The Community Forums


VPS being used by a SPAMMER! Please Help.

Discussion in 'Security' started by Cheekychino, Aug 7, 2012.

  1. Cheekychino

    Cheekychino Registered

    cPanel Access Level:
    Website Owner
    Hi Guys,

    I've got a problem with my VPS where it seems that someone is sending spam emails using my server somehow. Someone notified us of the situation and now, looking into it, we've blocked port 25 to stop it for now. And I can see some emails that didn't get sent in the Mail Queue Manager in WHM.

    The emails are typical, just phishing emails for Facebook, but in some of the first emails I see that the spammer may have been testing. They are sending to testing@testing.com and the first few emails have the Subject line set to XXX.XXX.XXX.XXX email@emailaddress.com password (but each of these with the real values).

    What I'm really looking for is:
    1. How do I find out where these emails are being sent from & stop it.
    2. How did this happen in the first place?

    PS. The hacker's website that he was using in his emails was hutianyi.net (be careful in there I think)

    Thanks
     
  2. Cheekychino

    Cheekychino Registered

    cPanel Access Level:
    Website Owner
    Anybody? Not sure where else to get support. I can provide more info just don't know what.
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Please do not open up additional threads about the same issue in other forums. All threads eventually get seen by someone. The thread was only opened up less than 24 hours ago.

    As for the issue, what is one of the full headers of one of the spamming messages? You'll need to view that in one of the emails in WHM > Mail Queue Manager. Please provide the header here.

    Next, I'd suggest going through this hardening guide for Exim to ensure you have the settings enabled to track the person down:

    http://forums.cpanel.net/f5/setup-l...-hour-per-domain-users-201222.html#post843452

    You don't have to do the sendmail portion at the bottom, but the other options should be set. If you are using PHP 5.3 instead, please let us know. PHP 5.3 doesn't have PHP MailHeaders in EasyApache, but instead has an option you can enable in the php.ini file.

    Thanks!
     
  4. Cheekychino

    Cheekychino Registered

    cPanel Access Level:
    Website Owner
    Code:
    1SyUbW-0003sj-MV-H
    mailnull 47 12
    <notification+bhye6cu8c23@facebook-email.com>
    1344287566 0
    -helo_name vps1.xxx.com.au
    -host_address xxx.xxx.xxx.xxx.46347
    -host_name vps1.symbill.com.au
    -host_auth dovecot_plain
    -interface_address xxx.xxx.xxx.xxx.xxx
    -received_protocol esmtpa
    -body_linecount 143
    -max_received_linelength 76
    -auth_id xxx@xxx.com.au
    XX
    1
    username@domain.com
    
    256P Received: from vps1.xxx.com.au ([xxx.xxx.xxx.xxx]:46347)
    	by vps1.xxx.com.au with esmtpa (Exim 4.77)
    	(envelope-from <notification+bhye6cu8c23@facebook-email.com>)
    	id 1SyUbW-0003sj-MV
    	for username@domain.com; Tue, 07 Aug 2012 07:12:46 +1000
    086  Content-Type: multipart/alternative;
    	boundary="===============0773013136356466016=="
    018  MIME-Version: 1.0
    061  Subject: :xxx.xxx.xxx.xxx xxx@xxx.com.au xx[emailpassword]xx:
    063F From: "Facebook" <notification+bhye6cu8c23@facebook-email.com>
    This is one of the email headers; I've removed real values in some places and replaced them with xxx.
     
    #4 Cheekychino, Aug 7, 2012
    Last edited: Aug 7, 2012
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    If you replaced the username with XX in one of the lines, that's the person doing it. It is definitely an authenticated login:

    This indicates they logged in with dovecot.
     
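    Tristan's reading of the header above (received_protocol esmtpa together with -host_auth and -auth_id means a mailbox password was used to inject the message) can be applied to every message in the queue at once. The script below is an added example, not code from this thread or from cPanel: it parses Exim spool -H files like the one posted and counts queued messages per authenticated account, using two constructed sample headers (the second, a local cron-style message, is made up for contrast).

```python
import re
from collections import Counter

# Two constructed Exim spool "-H" files, modelled on the header posted above.
# The first mirrors the poster's (redacted) SMTP-AUTH submission; the second is
# a made-up message injected by a local process, with no SMTP login involved.
SAMPLE_HEADERS = [
    "1SyUbW-0003sj-MV-H\nmailnull 47 12\n"
    "<notification+bhye6cu8c23@facebook-email.com>\n1344287566 0\n"
    "-helo_name vps1.xxx.com.au\n-host_address xxx.xxx.xxx.xxx.46347\n"
    "-host_auth dovecot_plain\n-received_protocol esmtpa\n"
    "-auth_id myemail@mywebsite.com.au\nXX\n1\nusername@domain.com\n\n"
    "256P Received: from vps1.xxx.com.au ([xxx.xxx.xxx.xxx]:46347)\n",
    "1SyUcX-0004aa-AA-H\nnobody 99 99\n<root@localhost>\n1344287600 0\n"
    "-received_protocol local\n-local\nXX\n1\nroot@localhost\n\n"
    "020  Subject: cron report\n",
]

OPTION_RE = re.compile(r"^-(\w+)(?:\s+(.*))?$")


def parse_spool_header(text):
    """Return the '-option value' lines of an Exim -H file as a dict.
    Lines 1-4 are message id, owner, envelope sender and receive time; the
    option block follows and ends at the first line not starting with '-'."""
    opts = {}
    for line in text.splitlines()[4:]:
        m = OPTION_RE.match(line)
        if not m:
            break
        opts[m.group(1)] = m.group(2) or ""
    return opts


def submitter(opts):
    """Classify how the message entered the queue: ('smtp_auth', account) for
    an authenticated SMTP login (esmtpa/esmtpsa plus an auth_id), ('local',
    None) for locally injected mail, else ('unauthenticated_smtp', host)."""
    proto = opts.get("received_protocol", "")
    if proto in ("esmtpa", "esmtpsa") and opts.get("auth_id"):
        return ("smtp_auth", opts["auth_id"])
    if proto == "local" or "local" in opts:
        return ("local", None)
    return ("unauthenticated_smtp", opts.get("host_address"))


def top_auth_ids(headers):
    """Queued messages per authenticated account, most frequent first; one
    account far ahead of the rest is the one to reset and investigate."""
    counts = Counter()
    for text in headers:
        kind, account = submitter(parse_spool_header(text))
        if kind == "smtp_auth":
            counts[account] += 1
    return counts.most_common()
```

    On a live server the same functions would be fed the *-H files from Exim's spool input directory (/var/spool/exim/input on cPanel systems) rather than the constructed samples.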
  6. Cheekychino

    Cheekychino Registered

    cPanel Access Level:
    Website Owner
    That XX I didn't place there, sorry, it was already there. But the -auth_id had a valid email address.

    -auth_id myemail@mywebsite.com.au

    - - - Updated - - -

    So, it being an authenticated login, if I remove all email accounts from that website, it should fix the problem?

    Just wondering if I need to go checking through my whole VPS for a script of some sort?
     
  7. Arsalan

    Arsalan Well-Known Member

    Just change that email account's password and the spam will stop :)
     
  8. NixTree

    NixTree Well-Known Member

    cPanel Access Level:
    Root Administrator
    Yeah, it's "-auth_id myemail@mywebsite.com.au" that is compromised; no need to delete the account! Change the password of this email account as soon as possible to a stronger one!

    You may also have to contact the client and ask them to make sure their local machine / network is malware free. Also ask them to enforce IMAPS / POP3S for email retrieval and to use strong passwords!
     
    #8 NixTree, Aug 8, 2012
    Last edited: Aug 8, 2012