The Community Forums


Mail proxy: how to stop CGI mail proxies?

Discussion in 'E-mail Discussions' started by astraeuz, Jun 20, 2009.

  1. astraeuz

    astraeuz Registered

    Mar 2, 2004
    During the last week, two of our clients' accounts got compromised (most probably due to weak passwords) and a CGI script was installed which started sending emails to more than 200,000 email addresses. These email addresses were stored in a text file.

    By the time we noticed this activity, our server got blacklisted on major RBLs like Barracuda, SpamCop, Spamhaus etc. and it took around 2 days to clean up :(

    3 days later, another account was compromised with the same *thing*, and it really is a pain in the arse now dealing with this and angry clients :(

    We've already implemented a policy to restrict users to sending 100 messages per hour per domain, which is working, but it seems this *thing* bypasses Exim.

    I guess this "Open Proxy Servers a Source of Spam" is what I want to explain!!

    So my question is, if I've understood this right, is it possible to stop scripts like this, or can we enforce mailman to use Exim all the time to send messages and stop direct mailing?

    Your suggestions are highly appreciated.
  2. PlatinumServerM

    PlatinumServerM Well-Known Member

    Jul 10, 2005
    There are a few different precautionary measures you can take. Programs like mod_security, tweaking the PHP security, mail logging, etc. can all help stop and track this.

    It's an ongoing effort. It's not something that you can do one time and then it will never happen again. Spammers are always changing their methods of operation, so the security has to change with it.
  3. Spiral

    Spiral BANNED

    Jun 24, 2005
    Without investigating your system directly, I couldn't tell you for sure whether you are dealing with a security compromise, a brute-force attack, internal cross-site scripting, or some other method of access to the clients' accounts, as there are many methods of potential compromise which would lead to the issues that you have described.

    What I can tell you, and many people may still not be aware of this, is that there is currently a very sophisticated hacking group operating out of China right now using a key-logging virus / trojan to infect home computers to capture webhosting and bank login information when the victim connects to their own accounts. The program then logs into the user's hosting account and adds an "iframe" link to their index files, and then makes a callback and reports the collected information back to its creators, who apparently have been using the information collected for more hosting attacks and, from what I've seen, making unauthorized banking transfers and later direct logins back to the hosting account to install spamming scripts, which usually trace back to China for those connections.

    This makes things difficult for the hosting provider to track down, because the compromise is actually on the client's end and there are no failed password attempts or compromises that would be logged, since the hackers have the full login information in hand before connecting and often use the victim's own internet connection for the initial attacks, so the source IP also traces back to the victim in many of these cases and you don't see otherwise until much later.

    For those infected with this new type of attack, I'd recommend deep scans of the victim's home computer with the latest updated virus and trojan scanning software and frequent password changes.

    The leading iframe modification is a nice tattle-tale and has allowed us thus far on our own networks to put in a monitoring script to watch for that, autosuspend accounts suspected of this attack, and automatically alert us and the infected home user that their home computer may be compromised.

    That can be a pain, but it can also be reduced if you take care to deeply monitor the mail activity of your servers (which can be automated) and take the appropriate measures to lock down the security of the mail system so that it is more difficult for abusive scripts to work.

    Chirpy's CSF firewall can help in this area if properly configured, plus there are certain modifications you can make to both Exim and cPanel which will further limit the problem as well.

    It goes without saying that you should be running SuExec and SuPHP so that you are better able to track the source of spamming and other abusive scripts and also limit cross-site scripting issues.

    You should not be on this list unless you really have a bad configuration issue!

    I work in security, so I would tell you straight up that there is nothing that can protect you with absolute certainty short of powering down and unplugging your server. With that said though, yes, there are many things that can be done to stop these scripts, limit traffic to legitimate traffic, and seriously harden the security of your server to make things very difficult to very nearly impossible for the spammers behind these issues.

    Now if you want any help in that department, contact me and I'll give you a more one-on-one direct hand with all of that.
    #3 Spiral, Jun 22, 2009
    Last edited: Jun 22, 2009
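Spiral describes watching index files for the injected "iframe" link as a tattle-tale that a hosting account has been taken over. The script below is an added example of such a monitor, not code from the thread or from cPanel: it treats an iframe that appears before the document begins, or one hidden via zero size or `display:none`, as suspicious, and walks the conventional `/home/<account>/public_html/index.*` layout (a path assumption). The sample pages are constructed.

```python
"""Added example: flag injected <iframe> tags in per-account index files."""
import os
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
DOC_START_RE = re.compile(r"<!doctype|<html", re.IGNORECASE)


@dataclass
class Finding:
    offset: int   # character offset of the tag within the file
    src: str      # iframe target, or "" if the tag has no src
    reason: str   # why the tag looks injected rather than legitimate


def find_injected_iframes(html: str) -> List[Finding]:
    """Return iframes placed before <html>/<!DOCTYPE> or styled to be invisible."""
    m = DOC_START_RE.search(html)
    doc_start = m.start() if m else 0
    findings: List[Finding] = []
    for tag in IFRAME_RE.finditer(html):
        attrs = tag.group(0)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else ""
        if tag.start() < doc_start:
            findings.append(Finding(tag.start(), src, "iframe precedes document start"))
        elif HIDDEN_RE.search(attrs):
            findings.append(Finding(tag.start(), src, "hidden iframe (zero size or display:none)"))
    return findings


def scan_index_files(home_root: str = "/home") -> Iterator[Tuple[str, str, List[Finding]]]:
    """Yield (account, path, findings) for each index.* file that has suspicious iframes."""
    if not os.path.isdir(home_root):
        return
    for account in sorted(os.listdir(home_root)):
        pub = os.path.join(home_root, account, "public_html")
        if not os.path.isdir(pub):
            continue
        for name in os.listdir(pub):
            if name.lower().startswith("index."):
                path = os.path.join(pub, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read())
                if hits:
                    yield account, path, hits


# Constructed samples: a page with an iframe prepended above the doctype, and a clean one.
SAMPLE_INJECTED = ('<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
                   '<!DOCTYPE html><html><body>Welcome</body></html>')
SAMPLE_CLEAN = ('<!DOCTYPE html><html><body>'
                '<iframe src="https://example.org/video" width="640" height="360"></iframe>'
                '</body></html>')

if __name__ == "__main__":
    for account, path, hits in scan_index_files():
        for h in hits:
            print(f"{account}: {path} offset={h.offset} src={h.src!r} ({h.reason})")
```

Run it from cron and feed the output to whatever suspends or alerts in your environment; the functions only report, they never modify account files.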
