Find out where the hacker infiltrated through

Prodisa

Registered
Jan 19, 2015
3
0
1
cPanel Access Level
Website Owner
Hello all.

I'm living a SPAM hell. Thanks to this forum's posts I have located and blocked the spam flood. Now I'm trying to prevent it from happening again.

The hacker had placed two malicious PHP scripts in two folders.

Both files were created on 10-Jan-2015, and the error_log in these folders starts on that date. Here is the first error log:
Code:
[10-Jan-2015 07:58:07 America/Denver] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so: cannot open shared object file: No such file or directory in Unknown on line 0
All of them are identical, up until today, when I deleted the files.

What can I do to find out where the attacker infiltrated through, in order to block future attacks?

Thanks in advance for your help.
 

Prodisa
Help to find spam origin

I thought I had solved the spam flood on my server, but the email queue is filling again. Before, I could identify the source: two malware scripts that I deleted. Now I need your help to locate the origin of those spam emails.

All of them are sent from a non-existent account on one of the hosted sites to Yahoo accounts.

Here are the headers. For security purposes I have replaced the real server domain, the site domain and the cPanel account name of the site (marked in blue).

Code:
Mail Control Data:

cPanelSiteName 513 512
<cPanelSiteName@serverDomain>
1421755579 0
-ident cPanelSiteName
-received_protocol local
-aclc _outgoing_spam_scan 1
1
-body_linecount 23
-max_received_linelength 80
-auth_id cPanelSiteName
-auth_sender cPanelSiteName@serverDomain
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-spam_score_int 0
XX
1
yahooTargetAccount

Date: Tue, 20 Jan 2015 13:06:19 +0100
From: "Ethan Jarvis" <siteInexistentEmailAccount>
To: yahooTargetAccount
Subject: Sexy Blonde Hot Toy Insertion Action
Content-Type: multipart/alternative;boundary="----------142175557954BE44BB0C57D"
Message-Id: <[email protected]serverDomain>
Mime-Version: 1.0
Received: from cPanelSiteName by serverDomain with local (Exim 4.84)
 (envelope-from <cPanelSiteName@serverDomain>)
 id 1YDXZb-00006A-2t
 for yahooTargetAccount; Tue, 20 Jan 2015 13:06:31 +0100
Reply-To: "Ethan Jarvis" <siteInexistentEmailAccount>
X-Mailer: Fscfz(ver.2.75)
X-OutGoing-Spam-Status: No, score=0.0
X-PHP-Script: "Ethan Jarvis" <siteDomain>/ for 127.0.0.1
Thank you in advance for your help.
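The headers above already carry the answer to "where does it come from": the Received line names the cPanel account, and cPanel's X-PHP-Script header records the PHP script (and the remote IP that hit it) that handed the message to Exim. The following script is an added example, not code from the thread or from cPanel; it parses a batch of queued-message headers and counts messages per account and script so the spamming file stands out. The account names, domains, queue ids and script paths in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample: header sections of three queued messages in the same
# shape as the one pasted above. Names, domains, ids and paths are made up.
SAMPLE_MESSAGES = [
    "Received: from cPanelSiteName by serverDomain with local (Exim 4.84)\n"
    " (envelope-from <cPanelSiteName@serverDomain>)\n"
    " id 1YDXZb-00006A-2t\n"
    " for yahooTargetAccount; Tue, 20 Jan 2015 13:06:31 +0100\n"
    "From: \"Ethan Jarvis\" <siteInexistentEmailAccount>\n"
    "X-Mailer: Fscfz(ver.2.75)\n"
    "X-PHP-Script: siteDomain/images/cache.php for 127.0.0.1\n",
    "Received: from cPanelSiteName by serverDomain with local (Exim 4.84)\n"
    " (envelope-from <cPanelSiteName@serverDomain>)\n"
    " id 1YDXZc-00006B-3u\n"
    " for otherYahooAccount; Tue, 20 Jan 2015 13:06:40 +0100\n"
    "X-PHP-Script: siteDomain/images/cache.php for 127.0.0.1\n",
    "Received: from otherAccount by serverDomain with local (Exim 4.84)\n"
    " (envelope-from <otherAccount@serverDomain>)\n"
    " id 1YDXZd-00006C-4v\n"
    " for someone@example.com; Tue, 20 Jan 2015 13:07:02 +0100\n"
    "X-PHP-Script: otherDomain/contact.php for 203.0.113.5\n",
]

def parse_headers(raw):
    """Parse header lines into a dict; folded continuation lines are joined."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers

def sending_script(headers):
    """X-PHP-Script is '<site>/<path> for <remote ip>'; return the script part."""
    value = headers.get("x-php-script")
    return value.split(" for ", 1)[0].strip() if value else None

def envelope_account(headers):
    """The cPanel account is the local part of envelope-from in Received."""
    m = re.search(r"envelope-from <([^@>]+)@", headers.get("received", ""))
    return m.group(1) if m else None

def summarize(raw_messages):
    """Count queued messages per (account, script); the spam source dominates."""
    counts = Counter()
    for raw in raw_messages:
        h = parse_headers(raw)
        counts[(envelope_account(h), sending_script(h))] += 1
    return counts
```

On a real box the input would be the header section (`exim -Mvh <id>`) of each queued message; the top entry of `summarize(...).most_common()` is the file to inspect and the account whose web application needs patching.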
 

Prodisa
Michael, thank you for the links. This info helped me to keep the server spam free.

Now my IP has been blacklisted. While I work on getting it removed from several lists, could I use my free secondary VPS IP for email services? If the answer is yes, how can I do it?

I'm afraid my reptilian hosting support agents don't know the answer in a chat, and don't answer a two-day-old ticket :(. I need your help.