The Community Forums


How to stop SPAMMER from my server?

Discussion in 'General Discussion' started by parser, Mar 17, 2005.

  1. parser

    parser Member

    Joined:
    Aug 22, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    Hello,
    Somebody sent many emails from my server, and I was blocked by SpamCop.

    How do I stop it?

    1DB1Kb-0007jt-HF-H
    nobody 99 99
    <nobody@srv1.myserver.biz>
    1110851929 0
    -ident nobody
    -received_protocol local
    -body_linecount 39
    -auth_id nobody
    -auth_sender nobody@srv1.myserver.biz
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    tonbox-reh@hotbot.com

    146P Received: from nobody by srv1.myserver.biz with local (Exim 4.44)
    id 1DB1Kb-0007jt-HF
    for tonbox-reh@hotbot.com; Tue, 15 Mar 2005 03:58:49 +0200
    026T To: tonbox-reh@hotbot.com
    038 Subject: Urgent Security Notification
    044F From: Online Banking<support@lasallena.com>
    053* Return-Path: <Online Banking<support@lasallena.com>>
    048R Reply-To: Online Banking<support@lasallena.com>
    049 Errors-To: Online Banking<support@lasallena.com>
    029 X-Mailer: MSOUTLOOK / 4.3.10
    044 Content-type: text/html; charset=iso-8859-1
    049I Message-Id: <E1DB1Kb-0007jt-HF@srv1.myserver.biz>
    038 Date: Tue, 15 Mar 2005 03:58:49 +0200


    1DB1Kb-0007jt-HF-D

    <title>hello</title>
    <P><img src="http://www.gmprinting.co.uk/%7Esteven/lol.gif"></P>
    <P><img src="http://www.lasallebank.com/templates/images/underlined_bank.gif"></P>
    <P><FONT face="Courier New" size=2>Dear Customer,<BR>
    <BR>
    We've noticed that you experienced trouble logging into LaSalle Online
    <BR>
    on <font color="#FF0000">03/13/2005</font>.<BR>
    <BR>
    After three unsuccessful attempts to access your account, your LaSalle<BR>
    Online Profile has been locked. This has been done to secure your <BR>
    account and protect your private information. LaSalle Bank is committed
    to<BR>
    make sure that your online transactions are secure.<BR>
    <BR>
    You may unlock your account clicking <u><a href="http://www.glconsult.com/servlet/lasalle/html/login/login_new.php?shortname=lasalle&longname=LaSalle%2BOnline" target="_blank">here</a></u></FONT>.<BR>
    <BR>
    <FONT
    face="Courier New" size=2>If you have any additional questions or concerns, please
    contact<BR>
    Customer Service any time at:<BR>
    </FONT><a href="mailto:support@lasallena.com">support@lasallena.com</a><BR>
    <BR>
    <FONT face="Courier New"
    size=2>Thank You for using LaSalle Online!<BR>
    <BR>
    </FONT><FONT
    face=Arial
    size=2><FONT face="Courier New">LaSalle Online Reference Number: <font color="#FF0000">284386</font><BR>
    </FONT></FONT></P>
    <P><FONT
    face=Arial
    size=2><FONT face="Courier New">Best Regards,<br>
    Natalie A. Synnott<br>
    LaSalle Bank - Online Department.</FONT></FONT></P>
    <P><img src="http://www.lasallebank.com/templates/images/underlined_foot.gif"></P>
     
  2. Ley

    Ley Well-Known Member

    Joined:
    Jan 4, 2004
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    16
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That won't help - the spammer is sending from the server, not to it.

    Since the spammer is using the nobody account, you have a vulnerable PHP script being actively exploited on your server. You should search a little harder on the forum to find out more information on what to do, but as a guide:

    1. Make sure all of your phpBB installations are running v2.0.13
    2. Install mod_security and configure it with a good set of filters
    3. Check your server that it hasn't suffered any other successful hacks
    4. Check for root compromises
    5. Work fast before your server is unplugged by your Datacenter (if you lease it).
     
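    As an added example (not code from the thread or from cPanel), here is a small Python parser for the Exim spool -H file quoted above: it pulls out the spool user, the -received_protocol option, the recipients and the headers, then flags what chirpy's reply points at, namely a message injected locally by the web-server user whose From: domain is unrelated to the sending host. The sample spool text is constructed from the quoted one, and WEB_USERS is an assumed list of accounts that web scripts run as.

```python
import re
# Constructed sample in the layout of the Exim 4 spool -H file quoted above.
SAMPLE_H = """1DB1Kb-0007jt-HF-H
nobody 99 99
<nobody@srv1.myserver.biz>
1110851929 0
-ident nobody
-received_protocol local
XX
1
tonbox-reh@hotbot.com

146P Received: from nobody by srv1.myserver.biz with local (Exim 4.44)
\tid 1DB1Kb-0007jt-HF
038  Subject: Urgent Security Notification
044F From: Online Banking<support@lasallena.com>
"""
WEB_USERS = {"nobody", "apache", "www-data"}  # assumption: users web scripts run as
HDR_RE = re.compile(r"^(\d{3})([A-Z*]?)\s+(.*)$")  # "NNN[flag] Name: value"

def parse_spool_header(text):
    # Layout: id, "user uid gid", envelope sender, "time warnings", -options,
    # non-recipients tree ending in "XX", recipient count, recipients, blank, headers.
    lines = text.splitlines()
    msg = {"id": lines[0], "user": lines[1].split()[0], "envelope_sender": lines[2].strip("<>"),
           "recipients": [], "headers": []}
    end = lines.index("XX", 4)
    msg["options"] = dict(l[1:].partition(" ")[::2] for l in lines[4:end] if l.startswith("-"))
    nrcpt = int(lines[end + 1])
    msg["recipients"] = lines[end + 2:end + 2 + nrcpt]
    for line in lines[end + 3 + nrcpt:]:
        if line[:1] in (" ", "\t") and msg["headers"]:  # folded continuation line
            msg["headers"][-1][1] += " " + line.strip()
            continue
        m = HDR_RE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            msg["headers"].append([name.strip(), value.strip()])
    return msg

def findings(msg):
    # Reasons this queued message looks like spam injected by a web script.
    out = []
    if msg["user"] in WEB_USERS and msg["options"].get("received_protocol") == "local":
        out.append("injected locally by web-server user %s: look for a PHP script" % msg["user"])
    env_dom = msg["envelope_sender"].partition("@")[2]
    m = re.search(r"@([\w.-]+)", dict(msg["headers"]).get("From", ""))
    if m and m.group(1).lower() != env_dom.lower():
        out.append("From: domain %s does not match envelope sender domain %s" % (m.group(1), env_dom))
    return out
```

    Run it over the -H files under Exim's spool input directory to see which queued messages were handed in by the web-server user rather than by an authenticated mail client.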
  4. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    From the email it looks like you have one of those online banking fraudsters. I would look at your newest accounts. I have had a rash of these losers trying to sign up with stolen credit cards.
     
  5. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    We have seen so many of these problems. PM me if you need more help.
     
  6. parser

    parser Member

    Joined:
    Aug 22, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    Fixed!

    Thanks to everybody who helped me.

    My steps:

    I searched for the content of the spam email:
    grep KeyBank *

    and got results :)
    One of my clients uses PHP-Nuke or phpBB with modules/My_eGallery.
    In that directory was mzz.php (a PHP shell).
    The hacker used it! How was it uploaded? Maybe through My_eGallery!?

    The hacker uploaded scripts and a list of email addresses through mzz.php and sent spam.
     