The Community Forums

Interact with an entire community of cPanel & WHM users!

Hotmail says server is zombie infected.

Discussion in 'E-mail Discussions' started by ukagg, Dec 29, 2006.

  1. ukagg

    ukagg Active Member

    Joined:
    Aug 14, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Hotmail is rejecting all the emails originating from my server. When contacted they replied:-

    ######################
    Your IP xx.xx.xx.xx is blocked by Windows Live, MSN Hotmail because the traffic/e-mail originating from your IP matches characteristics of recent spam attacks from compromised, or ‘zombie’ infected, machines.
    ######################


    Server is protected with ConfigServer Firewall. I have also checked with chkrootkit, but did not find anything suspicious. However, the top command says as under:-

    ####################################################
    top - 18:34:21 up 2 days, 12:57, 1 user, load average: 0.20, 0.20, 0.63
    Tasks: 151 total, 1 running, 147 sleeping, 0 stopped, 3 zombie
    Cpu(s): 8.5% us, 1.7% sy, 0.0% ni, 89.0% id, 0.8% wa, 0.0% hi, 0.0% si
    Mem: 1026320k total, 1006816k used, 19504k free, 61736k buffers
    Swap: 2040244k total, 160k used, 2040084k free, 548484k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    3644 nobody 16 0 25276 14m 3880 S 9 1.4 3:06.99 httpd
    8656 mysql 16 0 123m 33m 3900 S 3 3.4 41:01.27 mysqld
    24889 root 23 0 9516 3848 2780 S 1 0.4 0:00.03 exim
    24893 root 17 0 8408 3772 2740 S 1 0.4 0:00.02 exim
    327 root 15 0 0 0 0 S 0 0.0 3:02.03 kjournald
    634 beverlyd 16 0 31852 28m 2048 S 0 2.8 0:15.07 spamd
    24769 root 16 0 3876 992 760 R 0 0.1 0:00.13 top
    1 root 16 0 2748 552 472 S 0 0.1 0:04.89 init
    2 root RT 0 0 0 0 S 0 0.0 0:01.37 migration/0
    3 root 34 19 0 0 0 S 0 0.0 0:00.07 ksoftirqd/0
    4 root RT 0 0 0 0 S 0 0.0 0:00.91 migration/1
    5 root 34 19 0 0 0 S 0 0.0 0:00.10 ksoftirqd/1
    6 root 5 -10 0 0 0 S 0 0.0 0:01.45 events/0
    7 root 5 -10 0 0 0 S 0 0.0 0:01.26 events/1
    8 root 6 -10 0 0 0 S 0 0.0 0:00.00 khelper
    9 root 15 -10 0 0 0 S 0 0.0 0:00.00 kacpid
    29 root 5 -10 0 0 0 S 0 0.0 0:00.00 kblockd/0
    30 root 5 -10 0 0 0 S 0 0.0 0:00.00 kblockd/1
    ###################################################

    Can someone please suggest, how can I identify that zombie and remove the same.

    Thanks
    UKA
     
  2. GCIS

    GCIS Active Member

    Joined:
    Dec 12, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    This could be any one of four things, listed in order of decreasing likelihood:

    1. One of your accounts is running an insecure formmail script, and is sending spam to Hotmail.
    2. One of your accounts is owned by or has been hijacked by a spammer, and is sending spam to Hotmail.
    3. Your system has been compromised by a nasty kernel-level exploit, and is running a rootkit/trojan that cannot be identified and removed by cPanel's automated software.
    4. Either previous users of your system's IP(s), or others in your block are spammers, and your server is inheriting a negative reputation for mail it did not send.


    Please run a check of the IP that your server sends mail from at www.rbls.org. You may be listed in other abuse databases, which can serve as a good starting point for determining the nature of the problem, who was responsible, and how the spam was sent.

    In addition, go ahead and run a check of the IP that your server sends mail from via Google Web and Google Groups. Limit the query of Google Groups to include "group:*abuse*". This can also serve as a good starting point for determining the nature of the spam sent, and the time at which it was sent.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    5. You have users forwarding email to their hotmail address and included in that email is spam
     
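    The hypotheses in the two replies above (an abused web script, a hijacked account, and a user forwarding mail that is itself spam) leave different fingerprints in Exim's main log, which on a cPanel box lives at /var/log/exim_mainlog. Exim records how each message arrived on its "<=" line (P=local with U=user for a local submission, P=esmtpa with A=... for an authenticated SMTP login, a remote host and IP otherwise) and, on the "=>" delivery line, shows the original local recipient in angle brackets when a forwarder rewrote the address. The script below is an added example, not code from the thread or from cPanel: it correlates the two line types by message ID and tallies every delivery to hotmail.com by who actually caused it. The log lines are constructed for the example, and it assumes the web server runs as the user nobody, as the httpd processes in the poster's top output do.

```python
import re
from collections import Counter

# Constructed Exim main-log sample for this example (not real traffic).
# Documentation IP ranges are used for the remote hosts.
SAMPLE_LOG = """\
2006-12-29 18:01:02 1GzaAa-0001aB-Cd <= nobody@server.example.net U=nobody P=local S=2310
2006-12-29 18:01:03 1GzaAa-0001aB-Cd => victim1@hotmail.com R=lookuphost T=remote_smtp H=mx1.hotmail.com [203.0.113.8]
2006-12-29 18:01:03 1GzaAa-0001aB-Cd Completed
2006-12-29 18:01:05 1GzaBb-0001aC-De <= nobody@server.example.net U=nobody P=local S=2310
2006-12-29 18:01:06 1GzaBb-0001aC-De => victim2@hotmail.com R=lookuphost T=remote_smtp H=mx1.hotmail.com [203.0.113.8]
2006-12-29 18:02:10 1GzaCc-0001aD-Ef <= sales@shop.example.com H=(dsl-pool) [192.0.2.77] P=esmtpa A=dovecot_login:sales@shop.example.com S=8800
2006-12-29 18:02:11 1GzaCc-0001aD-Ef => buyer@hotmail.com R=lookuphost T=remote_smtp H=mx2.hotmail.com [203.0.113.40]
2006-12-29 18:03:00 1GzaDd-0001aE-Fg <= bulk@spammer.example.org H=mail.spammer.example.org [198.51.100.9] P=esmtp S=4400
2006-12-29 18:03:01 1GzaDd-0001aE-Fg => bob@hotmail.com <bob@customer.example.com> R=lookuphost T=remote_smtp H=mx1.hotmail.com [203.0.113.8]
2006-12-29 18:04:00 1GzaEe-0001aF-Gh <= alice@customer.example.com U=alice P=local S=1200
2006-12-29 18:04:01 1GzaEe-0001aF-Gh => friend@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.50]
"""

# "<=" = message received; "=>" = message delivered (orig recipient in <> if rewritten)
RECEIVED = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
DELIVERED = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) => (?P<rcpt>\S+)(?: <(?P<orig>\S+)>)? (?P<rest>.*)$")


def _field(rest, key):
    """Pull a single key=value token (e.g. P=local) out of an Exim log tail."""
    m = re.search(rf"(?:^| ){key}=(\S+)", rest)
    return m.group(1) if m else None


def classify_origin(received_rest):
    """Who injected this message? Returns a (kind, actor) pair."""
    proto = _field(received_rest, "P")
    local_user = _field(received_rest, "U")
    auth = _field(received_rest, "A")
    if proto == "local" and local_user:
        # Local submission; U=nobody means the web server (a PHP/Perl script).
        return ("local", local_user)
    if auth:
        # SMTP AUTH: A=<authenticator>:<login>; the login is the hijacked account.
        return ("auth", auth.split(":", 1)[-1])
    ip = re.search(r"\[([0-9a-fA-F.:]+)\]", received_rest)
    return ("remote", ip.group(1) if ip else "?")


def triage(log_text, target_domain="hotmail.com"):
    """Count deliveries to target_domain by the actor responsible for them."""
    origins = {}            # message id -> (kind, actor) from its "<=" line
    tally = Counter()
    suffix = "@" + target_domain.lower()
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            origins[m["id"]] = classify_origin(m["rest"])
            continue
        m = DELIVERED.match(line)
        if not m or not m["rcpt"].lower().endswith(suffix):
            continue
        if m["orig"] and not m["orig"].lower().endswith(suffix):
            # A redirect router turned a local mailbox into the Hotmail address:
            # this is a user forwarding their inbox (chirpy's case 5).
            tally[("forwarded", m["orig"])] += 1
        else:
            tally[origins.get(m["id"], ("unknown", "?"))] += 1
    return tally


if __name__ == "__main__":
    for (kind, actor), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {kind:10s} {actor}")
```

Run against the real file with `python3 triage.py < /var/log/exim_mainlog` after swapping SAMPLE_LOG for `sys.stdin.read()`; a large "local nobody" count points at a script under a web account, a large "auth" count at one mailbox's password, and a large "forwarded" count at a user whose forwarder is relaying the spam they receive.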
  4. ukagg

    ukagg Active Member

    Joined:
    Aug 14, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    There was a bad script in one of the accounts, but that script was removed about 20 days back. I do not see any other trace of spamming from the server.

    http://www.robtex.com/rbls.html does not show my IP listed in any spam blacklist. Mail Queue on server is also clean. But I do not understand what zombie means in the top command results:-

    ###########################
    top - 18:34:21 up 2 days, 12:57, 1 user, load average: 0.20, 0.20, 0.63
    Tasks: 151 total, 1 running, 147 sleeping, 0 stopped, 3 zombie
    ###########################

    What does zombie mean above?

    What could be other possibilities?

    Thanks
    UKA
     
  5. schwim

    schwim Well-Known Member

    Joined:
    Aug 2, 2006
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    Ukagg, that just means that the process has stopped responding. It doesn't have anything to do with the way you're thinking of "zombie".

    thanks,
    json
     
  6. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    It's not always bad
    http://en.wikipedia.org/wiki/Zombie_process
     
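    The "3 zombie" in the top header is unrelated to Hotmail's "zombie infected" wording: on Linux a zombie (state Z, shown as <defunct> by ps) is a child process that has already exited but whose parent has not yet collected its exit status with wait(). It holds no memory and runs no code; all that remains is its process-table entry. The following added example, not from the thread, creates one on purpose so the state can be seen in /proc, reaps it, and also provides the check an admin actually wants here: which parent processes own the zombies. It assumes a Linux procfs at /proc.

```python
import os
import signal

PROC = "/proc"  # assumes Linux procfs, as on the poster's server


def parse_stat(pid):
    """Return (state, ppid, comm) from /proc/<pid>/stat, or None if the process
    is gone. comm is wrapped in parentheses and may itself contain spaces or ')',
    so split on the LAST ')' instead of on whitespace."""
    try:
        with open(f"{PROC}/{pid}/stat", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    start, end = raw.find(b"("), raw.rfind(b")")
    if start < 0 or end < 0:
        return None
    comm = raw[start + 1:end].decode(errors="replace")
    fields = raw[end + 2:].split()      # fields[0] = state, fields[1] = ppid
    return fields[0].decode(), int(fields[1]), comm


def list_zombies():
    """All processes currently in state Z, with the parent that has not reaped them."""
    zombies = []
    for name in os.listdir(PROC):
        if not name.isdigit():
            continue
        info = parse_stat(int(name))        # process may vanish mid-scan: None
        if info and info[0] == "Z":
            zombies.append((int(name), info[1], info[2]))
    return zombies


def observe_zombie():
    """Fork a child that exits at once and inspect it before and after reaping.
    Returns (state_before_reap, state_after_reap, listed_by_list_zombies)."""
    try:
        # If SIGCHLD were ignored the kernel would auto-reap and no zombie would exist.
        signal.signal(signal.SIGCHLD, signal.SIG_DFL)
    except ValueError:
        pass                                # not in the main thread; keep going
    pid = os.fork()
    if pid == 0:
        os._exit(0)                         # child: done, but not yet collected
    # Block until the child has exited WITHOUT collecting its status, so it stays
    # a zombie for us to look at. This "not yet waited for" window is exactly
    # what the parents of the three zombies in the poster's top output are in.
    os.waitid(os.P_PID, pid, os.WEXITED | os.WNOWAIT)
    before = parse_stat(pid)
    listed = any(z[0] == pid and z[1] == os.getpid() for z in list_zombies())
    os.waitpid(pid, 0)                      # parent collects the status: entry vanishes
    after = parse_stat(pid)
    return (before[0] if before else None, after[0] if after else None, listed)


if __name__ == "__main__":
    print("demo child:", observe_zombie())
    for pid, ppid, comm in list_zombies():
        parent = parse_stat(ppid)
        print(f"zombie pid={pid} comm={comm} ppid={ppid} parent={parent[2] if parent else '?'}")
```

On a server, the parent column is the useful part: a few transient zombies under httpd or exim are normal churn and disappear on their own, while a steadily growing count under one parent means that program is not calling wait() and should be restarted or fixed. Neither case is evidence of a compromise.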
  7. ukagg

    ukagg Active Member

    Joined:
    Aug 14, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for clarifying zombie. What could be other possibilities?

    My server is not there on any anti-spam list. Mail Queue is clean. No insecure php/perl formmail (or similar) script. No forwards to hotmail. But, still IP is blocked by hotmail ??
     
  8. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    5. The actual spam sending is masquerading and forging your IP address.

    (There is actually a way to fake the sending server IP in email which I have known about for a great many years, but unfortunately it looks like a lot of spammers out there have now learned about it and have started using that technique --- using this, all abuse departments and blacklists will think you sent the spam even though it really did not originate from your server at all.)

    **** Just wanted to cover all possibilities *****

    Statistically speaking though, it's most likely that one of your users is simply forwarding their incoming mail to their own hotmail account. Hotmail has a similar problem to AOL where it misreads forwarded mail as originating from your server instead of the real sender.
     
    #8 Spiral, Dec 29, 2006
    Last edited: Dec 29, 2006
  9. mealto

    mealto Well-Known Member

    Joined:
    Oct 20, 2006
    Messages:
    175
    Likes Received:
    0
    Trophy Points:
    16
    How does one know if a formmail script is secure or not? Do you mean https secure?
     
  10. schwim

    schwim Well-Known Member

    Joined:
    Aug 2, 2006
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    16
    no, he means that the script is vulnerable to someone abusing it. Some scripts don't protect well against abuse, and spammers will find these scripts and use your server to send out their mail.

    thanks,
    json
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's been going on for years and is trivial to do - nothing new.
     
  12. adept2003

    adept2003 Well-Known Member

    Joined:
    Aug 11, 2003
    Messages:
    283
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    ~ "/(extra|special)/data"