The Community Forums


Exploitable Cpanel - Spam from server

Discussion in 'General Discussion' started by jackie46, May 4, 2006.

  1. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    We are seeing a big increase in spam leaving our server on domains that are pure HTML websites. There are no scripts running on the websites, only HTML. :eek:

    We have phpsuexec running on all servers and we are seeing undeliverable mail being returned to the server. The problem is supposedly the user who sent the message does not exist as a valid email address on the server for that domain, and the message was definitely sent from our server as the header indicates the message was sent from localhost.localdomain 127.0.0.1. So then the question is, how was the message sent in the first place?

    Something is not right here. In mod_security we have bcc rules setup, and formmail scripts in cgi-sys are all chmod 000. I see no other possible way for mail to be leaving the server if there are no exploitable scripts on the website and the website is running only .html unless Squirrelmail, Horde, IMAP or another script on cPanel is being exploited.

    Here is a message that was sent;

    From: "Gertrude Mora" <rycxqk@motiva????.com>
    To: <laboo2@cannet.com>
    Subject: troll
    Date: Wed, 3 May 2006 21:18:24 -0700

    There is no such user rycxqk but the domain exists here.

    I'd like to know if anyone else is having this issue as it seems like something is being exploited on Cpanel. Maybe somebody has found a way to exploit IMAP and authenticated. Maybe it's a Squirrelmail or Horde exploit!
     
    #1 jackie46, May 4, 2006
    Last edited: May 4, 2006
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you can, it would help to see the full email header of one of the spam emails - it could be that it's being forged and not originating from your server. Without that, it's very difficult to pin it down at all. Once it is established that it's from your server, then adding extended exim logging:

    log_selector = +arguments +subject

    Will usually make tracking down future occurrences easier as it should provide the CWD of the app that sent the email.
     
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    The script isn't deleting itself as it runs is it? This is quite possible if it's a perl script; it could start running then delete itself immediately to make it hard to see what's happening.

    Setting up the exim log_selector line as above will show you from which directory the script is running, and if there's nothing there when you look it could be that the script is deleting (or renaming) itself. Of course it's also possible it's just running from somewhere else.
     
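As an added example (not code from the original posts), here is a small Python script that does the triage chirpy and brianoz describe: it reads exim_mainlog lines written when `log_selector = +arguments +subject` is on, pairs each `cwd=... args: ...` invocation line with the `<=` acceptance line that follows it, and counts local submissions per working directory so that a web-root directory injecting a burst of identical messages stands out even if the script has already deleted itself. The log lines are constructed for the example (paths, queue IDs, users and subjects are hypothetical) and the trusted-prefix list is an assumption to adapt to your own host.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of exim_mainlog with log_selector = +arguments +subject.
# Paths, queue IDs, users and subjects are hypothetical. The "cwd=" line is
# written when exim is invoked (e.g. as /usr/sbin/sendmail by a script); the
# "<=" line records the accepted message; T="..." carries the subject.
SAMPLE_MAINLOG = """\
2006-05-04 02:10:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q60m
2006-05-04 02:11:14 cwd=/home/shopuser/public_html/tmp 4 args: /usr/sbin/sendmail -t -i -fnobody
2006-05-04 02:11:14 1Fb0aa-0001aa-Aa <= nobody@localhost U=nobody P=local S=1201 T="troll"
2006-05-04 02:11:15 cwd=/home/shopuser/public_html/tmp 4 args: /usr/sbin/sendmail -t -i -fnobody
2006-05-04 02:11:15 1Fb0ab-0001ab-Ab <= nobody@localhost U=nobody P=local S=1198 T="troll"
2006-05-04 02:12:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2006-05-04 02:12:00 1Fb0ac-0001ac-Ac <= alice@example.com U=alice P=local S=3456 T="Order 123"
"""

CWD_RE = re.compile(r'^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
ACCEPT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) U=(?P<user>\S+) P=(?P<proto>\S+)'
    r'.*?(?: T="(?P<subject>[^"]*)")?$')


def parse_local_submissions(log_text):
    """Pair each cwd/args invocation line with the '<=' acceptance that follows it."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending = m.groupdict()      # remember the invoking directory and argv
            continue
        m = ACCEPT_RE.match(line)
        if m and pending is not None:
            rec = dict(pending)
            rec.update({k: m.group(k) for k in ('id', 'sender', 'user', 'proto', 'subject')})
            records.append(rec)
            pending = None
    return records


# Directories the MTA itself and control-panel tooling legitimately send from
# (assumed list; extend it for your own server).
TRUSTED_PREFIXES = ('/var/spool/exim', '/usr/local/cpanel')


def submissions_by_cwd(records, trusted_prefixes=TRUSTED_PREFIXES):
    """Count accepted local submissions per working directory, plus the subjects seen."""
    counts, subjects = Counter(), defaultdict(set)
    for r in records:
        if r['cwd'].startswith(trusted_prefixes):
            continue
        counts[r['cwd']] += 1
        if r['subject']:
            subjects[r['cwd']].add(r['subject'])
    return counts, subjects


def suspicious_dirs(counts, threshold=2):
    """Web-root directories at or above the threshold, busiest first."""
    return [(d, n) for d, n in counts.most_common()
            if n >= threshold and '/public_html' in d]


if __name__ == '__main__':
    recs = parse_local_submissions(SAMPLE_MAINLOG)
    counts, subjects = submissions_by_cwd(recs)
    for d, n in suspicious_dirs(counts):
        print(f'{n:4d}  {d}  subjects={sorted(subjects[d])}')
```

On a real host, run it over the rotated logs as well as the live one; a directory that sends from a writable `tmp` or upload path under `public_html` with one repeated subject is the usual signature of a dropped mailer script, and the `args` field tells you whether it was invoked through `sendmail -t` from a web process.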
  4. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    I'll tell you why I don't think it's a spoofed return.

    The site is on its own IP address and it's clearly evident that the message was sent out on port 25 for that dedicated IP.

    Here;

    1FbVPQ-0002xZ-UE-H
    root 0 0
    <>
    1146716748 0
    -helo_name mx02.cannet.com
    -host_address 69.84.36.83.47166
    -host_name mx30.cannet.com
    -interface_address 216.127.xx.xx.25 <-- RIGHT HERE IS THE DEDICATED IP
    -received_protocol esmtps
    -acl 10 5
    false
    -body_linecount 579
    -frozen 1146716756
    -tls_cipher TLSv1:AES256-SHA:256
    XX
    1
    rycxqk@motiva???.com

    If it was spoofed it wouldn't be showing that the message was sent on that IP.
     
  5. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    I don't think it's this scenario either. I checked the site's domlogs with a fine tooth comb. If somebody was uploading then removing the script then its execution would be shown in the domlog for the website. And there is nothing there to indicate an executed script.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That looks like an incoming exim header, not an outgoing one as there's no authentication data which you would see if it was outgoing. All that interface line means is that that is the IP address that the email came in on. As I said, you really need to post the actual SMTP email header from one of the spams, not the local exim header file.

    It's the Received: header lines from the SMTP email header that are important in identifying spoofed emails, not what you've posted.
     
  7. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    1FbVPQ-0002xZ-UE-H
    root 0 0
    <>
    1146716748 0
    -helo_name mx02.cannet.com
    -host_address 69.84.36.83.47166
    -host_name mx30.cannet.com
    -interface_address 216.127.xx.xx.25
    -received_protocol esmtps
    -acl 10 5
    false
    -body_linecount 579
    -frozen 1146716756
    -tls_cipher TLSv1:AES256-SHA:256
    XX
    1
    rycxqk@motiva???.com

    219P Received: from mx30.cannet.com ([69.84.36.83] helo=mx02.cannet.com)
    by secure.ourdomain.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.52)
    id 1FbVPQ-0002xZ-UE
    for rycxqk@motiva???.com; Wed, 03 May 2006 22:25:49 -0600
    126 Received: from localhost (localhost)
    by mx02.cannet.com (8.12.11/8.12.11) id k444aCEI011513;
    Thu, 4 May 2006 00:36:13 -0400
    037 Date: Thu, 4 May 2006 00:36:13 -0400
    062F From: Mail Delivery Subsystem <MAILER-DAEMON@mx02.cannet.com>
    058I Message-Id: <200605040436.k444aCEI011513@mx02.cannet.com>
    027T To: <rycxqk@motiva???.com>
    018 MIME-Version: 1.0
    115 Content-Type: multipart/report; report-type=delivery-status;
    boundary="k444aCEI011513.1146717373/mx02.cannet.com"
    051 Subject: Returned mail: see transcript for details
    041 Auto-Submitted: auto-generated (failure)
    077 X-A-MailScanner-Information: Please contact the ISP for more information
    039 X-A-MailScanner: Found to be clean
    245 X-A-MailScanner-SpamCheck: spam, SpamAssassin (score=7.586, required 3.5,
    BAYES_00 0.50, HTML_90_100 0.11, HTML_IMAGE_ONLY_08 3.13,
    HTML_MESSAGE 0.00, IP_NOT_FRIENDLY 0.33, MIME_HTML_MOSTLY 1.10,
    SARE_GIF_ATTACH 0.75, SARE_GIF_STOX 1.66)
    033 X-A-MailScanner-SpamScore: 7
    027 X-A-MailScanner-From:


    1FbVPQ-0002xZ-UE-D
    This is a MIME-encapsulated message

    --k444aCEI011513.1146717373/mx02.cannet.com

    The original message was received at Thu, 4 May 2006 00:36:10 -0400
    from 12-208-93-193.client.insightBB.com [12.208.93.193] (may be forged)

    ----- The following addresses had permanent fatal errors -----
    <laboo2@cannet.com>
    (reason: 550 (USER) Unknown user name in "laboo2@cannet.com")

    ----- Transcript of session follows -----
    ... while talking to mail.cannet.com.:
    >>> RCPT To:<laboo2@cannet.com>
    <<< 550 (USER) Unknown user name in "laboo2@cannet.com"
    550 5.1.1 <laboo2@cannet.com>... User unknown

    --k444aCEI011513.1146717373/mx02.cannet.com
    Content-Type: message/delivery-status

    Reporting-MTA: dns; mx02.cannet.com
    Arrival-Date: Thu, 4 May 2006 00:36:10 -0400

    Final-Recipient: RFC822; laboo2@cannet.com
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; mail.cannet.com
    Diagnostic-Code: SMTP; 550 (USER) Unknown user name in "laboo2@cannet.com"
    Last-Attempt-Date: Thu, 4 May 2006 00:36:12 -0400

    --k444aCEI011513.1146717373/mx02.cannet.com
    Content-Type: message/rfc822

    Return-Path: <rycxqk@motiva???.com>
    Received: from 12-208-93-193.client.insightBB.com (12-208-93-193.client.insightBB.com [12.208.93.193] (may be forged))
    by mx02.cannet.com (8.12.11/8.12.11) with SMTP id k444a9jx011478
    for <laboo2@cannet.com>; Thu, 4 May 2006 00:36:10 -0400
    Received: from [12.208.178.167] (helo=giud)
    by 12-208-93-193.client.insightBB.com with smtp (Exim 4.43)
    id 1FbVQv-0002Q6-G3; Wed, 3 May 2006 21:27:21 -0700
    Message-ID: <000e01c66f32$d500b89e$a7b2d00c@giud>
    From: "Gertrude Mora" <rycxqk@motiva???.com>
    To: <laboo2@cannet.com>
    Subject: troll
    Date: Wed, 3 May 2006 21:18:24 -0700
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_000A_01C66EF8.28A1E086"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    X-CanNet-MailScanner-Information: Please contact CanNet for more information
    X-CanNet-MailScanner: NOT virus scanned: Virus Scanning Service Available, call (330) 484-2260
    X-MailScanner-From: rycxqk@motiva???.com
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Great :)

    If this isn't your server:

    Received: from [12.208.178.167] (helo=giud)

    Then it's a spoofed header. The rest of it is just the bounces from the original spoof. The reason it mentioned localhost later on is because the final bounce is from the MAILER-DAEMON on your server trying to deliver it to someone, which SMTP always tries to do, and is inconsequential.

    Looks like someone with a virus infected PC.
     
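The check chirpy is doing by eye, as an added Python example that is not part of the original posts: unfold the `Received:` chain of the innermost bounced message, take the bottom-most hop (the earliest one, since each MTA prepends its own line), and test whether that originating IP belongs to your own address space. The headers are the ones quoted in the thread above (with the poster's own `???` redaction left in place); the network `216.127.0.0/24` is an assumption standing in for the poster's masked `216.127.xx.xx` dedicated IP.

```python
import ipaddress
import re

# Received: chain of the bounced message as quoted in the thread (innermost
# message/rfc822 part), re-folded into standard header continuation lines.
RECEIVED_HEADERS = """\
Received: from 12-208-93-193.client.insightBB.com (12-208-93-193.client.insightBB.com [12.208.93.193] (may be forged))
\tby mx02.cannet.com (8.12.11/8.12.11) with SMTP id k444a9jx011478
\tfor <laboo2@cannet.com>; Thu, 4 May 2006 00:36:10 -0400
Received: from [12.208.178.167] (helo=giud)
\tby 12-208-93-193.client.insightBB.com with smtp (Exim 4.43)
\tid 1FbVQv-0002Q6-G3; Wed, 3 May 2006 21:27:21 -0700
"""

IPV4_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
HOP_RE = re.compile(r'^Received:\s+from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)', re.I)


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (' ', '\t') and logical:
            logical[-1] += ' ' + line.strip()
        else:
            logical.append(line)
    return logical


def parse_received(header):
    """Pull the claimed host, bracketed IP, HELO name and receiving MTA out of one hop."""
    m = HOP_RE.match(header)
    if not m:
        return None
    from_part = m.group('from')
    ip = IPV4_RE.search(from_part)
    helo = re.search(r'helo=(\S+?)\)', from_part)
    return {
        'from': from_part.split()[0],
        'ip': ip.group(1) if ip else None,
        'helo': helo.group(1) if helo else None,
        'by': m.group('by'),
        # sendmail appends "(may be forged)" when the PTR name does not resolve back to the IP
        'may_be_forged': '(may be forged)' in from_part,
    }


def received_hops(raw_headers):
    """All Received: hops in header order (top = latest, bottom = earliest)."""
    return [h for h in (parse_received(l) for l in unfold_headers(raw_headers)) if h]


def classify_bounce(raw_headers, our_networks):
    """Decide whether a bounce is for mail we really sent or backscatter from a spoofed From:."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    hops = received_hops(raw_headers)
    if not hops or hops[-1]['ip'] is None:
        return 'undetermined', None
    origin = hops[-1]                       # earliest hop: where the message first entered SMTP
    ours = any(ipaddress.ip_address(origin['ip']) in n for n in nets)
    return ('sent-from-our-server' if ours else 'backscatter'), origin


if __name__ == '__main__':
    verdict, origin = classify_bounce(RECEIVED_HEADERS, ['216.127.0.0/24'])  # assumed own range
    print(verdict, origin)
```

Caveat: only the hops added by MTAs you trust are reliable; a spammer can forge any `Received:` lines below the first trusted one. The useful fact here is not the exact origin but that no hop in the chain was added by, or passed through, the poster's server, so the only connection to it is the spoofed `From:` domain.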
  9. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    12.208.178.167 is not us. So you're sure this is a spoofed msg and not something that's being exploited? Even so, shouldn't :fail: have rejected it?
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup. The only important header information is this part:

    Since none of that is to do with you, you're just seeing the bounce backs because the From: address has been spoofed (rycxqk@motiva???.com), which is presumably one of the domains for a non-existent user that you happen to host.
     
  11. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    Not all the headers say (may be forged). Some don't say that at all and are valid.
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, but those headers are for the email trying to be delivered to someone who isn't bouncing it. When the original email tried to be delivered it started bouncing round SMTP servers trying to find someone to deliver to and ended up on your server simply because of the spoofed From: address. The last resort for delivery was your server's MAILER-DAEMON. The bounce headers don't really help as they confuse the original spam, which originated from a PC that had nothing to do with you, save the spoofed From: field. Unfortunately, it's typical behaviour of spambots on compromised end-user PCs and there's little you can do but ride out all the (incorrectly) addressed bounces back to the domain you host.
     
  13. mko

    mko Member

    Joined:
    Apr 23, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Where do I need to add this?

    Thanks
     
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    In the first textbox of the exim configuration editor in WHM.
     
  15. gemininetcom

    gemininetcom Active Member

    Joined:
    Nov 29, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    I have a similar situation where spam seems to be originating from my own server. Following Chirpy's request, I have retrieved the headers from Logwatch:

    // Report from MailScanner //

    The following e-mails were found to have: Other Bad Content Detected

    Sender: gehafashion@saturn.manx????.net
    IP Address: 127.0.0.1
    Recipient: bacon@saturn.manx????.net
    Subject:
    MessageID: 1GNwjN-0002Pk-FY
    Quarantine: /var/spool/MailScanner/quarantine/20060914/1GNwjN-0002Pk-FY
    Report: MailScanner: Eudora long-MIME-boundary attack

    *********** Start of message header info ********************

    Received on: 14/09/06 19:18:41
    Received by: saturn.manx????.net
    Received from:
    127.0.0.1
    Received Via: 127.0.0.1
    ID: 1GNwjN-0002Pk-FY
    Message Headers: Received: from gehafashion by saturn.manx????.net with local (Exim 4.52)
    id 1GNwjN-0002Pk-FY
    for bacon@saturn.manx????.net; Thu, 14 Sep 2006 19:18:37 +0000
    To: bacon@saturn.manx????.net
    Content-Type: multipart/alternative;
    boundary=89d316d05908d130c2afe71e977dfe9b
    X-Mailer: Apple Mail (2.552)
    Subject: the asque country) ayonne am
    to: rbarnhardt@cs.com
    to: cristina.chuen@yahoo.com
    to: dmunz@bellsouth.net
    to: sweet_in_ascent@yahoo.com
    to: togarcia@hotmail.com
    to: iynchwise@aol.com
    to: isabea2003@yahoo.com
    to: dmrllgr@yahoo.com
    to: ronpearson_1@hotmail.com

    --89d316d05908d130c2afe71e977dfe9b
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain

    as just bacon and eggs . edit ealth issues n more modern times, it is
    commonly believed that diets high

    --89d316d05908d130c2afe71e977dfe9b
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain

    production ach country that produces ham has its own regulations. edit
    rance ayonne am e ambon de ayonne aking its name from the ancient port city
    of

    --89d316d05908d130c2afe71e977dfe9b--
    .

    From: ()
    Subject: WWW Form Submission

    Below is the result of your feedback form. It was submitted by ()
    ---------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Message-Id: <E1GNwjN-0002Pk-FY@saturn.manx????.net>
    From: gehafashion@saturn.manx????.net
    Date: Thu, 14 Sep 2006 19:18:37 +0000
    From:
    gehafashion@saturn.manx????.net
    To: bacon@saturn.manx????.net
    Size: 1.8Kb
    Anti-Virus/Dangerous Content Protection
    Virus: N
    Blocked File: N
    Other Infection: Y
    Report: MailScanner: Eudora long-MIME-boundary attack

    *********** End of message header info ********************

    Anyone have suggestions?
     
  16. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Spam is a big problem right now.
    I suggest you make sure users do not use the form mail provided by Cpanel.

    Also do not use HTML forms set to email, such as those created by FrontPage.

    I have written a script to prevent form email hijacking which can be found at http://netbizcity.com or http://hotscripts.com

    Search hotscripts for email hijacking

    Spam is on the rise due to this problem and you can do two things to keep it from getting out of hand.

    Set your default email address to :fail:

    Make sure that all users have Hijack proof scripts.

    Hope this helps.
     
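What "hijack proof" means for a form-mail script, as an added Python example that is not vincentg's script or cPanel's formmail: the weak version pastes form fields straight into header lines, so a submitter who puts a CR/LF followed by `Bcc:` into the "from" field turns the contact form into an open relay; the hardened version rejects any line break in a single-line field, requires a syntactically valid sender address, and delivers only to a fixed owner address regardless of what the form says. The owner address and field names are hypothetical.

```python
import re

FORM_OWNER = 'owner@example.com'    # assumed: the one address a contact form should ever deliver to
EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
INJECT_RE = re.compile(r'[\r\n\x00]')    # a single-line header field must never contain these


def build_headers_vulnerable(sender, subject):
    """Naive concatenation: whatever the submitter typed becomes header lines.

    A sender of 'x@example.com\\r\\nBcc: a@b, c@d' adds a Bcc: header, and the
    MTA happily delivers to every address in it.
    """
    return f'From: {sender}\r\nTo: {FORM_OWNER}\r\nSubject: {subject}\r\n'


def is_header_injection(value):
    """True if a single-line form field carries a CR, LF or NUL."""
    return bool(INJECT_RE.search(value))


def build_headers_hardened(sender, subject):
    """Reject injection attempts, require a valid address, and pin the recipient."""
    for field in (sender, subject):
        if is_header_injection(field):
            raise ValueError('header injection attempt rejected')
    if not EMAIL_RE.match(sender):
        raise ValueError('invalid sender address')
    subject = subject.strip()[:200]     # bound the length so the line cannot be abused for folding tricks
    # The recipient is never taken from the form, so the script cannot be pointed elsewhere.
    return f'From: {sender}\r\nTo: {FORM_OWNER}\r\nSubject: {subject}\r\n'


if __name__ == '__main__':
    # Constructed attack payload: a CRLF followed by a Bcc: header in the "from" field.
    payload = 'victim@example.com\r\nBcc: a@example.net, b@example.net'
    print(build_headers_vulnerable(payload, 'hello'))
    try:
        build_headers_hardened(payload, 'hello')
    except ValueError as e:
        print('rejected:', e)
```

The same rule applies to every field that ends up in a header (name, reply-to, subject): validate it as a single line, and never let the form choose the recipient. Pairing that with a default address of `:fail:` rather than a catch-all, as vincentg suggests, also stops the backscatter to non-existent users discussed earlier in the thread.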