The Community Forums

Interact with an entire community of cPanel & WHM users!

*+ WARNING. cPanel's mailing list is a source of spam +*

Discussion in 'E-mail Discussions' started by sexy_guy, Jun 5, 2003.

  1. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    The mailing list installed by cPanel is vulnerable to being hijacked by spammers. We found our monthly mailing list sent to our users with a return path of Promoteus-admin@money-matchmaker.com. Please take Mailman off your servers or disable it!!!!!

    I'm sending a TT to DarkOrb right now. I've had it with this vuln crap! That's what we get when they refuse to upgrade software and it's exploited by spammers smarter than the software creators. :mad:

    See my msg here; http://forums.cpanel.net/showthread.php?s=&threadid=10634&perpage=15&pagenumber=3

    Maybe now this will prompt DarkOrb to upgrade to the next version.
     
    #1 sexy_guy, Jun 5, 2003
    Last edited: Jun 5, 2003
  2. sexy_guy

    Found this directory in our /usr/local/cpanel/3rdparty/mailman/lists:

    drwxrwsr-x 2 mailman mailman 4096 Jun 4 17:00 promoteus_money-matchmaker.com

    HOW DID IT GET THERE? There is no such domain on our box.

     
  3. sexy_guy

    Registrant: money-matchmaker.com

    Verenigde Natieslaan 116
    Antwerp, Belgium 2660
    Belgium

    Domain Name: money-matchmaker.com

    Administrative Contact:
    Scarlett Fair (PB2P5) eddy@money-matchmaker.com
    Verenigde Natieslaan 116
    Antwerp, Belgium 2660
    Belgium
    Phone: 011111111

    Technical Contact:
    Scarlett Fair (PB2P5) eddy@money-matchmaker.com
    Verenigde Natieslaan 116
    Antwerp, Belgium 2660
    Belgium
    Phone: 011111111

    Billing Contact:
    Scarlett Fair (PB2P5) eddy@money-matchmaker.com
    Verenigde Natieslaan 116
    Antwerp, Belgium 2660
    Belgium
    Phone: 011111111

    Record last updated on 2003-03-26 11:27:17.993
    Record created on 2003-02-28 18:09:47.500
    Record expires on 2004-02-28 18:09:47.500

    Domain servers in listed order:
    ns1.c-4.net <------------------- NOT US
    ns2.c-4.net <------------------- NOT US

     
  4. sexy_guy

    And nobody has any comments on this?

     
  5. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    It seems scary.. Did you see any other logs on this specific IP or domain coming in and how they did it?

    Brenden

     
  6. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    Maybe ask c4host to look into it; he/she is a member of the boards.

     
  7. sexy_guy

    I saw BDraco online, how come he did not comment on this situation? It seems the version of Mailman on our servers is exploitable by local users. We have been investigating this all morning and it seems it was done by a local user. He purchased an account, then he was terminated by the reseller. When his account was deleted it left his mailing list on the server, which he somehow used to insert his email address into our mailing list.

     
  8. tAzMaNiAc

    Or it could simply be a bug.

     
  9. sexy_guy

    Well, if cPanel would delete mailing lists when an account is closed, maybe this thing wouldn't be exploitable after the fact. That includes domlogs and a whole slew of crumbs left over that cPanel does not clean up after an account is deleted. Sure it's a bug, and an exploitable one at that.

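
An added example (not part of the original thread and not cPanel's own tooling): a shell check for the leftover lists described in the post above, flagging Mailman list directories whose domain suffix is not hosted on the server. It assumes the `<list>_<domain>` directory naming seen in this thread and a file of hosted domains, one per line; the function names, file locations and sample data are constructed for illustration.

```shell
#!/bin/sh
# Flag Mailman list directories whose domain is not hosted on this server.
# Assumption: directories are named <list>_<domain>, as in the listing above.
# Assumption: $2 is a file with one hosted domain per line (hypothetical path).

find_orphan_lists() {
    lists_dir=$1
    domains_file=$2
    for dir in "$lists_dir"/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        name=$(basename "$dir")
        case $name in
            *_*) domain=${name##*_} ;;       # text after the last underscore
            *)   continue ;;                 # list without a domain suffix
        esac
        # -F fixed string, -x whole line, -i ignore case, -q no output
        if ! grep -Fxiq -- "$domain" "$domains_file"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample tree so the check runs offline.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lists/newsletter_example.com" \
             "$tmp/lists/promoteus_money-matchmaker.com" \
             "$tmp/lists/old_news_gone.example" \
             "$tmp/lists/mailman"
    printf '%s\n' example.com example.org > "$tmp/localdomains"
    find_orphan_lists "$tmp/lists" "$tmp/localdomains"
    rm -rf "$tmp"
}

demo
```

On a real server, `find_orphan_lists` would be pointed at the lists directory named in this thread and at whatever file holds the server's hosted domains; each name it prints is a list to review before removal.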
     
  10. sexy_guy

    ** BUMP **

     
  11. c4host

    c4host Well-Known Member

    Joined:
    Mar 7, 2003
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    I got an email today from another host who had the same problem.

    I found the promotus on 3 of my servers. I host his account on one. He has no access to the others.

    I deleted all his mail lists, 5 of them:

    thinktank_money-matchmaker.com
    power_money-matchmaker.com
    powerlist_money-matchmaker.com
    friends_money-matchmaker.com

    and the promotus list.

    Until I get more information from him I won't suspend his account. I have had no complaints yet, but I have cancelled all his lists and limited his access to new ones.

    I also recently found an exploit to the cPanel reseller account if using the quota mod on the account.
    I will not post it.

    Email me privately. I did submit a bug report.

    Shane

     
  12. sexy_guy

    Hello, can you submit this to DarkOrb? We need Mailman upgraded to the latest so this stops.

     
  13. c4host

    Apparently they did upgrade today. I just did the manual upgrade 5 minutes ago.

     
  14. sexy_guy

    The version of Mailman still running is version 2.0.13, which is not the latest version, if that's what you mean.

     
  15. c4host

    Yes, I re-read the post and it seems they just disabled a function:

    <<<disable smtps until spam hole can be worked around>>

     
  16. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    :( :(
