The Community Forums

Interact with an entire community of cPanel & WHM users!

Server sending mass mail to .com.br

Discussion in 'E-mail Discussions' started by govand, Feb 8, 2006.

  1. govand

    govand Registered

    Joined:
    Jan 3, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    This is the second time I have faced the same problem: the server starts sending mass mail to unknown addresses and they all return back to the server, mails sent by nobody.

    Anybody know what the reason is?

    Here is a sample of the mail:

    1F6iA4-0006NK-8A-H
    mailnull 47 12
    <>
    1139377600 0
    -ident mailnull
    -received_protocol local
    -body_linecount 71
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1139377601
    -localerror
    XX
    1
    nobody@mt2.midyatech.com

    152P Received: from mailnull by mt2.midyatech.com with local (Exim 4.52)
    id 1F6iA4-0006NK-8A
    for nobody@mt2.midyatech.com; Wed, 08 Feb 2006 08:46:17 +0300
    046 X-Failed-Recipients: overm1nd_go@yahoo.com.br
    031 Auto-Submitted: auto-generated
    061F From: Mail Delivery System <Mailer-Daemon@mt2.midyatech.com>
    029T To: nobody@mt2.midyatech.com
    059 Subject: Mail delivery failed: returning message to sender
    050I Message-Id: <E1F6iA4-0006NK-8A@mt2.midyatech.com>
    038 Date: Wed, 08 Feb 2006 08:46:17 +0300

    1F6iA4-0006NK-8A-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    overm1nd_go@yahoo.com.br
    unrouteable mail domain "yahoo.com.br"

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <nobody@mt2.midyatech.com>
    Received: from nobody by mt2.midyatech.com with local (Exim 4.52)
    id 1F6iA4-0006NF-4n
    for overm1nd_go@yahoo.com.br; Wed, 08 Feb 2006 08:46:17 +0300
    To: overm1nd_go@yahoo.com.br
    Subject: Reaviso: Verifique o seu CPF
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    From: aviso@receita-federal.org <aviso@receita-federal.org>
    Message-Id: <E1F6iA4-0006NF-4n@mt2.midyatech.com>
    Date: Wed, 08 Feb 2006 08:46:17 +0300


    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <HTML><BASE HREF="http://receita.gov.br/">
    <head>
    <title>Receita Federal</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body>
    <table width="550" height="690" border="1" cellpadding="0" cellspacing="0">
    <!--DWLayoutTable-->
    <tr>
    <td width="546" height="688" valign="top" bordercolor="#FFFFFF"> <div align="left"><img src="http://www.receita.fazenda.gov.br/images/Menu/logo_srf.gif" width="152" height="51" hspace="0" vspace="0" border="0"><img src="http://www.receita.fazenda.gov.br/images/Menu/predios_srf.gif" width="238" height="51" hspace="0" vspace="0" border="0"><img src="http://www.srorgcontabil.com.br/images/banner_receitafederal.gif" width="148" height="51" border="0"> <img src="http://www.fazenda.gov.br/imagens/novobanner.gif" width="430" height="35" border="0"><img src="http://www.fazenda.gov.br/imagens/novobanner2.gif" width="116" height="35" border="0">
    </div>

    <blockquote>
    <div align="left">
    <p align="left"><font color="#FF0000" face="Verdana, Arial, Helvetica, sans-serif"><strong>AVISO URGENTE </strong></font></p>
    <p align="left"><font color="#003366" face="Verdana" style="font-size:11px"><b><font color="#004284">Caro
    contribuinte,</font></b></font></p>
    <p align="left"><font color="#004284"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Estamos lhe enviando esta notificação para que você efetue a Declaração e Regularização de seu CPF.</font></font></p>
    <p align="left"><font color="#004284"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Para efetuar esta declaração você deverá acessar o seguinte site apenas clicando no link abaixo: </font></font></p>

    <p align="left"><font face="Verdana" color="#0071E1" style="font-size:11px"><a href="http://www.receita-federal.org/recadastramento.exe">http://www.receita-federal.org/recadastramento.exe</a></font></p>
    </div>
    <p align="justify"><font color="#004284" face="Verdana" style="font-size:11px">Quem
    não efetuar esta declaração poderá ter seu CPF suspenso, podendo indisponabilizar de alguns serviços como registros nominais ou compras. </font></p>
    <p align="justify"><font color="#004284" face="Verdana" style="font-size:11px">Por
    questões de segurança, informações e dados
    do contribuinte não são solicitados por e-mail em hipótese
    alguma.</font></p>

    <p align="justify"> </p>
    <p align="justify"><b><font face="Verdana" color="#004284" style="font-size:11px">Atenciosamente,</font></p>
    <p><font face="Verdana" color="#004284" style="font-size:11px">Coordenação
    de Integração Fisco-Contribuinte<br>
    Secretaria da Receita Federal</font><br>
    </p>
    <p align="center"><img src="http://www.receita.fazenda.gov.br/images/Centro/selo_36anos_srf.gif" width="126" height="123" border="0" align="right"></p>

    <p align="center"> </p>
    <p align="center"><img src="http://www.distritofederal.df.gov.br/sites/100/129/imagens/receitafederal.jpg" width="116" height="52" border="0" align="left"></p>

    </div>

    </blockquote></td>
    </tr>
    </table>
    </html>
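The first block govand pasted is Exim's -H (header) spool file for the frozen bounce. As an added example, not code from the thread or from cPanel, here is a small Python parser for that format with a triage step that pulls out the facts the replies below care about: the message is a bounce (null sender), it is frozen, and it was returned to nobody, which points at a local web script rather than an outside sender. The sample input is rebuilt from the values in the post; the tab-indented continuation lines and the second space after an empty header flag, which the forum display collapsed, are restored so that each header's declared byte count checks out, and WEB_SERVER_USERS is an assumption about typical web-server account names.

```python
"""Added example, not from the thread: parse the Exim spool -H file that the
opening post pasted (the "1F6iA4-0006NK-8A-H" block) so frozen bounces can be
triaged in bulk. The sample is rebuilt from the post; tab-indented continuation
lines and the second space after an empty header flag are restored."""
import re

# Header lines are "<len><flag> <text>"; flag is a space or one of
# B=Bcc C=Cc F=From I=Message-ID P=Received R=Reply-To S=Sender T=To *=deleted.
HEADER_LINE = re.compile(r"^(\d+)(.) (.*)$")
WEB_SERVER_USERS = {"nobody", "apache", "www-data"}   # assumed web-server accounts

def parse_spool_h(text):
    """Parse a -H file into a dict; only the empty non-recipient tree ("XX") is handled."""
    lines = iter(text.rstrip("\n").split("\n"))
    msg = {"message_id": next(lines)[:-2]}              # drop the "-H" suffix
    msg["user"] = next(lines).split()[0]                # login that handed exim the message
    msg["sender"] = next(lines).strip()[1:-1]           # "" is the null sender of a bounce
    msg["received_at"] = int(next(lines).split()[0])    # 2nd field: delay warnings sent
    options, line = {}, next(lines)
    while line.startswith("-"):                         # "-name value" or a bare "-flag"
        key, _, value = line[1:].partition(" ")
        options[key] = value if value else True
        line = next(lines)
    if line != "XX":
        raise ValueError("non-recipient tree not handled by this example")
    msg["options"] = options
    msg["recipients"] = [next(lines).split()[0] for _ in range(int(next(lines)))]
    next(lines)                                         # blank line before the headers
    headers = []                                        # [declared_len, flag, text]
    for line in lines:
        m = HEADER_LINE.match(line)
        if m:
            headers.append([int(m.group(1)), m.group(2), m.group(3) + "\n"])
        elif line[:1] in (" ", "\t") and headers:
            headers[-1][2] += line + "\n"               # folded continuation line
        else:
            raise ValueError("unexpected header line: %r" % line)
    msg["headers"] = headers
    return msg

def header_value(msg, name):
    """First header with this name, folded lines joined; None if absent."""
    prefix = name.lower() + ":"
    for _n, _flag, text in msg["headers"]:
        if text.lower().startswith(prefix):
            return " ".join(text[len(prefix):].split())
    return None

def length_mismatches(msg):
    """Names of headers whose declared byte count is wrong: hand-edited or corrupt file."""
    return [text.split(":", 1)[0] for n, _flag, text in msg["headers"]
            if n != len(text.encode("utf-8"))]

def triage(msg):
    """The facts an admin wants from one frozen message."""
    failed = header_value(msg, "X-Failed-Recipients") or ""
    # A bounce addressed back to the web-server account means the original was
    # handed to exim locally by a web script running as that account.
    to_web_user = any(r.partition("@")[0] in WEB_SERVER_USERS for r in msg["recipients"])
    return {
        "is_bounce": msg["sender"] == "",
        "frozen": "frozen" in msg["options"],
        "submitted_by": msg["user"],
        "returned_to": msg["recipients"],
        "failed_recipients": [a.strip() for a in failed.split(",") if a.strip()],
        "web_script_suspected": msg["sender"] == "" and to_web_user,
    }

# Constructed from the post; \t marks the tabs Exim puts before continuation lines.
SAMPLE_H = """\
1F6iA4-0006NK-8A-H
mailnull 47 12
<>
1139377600 0
-ident mailnull
-received_protocol local
-body_linecount 71
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1139377601
-localerror
XX
1
nobody@mt2.midyatech.com

152P Received: from mailnull by mt2.midyatech.com with local (Exim 4.52)
\tid 1F6iA4-0006NK-8A
\tfor nobody@mt2.midyatech.com; Wed, 08 Feb 2006 08:46:17 +0300
046  X-Failed-Recipients: overm1nd_go@yahoo.com.br
031  Auto-Submitted: auto-generated
061F From: Mail Delivery System <Mailer-Daemon@mt2.midyatech.com>
029T To: nobody@mt2.midyatech.com
059  Subject: Mail delivery failed: returning message to sender
050I Message-Id: <E1F6iA4-0006NK-8A@mt2.midyatech.com>
038  Date: Wed, 08 Feb 2006 08:46:17 +0300
"""

if __name__ == "__main__":
    print(triage(parse_spool_h(SAMPLE_H)), length_mismatches(parse_spool_h(SAMPLE_H)))
```

Run over a whole queue, the same triage on every -H file under the spool input directory groups the frozen bounces by submitting user and by the local address they came back to, which is the quickest way to tell "a web script on this box is sending" from "somebody outside is forging our domain".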
     
  2. Jimmyftw

    Jimmyftw Active Member

    Joined:
    Jan 18, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    It would be because somewhere on your server an uploaded script has been exploited, or perhaps the server itself, and a hacker has uploaded some spamming scripts and run them. Typical things to check are suspicious files owned by nobody in /tmp and /dev/shm. You can grep /usr/local/apache/domlogs/* for wget, /tmp etc. to try and find which script was exploited to upload it, if you find an uploaded one. You can also search these forums for many other suggestions on how to track this.
     
  3. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    We have seen this issue with many clients and the only way out is to find these bad/insecure scripts and either suspend or delete them. We wrote a script that tracks down these malicious scripts and helped us solve these problems for good. :)
     
    #3 AndyReed, Feb 8, 2006
    Last edited: Feb 8, 2006
  4. maverick23

    maverick23 Well-Known Member

    Joined:
    Feb 23, 2005
    Messages:
    92
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Even I faced this problem with my server, but after installing mod_security it solved my issues... Try that; maybe that helps...
     
  5. WhiteBear

    WhiteBear Well-Known Member

    Joined:
    Feb 19, 2004
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    What happens if I modify the chmod of wget?

    now - -rwx------ 1 root root 175000 Aug 4 2003 wget*

    later - ---------- 1 root root 175000 Aug 4 2003 wget

    Thanks a lot,
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's a very bad idea. The minimum permissions that you should have on wget are 700 otherwise you're going to break things. With 700, users are not going to be able to run wget anyway.

    I'd echo the advice Jimmyftw gave.
     
  7. marcusg70

    marcusg70 Registered

    Joined:
    Mar 21, 2005
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Definitely a hacker script.
    Check the link in that e-mail ... "http://www.receita-federal.org/....". It is pointing to an exe file on a domain that looks like the Brazilian IRS but actually isn't...
     
  8. embsupafly

    embsupafly Active Member

    Joined:
    Dec 24, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    Check your /tmp directory for scripts and do a 'ps -auxfww' to see what is actually running. This has happened to us before. Check for old versions of phpBB that could be exploited; you can use this script that will automatically detect out-of-date versions of phpBB: http://www.cplicensing.net/files/scripts/chkphpbbver
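Jimmyftw's and embsupafly's advice above amounts to two checks: grep the domlogs for wget and /tmp, and look in /tmp and /dev/shm for files owned by nobody. As an added example (not code from the thread or from cPanel), here they are as Python functions that can be re-run after every incident. The log lines, IP addresses and file names are constructed, and the suspicious-pattern list is a starting point rather than a signature set. It goes one step beyond a plain grep by URL-decoding each request first, since an encoded %2Ftmp would otherwise slip past, and it also flags a URL carried inside a query parameter, which is the usual way a script gets talked into fetching something in the first place.

```python
"""Added example, not from the thread: the two manual checks the replies give
("grep /usr/local/apache/domlogs/* for wget, /tmp" and "files owned by nobody
in /tmp and /dev/shm") as functions. Log lines, IPs and paths are constructed."""
import os
import pwd
import re
import stat
from urllib.parse import unquote_plus

# Apache "combined" log format, which cPanel writes under /usr/local/apache/domlogs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Things a request to an ordinary PHP or CGI script has no reason to carry.
SUSPECT = [
    ("downloader", re.compile(r"\b(wget|curl|lynx)\b", re.I)),
    ("tmp-path", re.compile(r"/(tmp|dev/shm|var/tmp)/")),
    ("url-in-parameter", re.compile(r"[?&][^=&]*=https?://", re.I)),
]

def scan_domlog_lines(lines):
    """One finding per request whose URL-decoded target matches a SUSPECT pattern.

    Decoding first is the point: "%2Ftmp%2Fx.txt" is what a plain grep for /tmp misses.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                          # unparseable line: skip it, keep sweeping
        target = unquote_plus(m.group("target"))
        for label, pattern in SUSPECT:
            if pattern.search(target):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "script": target.split("?", 1)[0],   # the script that was called
                    "target": target,
                    "status": int(m.group("status")),
                    "reason": label,
                })
                break                         # one finding per request is enough
    return findings

def find_files_owned_by(dirs, uids):
    """Files under the given directories owned by one of the uids
    (pass the web-server account, which is "nobody" on a cPanel box)."""
    found = []
    for top in dirs:
        for root, _subdirs, names in os.walk(top):
            for name in names:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)       # lstat: do not follow planted symlinks
                except OSError:
                    continue
                if st.st_uid in uids:
                    found.append({
                        "path": path,
                        "size": st.st_size,
                        "executable": bool(st.st_mode & stat.S_IXUSR),
                    })
    return sorted(found, key=lambda f: f["path"])

# Constructed log lines: a normal request, a remote-include style request,
# a URL-encoded /tmp path, and one line that is not in combined format at all.
SAMPLE_DOMLOG = [
    '203.0.113.7 - - [08/Feb/2006:08:40:02 +0300] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [08/Feb/2006:08:44:51 +0300] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 3301 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [08/Feb/2006:08:45:30 +0300] "GET /index.php?page=%2Ftmp%2Fx.txt HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for f in scan_domlog_lines(SAMPLE_DOMLOG):
        print("%(time)s %(ip)s %(reason)s %(target)s" % f)
    try:
        web_uid = pwd.getpwnam("nobody").pw_uid
    except KeyError:
        web_uid = os.getuid()                 # no 'nobody' account here: demo with our own uid
    for f in find_files_owned_by(["/tmp", "/dev/shm"], {web_uid}):
        print("%s%s %d bytes" % (f["path"], "*" if f["executable"] else "", f["size"]))
```

The "script" field is the part worth grouping on: the same script name turning up in every finding is the file to suspend first, and the timestamps line up with the Received: headers in the frozen bounces.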
     