HELP! Somebody has hijacked my email system

sexy_guy

Well-Known Member
Mar 19, 2003
848
0
166
I have over 600 of these going out from my server right now. I just caught it, and I can't find the source!

2003-04-14 15:07:03 195C6Q-0004zd-00 <= [email protected] H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527120 [email protected]
2003-04-14 15:07:03 195C6I-0004zJ-00 => [email protected] R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168
2003-04-14 15:07:03 195C6I-0004zJ-00 Completed
2003-04-14 15:07:08 195C6V-0004zr-00 <= [email protected] H=localhost (my.server.com) [127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527650 [email protected]
2003-04-14 15:07:09 195C6Q-0004zd-00 => [email protected] R=lookuphost T=remote_smtp H=not.com [0.0.0.0] X=TLSv1:DES-CBC3-SHA:168

The only thing I can do is shut down Exim to stop it. How can I find out who this is? :mad: That's because cPanel allows messages to be sent out of the server as nobody!
 

sexy_guy

Well-Known Member
Mar 19, 2003
Nope, so far they can't do it. Isn't it amazing, look at this:

12-13 53 ....
13-14 616 ...................................................
14-15 394 ................................
15-16 83 ......

sent in 1 hr as nobody! I'm still trying to stop this crap from leaving my server.
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,576
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
 

sexy_guy

Well-Known Member
Mar 19, 2003
I did that already and that doesn't work, dgbaker. I just finished installing a mail monitor script that will tell me who's sending it. Anything over 5 msgs will halt the sender.
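The Exim log lines in the first post and the per-hour histogram above contain everything a monitor script needs. What follows is an added example written for this thread; it is not the monitor script mentioned in the post, nor any cPanel tool. It parses '<=' (message accepted) and '=>' (delivered) mainlog lines, rebuilds the hourly count, lists envelope senders that exceed a per-hour threshold (5 here, matching the cutoff above), separates messages handed in over SMTP from 127.0.0.1 from remote submissions, and ties each accepted message to where it was delivered. The log it runs over is constructed: the hosts, addresses and message ids are made up, with not.com kept as the destination from the thread.

```python
"""Spot an outbound mail burst in an Exim mainlog.

Added example for this thread; it is not the monitor script from the posts
or any cPanel tool. It parses '<=' (message accepted) and '=>' (delivered)
lines, rebuilds the per-hour histogram, lists envelope senders that exceed
a per-hour threshold, and separates messages handed in over SMTP from
127.0.0.1 (a process on the box) from remote submissions. The sample log
at the bottom is constructed: hosts, addresses and message ids are made up.
"""
import re
from collections import Counter, defaultdict

# Exim mainlog receipt line, e.g.
#   2003-04-14 15:07:03 195C6Q-0004zd-00 <= sender H=helo (name) [ip] P=esmtp S=527120
RECEIPT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} (?P<msgid>\S+) "
    r"<= (?P<sender>\S+) H=(?P<helo>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]"
)
# Exim mainlog delivery line; the trailing H=host [ip] is absent for local deliveries
#   2003-04-14 15:07:03 195C6I-0004zJ-00 => rcpt R=lookuphost T=remote_smtp H=not.com [0.0.0.0]
DELIVERY_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) => (?P<rcpt>\S+) R=\S+ T=\S+"
    r"(?: H=(?P<host>\S+) \[(?P<ip>[^\]]+)\])?"
)


def parse_mainlog(lines):
    """Return (receipts, deliveries): receipts is one dict per accepted message,
    deliveries maps message id -> list of recipient dicts."""
    receipts, deliveries = [], defaultdict(list)
    for line in lines:
        m = RECEIPT_RE.match(line)
        if m:
            receipts.append(m.groupdict())
            continue
        m = DELIVERY_RE.match(line)
        if m:
            deliveries[m.group("msgid")].append(m.groupdict())
    return receipts, deliveries


def hourly_histogram(receipts):
    """Messages accepted per hour, keyed like the thread's '13-14' buckets."""
    counts = Counter(int(r["hour"]) for r in receipts)
    return {f"{h:02d}-{(h + 1) % 24:02d}": n for h, n in sorted(counts.items())}


def locally_injected(receipts):
    """Messages that came in over SMTP from 127.0.0.1. Exim logs them as
    received from localhost and then delivers them outward, which is what a
    web script on the box talking to port 25 looks like in the log."""
    return [r for r in receipts if r["ip"] == "127.0.0.1"]


def senders_over_threshold(receipts, threshold=5):
    """(hour, envelope sender) pairs with more than `threshold` messages."""
    counts = Counter((int(r["hour"]), r["sender"]) for r in receipts)
    return {key: n for key, n in counts.items() if n > threshold}


def recipients_in_domain(receipts, deliveries, domain):
    """Message ids delivered to `domain`, mapped to (sender, recipients)."""
    suffix = "@" + domain.lower()
    hits = {}
    for r in receipts:
        rcpts = [d["rcpt"] for d in deliveries.get(r["msgid"], [])
                 if d["rcpt"].lower().endswith(suffix)]
        if rcpts:
            hits[r["msgid"]] = (r["sender"], rcpts)
    return hits


# Constructed sample: one ordinary remote submission with a local delivery,
# then seven messages injected via localhost and relayed to not.com.
SAMPLE_LOG = [
    "2003-04-14 14:58:10 195Bxa-0001aa-00 <= alice@example.net H=mail.example.net [203.0.113.5] P=esmtp S=1200",
    "2003-04-14 14:58:11 195Bxa-0001aa-00 => bob@my.server.com R=localuser T=local_delivery",
    "2003-04-14 14:58:11 195Bxa-0001aa-00 Completed",
]
for i in range(7):
    msgid = f"195C6{i}-0004z{i}-00"
    SAMPLE_LOG += [
        f"2003-04-14 15:07:0{i} {msgid} <= nobody@my.server.com H=localhost (my.server.com) "
        f"[127.0.0.1] P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=527120",
        f"2003-04-14 15:07:0{i} {msgid} => card@not.com R=lookuphost T=remote_smtp H=not.com [0.0.0.0]",
        f"2003-04-14 15:07:0{i} {msgid} Completed",
    ]

if __name__ == "__main__":
    receipts, deliveries = parse_mainlog(SAMPLE_LOG)
    for bucket, n in hourly_histogram(receipts).items():
        print(f"{bucket} {n:4d} {'.' * n}")
    for (hour, sender), n in senders_over_threshold(receipts).items():
        print(f"halt {sender}: {n} messages between {hour:02d}:00 and {hour + 1:02d}:00")
    for msgid, (sender, rcpts) in recipients_in_domain(receipts, deliveries, "not.com").items():
        print(f"{msgid} {sender} -> {', '.join(rcpts)}")
```

On a live box, feed it the real file (`parse_mainlog(open("/var/log/exim_mainlog"))`) instead of SAMPLE_LOG. The envelope sender alone will not name the script when everything runs as nobody; the useful pivot is the timestamp of the first message in the burst against the web server's access log, which is where the request that started the loop will be.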
 

sexy_guy

Well-Known Member
Mar 19, 2003
Originally posted by dgbaker
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
Don't know how this phpsuexec works, but after I recompiled my system last night to include it, SquirrelMail was inaccessible throughout the entire system. And we had all kinds of permission problems all over the server.
 

sexy_guy

Well-Known Member
Mar 19, 2003
Very strange, it doesn't seem to be coming from my server. Wait, localhost coming in, then going straight out? I don't get this.
 

sexy_guy

Well-Known Member
Mar 19, 2003
Anyone know how I can set up an Exim rule to prevent delivery of messages to a domain?

These messages are being sent to NOT.COM, which has an IP of 0.0.0.0.
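Two ways to do what this post asks, as an added example rather than anything taken from the thread or from cPanel's shipped configuration. The first is an ACL that refuses the recipient domain at RCPT time, so the message is never queued; since the log shows these messages arriving over SMTP from 127.0.0.1 (P=esmtp), the RCPT ACL does apply to them. The second is a redirect router that fails anything for that domain already sitting in the queue, and which also catches mail injected with the sendmail command rather than over SMTP, where no RCPT ACL runs. The names acl_check_rcpt and block_domain are assumptions; /etc/exim.conf will already set acl_smtp_rcpt to something, so add the deny to that existing ACL rather than creating a second one.

```exim
# Main section: the ACL run for every RCPT TO (name is an assumption;
# use whatever acl_smtp_rcpt already points at in /etc/exim.conf)
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Refuse at RCPT time: the message never enters the queue and the
  # rejection is logged with the sender and the submitting host
  deny    domains = not.com
          message = Delivery to $domain is not permitted from this server

  # ... the existing recipient checks stay here ...
  accept

begin routers

# Must come before the lookuphost (dnslookup) router so it is tried first
# for this domain: queued messages for not.com are bounced, not retried
block_domain:
  driver = redirect
  domains = not.com
  allow_fail
  data = :fail: Delivery to $domain is blocked on this server
```

Test the ACL with `exim -bh 127.0.0.1` before reloading: it runs a fake SMTP session through the ACLs from that address without accepting anything. While in the file, compare the lookuphost router with the stock Exim 4 dnslookup router, which carries `ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8`; a remote_smtp transport should never be handed 0.0.0.0 as a host, yet the log above shows exactly that.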
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,051
1
343
I had this problem some weeks ago when a client asked me to
modify the Mail A record... Modifying this parameter, he was able to send spam...

Removing that value, the spammer was stopped.

Perhaps it is your problem too?
 

sexy_guy

Well-Known Member
Mar 19, 2003
Originally posted by dgbaker
In WHM - Tweak Settings.

Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
Can you write a howto on this? I mean, installing it is easy; however, what about all the file permissions? This is a nightmare. When I did install it I had to remove it moments after the compile because everything stopped working: permission problems all over the place, paths not found, etc. Good thing it was 3am, otherwise our users would have killed us.
 

sexy_guy

Well-Known Member
Mar 19, 2003
Originally posted by Radio_Head
I had this problem some weeks ago when a client asked me to
modify the Mail A record... Modifying this parameter, he was able to send spam...

Removing that value, the spammer was stopped.

Perhaps it is your problem too?
We don't allow our users to modify MX records, but this is what we found out. The guy used a site's E-Greeting card program to send out a greeting card to himself, which he looped back to his original email address, then fired it off. This looped the program out of control. It stopped after 5 hrs and 1,300+ emails later. We cannot recreate the problem, so it seems it was a deliberate attempt. Amazing people.
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
Originally posted by sexy_guy
Can you write a howto on this? I mean, installing it is easy; however, what about all the file permissions? This is a nightmare. When I did install it I had to remove it moments after the compile because everything stopped working: permission problems all over the place, paths not found, etc. Good thing it was 3am, otherwise our users would have killed us.
I haven't tried phpsuexec myself, but regarding the permissions I think you could do something like this:

find /home/*/public_html \( -name '*.php' -o -name '*.php[34]' -o -name '*.phtml' \) -print0 | xargs -0 chmod -v a+x

See:
http://forums.cpanel.net/showthread.php?s=&threadid=8576
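The permission problems described in the posts above are what a suexec-style wrapper produces by design: it refuses to run a script that is writable by group or others, that sits in a directory which is, that is not owned by the account user, or that carries a setuid/setgid bit. Auditing every docroot before the switch turns the 3am surprise into a list that can be fixed in daylight. The following is an added example, not a cPanel tool and not the command above; the checks it applies are the usual suexec ones rather than a quote of cPanel's phpsuexec source, so treat them as assumptions about what a given build enforces. The sample docroot it builds in a temporary directory is constructed. Ownership problems it reports need chown as root, which it deliberately does not attempt.

```python
"""Pre-flight audit before enabling phpsuexec/suexec on a shared web server.

Added example, not from the thread. suexec-style wrappers refuse to run a
script when the script or its directory is writable by group or others, when
the script is not owned by the account user, or when setuid/setgid is set
(assumption: the usual suexec rules). This walker reports every path that
would be refused so they can be fixed before the switch. The sample tree is
constructed in a temporary directory.
"""
import os
import stat
import tempfile

PHP_SUFFIXES = (".php", ".php3", ".php4", ".phtml")
GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def audit_docroot(docroot, owner_uid=None):
    """Return a list of (path, problem) tuples for everything suexec would reject.
    owner_uid defaults to the uid that owns docroot itself."""
    problems = []
    if owner_uid is None:
        owner_uid = os.stat(docroot).st_uid
    for dirpath, _dirnames, filenames in os.walk(docroot):
        st = os.stat(dirpath)
        if st.st_mode & GROUP_OR_WORLD_WRITABLE:
            problems.append((dirpath, "directory is group/world writable"))
        if st.st_uid != owner_uid:
            problems.append((dirpath, "directory not owned by account user"))
        for name in filenames:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                problems.append((path, "script is a symlink"))
                continue
            if st.st_mode & GROUP_OR_WORLD_WRITABLE:
                problems.append((path, "script is group/world writable"))
            if st.st_uid != owner_uid:
                problems.append((path, "script not owned by account user"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append((path, "script has setuid/setgid bit"))
    return problems


def tighten(problems):
    """Fix the mode problems in place by clearing group/world write bits.
    Ownership is left alone (that needs chown as root). Returns paths changed."""
    changed = 0
    for path, problem in problems:
        if "writable" in problem:
            st = os.stat(path)
            os.chmod(path, stat.S_IMODE(st.st_mode) & ~GROUP_OR_WORLD_WRITABLE)
            changed += 1
    return changed


def build_sample_tree():
    """Constructed sample: a docroot with one clean script, one 666 script and
    one 777 upload directory, the state a PHP app writing as 'nobody' often leaves."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.chmod(root, 0o755)
    clean = os.path.join(root, "index.php")
    loose = os.path.join(root, "config.php")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    for path in (clean, loose):
        with open(path, "w") as fh:
            fh.write("<?php echo 'hi'; ?>\n")
    os.chmod(clean, 0o644)
    os.chmod(loose, 0o666)
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, problem in audit_docroot(root):
        print(f"{problem}: {path}")
    print(f"fixed {tighten(audit_docroot(root))} paths, remaining: {audit_docroot(root)}")
```

Run audit_docroot against each /home/user/public_html first and read the list before calling tighten: a 777 upload directory is usually there because a script running as nobody needs to write to it, and once scripts run as the account user that directory can be 755 again, but a script that also writes its own config file will break either way and needs a look.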
 

sexy_guy

Well-Known Member
Mar 19, 2003
I'm really reluctant to change all the permissions only to find out it didn't work and be stuck with a bunch of non-working sites. Has anyone done this and knows it works for sure?
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
Originally posted by sexy_guy
We don't allow our users to modify MX records, but this is what we found out. The guy used a site's E-Greeting card program to send out a greeting card to himself, which he looped back to his original email address, then fired it off. This looped the program out of control. It stopped after 5 hrs and 1,300+ emails later. We cannot recreate the problem, so it seems it was a deliberate attempt. Amazing people.
No, I am not talking about MX... however, it was a DNS parameter;
I cannot remember now (perhaps the Mail A record).