The Community Forums


Find out where the hacker infiltrated through

Discussion in 'Security' started by Prodisa, Jan 20, 2015.

  1. Prodisa

    Prodisa Registered

    Joined:
    Jan 19, 2015
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hello all.

    I'm living a SPAM hell. Thanks to this forum's posts I have located and blocked the spam flood. Now I'm trying to prevent it from happening again.

    The hacker had placed two malicious PHP scripts in two folders.

    Both files were created on 10-Jan-2015, and the error_log in these folders starts on that date. Here is the first error log:
    Code:
    [10-Jan-2015 07:58:07 America/Denver] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20090626/timezonedb.so: cannot open shared object file: No such file or directory in Unknown on line 0
    
    All of them are identical, up until today when I deleted the files.

    What can I do to find out where the attacker infiltrated through, in order to block future attacks?

    Thanks in advance for your help.
     
  2. Prodisa

    Help to find spam origin

    I thought I had solved the spam flood on my server, but the email queue is filling up again. Before, I could identify the source: two malware scripts that I deleted. Now I need your help to locate the origin of those spam emails.

    All of them are sent from a nonexistent account on one of the hosted sites to Yahoo accounts.

    Here are the headers. For security purposes I have replaced the real server domain, the site domain and the cPanel account name of the site with placeholders (serverDomain, siteDomain and cPanelSiteName).

    Code:
    Mail Control Data:
    
    cPanelSiteName 513 512
    <cPanelSiteName@serverDomain>
    1421755579 0
    -ident cPanelSiteName
    -received_protocol local
    -aclc _outgoing_spam_scan 1
    1
    -body_linecount 23
    -max_received_linelength 80
    -auth_id cPanelSiteName
    -auth_sender cPanelSiteName@serverDomain
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    -spam_score_int 0
    XX
    1
    yahooTargetAccount
    
    Date: Tue, 20 Jan 2015 13:06:19 +0100
    From: "Ethan Jarvis" <siteInexistentEmailAccount>
    To: yahooTargetAccount
    Subject: Sexy Blonde Hot Toy Insertion Action
    Content-Type: multipart/alternative;boundary="----------142175557954BE44BB0C57D"
    Message-Id: <E1YDXZb-00006A-2t@serverDomain>
    Mime-Version: 1.0
    Received: from cPanelSiteName by serverDomain with local (Exim 4.84)
     (envelope-from <cPanelSiteName@serverDomain>)
     id 1YDXZb-00006A-2t
     for yahooTargetAccount; Tue, 20 Jan 2015 13:06:31 +0100
    Reply-To: "Ethan Jarvis" <siteInexistentEmailAccount>
    X-Mailer: Fscfz(ver.2.75)
    X-OutGoing-Spam-Status: No, score=0.0
    X-PHP-Script: "Ethan Jarvis" <siteDomain>/ for 127.0.0.1
    
    Thank you in advance for your help.
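The header block in the post above already answers the question it asks: `-received_protocol local` and `-auth_id`/`-ident` name the cPanel account whose Unix user handed the message to Exim, and on cPanel hosts the `X-PHP-Script` header records the vhost, the path of the PHP script that called mail() and the client IP that requested it. The script below is an added example (not from the thread and not cPanel's own tooling) that parses a dump in the same "Mail Control Data" layout and returns that attribution. Both sample dumps are constructed; `server.example.net`, `spamacct`, `customer.example.com`, `/images/tmp.php`, `victim@yahoo.example` and `198.51.100.7` are placeholders. It also handles the other common case, a message submitted over authenticated SMTP with a stolen mailbox password, since the two call for different fixes.

```python
"""Attribute a queued cPanel/Exim message to the account, protocol and
PHP script that submitted it.

Added example, not code from the forum thread or from cPanel. The input
layout follows the "Mail Control Data" block that WHM's Mail Queue Manager
shows (the Exim -H spool file, then the message headers). All hosts,
accounts, paths and IPs in the samples are constructed placeholders.
"""
import re
from email import message_from_string

# Constructed sample 1: injected locally by a PHP script (same shape as the post).
SAMPLE_PHP = """\
spamacct 513 512
<spamacct@server.example.net>
1421755579 0
-ident spamacct
-received_protocol local
-auth_id spamacct
-auth_sender spamacct@server.example.net
-local
XX
1
victim@yahoo.example

From: "Ethan Jarvis" <nobody@customer.example.com>
To: victim@yahoo.example
Received: from spamacct by server.example.net with local (Exim 4.84)
 (envelope-from <spamacct@server.example.net>)
 id 1YDXZb-00006A-2t
 for victim@yahoo.example; Tue, 20 Jan 2015 13:06:31 +0100
X-Mailer: Fscfz(ver.2.75)
X-PHP-Script: customer.example.com/images/tmp.php for 127.0.0.1
"""

# Constructed sample 2: submitted over authenticated SMTP from a remote client.
SAMPLE_SMTP = """\
mailnull 47 12
<user@customer.example.com>
1421755600 0
-ident mailnull
-received_protocol esmtpa
-auth_id user@customer.example.com
-host_address 198.51.100.7.51234
XX
1
victim@yahoo.example

From: user@customer.example.com
To: victim@yahoo.example
"""

# Usual shape of cPanel's X-PHP-Script header: "<vhost>/<script path> for <client IP>".
X_PHP_SCRIPT_RE = re.compile(r"^(?P<vhost>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<client>\S+)")


def parse_control_data(text):
    """Split a spool dump into the Exim control lines and the RFC 5322 headers."""
    control_part, _, header_part = text.partition("\n\n")
    lines = control_part.splitlines()
    info = {
        "login": lines[0].split()[0],            # Unix user that handed Exim the message
        "envelope_sender": lines[1].strip("<>"),
        "options": {},
    }
    for line in lines[2:]:
        if line.startswith("-"):                 # "-name value" spool options
            key, _, value = line[1:].partition(" ")
            info["options"][key] = value
    # Recipient addresses are the remaining '@' lines after the count line.
    info["recipients"] = [l for l in lines[2:] if "@" in l and not l.startswith(("-", "<"))]
    info["headers"] = message_from_string(header_part)
    return info


def attribute(info):
    """Return who or what submitted the message, with the evidence used."""
    opts, hdrs = info["options"], info["headers"]
    result = {
        "account": opts.get("auth_id") or opts.get("ident") or info["login"],
        "protocol": opts.get("received_protocol"),
        "from_header": hdrs.get("From"),
        # -host_address is "<ip>.<port>" in the spool file; drop the port.
        "client_ip": opts.get("host_address", "").rsplit(".", 1)[0] or None,
        "php_script": None,
        "verdict": "unknown",
    }
    xps = hdrs.get("X-PHP-Script")
    if xps:
        m = X_PHP_SCRIPT_RE.match(" ".join(xps.split()))
        result["php_script"] = m.groupdict() if m else {"raw": xps.strip()}
    if result["protocol"] == "local" and result["php_script"]:
        result["verdict"] = "PHP mail() call under account " + result["account"]
    elif result["protocol"] == "local":
        result["verdict"] = "local process under account " + result["account"]
    elif result["protocol"] in ("esmtpa", "esmtpsa"):
        result["verdict"] = "SMTP AUTH login %s from %s" % (result["account"], result["client_ip"])
    return result


def triage(text):
    """Spool dump text in, attribution dict out."""
    return attribute(parse_control_data(text))


if __name__ == "__main__":
    for sample in (SAMPLE_PHP, SAMPLE_SMTP):
        r = triage(sample)
        print(r["verdict"], "| script:", r["php_script"], "| From:", r["from_header"])
```

On the server itself, `exim -bp` lists the queue and `exim -Mvh <message-id>` prints the same -H spool file for one message, so the dump can be fed straight in. Once the script path is known, the domain's Apache access log (cPanel keeps them under /usr/local/apache/domlogs/) shows which client IP requested that path and when it was first hit, which is the trail back to the entry point the first post asks about. The regex assumes the normal header shape; a redacted header like the one in the post falls back to the raw string rather than failing.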
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  4. Prodisa

    Michael, thank you for the links. This info helped me to keep the server spam free.

    Now my IP has been blacklisted. While I work on getting it removed from several lists, could I use my free VPS secondary IP for email services? If the answer is yes, how can I do it?

    I'm afraid my reptilian hosting support agents don't know the answer in a chat, and don't answer a two-day-old ticket :(. I need your help.
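The reply to this question is not on the page. As an added note (not from the thread and not cPanel's documentation), the mechanism cPanel provides for choosing the outbound address is the /etc/mailips map, paired with /etc/mailhelo for the HELO name; both files list one "domain: value" pair per line, with "*" as the default. The addresses and hostnames below are placeholders.

```text
# /etc/mailips  (domain: outgoing IPv4 address; "*" is the default for every domain)
*: 203.0.113.25
customer.example.com: 203.0.113.25

# /etc/mailhelo  (domain: HELO name; should resolve to that IP and match its PTR)
*: mail.server.example.net
```

The files only take effect once the option in WHM's Exim Configuration Manager (Domains and IPs section) that makes Exim reference /etc/mailips and /etc/mailhelo for outgoing SMTP is enabled and Exim is restarted, and the secondary IP must already be bound on the VPS. Set the PTR record of the new IP to the HELO name and add the IP to the sending domains' SPF records before switching. The caveat a practitioner would add: if the spamming script is still on the server, the second IP will be listed just as quickly as the first.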
     
  5. cPanelMichael
