Have I Been Hacked?

Discussion in 'General Discussion' started by andyorourke, Aug 23, 2004.

  1. andyorourke

    andyorourke Member

    Joined:
    Dec 17, 2003
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    UK
    I have just had a few spam complaints and don't know how to tell if someone has hacked my server or if it's just one of my users being 'clever'. I have replaced real emails with xxxxxxxxx.

    Here is the header from one of the offending emails:
    1By8pX-0003Kw-AN-H
    nobody 99 99
    <xxxxxxxxxxxx@twcny.rr.com>
    1093006155 2
    -ident nobody
    -received_protocol local
    -body_linecount 23
    -auth_id nobody
    -auth_sender nobody@server1.monstermailz.com
    -local
    XX
    1
    xxxxxxxxx@buildreferrals.com

    161P Received: from nobody by server1.monstermailz.com with local (Exim 4.34)
    id 1By8pX-0003Kw-AN
    for raindropp@buildreferrals.com; Fri, 20 Aug 2004 08:49:15 -0400
    033T To: raindropp@buildreferrals.com
    071 Subject: Earn E-Gold Profits in 10 Minutes! Automatic E-Gold Payments.
    033F From: xxxxxxxxxx@twcny.rr.com
    037R Reply-To: xxxxxxxxxxxx@twcny.rr.com
    031 X-Mailer: Outlook 5.40.0037134
    057I Message-Id: <E1By8pX-0003Kw-AN@server1.monstermailz.com>
    050* X-rewrote-sender: nobody@server1.monstermailz.com
    038 Date: Fri, 20 Aug 2004 08:49:15 -0400
    1By8pX-0003Kw-AN-D

    Here is a standard header from a legitimate email
    Return-path: <xxxxxxxxxx@monstermailz.com>
    Envelope-to: xxxxxxxxx@safelist-central.com
    Delivery-date: Mon, 23 Aug 2004 15:07:53 +0100
    Received: from [168.144.1.81] (helo=relay1.mail2web.com)
    by server1.safelistsweb.com with esmtp (Exim 4.34)
    id 1BzFUD-000101-J8
    for xxxxxxx@safelist-central.com; Mon, 23 Aug 2004 15:07:49 +0100
    Received: from M2W097.mail2web.com ([168.144.251.210]) by relay1.mail2web.com with Microsoft SMTPSVC(5.0.2195.6713);
    Mon, 23 Aug 2004 10:07:47 -0400
    Message-ID: <303690-22004812314747655@M2W097.mail2web.com>
    X-Priority: 3
    Reply-To: xxxxxxxxxxx@monstermailz.com
    X-Originating-IP: 194.203.215.254
    X-URL: http://mail2web.com/
    From: "xxxxxxx@monstermailz.com" <xxxxxxxxxx@monstermailz.com>

    To my untrained eye the original message doesn't contain as much information as the standard header. Is there any way to tell if:
    1. I have been hacked and someone is using my box to send emails
    2. The header has been spoofed and the mails don't come from me but just have my domain in the header

    As usual, any helpful comments are gratefully received.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If server1.monstermailz.com is your server, then the first email does indicate that it is originating from your server and is not spoofed. Since it is being sent by the local nobody user, you most likely have a PHP script on your server that is vulnerable and allowing spam to be sent through it (rather than your whole server being hacked - there's no indication of that).

    I would suggest that you either:

    1. Enable phpsuexec so that you can track down which domain the script is on (as the auth_id will change to the account name, rather than using nobody).

    2. Enable WHM > Tweak Settings > Track the origin of messages sent through the mail server by adding the X-Source headers.
     
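The reasoning in chirpy's reply can be applied mechanically. The script below is an added example (not code from this thread, from cPanel or from Exim): it parses the Exim spool header pasted in the first post and a plain delivered-message header, then reports whether the message was handed to Exim locally by the web server user, arrived over SMTP (with or without SMTP AUTH), or never passed through the named host at all. The X-Source* headers it looks for are the ones the WHM tweak above adds. WEB_USERS, the hostnames passed to triage(), and the two samples (constructed from the already-masked headers in the first post) are assumptions.

```python
"""Added example for this thread (not cPanel's or Exim's own code): given a suspect
message's headers, decide whether it was injected locally on this Exim box (as the
spool file in the first post shows), arrived over SMTP, or never passed through the
host.  Assumption: WEB_USERS lists the users a web server runs as."""
import re

WEB_USERS = {"nobody", "apache", "www-data"}              # assumption
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
SPOOL_HDR = re.compile(r"^(\d+)([A-Z*]?) (.*)$")           # "161P Received: ..."
OPTION = re.compile(r"^-(\S+)(?:\s+(.*))?$")                # "-received_protocol local"
FROM_IP = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_PROTO = re.compile(r"\bwith\s+([a-z]+)")


def parse_headers(lines):
    """Fold lines into (name, value) pairs.  Forum pasting strips the indentation
    of continuation lines, so a line that is not "Name: value" joins the previous one."""
    headers = []
    for raw in lines:
        line = raw.strip()
        if m := HEADER.match(line):
            headers.append((m.group(1), m.group(2)))
        elif line and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line)
    return headers


def parse_spool(text):
    """Parse an Exim -H spool file: id, "user uid gid", <envelope-from>, "time warnings",
    -option lines, the "XX" non-recipient tree, recipient count + addresses, headers."""
    lines = [l.strip() for l in text.strip("\n").splitlines()]
    msg_id = lines[0][:-2]                                   # drop the trailing "-H"
    info = {"id": msg_id, "user": lines[1].split()[0], "envelope_from": lines[2], "options": {}}
    i = 4
    while lines[i].startswith("-"):
        m = OPTION.match(lines[i])
        info["options"][m.group(1)] = m.group(2) or ""
        i += 1
    count = int(lines[i + 1])                                # lines[i] is the "XX" tree
    info["recipients"] = lines[i + 2:i + 2 + count]
    rest = [l for l in lines[i + 2 + count:] if l != msg_id + "-D"]   # poster pasted the -D name too
    info["headers"] = parse_headers([SPOOL_HDR.sub(r"\3", l) for l in rest])
    return info


def triage(headers, our_host, user=None, options=None):
    """Return (verdict, evidence) describing how the message entered our_host's queue."""
    options = options or {}
    # WHM's "Track the origin of messages" tweak adds X-Source* headers naming the script.
    evidence = [f"{n}: {v}" for n, v in headers if n.lower().startswith("x-source")]
    hop = next((v for n, v in headers if n.lower() == "received" and f"by {our_host}" in v), None)
    proto = options.get("received_protocol")                 # authoritative in a spool file
    if hop:
        evidence.append("Received: " + hop)
        if proto is None:
            proto = m.group(1) if (m := WITH_PROTO.search(hop)) else None
    if hop is None and proto is None:       # our name appears only in From:/Return-path
        return "NOT_VIA_THIS_HOST", evidence + [f"no Received line names {our_host}"]
    if proto == "local":                    # handed to Exim by a process on this box
        if user is None and hop:
            user = m.group(1) if (m := re.match(r"from\s+(\S+)\s+by", hop)) else None
        if user in WEB_USERS:
            return "LOCAL_WEB_SCRIPT", evidence + [f"submitted locally as {user}"]
        return f"LOCAL_USER:{user}", evidence
    src = m.group(1) if (m := FROM_IP.search(hop or "")) else "unknown"
    if proto and proto.endswith("a"):       # esmtpa/esmtpsa: a mailbox password was used
        return f"AUTH_SMTP_FROM:{src}", evidence + ["SMTP AUTH used; check that account"]
    return f"INBOUND_SMTP_FROM:{src}", evidence

# Both samples are constructed from the headers in the first post (addresses masked there).
SPOOL_SAMPLE = """1By8pX-0003Kw-AN-H
nobody 99 99
<xxxxxxxxxxxx@twcny.rr.com>
1093006155 2
-received_protocol local
XX
1
xxxxxxxxx@buildreferrals.com

161P Received: from nobody by server1.monstermailz.com with local (Exim 4.34)
for raindropp@buildreferrals.com; Fri, 20 Aug 2004 08:49:15 -0400
033F From: xxxxxxxxxx@twcny.rr.com
1By8pX-0003Kw-AN-D"""

RELAYED_SAMPLE = """Return-path: <xxxxxxxxxx@monstermailz.com>
Received: from [168.144.1.81] (helo=relay1.mail2web.com)
by server1.safelistsweb.com with esmtp (Exim 4.34)
id 1BzFUD-000101-J8
Received: from M2W097.mail2web.com ([168.144.251.210]) by relay1.mail2web.com with Microsoft SMTPSVC(5.0.2195.6713);
From: "xxxxxxx@monstermailz.com" <xxxxxxxxxx@monstermailz.com>"""

def demo():
    spool = parse_spool(SPOOL_SAMPLE)
    v1, _ = triage(spool["headers"], "server1.monstermailz.com", user=spool["user"], options=spool["options"])
    relayed = parse_headers(RELAYED_SAMPLE.splitlines())
    v2, _ = triage(relayed, "server1.safelistsweb.com")   # the host that actually received it
    v3, _ = triage(relayed, "server1.monstermailz.com")   # that domain is only in the From:
    return {"spool": v1, "relayed": v2, "relayed_vs_monstermailz": v3}
```

demo() returns LOCAL_WEB_SCRIPT for the spool file (protocol local, owner nobody), INBOUND_SMTP_FROM:168.144.1.81 for the "legitimate" header when judged from server1.safelistsweb.com, and NOT_VIA_THIS_HOST for that same header judged from server1.monstermailz.com, which is the second case in the original question: the domain appears in the From: but no Received line shows the host handling it. On a live box the same pattern can be checked with plain grep over the queue, e.g. `grep -rl -- '-auth_id nobody' /var/spool/exim/input/` (the spool path is Exim's usual default and is an assumption here), which lists queued messages whose auth id is the web server user.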
  3. compunet2

    compunet2 Well-Known Member

    Joined:
    Feb 21, 2003
    Messages:
    310
    Likes Received:
    0
    Trophy Points:
    16
    When you enable PHPsuexec, do users need to change their scripts, or does everything just work as it always did?
     
  4. andyorourke

    andyorourke Member

    Joined:
    Dec 17, 2003
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    UK
    I have done the WHM tweak. How do I enable phpsuexec? Do I check that when I rebuild Apache?

    Thanks
     
  5. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Rebuild Apache to add phpsuexec. May break some existing scripts, but worth having the extra protection.
     
  6. andyorourke

    andyorourke Member

    Joined:
    Dec 17, 2003
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    UK
    I have SuExec enabled in WHM > Server Setup > enable/disable SuExec, do I still need to include the phpsuexec in my apache build, if so, why?

    Thanks
    Andy
     
  7. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
  8. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    suexec is for Perl scripts and phpsuexec is for PHP scripts.

    I like sawbuck's answer though. You really should understand what it is doing so that if you run into problems you know where to start addressing them :)
     