The Community Forums

Interact with an entire community of cPanel & WHM users!

HELP! Somebody has hijacked my email system

Discussion in 'E-mail Discussions' started by sexy_guy, Apr 14, 2003.

  1. sexy_guy

    sexy_guy Well-Known Member

    I have over 600 of these going out from my server right now. I just caught it, and I can't find the source!

    2003-04-14 15:07:03 195C6Q-0004zd-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527120 id=E195AKc-00088X-00@myserver.com
    2003-04-14 15:07:03 195C6I-0004zJ-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168
    2003-04-14 15:07:03 195C6I-0004zJ-00 Completed
    2003-04-14 15:07:08 195C6V-0004zr-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527650 id=E195AKc-00088X-00@my.server.com
    2003-04-14 15:07:09 195C6Q-0004zd-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168

    The only thing I can do is shut down Exim to stop it. How can I find out who this is? :mad: That's because cPanel allows messages to be sent out of the server as nobody!
     
    #1 sexy_guy, Apr 14, 2003
    Last edited: Apr 14, 2003
  2. xsenses

    xsenses Well-Known Member

    Can't you stop "nobody" from sending email in WHM?
     
  3. sexy_guy

    sexy_guy Well-Known Member

    Nope, so far they can't do it. Isn't it amazing? Look at this:

    12-13 53 ....
    13-14 616 ...................................................
    14-15 394 ................................
    15-16 83 ......

    sent in 1hr as nobody! I'm still trying to stop this crap from leaving my server.
     
  4. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    In WHM - Tweak Settings.

    Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
     
  5. sexy_guy

    sexy_guy Well-Known Member

    I did that already and that doesn't work, dgbaker. I just finished installing a mail monitor script that will tell me who's sending it. Any sender over 5 msgs will be halted.
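As an added example (not code from the thread, from cPanel or from the mail monitor script mentioned above), here is the kind of check posts 1, 3 and 5 describe, written in Python: it parses Exim mainlog lines like the ones quoted in the first post, builds the per-hour count of messages injected by a given envelope sender (the "15-16 83" style table in post 3), lists which remote hosts the mail is being delivered to, and flags any sender that injects more than five messages within one minute. The log lines in SAMPLE_LOG are constructed for the example (the message ids that are not in the thread are made up), and the limit of five and the one-minute window are assumptions, not anything the thread or cPanel specifies.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog excerpt modelled on the lines quoted in the thread.
# Message ids and addresses beyond the quoted ones are made up for this example.
SAMPLE_LOG = """\
2003-04-14 15:07:03 195C6Q-0004zd-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp S=527120 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:03 195C6I-0004zJ-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0]
2003-04-14 15:07:03 195C6I-0004zJ-00 Completed
2003-04-14 15:07:08 195C6V-0004zr-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp S=527650 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:09 195C6Q-0004zd-00 => pornomag6999@yaho.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0]
2003-04-14 15:07:09 195C6Q-0004zd-00 Completed
2003-04-14 15:07:15 195C6b-00050a-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp S=527300 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:21 195C6h-00050m-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp S=527110 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:27 195C6n-00050y-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp S=527090 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:07:33 195C6t-00051a-00 <= nobody@my.server.com H=localhost (my.server.com) [127.0.0.1] P=esmtp S=527400 id=E195AKc-00088X-00@my.server.com
2003-04-14 15:12:40 195CBq-00052c-00 <= alice@example.com U=alice P=local S=1342
2003-04-14 15:12:41 195CBq-00052c-00 => bob@example.net R=lookuphost T=remote_smtp H=mail.example.net [192.0.2.10]
2003-04-14 15:12:41 195CBq-00052c-00 Completed
2003-04-14 16:03:05 195D2h-00053e-00 <= alice@example.com U=alice P=local S=980
"""

# Exim mainlog: "<date> <time> <msgid> <op> <address> key=value ...".
# <= is an arrival, => a delivery; "Completed" and other lines carry no address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) "
    r"(?P<op><=|=>|->|\*\*|==) (?P<addr>\S+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"\b([A-Za-z]+)=(\S+)")


def parse_mainlog(text):
    """Return one record per arrival/delivery line; lines without an address are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "id": m.group("id"),
            "op": m.group("op"),
            "addr": m.group("addr").lower(),
            "fields": dict(KV_RE.findall(m.group("rest"))),
        })
    return records


def hourly_histogram(records, sender):
    """Arrivals per clock hour for one envelope sender, keyed like the thread's '15-16' buckets."""
    hist = Counter()
    for r in records:
        if r["op"] == "<=" and r["addr"] == sender.lower():
            hist[f"{r['ts'].hour}-{r['ts'].hour + 1}"] += 1
    return dict(hist)


def remote_destinations(records):
    """Count remote_smtp deliveries by receiving host, which exposes a sink like the thread's not.com."""
    hosts = Counter()
    for r in records:
        if r["op"] == "=>" and r["fields"].get("T") == "remote_smtp":
            hosts[r["fields"].get("H", "?")] += 1
    return dict(hosts)


def senders_over_limit(records, limit=5, window=timedelta(minutes=1)):
    """Envelope senders that injected more than `limit` messages inside any span of length `window`.

    Returns {sender: start time of the first burst}. Limit and window are assumed values."""
    arrivals = defaultdict(list)
    for r in records:
        if r["op"] == "<=":
            arrivals[r["addr"]].append(r["ts"])
    flagged = {}
    for sender, times in arrivals.items():
        times.sort()
        # Sliding window: if message i+limit arrived within `window` of message i, that is limit+1 in the window.
        for i in range(len(times) - limit):
            if times[i + limit] - times[i] <= window:
                flagged[sender] = times[i]
                break
    return flagged


def report(text, limit=5, window=timedelta(minutes=1)):
    """Summarise a log excerpt: where the mail is going and which senders should be halted."""
    recs = parse_mainlog(text)
    lines = [f"remote destinations: {remote_destinations(recs)}"]
    for sender, first in senders_over_limit(recs, limit, window).items():
        lines.append(f"HALT {sender}: more than {limit} messages within {window} from {first:%H:%M:%S}; "
                     f"hourly counts {hourly_histogram(recs, sender)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On a live server the same functions can be fed `/var/log/exim_mainlog` in a loop; the `H=localhost`/`P=esmtp` fields in the arrival records are what show that the mail was injected over SMTP from the local web server rather than submitted by a logged-in user.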
     
  6. sexy_guy

    sexy_guy Well-Known Member

    Don't know how this phpsuexec works, but after I recompiled my system last night to include it, SquirrelMail was inaccessible throughout the entire system. And we had all kinds of permission problems all over the server.
     
  7. sexy_guy

    sexy_guy Well-Known Member

    Very strange, it doesn't seem to be coming from my server. Wait, localhost coming in then going straight out? I don't get this.
     
  8. sexy_guy

    sexy_guy Well-Known Member

    Anyone know how I can set up an Exim rule to prevent delivery of messages to a domain?

    These messages are being sent to NOT.COM that has an ip of 0.0.0.0.
     
  9. Radio_Head

    Radio_Head Well-Known Member

    I had this problem some weeks ago when a client asked me to
    modify Mail A Record.... Modifying this parameter, he was able to send spam...

    Removing that value, the spammer was stopped.

    Perhaps it is your problem too?
     
  10. sexy_guy

    sexy_guy Well-Known Member

    Can you write a howto on this? I mean installing it is easy, however what about all the file permissions? This is a nightmare. When I did install it I had to remove it moments after the compile because everything stopped working: permission problems all over the place, paths not found, etc. etc. Good thing it was 3am, otherwise our users would have killed us.
     
  11. sexy_guy

    sexy_guy Well-Known Member

    We don't allow our users to modify MX records, but this is what we found out. The guy used a site's E-Greeting card program to send out a greeting card to himself, which he looped back to his original email address and then fired it off. This looped the program out of control. It stopped after 5hrs and 1,300+ emails later. We cannot recreate the problem, so it seems it was a deliberate attempt. Amazing people.
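The runaway greeting-card script in the post above is the kind of loop a small guard in the sending code prevents. This added Python example (not code from the thread, from cPanel or from any e-card product) shows three checks a card mailer can apply before handing mail to the MTA: refuse a card addressed back to its own originator, mark every outgoing card with an X-Loop header (the loop-marker convention Exim filters use) and refuse to act on a triggering message that already carries that marker, and cap sends per originating address within a sliding window. CardMailer, the site tag in LOOP_TAG, the limit of five per hour and the simulated auto-forwarding mailbox are assumptions made for the example; nothing is actually delivered.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

LOOP_HEADER = "X-Loop"              # loop-marker header convention also used by Exim filters
LOOP_TAG = "ecard@my.server.com"    # assumed site-specific tag; placeholder for this example


class CardMailer:
    """Outbound wrapper an e-card script would call instead of piping straight to sendmail."""

    def __init__(self, per_origin_limit=5, window=timedelta(hours=1)):
        self.limit = per_origin_limit          # assumed quota per originating address
        self.window = window                   # assumed sliding window for that quota
        self.sent = []                         # stand-in for the MTA queue; nothing leaves the process
        self.recent = defaultdict(deque)       # origin address -> timestamps of recent accepted sends

    def send_card(self, origin, recipient, text, inbound_headers=None, now=None):
        """Return (accepted, reason). `inbound_headers` are the headers of the mail that
        triggered this card, if the card was generated in response to a message."""
        now = now or datetime.now()
        origin, recipient = origin.strip().lower(), recipient.strip().lower()

        # 1. A card addressed back to its own originator is exactly the thread's looping trick.
        if origin == recipient:
            return False, "self-addressed"

        # 2. If the triggering mail already carries our marker, we generated it ourselves: a loop.
        if inbound_headers:
            lowered = {k.lower(): v for k, v in inbound_headers.items()}
            if lowered.get(LOOP_HEADER.lower()) == LOOP_TAG:
                return False, "loop"

        # 3. Sliding-window quota per originating address, so a runaway sender stalls quickly.
        q = self.recent[origin]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False, "rate-limit"

        msg = EmailMessage()
        msg["From"] = origin
        msg["To"] = recipient
        msg["Subject"] = "You have a greeting card"
        msg[LOOP_HEADER] = LOOP_TAG            # every card we emit is marked
        msg.set_content(text)
        self.sent.append(msg)
        q.append(now)
        return True, "sent"


def simulate_forward_loop(mailer, origin, recipient, rounds=10):
    """Model a recipient mailbox that auto-forwards every card back into the card script.
    Returns (cards that got out, reason the loop stopped)."""
    delivered = 0
    inbound = None
    for _ in range(rounds):
        ok, reason = mailer.send_card(origin, recipient, "hi", inbound_headers=inbound)
        if not ok:
            return delivered, reason
        delivered += 1
        inbound = dict(mailer.sent[-1].items())   # the card comes back carrying its own headers
    return delivered, "no guard triggered"


def send_burst(mailer, origin, count, start=None):
    """Send `count` cards to distinct recipients one second apart and return each outcome."""
    start = start or datetime(2003, 4, 14, 15, 7, 3)     # constructed timestamp from the thread's log
    outcomes = []
    for i in range(count):
        _, reason = mailer.send_card(origin, f"friend{i}@example.net", "hi",
                                     now=start + timedelta(seconds=i))
        outcomes.append(reason)
    return outcomes


if __name__ == "__main__":
    print(CardMailer().send_card("alice@example.com", "Alice@Example.com", "hi"))
    print(simulate_forward_loop(CardMailer(), "alice@example.com", "bob@example.net"))
    print(send_burst(CardMailer(), "alice@example.com", 7))
```

The third check is the one that would have stopped the 1,300-message run in the post above even if the attacker had found a way around the first two; the `X-Loop` marker is only effective if the script also honours it on the way in, which is why `send_card` inspects `inbound_headers`.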
     
  12. jamesbond

    jamesbond Well-Known Member

    I haven't tried phpsuexec myself, but regarding the permissions I think you could do something like this:

    find /home/*/public_html \( -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' \) -print0 | xargs -0 chmod -v a+x

    See:
    http://forums.cpanel.net/showthread.php?s=&threadid=8576
     
  13. sexy_guy

    sexy_guy Well-Known Member

    I'm really reluctant to change all the permissions only to find out it didn't work and be stuck with a bunch of non-working sites. Has anyone done this and knows it works for sure?
     
  14. Radio_Head

    Radio_Head Well-Known Member

    No, I am not talking of MX... however it was a DNS parameter,
    I cannot remember now (perhaps Mail Record A).
     