Hotmail says server is zombie infected.

[ukagg]

Hi,

Hotmail is rejecting all the emails originating from my server. When contacted they replied:-

######################
Your IP xx.xx.xx.xx is blocked by Windows Live, MSN Hotmail because the traffic/e-mail originating from your IP matches characteristics of recent spam attacks from compromised, or ‘zombie’ infected, machines.
######################


Server is protected with ConfigServer Firewall. I have also checked with chrootkit, but did not find anything suspicious. However top command says as under:-

####################################################
top - 18:34:21 up 2 days, 12:57, 1 user, load average: 0.20, 0.20, 0.63
Tasks: 151 total, 1 running, 147 sleeping, 0 stopped, 3 zombie
Cpu(s): 8.5% us, 1.7% sy, 0.0% ni, 89.0% id, 0.8% wa, 0.0% hi, 0.0% si
Mem: 1026320k total, 1006816k used, 19504k free, 61736k buffers
Swap: 2040244k total, 160k used, 2040084k free, 548484k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3644 nobody 16 0 25276 14m 3880 S 9 1.4 3:06.99 httpd
8656 mysql 16 0 123m 33m 3900 S 3 3.4 41:01.27 mysqld
24889 root 23 0 9516 3848 2780 S 1 0.4 0:00.03 exim
24893 root 17 0 8408 3772 2740 S 1 0.4 0:00.02 exim
327 root 15 0 0 0 0 S 0 0.0 3:02.03 kjournald
634 beverlyd 16 0 31852 28m 2048 S 0 2.8 0:15.07 spamd
24769 root 16 0 3876 992 760 R 0 0.1 0:00.13 top
1 root 16 0 2748 552 472 S 0 0.1 0:04.89 init
2 root RT 0 0 0 0 S 0 0.0 0:01.37 migration/0
3 root 34 19 0 0 0 S 0 0.0 0:00.07 ksoftirqd/0
4 root RT 0 0 0 0 S 0 0.0 0:00.91 migration/1
5 root 34 19 0 0 0 S 0 0.0 0:00.10 ksoftirqd/1
6 root 5 -10 0 0 0 S 0 0.0 0:01.45 events/0
7 root 5 -10 0 0 0 S 0 0.0 0:01.26 events/1
8 root 6 -10 0 0 0 S 0 0.0 0:00.00 khelper
9 root 15 -10 0 0 0 S 0 0.0 0:00.00 kacpid
29 root 5 -10 0 0 0 S 0 0.0 0:00.00 kblockd/0
30 root 5 -10 0 0 0 S 0 0.0 0:00.00 kblockd/1
###################################################

Can someone please suggest, how can I identify that zombie and remove the same.

Thanks
UKA

 

[GCIS]

This could be any one of four things, listed in order of decreasing likelihood:

1. One of your accounts is running an insecure formmail script, and is sending spam to Hotmail.
2. One of your accounts is owned by or has been hijacked by a spammer, and is sending spam to Hotmail.
3. Your system has been comprimised by a nasty kernel-level exploit, and is running a rootkit/trojan that cannot be identified and removed by cPanel's automated software.
4. Either previous users of your system's IP(s), or others in your block are spammers, and your server is inheriting a negative reputation for mail it did not send.


Please run a check of the IP that your server sends mail from at www.rbls.org. You may be listed in other abuse databases, which can serve as a good starting point for determining the nature of the problem, who was responsible, and how the spam was sent.

In addition, go ahead and run a check of the IP that your server sends mail from via Google Web and Google Groups. Limit the query of Google Groups to include "group:*abuse*". This can also serve as a good starting point for determining the nature of the spam sent, and the time at which it was sent.

