The Community Forums

sites compromised

Discussion in 'General Discussion' started by Def, Jul 29, 2005.

  1. Def (Well-Known Member, joined Feb 21, 2003)

    I have a serious issue on one of my servers. Over the last 2 days we've had 2 accounts that had been used for phishing scams. We've also had a spammer (from him alone we had over 24,000 bounced emails found in the mail queue).

    On these sites we've found directories named mailz or ebaymailz or mailerz which had the scripts to send the scams/spam. The accounts that had these scripts were compromised as I'm certain they didn't do this themselves.

    My question is how do I find out how these accounts were compromised?
     
  2. chirpy (Well-Known Member, joined Jun 15, 2002; location: Go on, have a guess)

    Start with the basics:

    1. Do they have phpBB or phpNuke installed? If so are they the latest versions? If not, that's the most likely route in.

    2. Do they have any other php or perl applications installed? If so, are the versions that are running vulnerable?

    3. You'll need to search/trawl through the /etc/httpd/domlogs/ for those domains (and possibly others) for suspicious script activation and those filenames that you mentioned.

    4. As in 3, but for the Apache error_log.

    That should get you started.
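Step 3 of chirpy's list in working form, added here as an example (not code from the thread or from cPanel): scan Apache access logs for requests that enter the directory names Def reported and list the client IPs behind them. The regex, the constructed sample lines and the helper names are assumptions; only the directory names and the /etc/httpd/domlogs path come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: look through Apache access logs for
# requests into the directory names Def reported (mailz, ebaymailz, mailerz)
# and list the client IPs behind them, so one IP can be checked against the
# other accounts' logs. The regex, the sample lines and the path are assumptions.

# Directory names taken from the thread; add new ones as they turn up.
SUSPECT_DIRS='mailz|ebaymailz|mailerz'

# A request line whose URL path enters one of those directories, e.g.
#   "GET /mailz/send.php HTTP/1.1"  or  "POST /forum/ebaymailz/x.php HTTP/1.0"
SUSPECT_RE="\"(GET|POST|HEAD) /([^ ]*/)?($SUSPECT_DIRS)/"

# Print the log lines on stdin that match (nothing if none).
scan_log() {
    grep -E "$SUSPECT_RE" || true
}

# Count matching lines on stdin; prints 0 rather than failing when none match.
count_hits() {
    grep -cE "$SUSPECT_RE" || true
}

# Unique client IPs (first field of the combined log format) among the matches.
source_ips() {
    scan_log | awk '{ print $1 }' | sort -u
}

# Same scan over every log in a domlogs directory, prefixing each hit with the
# file name so the affected account is obvious (cPanel keeps them under
# /etc/httpd/domlogs, as chirpy's reply says).
scan_domlogs() {
    grep -HE "$SUSPECT_RE" "${1:-/etc/httpd/domlogs}"/* 2>/dev/null || true
}

# Constructed sample in combined log format; not real traffic.
SAMPLE_LOG='203.0.113.5 - - [29/Jul/2005:10:12:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jul/2005:10:15:44 -0500] "POST /forum/posting.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jul/2005:10:16:02 -0500] "GET /mailz/send.php?n=200 HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Jul/2005:11:01:13 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.9 - - [29/Jul/2005:11:20:30 -0500] "POST /ebaymailz/mailer.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Jul/2005:11:25:09 -0500] "GET /shop/mailerz/list.txt HTTP/1.1" 200 9000 "-" "Mozilla/4.0"'

# Demonstration on the constructed sample: the three hits, then the two IPs.
printf '%s\n' "$SAMPLE_LOG" | scan_log
printf '%s\n' "$SAMPLE_LOG" | source_ips
```

On a real server, run `scan_domlogs` (optionally with another log directory as its argument) and feed the IPs it surfaces back through the other accounts' domlogs and the FTP logs, which is how Def traced the phishing uploads to a single source.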
     
  3. Def (Well-Known Member, joined Feb 21, 2003)

    Thanks chirpy. It looks like the spammer exploited an un-updated phpbb. The 2 phishers (same guy as it was the same IP) came through ftp according to the logs. It seems it happened the same day I changed from pro-ftpd to pure-ftpd.
     