spamming using the username@domain.com account, which I guess is the main email id for every domain on the system.

    Thanks for your thoughts and ideas,
     
  2. feanor

    feanor Well-Known Member

    Joined:
    Aug 13, 2001
    Messages:
    836
    Likes Received:
    0
    Trophy Points:
    16
    Right...........
    I don't understand how he or she is authenticating, from the start? Unless your relay protection is down or dead.

    Did you run
    /scripts/fixrelayd yet?

    What account did you say they were using to log in via SMTP?
    Are they logging in via POP3 as well?

    Do they actually have a legit account, or had an account?
     
  3. cbingham

    cbingham Active Member

    Joined:
    Aug 14, 2001
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Vancouver, BC, Canada
    The person is using accounts on the server. I have tracked two separate ones. It is as if he can see the list of users on the server and is targeting them. It looks like it may be local; it says auth_sender = username, and I don't know how they are authenticating either.

    Here is an excerpt:

    17Sjjg-0005OG-00-H
    cryptic 32035 536

    1026416180 0
    -ident cryptic
    -received_protocol local
    -body_linecount 5
    -auth_id cryptic
    -auth_sender cryptic@lucky.getwebhosted.com
    -local
    XX
    1
    jmyjenann@aol.com

    152P Received: from cryptic by lucky.getwebhosted.com with local (Exim 3.35 #1)
    id 17Sjjg-0005OG-00
    for jmyjenann@aol.com; Thu, 11 Jul 2002 12:36:20 -0700
    022T To: jmyjenann@aol.com
    033F From: teodoro342000@yahoo.com ()
    098 Subject: What life has to offer k5r7g1g0
    055I Message-Id:
    038 Date: Thu, 11 Jul 2002 12:36:20 -0700


    This particular person is a good friend of mine, and the accounts before were also people I know well, but they don't know each other, yet the message that is being sent out is the same from both accounts.

    I am going to run that script now.
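    The excerpt above is an Exim "-H" spool header file: message id, "login uid gid", the envelope sender, the receive time, "-option" lines such as -received_protocol and -auth_sender, the recipient list, and then the headers prefixed by their length and a type flag. The Python script below is added here as an example; it is not from the thread or from cPanel. It parses such files and groups messages submitted with "received_protocol local" by the Unix login that injected them, flagging the ones whose From: header domain differs from the authenticated local sender's domain, which is exactly the pattern shown in the post. The spool layout is assumed to be the Exim 3 one in the excerpt, the spool path /var/spool/exim/input is an assumption, and the embedded sample is reconstructed from the post (the angle-bracketed envelope sender and the Message-Id value were lost when the post was rendered, so they are left empty rather than guessed).

```python
import glob
import os
import re
from collections import Counter

# Constructed sample: the excerpt quoted in the thread, laid out as an Exim 3 "-H" file.
# The envelope-sender line and the Message-Id value were stripped in the forum copy,
# so they are left empty here.
SAMPLE_SPOOL = """17Sjjg-0005OG-00-H
cryptic 32035 536

1026416180 0
-ident cryptic
-received_protocol local
-body_linecount 5
-auth_id cryptic
-auth_sender cryptic@lucky.getwebhosted.com
-local
XX
1
jmyjenann@aol.com

152P Received: from cryptic by lucky.getwebhosted.com with local (Exim 3.35 #1)
    id 17Sjjg-0005OG-00
    for jmyjenann@aol.com; Thu, 11 Jul 2002 12:36:20 -0700
022T To: jmyjenann@aol.com
033F From: teodoro342000@yahoo.com ()
098  Subject: What life has to offer k5r7g1g0
055I Message-Id:
038  Date: Thu, 11 Jul 2002 12:36:20 -0700
"""

OPTION_RE = re.compile(r"^-(\w+)(?:\s+(.*))?$")       # "-name value" or bare "-name"
HEADER_RE = re.compile(r"^(\d{3,})(.)\s?(.*)$")       # "<length><flag> Header: value"
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_spool_header(text):
    """Parse one -H file into a dict (Exim 3 layout assumed, see lead-in)."""
    lines = text.splitlines()
    msg_id = lines[0][:-2] if lines[0].endswith("-H") else lines[0]
    login, uid, gid = lines[1].split()
    received_time = lines[3].split()[0]
    msg = {"id": msg_id, "login": login, "uid": int(uid), "gid": int(gid),
           "envelope_sender": lines[2].strip().strip("<>"),
           "received_time": int(received_time),
           "options": {}, "recipients": [], "headers": []}
    i = 4
    while i < len(lines) and lines[i].startswith("-"):   # option lines
        m = OPTION_RE.match(lines[i])
        if m:
            msg["options"][m.group(1)] = m.group(2) if m.group(2) is not None else True
        i += 1
    if i < len(lines) and lines[i].strip() == "XX":        # empty non-recipients tree
        i += 1
    count = int(lines[i]); i += 1
    msg["recipients"] = [lines[i + k].strip() for k in range(count)]
    i += count
    while i < len(lines) and not lines[i].strip():         # blank separator
        i += 1
    for line in lines[i:]:                                  # headers, with folding
        m = HEADER_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            msg["headers"].append({"flag": m.group(2), "name": name.strip(), "value": value.strip()})
        elif msg["headers"]:
            msg["headers"][-1]["value"] += " " + line.strip()
    return msg


def header(msg, name):
    """First header value with the given (case-insensitive) name, or None."""
    for h in msg["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def from_address(msg):
    m = ADDR_RE.search(header(msg, "From") or "")
    return m.group(0).lower() if m else None


def find_forged_local_submissions(messages):
    """Locally injected messages whose From: domain differs from the authenticated
    sender's domain: (id, login, auth_sender, from_address) tuples."""
    hits = []
    for msg in messages:
        if msg["options"].get("received_protocol") != "local":
            continue
        auth = msg["options"].get("auth_sender") or msg["envelope_sender"]
        frm = from_address(msg)
        if frm and auth and frm.split("@")[-1] != auth.split("@")[-1].lower():
            hits.append((msg["id"], msg["login"], auth, frm))
    return hits


def count_by_login(messages):
    """How many queued messages each Unix login injected: spots the abused account."""
    return Counter(m["login"] for m in messages)


def load_spool_dir(spool_dir="/var/spool/exim/input"):      # path is an assumption
    paths = glob.glob(os.path.join(spool_dir, "**", "*-H"), recursive=True)
    return [parse_spool_header(open(p, errors="replace").read()) for p in paths]


if __name__ == "__main__":
    msgs = [parse_spool_header(SAMPLE_SPOOL)]
    print(count_by_login(msgs))
    for hit in find_forged_local_submissions(msgs):
        print("local injection by %s as %s, From: %s (msg %s)" % (hit[1], hit[2], hit[3], hit[0]))
```

Run it as root against the live queue by replacing the sample with load_spool_dir(); a login that dominates the count while its From: headers point at foreign domains is the account (or the CGI script running as that account) that the spammer is driving.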
     
  4. TRAIN YARD SOFTWARE

    TRAIN YARD SOFTWARE Well-Known Member

    Joined:
    Dec 20, 2001
    Messages:
    224
    Likes Received:
    0
    Trophy Points:
    16
    Check to see if the user has the latest formmail.pl, as this happened to us because someone had version 1.6.
     
  5. albertg

    albertg Well-Known Member
    PartnerNOC

    Joined:
    Sep 4, 2002
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Originally posted by feanor:

        Right...........
        I don't understand how he or she is authenticating, from the start? Unless your relay protection is down or dead.

        Did you run
        /scripts/fixrelayd yet?

        What account did you say they were using to log in via SMTP?
        Are they logging in via POP3 as well?

        Do they actually have a legit account, or had an account?

    How do I run fixrelayd?
    Please help, I am having a big problem too.
     
  6. JustinK

    JustinK Well-Known Member

    Joined:
    Sep 4, 2001
    Messages:
    251
    Likes Received:
    0
    Trophy Points:
    16
    Log in as root and type in /scripts/fixrelayd
     
  7. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    locate formmail.pl
    locate FormMail.pl

    rm -r -f /home/username/cgi-bin/formmail.pl

    when found.

    We told all customers that "formmail.pl" and "FormMail.pl" are not acceptable names for their formmail script, because spammers know to look for the script by those names, and because we cannot be sure whether it is the new, secure script without checking each copy.

    So, our policy is, they had to name it to a different name and update their form pages. This has worked. The formmail.pl problem used to be a major pain for us, but our new policy has wiped out spam via the formmail.pl script.
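    An audit pass is a useful companion to the locate/rm step above: instead of deleting every hit blindly, list each copy with the version it declares so the abused 1.6 release can be told apart from updated copies, and confirm that renamed scripts no longer answer to the names spammers probe for. The Python scanner below is added here as an example and is not from the thread or from cPanel. It assumes FormMail announces itself in a leading comment of the form "Version N.N" (an assumption about the script, not something the thread states), walks a home tree for files named formmail.pl in any letter case, and the sample tree it builds is constructed.

```python
import os
import re
import tempfile

# Assumption: FormMail releases carry a leading comment like "# FormMail  Version 1.92".
VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)+)", re.IGNORECASE)


def script_version(path, max_lines=40):
    """Return the first 'Version N.N' string in the file's leading lines, or None."""
    with open(path, "r", errors="replace") as fh:
        for _, line in zip(range(max_lines), fh):
            m = VERSION_RE.search(line)
            if m:
                return m.group(1)
    return None


def find_formmail_copies(root, names=("formmail.pl",), known_bad=("1.6",)):
    """Walk `root` for scripts whose name matches `names` case-insensitively
    (so formmail.pl and FormMail.pl are both caught) and record their version.
    `known_bad` defaults to the 1.6 release the thread blames."""
    wanted = {n.lower() for n in names}
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                version = script_version(path)
                found.append({"path": path, "name": fn, "version": version,
                              "known_bad": version in known_bad})
    return sorted(found, key=lambda f: f["path"])


def demo_scan():
    """Build a constructed /home-like tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="formmail-audit-")
    samples = {  # constructed files, not real customer data
        "alice/public_html/cgi-bin/formmail.pl": "#!/usr/bin/perl\n# FormMail    Version 1.6\n",
        "bob/public_html/cgi-bin/FormMail.pl": "#!/usr/bin/perl\n# FormMail    Version 1.92\n",
        # renamed per the policy above: must not show up in the scan
        "carol/public_html/cgi-bin/contact_x7.pl": "#!/usr/bin/perl\n# FormMail    Version 1.92\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return find_formmail_copies(root)


if __name__ == "__main__":
    for hit in demo_scan():
        print("%s  version=%s  %s" % (hit["path"], hit["version"],
                                     "KNOWN BAD" if hit["known_bad"] else ""))
```

On a real box call find_formmail_copies("/home") as root; the renamed copy in the sample shows why the policy in the post works, since a name-based scan (and a name-guessing spammer) no longer finds it.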
     
  8. albertg

    albertg Well-Known Member
    PartnerNOC

    Joined:
    Sep 4, 2002
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    I have cleaned up all the formmail scripts and have run fixrelayd.

    Still having a big, big, big problem here.
    Anyone have any idea? Please... help me.

    The information that I have found is that when that person starts spamming, from cPanel I can see in the current processes:

    /usr/local/apache/bin/httpd -DSSL becomes really high (about 50-70% of CPU usage)

    and a lot of /usr/sbin/sendmail processes too.

    Please help. What version of Exim are you all using? Is it hard to upgrade to the latest version? Any idea? Please help!
     