HELP! Somebody has hijacked my email system

[sexy_guy]

I have over 600 of these going out from my server right now, i just caught it, and i cant find the source!!!!

2003-04-14 15:07:03 195C6Q-0004zd-00 <= [email protected] H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527120 [email protected]
2003-04-14 15:07:03 195C6I-0004zJ-00 => [email protected] R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168
2003-04-14 15:07:03 195C6I-0004zJ-00 Completed
2003-04-14 15:07:08 195C6V-0004zr-00 <= [email protected] H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527650 [email protected]
2003-04-14 15:07:09 195C6Q-0004zd-00 => [email protected] R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168

The only thing i can do it shut down Exim to stop it. How can i find out who this is? Thats because cpanel allows messages to be send out of the server as nobody!

 

[xsenses]

Originally posted by sexy_guy
Thats because cpanel allows messages to be send out of the server as nobody!

Can't you stop "nobody" from sending email in WHM?

 

[sexy_guy]

Nope, so far they cant do it, isnt it amazing look at this

12-13 53 ....
13-14 616 ...................................................
14-15 394 ................................
15-16 83 ......

sent in 1hr as nobody! Im still trying to stop this crap from leaving my server.

 

[dgbaker]

In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

 

[sexy_guy]

I did that already and that doesnt work dgbaker. I just finished installing a mail monitor script that will tell me whos sending it. Any msgs over 5 msgs will halt the sender.

 

[sexy_guy]

Originally posted by dgbaker
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

Dont know how this phpsuexec works but after i recompiled my system last night to include it Squirrelmail was inaccessible throughout the entire system. And we had all kinds of permission problems all over the server.

 

[sexy_guy]

Very strange, it doesnt seem to be coming from my server. Wait localhost coming in then going straight out? I dont get this.

 

[sexy_guy]

anyone know how i can setup an exim rule to prevent delivery of messages to a domain..

These messages are being sent to NOT.COM that has an ip of 0.0.0.0.

 

[Radio_Head]

I had this problem some weeks ago when a client asked me to
modify Mail A Record .... modifing this parameter he was able to send spam ...

Removing that value , spammer was stopped .

Perhaps is it your problem too ?

 

[sexy_guy]

Originally posted by dgbaker
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

Can you write a howto on this? I mean installing it is easy however what about all the file persmissions. This is a nighmare. When i did install it i had to remove it moments after the compile because everthing stopped working, permission problems all over the place, paths not found etc etc. Good thing it was 3am otherwise our users would have killed us.

 

[sexy_guy]

Originally posted by Radio_Head
I had this problem some weeks ago when a client asked me to
modify Mail A Record .... modifing this parameter he was able to send spam ...

Removing that value , spammer was stopped .

Perhaps is it your problem too ?

We dont allow our users to modify MX records but this is what we found out. The guy used a sites E-Greeting card program to send out a greeting card to himself which he looped back to his origional email address then fired it off. This looped the program out of control. It stopped after 5hrs and 1,300+ emails later. We cannot recreate the problem so it seems it was a deliberate attempt. Amazing people.

 

[jamesbond]

Originally posted by sexy_guy
Can you write a howto on this? I mean installing it is easy however what about all the file persmissions. This is a nighmare. When i did install it i had to remove it moments after the compile because everthing stopped working, permission problems all over the place, paths not found etc etc. Good thing it was 3am otherwise our users would have killed us.

I haven't tried phpsuexec myself, but regarding the permissions I think you could do something like this :

find /home/*/public_html -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' | xargs chmod -v a+x

See:
http://forums.cpanel.net/showthread.php?s=&threadid=8576

 

[sexy_guy]

Im really reluctant to change all the permissions only to find out it didnt work and be stuck with a bunch of nonworking sites. Has anyone done this and knows it works for sure?

 

[Radio_Head]

Originally posted by sexy_guy
We dont allow our users to modify MX records but this is what we found out. The guy used a sites E-Greeting card program to send out a greeting card to himself which he looped back to his origional email address then fired it off. This looped the program out of control. It stopped after 5hrs and 1,300+ emails later. We cannot recreate the problem so it seems it was a deliberate attempt. Amazing people.

No I am not talking of mx ... however it was a dns parameter ,
I cannot remember now (perhaps Mail Record A).