The Community Forums

Interact with an entire community of cPanel & WHM users!

Malware and spamming

Discussion in 'General Discussion' started by majoosh, Oct 18, 2008.

  1. majoosh

    majoosh Well-Known Member

    Joined:
    Feb 18, 2006
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    Hi :)

    I am getting a lot of spam reports from SpamCop saying my server is sending out spam, but when I checked the header I could see it saying "Received: from servername (servername [<mainip>])".

    I have pasted the full header below. In this header, mainip is my server's main outgoing interface IP and servername is the hostname of my server. complaint@gmail.com is the customer who got spam from our server.

    When I checked the server I could see a process running:

    -----
    773 ? Ss 199:45 /usr/bin/perl -w hnc.cgi
    21014 ? Ss 58:09 /usr/bin/perl -w hnc.cgi
    -----

    I also found some files like dochelp1.html, MsHelpDict.html and danya.html which contain the link URL=http://91.203.93.49/cgi-bin/index.cgi?user3


    Any idea what this is and how to prevent this spamming?
    :(

    Thx

    =======================================================
    Delivered-To: complaint@gmail.com
    Received: by 10.110.14.10 with SMTP id 10cs290410tin;
    Fri, 17 Oct 2008 14:15:11 -0700 (PDT)
    Received: by 10.181.59.19 with SMTP id m19mr1648762bkk.38.1224278109593;
    Fri, 17 Oct 2008 14:15:09 -0700 (PDT)
    Return-Path: <sigmap17:m4ubUXoe@ftp.hut.ru:21>
    Received: from servername (servername [<mainip>])
    by mx.google.com with SMTP id n10si7595422mue.0.2008.10.17.14.15.02;
    Fri, 17 Oct 2008 14:15:07 -0700 (PDT)
    Received-SPF: softfail (google.com: domain of transitioning
    sigmap17:m4ubUXoe@ftp.hut.ru:21 does not designate <mainip> as
    permitted sender) client-ip=<mainip>;
    Authentication-Results: mx.google.com; spf=softfail (google.com:
    domain of transitioning sigmap17:m4ubUXoe@ftp.hut.ru:21 does not
    designate <mainip> as permitted sender)
    smtp.mail=sigmap17:m4ubUXoe@ftp.hut.ru:21
    Message-ID: <002001c9309d$20191996$ce10638c@servername>
    Reply-To: <sigmap17:m4ubUXoe@ftp.hut.ru:21>
    From: <sigmap17:m4ubUXoe@ftp.hut.ru:21>
    To: <complaint@gmail.com>
    Subject: Feel Better Now!!
    Date: Fri, 17 Oct 2008 14:15:07 +0300
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-1";
    reply-type=original
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    http://dewap.net/rf.html
    tntnl.ilsaogdh yu ith ecegneatsrs ah
    ibtse

    Hello. The spammer below is either using your resources to send out bulk unsolicited commercial e-mail ("spam") or is deceptively trying to make it look like he is. In either case, a legitimate company like yours probably would not approve. The information below should be all you need.
    =====================================
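As an added example (not majoosh's code and not anything from SpamCop or cPanel), here is a small Python triage script for complaint headers like the one above. It walks the Received: chain oldest-first and answers the questions an admin needs answered first: which hop injected the message, whether that hop is one of our own IPs, whether the mail went through our own MTA at all or straight from our IP to the remote MX, and what SPF said. The sample header is constructed from the one in the post, with the <mainip> and servername placeholders replaced by the constructed values 198.51.100.10 and server.example.net and the recipient changed to complaint@example.com; folded header lines are indented as they are in real mail.

```python
import re
from email import message_from_string

# Constructed sample: the complaint header from the post, with the placeholders
# replaced by constructed values (198.51.100.10, server.example.net) and the
# recipient changed to complaint@example.com. Continuation lines are indented.
SAMPLE_HEADERS = """\
Delivered-To: complaint@example.com
Received: by 10.110.14.10 with SMTP id 10cs290410tin;
 Fri, 17 Oct 2008 14:15:11 -0700 (PDT)
Received: by 10.181.59.19 with SMTP id m19mr1648762bkk.38.1224278109593;
 Fri, 17 Oct 2008 14:15:09 -0700 (PDT)
Return-Path: <sigmap17:m4ubUXoe@ftp.hut.ru:21>
Received: from server.example.net (server.example.net [198.51.100.10])
 by mx.google.com with SMTP id n10si7595422mue.0.2008.10.17.14.15.02;
 Fri, 17 Oct 2008 14:15:07 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
 sigmap17:m4ubUXoe@ftp.hut.ru:21 does not designate 198.51.100.10 as
 permitted sender) client-ip=198.51.100.10;
Message-ID: <002001c9309d$20191996$ce10638c@server.example.net>
From: <sigmap17:m4ubUXoe@ftp.hut.ru:21>
To: <complaint@example.com>
Subject: Feel Better Now!!
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

http://dewap.net/rf.html
"""

# "from <helo> (<rdns> [<ip>])" as written by most receiving MTAs; rdns is optional.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)", re.I)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.I)


def received_chain(msg):
    """Received: headers oldest-first (each MTA prepends its own, so we reverse),
    with folding whitespace collapsed to single spaces."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def triage(raw, our_ips, our_hosts):
    """Summarise where a complained-about message entered the mail system.

    our_ips / our_hosts: the IP addresses and hostnames this server sends from."""
    msg = message_from_string(raw)
    chain = received_chain(msg)

    # The oldest hop of the standard "from X (Y [ip])" form is the injection point.
    origin = None
    for hop in chain:
        m = RECEIVED_FROM.match(hop)
        if m:
            origin = {"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)}
            break

    # Did any hop pass through our own MTA ("by <our hostname>")?
    by_hosts = {b.group(1).lower() for b in map(RECEIVED_BY.search, chain) if b}
    relayed_by_us = bool(by_hosts & {h.lower() for h in our_hosts})

    from_us = bool(origin and origin["ip"] in our_ips)
    spf = (msg.get("Received-SPF") or "none").split(" ", 1)[0].lower()
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["rdns"] if origin else None,
        "sent_from_us": from_us,
        # True when our IP handed the mail straight to the remote MX with no hop
        # through our own MTA: a process on the box spoke SMTP on port 25 itself.
        "direct_to_mx": from_us and not relayed_by_us,
        "spf": spf,
        "envelope_from": re.sub(r"^<|>$", "", (msg.get("Return-Path") or "").strip()),
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS, {"198.51.100.10"}, {"server.example.net"}).items():
        print(f"{key:14} {value}")
```

On the sample, the oldest hop is our own IP talking directly to mx.google.com and there is no "by server.example.net" hop anywhere, so the message never passed through the local Exim: the process on the box connected to port 25 on the remote MX itself. That is the pattern the outgoing-port-25 blocking advice later in the thread (CSF SMTP_BLOCK or the WHM SMTP Tweak) is meant to stop, and a forged X-Mailer claiming Outlook Express on a Linux server is a further tell.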
     
  2. frozen_penguin

    frozen_penguin Registered

    Joined:
    Sep 28, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    hi,

    Install phpsuexec and you will be able to see the user name of the account that is running that CGI script, so you can be sure which CGI script is doing the spam activity.

    Regards
     
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Here's the list that will solve the problem for you:

    • Turn on the WHM option to limit outgoing emails per hour to 150 (this is just-in-case, it looks like the spammers are actually sending email through port 25 outgoing).
    • Install CSF and tune it carefully, enable SMTP_BLOCK.
    • If you don't install CSF, turn on the WHM "SMTP Tweak" which will block outgoing port 25 spam.
    • Use "locate" or "find" to find the hnc.cgi script and disable or suspend that account.
    • Install suphp or phpsuexec so you can see who is running hnc.cgi or similar future attempts.
    • Install mod_security and a good ruleset (don't use an overly complex rule set).

    If you do all these, and clean up your current problem, you will be safe, and probably stay safe. With these done we haven't had outgoing spam for a very long time now.

    There are services around that do this (clean your system and install anti-spammer measures) for a smallish fee, www.configservers.com and www.platinumservermanagement.com are two of the well known and respected companies.
     
  4. sunil001

    sunil001 Member

    Joined:
    Oct 19, 2005
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    Hi brianoz,

    Same problem here. The hackers are not only using hnc.cgi but sometimes dm.cgi, pda.cgi, etc., with spam content files subject.txt, letter.txt and body.txt.

    I am able to trace the user, but the problem is that the content is not being uploaded by the original user, since it is occurring on many servers and for many users, and the files have been uploaded through FTP.

    Please let us know the solution.
     
  5. encikacop

    encikacop Member

    Joined:
    Jun 29, 2007
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Scripts to block the suspected CGI process

    Hi,

    I am also facing the same problem, and what I have done is create a script with 755 permission and put in the contents below:

    Code:
    #!/bin/sh
    while true;do
      #echo "Checking..."
      ps -A -o comm,pmem,pid | while read line;do
        # change the "xxxx.cgi" to whatever suspected .cgi file you'd like
        if [ "$(echo "$line" | awk '{print $1}')" = "xxxx.cgi" ];then
          kill -9 "$(echo "$line" | awk '{print $3}')"
          echo -n "Killed: ";echo "$line" | awk '{print $1}'
        fi
      done
      # check every second
      sleep 1
    done
    Then run the file in background mode with '&' (./script_name &). Once it kills the process, it will print out this line:
    "Killed: the_file_name.cgi"

    Don't forget to change the suspected filename in line 6! Good luck!
     
  6. Tom Pyles

    Tom Pyles Well-Known Member

    Joined:
    Apr 26, 2002
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    I saw this pop up on an account a few days ago and then another tonight. The users are reporting that they never uploaded the files (or made any recent uploads for that matter).
     
  7. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    This is hilariously bad advice.

    Perhaps I'm missing something here, but isn't it possible for the baddies to work around this by simply renaming their cgi script? The solution is to manage your box properly by installing a proper firewall (preferably CSF) and running SUPHP/SUEXEC; this is a bandaid not a solution. I'd liken it to shutting the gate after the cattle have bolted, or putting bars on your windows and locking the doors after the burglars are already in the house!!

    [QUOTE]
    Code:
      ps -A -o comm,pmem,pid | while read line;do
        # change the "xxxx.cgi" to whatever suspected .cgi file you'd like
        if [ $(echo "$line" | awk '{printf $1}') ==  "xxxx.cgi" ];then
          kill -9 `echo $line | awk '{printf $3}'`
          echo -n "Killed: ";echo $line | awk '{printf $1}'
        fi
    
    [/QUOTE]

    Not a bad script attempt; here's a way to make it much simpler ...
    Is it possible that comm might have two arguments in it? If so the script will break, best to re-order so comm is last ...
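As an added example (not brianoz's or encikacop's code, and not a cPanel tool), here is a Python version of the process check that takes both points raised in this thread into account: the command line goes last in the ps column list so a comm with spaces cannot shift the other fields, and it matches on "perl running some .cgi" rather than one hard-coded filename, so a renamed copy still shows up. It lists candidates for review with the owning user and the process's working directory (read from /proc on Linux, which on a cPanel box is normally somewhere under /home/<account>/) instead of killing anything. The ps column names pid, user and args are POSIX; the sample ps output is constructed from the two hnc.cgi processes in the first post plus a renamed copy and a benign root perl job.

```python
import os
import re
import subprocess

# args goes LAST so a command line containing spaces cannot shift the other
# columns; "=" after each column name suppresses the header line.
PS_ARGS = ["ps", "-eo", "pid=,user=,args="]

# Constructed sample ps output: the two hnc.cgi workers from the post, one
# renamed copy, and a benign perl job run by root that must not be listed.
SAMPLE_PS = """\
  773 nobody   /usr/bin/perl -w hnc.cgi
21014 nobody   /usr/bin/perl -w hnc.cgi
30210 nobody   /usr/bin/perl -w ./images/logo.gif.cgi
 1122 root     /usr/bin/perl /usr/local/cpanel/bin/leechprotect
"""

# A perl interpreter whose command line names a .cgi file anywhere in it.
SUSPECT = re.compile(r"^(\S*/)?perl\b.*\s\S+\.cgi(\s|$)")


def parse_ps(text):
    """Split 'pid user args' lines; args keeps every remaining field, spaces included."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, user, args = parts
        procs.append({"pid": int(pid), "user": user, "args": args})
    return procs


def suspects(procs, trusted_users=("root",)):
    """Processes worth a look: perl-driven CGI runs not owned by a trusted user."""
    return [p for p in procs
            if p["user"] not in trusted_users and SUSPECT.search(p["args"])]


def locate_cwd(pid):
    """Working directory of a live process via Linux /proc (root can read any);
    None if the process is gone or the link is unreadable. Assumes Linux."""
    try:
        return os.readlink(f"/proc/{pid}/cwd")
    except OSError:
        return None


def account_from_path(path):
    """Map a /home/<account>/... path to the cPanel account name, else None."""
    m = re.match(r"^/home/([^/]+)/", path or "")
    return m.group(1) if m else None


if __name__ == "__main__":
    out = subprocess.run(PS_ARGS, capture_output=True, text=True, check=True).stdout
    for p in suspects(parse_ps(out)):
        cwd = locate_cwd(p["pid"])
        print(p["pid"], p["user"], account_from_path(cwd) or "?", cwd, p["args"])
```

Without suphp/suexec every CGI runs as the web server user, so the user column alone says "nobody" for all of them; the working directory is what points at the account whose files were dropped, which is the same information suexec would put in the user column and the lead you need before suspending the account and cleaning the upload.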

     