The Community Forums


Spamming From My VPS

Discussion in 'Security' started by desiwebmaster, Jan 31, 2012.

  1. desiwebmaster

    desiwebmaster Member

    Someone is sending spam from my VPS. I did everything as told by cPanel staff
    [cPanel ticket ID# 2182566] but nothing happened. I installed the CSF firewall, still nothing happened. Please
    guide me on what I should do.

    Here are the mails sent by the spammers:

    Code:
    1RsF6R-0006tt-74-H
    mailnull 47 12
    <mrswendy542@gmail.com>
    1328021675 0
    -helo_name User
    -host_address 127.0.0.1.57570
    -host_name localhost
    -interface_address 127.0.0.1.25
    -received_protocol smtp
    -body_linecount 35
    -max_received_linelength 702
    XX
    50
    debo48217@yahoo.com
    debo50_00@yahoo.com
    debo61924@yahoo.com
    debo71569@yahoo.com
    debo80@yahoo.com
    debo913@yahoo.com
    debo9yrclean@yahoo.com
    deboah99_00@yahoo.com
    deboahthomas@yahoo.com
    deboangel@yahoo.com
    deboat@yahoo.com
    deboatl@yahoo.com
    debob_2@yahoo.com
    debobloomington@yahoo.com
    debobob69@yahoo.com
    deboborde@yahoo.com
    debobreton@yahoo.com
    deboca66@yahoo.com
    debochicc@yahoo.com
    debocrawf@yahoo.com
    debodarius@yahoo.com
    debodebbie@yahoo.com
    debodebo40@yahoo.com
    debodel@yahoo.com
    debodeluxe@yahoo.com
    debodette@yahoo.com
    deboe_226@yahoo.com
    deboe323@yahoo.com
    deboe55@yahoo.com
    deboe99_2000@yahoo.com
    deboed2002@yahoo.com
    deboer@yahoo.com
    deboer_91977@yahoo.com
    deboerd@yahoo.com
    deboeuf@yahoo.com
    debof420@yahoo.com
    debogirlme@yahoo.com
    debois77@yahoo.com
    debojane@yahoo.com
    debojj2001@yahoo.com
    debojo98@yahoo.com
    debok1394@yahoo.com
    debokd1st@yahoo.com
    debolcik@yahoo.com
    debolicious12@yahoo.com
    debolina2@yahoo.com
    debolsen@yahoo.com
    debolson2002@yahoo.com
    debolson3012@yahoo.com
    debomartin@yahoo.com
    
    199P Received: from localhost ([127.0.0.1]:57570 helo=User)
    by server.indianhost.info with smtp (Exim 4.69)
    (envelope-from <mrswendy542@gmail.com>)
    id 1RsF6R-0006tt-74; Tue, 31 Jan 2012 20:24:36 +0530
    043R Reply-To: <rtb.consulting.ext7@live.co.uk>
    084F From: "DR ALAN BOLLARD GOVERNOR RESERVE BANK OF NEW ZEALAND"<mrswendy542@gmail.com>
    063 Subject: FINAL NOTIFICATION REGARDING YOUR UNCLAIMED PRIZE WON
    038 Date: Tue, 31 Jan 2012 06:56:44 -0500
    018 MIME-Version: 1.0
    050 Content-Type: text/plain;
    charset="Windows-1251"
    032 Content-Transfer-Encoding: 7bit
    014 X-Priority: 3
    026 X-MSMail-Priority: Normal
    051 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    057 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    1RsF6R-0006tt-74-D
    
    
    Reserve Bank of New Zealand
    2 The Terrace, PO Box 2498
    Wellington 6011
    New Zealand
    
    
    
    From The Desks of Dr Alan Bollard
    Governor Reserve Bank of New Zealand
    
    
    Attention: Sir/Madam,
    
    FINAL NOTICE
    
    several notifications were sent out to you regarding your prize money lying pending as unclaimed funds deposited into the Reserve Bank of New Zealand. We are contacting you regarding the out come of our emergency meeting with the Lottery Organiser, and some of the lotteries beneficiaries who managed to honour the invitation, attending the meeting last week in New Zealand, after going through the unclaimed records we discovered that your name was among the listed beneficiaries. Meaning that you have not yet claimed your prize money, the reasons are e.g.; you have being dealing with the wrong officials, banks, lawyers and agents and for security reason the winning reference numbers have changed.
    
    Here you will find your new winning reference numbers as follows 1, 30, 35, 47, 48, 49, Bonus 8. We advised you deal directly with the Royal Trust Bank of New Zealand or Royal Trust Bank of London and stop every communication with the fraudulent agents; their names are blacklisted as scammers. More so the bank account used for these activities was confiscated and place on hold.
    
    Luckily enough we recovered your total prize money worth £3,000,000.00 Pounds only and you have being approved for payment spokes: during the meeting last week. Your payment file was forwarded to the Royal Trust Bank of New Zealand or Royal Trust Bank of London. For immediate payment contact the Royal Trust Bank of New Zealand or Royal Trust Bank of London and they will address you with the new payment methods.
    
    Contact Mr. Michael Fingleton the account officer handing your file a representative of Royal Trust Bank and always remember to quote the above reference number on every communication.
    
    Name: Mr. Michael Fingleton
    Email: payment@rtb-consultant.co.uk, rtb.consaltant@live.co.uk
    24 Hours Hotline: +6498892043, +447035944610
    
    Best Regards,
    
    Dr Alan Bollard,
    Governor Reserve Bank of New Zealand
    Mrs. Wendy Williams.
    Auditor Reserve Bank of New Zealand
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I've had a look at your ticket.

    As mentioned in the ticket, this sort of issue is the responsibility of the Server Administrator. If you're unsure of what needs to be done, you should hire someone for assistance. You can find a list here:
    Dev & Sys Admin Services « Application Catalog

    On the main CSF page in WHM, find the Firewall Security Level button, in there find the level High button and select that. Save and restart firewall.

    Make sure the server contact email is correct and working.

    WHM > Server Configuration > Basic cPanel & WHM Setup, Contact Information tab.

    CSF should alert you to things on the server at that email address.

    If it was me, I'd suspend the account mentioned in your ticket and leave it suspended.
     
  3. desiwebmaster

    desiwebmaster Member

    There is no user in my ticket that is sending email.
     
  4. storminternet

    storminternet Well-Known Member

    1) Please check all mailing lists on your VPS and compare the email addresses that are viewable in the email headers of the spam email.
    2) Enable log selector by adding
    from WHM, Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor in the first text box. Check /var/log/exim_mainlog and notice cwd= to find out the actual path of the script that is sending mails.
    3) Monitor PHP processes that are running on your VPS with the top command. Keep watch on scripts that are overloading your server.
    4) Remove all spam emails from the mail queue.
    5) Disable the PHP mail function from WHM. For more details refer to Tweak Settings.
    6) Once you are able to catch the offending account or script, immediately disable it.
     
  5. JayFromEpic

    JayFromEpic Well-Known Member

    Another thing you may want to do is contact Yahoo with an abuse report regarding those email addresses.
     
  6. arunsv84

    arunsv84 Well-Known Member

    Try using the following command to trace the spammer.

     
  7. desiwebmaster

    desiwebmaster Member

    I changed the CSF firewall level to high. Now the spamming has stopped, but my clients are not able to send mails from webmail. Please tell me what I should do.
     
  8. NixTree

    NixTree Well-Known Member

  9. Jmoola

    Jmoola Member

    The same thing happened to my VPS, which caused my service to be suspended; however, they did allow me access to SSH.

    I was told to do the following using SSH:
    "setup proper mail security, mail accounting and also put in place some form of rate limiting"

    Problem is I don't know how to do these things. Any help would be great.

    Thanks
     
  10. desiwebmaster

    desiwebmaster Member

    Jmoola, just install the firewall and run it on level high; that will work 100%.
     
  11. Jmoola

    Jmoola Member

    I only have access to SSH, how do I go about doing that?
     
  12. desiwebmaster

    desiwebmaster Member

    You can do it with SSH: install the CSF firewall, check on Google.
     
  13. Jmoola

    Jmoola Member

    I just tried it but I keep getting this message:

    Code:
    root@server [~]# wget http://www.configserver.com/free/csf.tgz
    --2012-02-14 13:46:31--  http://www.configserver.com/free/csf.tgz
    Resolving http://www.configserver.com... failed: Temporary failure in name resolution.
    wget: unable to resolve host address `http://www.configserver.com'
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    ConfigServer Firewall is not a product made by cPanel. That link does work; you might try downloading it manually and uploading it to your server. If you run into any problems with it during installation or operation, the ConfigServer forums are the best place to go.
     
  15. Oleg.Gricik

    Oleg.Gricik Well-Known Member

    Hi All

    We have the same problem on our shared servers.
    But we have found a way to detect such spammers.
    In most cases such scripts open local connections.
    You can check it during spamming via the following command:

    netstat -anpt| grep 127.0.0.1

    As a result you can see the following:
    tcp 0 0 127.0.0.1:56256 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56257 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56266 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56265 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56270 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56271 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56268 127.0.0.1:25 ESTABLISHED 797569/sshd: austin
    tcp 0 0 127.0.0.1:56269 127.0.0.1:25 ESTABLISHED 797569/sshd: austin

    In this case austin isn't the full name of the user,
    as in most cases a username contains 8 chars.
    Then you can use the following command:

    lsof -p 797569

    There you can see the full username and in some cases the path of the spam script (but in most cases this is /tmp or /home/virtfs).
    In order to stop such a spammer you just need to suspend this account using the /scripts/suspendacct script, then you need to kill all processes which were run by the user (there you can use killall -9 -u username).
    Also, there will be an IP address of the spammer; we block it too.
    In 99% of cases this stops the spamming.
    But we can't find the source of the problem (the script).

    In this case I need some help from cPanel support.
    I have maillogs in which I see the following:
    XXXX-XX-XX XX:XX:XX 1S0WP9-004NHt-AN <= username@aol.com H=localhost.localdomain (User) [127.0.0.1] P=esmtpa A=dovecot_login:username S=3487

    There are a lot of such strings which use the same socket (as I understand, S=3487).
    Is there any way to determine via this socket (or other info from this string) how it was connected?

    Kind Regards
    Oleg G.
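Added example, not code from the thread or from cPanel: a small parser for /var/log/exim_mainlog that does the aggregation storminternet's step 2 (look at cwd= to find the sending script) and Oleg's maillog question (many "<=" lines with A=dovecot_login:username) both point at. It counts accepted messages per submitting identity and sendmail invocations per working directory, assuming Exim's argument logging is enabled so that cwd= lines appear; the log lines are constructed, and the hostnames, ids and user names in them are made up.

```python
import re
from collections import Counter

# Constructed sample /var/log/exim_mainlog lines (not from the thread): "cwd=" lines
# record sendmail invocations, "<=" lines record each accepted message.
SAMPLE_LOG = """\
2012-02-23 10:15:01 cwd=/home/austin/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2012-02-23 10:15:01 1S0WP9-0001aa-Ab <= fake@example.com U=austin P=local S=3487
2012-02-23 10:15:02 cwd=/home/austin/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2012-02-23 10:15:02 1S0WP9-0001ab-Ac <= fake@example.com U=austin P=local S=3487
2012-02-23 10:15:03 1S0WPA-0001ad-Ad <= username@aol.com H=localhost.localdomain (User) [127.0.0.1] P=esmtpa A=dovecot_login:username S=3487
2012-02-23 10:15:04 1S0WPA-0001ae-Ae <= username@aol.com H=localhost.localdomain (User) [127.0.0.1] P=esmtpa A=dovecot_login:username S=3487
2012-02-23 10:15:05 1S0WPA-0001af-Af <= username@aol.com H=localhost.localdomain (User) [127.0.0.1] P=esmtpa A=dovecot_login:username S=3487
2012-02-23 10:16:00 1S0WPB-0001ag-Ag <= alice@example.org U=alice P=local S=512
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
MSG_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<from>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r" (?P<key>[A-Z])=(?P<val>\S+)")

def parse_mainlog(text):
    """Count accepted messages per submitting identity and sendmail runs per cwd.
    Identity keys: 'auth:<login>' (A=dovecot_login:<login>), 'local:<user>' (U=),
    else 'host:<H value>'; the cwd is the directory a mailing script ran from."""
    origins, cwds = Counter(), Counter()
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:  # sendmail invocation: remember the script's working directory
            cwds[m.group("cwd")] += 1
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        fields = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(" " + m.group("rest"))}
        if "A" in fields:  # authenticated SMTP submission (webmail or stolen password)
            key = "auth:" + fields["A"].split(":", 1)[-1]
        elif "U" in fields:  # local pipe from a process owned by this account
            key = "local:" + fields["U"]
        else:
            key = "host:" + fields.get("H", "unknown")
        origins[key] += 1
    return origins, cwds

def over_threshold(counter, limit):
    """Keys whose count exceeds limit, busiest first (candidates to inspect or suspend)."""
    return [(k, n) for k, n in counter.most_common() if n > limit]
```

In Exim's log format S= is the message size in bytes, so the fields that identify a submitter are A=, U= and H=; run over a real log with a threshold tuned to normal volume, the busiest identity and cwd are where to look first.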
     
  16. Oleg.Gricik

    Oleg.Gricik Well-Known Member

    P.S. Such problems are caused by WordPress and/or Joomla.
     
  17. storminternet

    storminternet Well-Known Member

    Right. If you are using third-party software then it is always recommended to update it at regular intervals.
    Mostly buggy themes and plugins of WordPress and Joomla create spamming issues on the server.
    So they should be updated at regular intervals.
     
  18. Oleg.Gricik

    Oleg.Gricik Well-Known Member

    Hi

    In most cases Joomlas and WPs are updated to the latest versions.
    But plugins and themes are another story.
    I'm not a programmer and don't have much time for checking their vulnerabilities.
    Maybe somebody has some tools in order to check them.

    Kind Regards
    Oleg G.
     
    #18 Oleg.Gricik, Feb 23, 2012
    Last edited: Feb 23, 2012
  19. Oleg.Gricik

    Oleg.Gricik Well-Known Member

    Hi Again

    One of our techs was able to investigate the problem deeply.
    Update:
    If your client does/doesn't have shell access enabled, and the sending of spam has been completed,
    you can check the access log using the `last` command.

    Also, there is an option called Sender Verification Callouts under Exim Configuration Editor.
    It should fix the problem, but may cause new problems with email.
    We haven't tested it, but if someone tested it before, please share your experience here =)
     
  20. cPanelNick

    cPanelNick Administrator
    Staff Member