 

[chirpy]

5. You have users forwarding email to their hotmail address and included in that email is spam

 

[ukagg]

There was a bad script in one of the account, but that script was removed about 20 days back. I do not see any other trace of spamming from the server.

http://www.robtex.com/rbls.html does not show my IP listed in any spam blacklist. Mail Queue on server is also clean. But I do not understand what zombie means in the top command results:-

###########################
top - 18:34:21 up 2 days, 12:57, 1 user, load average: 0.20, 0.20, 0.63
Tasks: 151 total, 1 running, 147 sleeping, 0 stopped, 3 zombie
###########################

What does zombie means above?

What could be other possibilities?

Thanks
UKA

 

[schwim]

Ukagg, that just means that the process has stopped responding. It doesn't have anything to do with the way you're thinking of "zombie".

thanks,
json

 

[Silver_2000]

There was a bad script in one of the account, but that script was removed about 20 days back. I do not see any other trace of spamming from the server.

http://www.robtex.com/rbls.html does not show my IP listed in any spam blacklist. Mail Queue on server is also clean. But I do not understand what zombie means in the top command results:-

###########################
top - 18:34:21 up 2 days, 12:57, 1 user, load average: 0.20, 0.20, 0.63
Tasks: 151 total, 1 running, 147 sleeping, 0 stopped, 3 zombie
###########################

What does zombie means above?

What could be other possibilities?

Thanks
UKA

Its not always bad
http://en.wikipedia.org/wiki/Zombie_process

On Unix operating systems, a zombie process or defunct process is a process that has completed execution but still has an entry in the process table, allowing the process that started it to read its exit status. The term zombie process derives from the common definition of zombie—an undead person. In the term's colorful metaphor, the child process has died but has not yet been reaped.

 

[ukagg]

Thanks for clarifying zombie. What could be other possibilites?

My server is not there on any anti-spam list. Mail Queue is clean. No insecure php/perl formail (or similar) script. No forwards to hotmail. But, still IP is blocked by hotmail ??

 

[Spiral]

This could be any one of four things, listed in order of decreasing likelihood:

1. One of your accounts is running an insecure formmail script, and is sending spam to Hotmail.
2. One of your accounts is owned by or has been hijacked by a spammer, and is sending spam to Hotmail.
3. Your system has been compromised by a nasty kernel-level exploit, and is running a rootkit/trojan that cannot be identified and removed by cPanel's automated software.
4. Either previous users of your system's IP(s), or others in your block are spammers, and your server is inheriting a negative reputation for mail it did not send.

5. The actual spam sending is mascarading and forging your IP address.

(There is actually a way to fake the sending server IP in email which I have known about
for a great many years but unfortunately looks like a lot of spammers out there
have now learned about it and have started using that technique --- using this, all
abuse departments and blacklists will think you sent the spam even though it
really did not originate from your server at all)

**** Just wanted to cover all possibilities *****

Statistically speaking though, it's most likely that one of your users is simply forwarding their
incoming mail to their own hotmail account. Hotmail has a similiar problem to AOL where
it misreads forwarded mail as originating from your server instead of the real sender.

 

[mealto]

1. One of your accounts is running an insecure formmail script, and is sending spam to Hotmail.

How does one know if a formmail script is secure or not? Do you mean https secure?

 

[schwim]

no, he means that the script is vulnerable to someone abusing it. Some scripts don't protect well against abuse, and spammers will find these scripts and use your server to send out their mail.

thanks,
json

 

[chirpy]

5. The actual spam sending is mascarading and forging your IP address.

(There is actually a way to fake the sending server IP in email which I have known about
for a great many years but unfortunately looks like a lot of spammers out there
have now learned about it and have started using that technique --- using this, all
abuse departments and blacklists will think you sent the spam even though it
really did not originate from your server at all)

That's been going on for years and is trivial to do - nothing new.

 

[adept2003]

Hotmail is causing us (as well as other web hosts) a few problems... http://forums.cpanel.net/showthread.php?t=61689

You'll be able to find out more info from Live/Hotmail by signing up to http://postmaster.live.com/snds/ and requesting access for your server;s IPs. You need to make sure the reverse DNS is on one of your own domains since the confirmation email will be sent to that.