kickster
03-12-2004, 07:16 PM
One of my clients has been accused of spamming. I am sure he has not done it. I looked at his server and found these files under his CGI directory:
cgiecho.is.exploitable
Cgimail
I have never seen this file. Does anyone have any info on this?
Someone has used his account to send mass email to AOL email addresses.
What do you think they could have used to do this?
datums
03-12-2004, 07:22 PM
Have you looked at the maillog file? Or exim_mainlog?
kickster
03-12-2004, 07:33 PM
This is the header of the spam email:
X-AOL-DATE: Tue, 17 Feb 2004 11:52:02 AM Eastern Standard Time
Return-Path: <irankick@metroid.vosn.net>
Received: from rly-yi03.mx.aol.com (rly-yi03.mail.aol.com [172.18.180.131]) by air-yi02.mail.aol.com (v98.6) with ESMTP id MAILINYI24-7b94032468c22f; Tue, 17 Feb 2004 11:52:01 -0500
Received: from metroid.vosn.net (metroid.vosn.net [209.197.232.13]) by rly-yi03.mx.aol.com (v98.5) with ESMTP id MAILRELAYINYI31-7b94032468c22f; Tue, 17 Feb 2004 11:51:28 -0500
Received: from irankick by metroid.vosn.net with local (Exim 4.24)
id 1At8RH-0001Xn-Gx; Tue, 17 Feb 2004 09:51:15 -0700
To: <Undisclosed Recipients>
From: TurnBackYourClock497@southnet.com
X-AOL-ORIG-From:
To: <Undisclosed Recipients>
From: TurnBackYourClock497@southnet.com
Content-Type: multipart/alternative; boundary=G5XM99XQTDQBq
Subject: Lose weight, have better sex, turn back time and retain your youth! Xi92 sjPVNw kCX Cv Bv W5H0m fFM i H ZhAF
Message-Id: <E1At8RH-0001Xn-Gx@metroid.vosn.net>
Date: Tue, 17 Feb 2004 09:51:15 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - metroid.vosn.net
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [32282 900] / [47 12]
X-AntiAbuse: Sender Address Domain - metroid.vosn.net
X-AOL-IP: 209.197.232.13
--G5XM99XQTDQBq
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
nY1
dsVbecL SZin ImPnKc Ya 4VW37akX4 1qgyYhH7tNXIQUWn pqr
gX1tBsDizhokz
qEAU TQD uxxe7cb7SVdv9 DE4B
0 dUvg SS XiH99T8
fsku rjt
9 XvtokrLEqP
fSFT4k
5ss moXHTX7Ax
AqB
XBlZjeqGhTeNEc8a 7 O zTuY 3IZXdaiqAGkc
3Sd6FyWhU b9C 8DjIxls fd WQduMMH yaYaJ6NS 3uqrv 5Am6ETAWV4N8LRm2ynTJRqreS nV789
--G5XM99XQTDQBq
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
MattF
03-12-2004, 08:20 PM
It may have been possible that the header has been forged, in which case, although an address on your server has been used, it might not have been sent through your server. Keep an eye on the exim logs and mail queue.
kickster
03-12-2004, 08:23 PM
The server is using Linux/cPanel.
Where are the exim logs and mail queue located?
xAngelx
03-13-2004, 12:08 AM
cgiecho.is.exploitable
That says it all. It should be named cgiecho but it's been renamed. Based on experience I'd say the hacker exploited that script and used it to spam. The hacker then thoughtfully renamed the file to cgiecho.is.exploitable to clue you in as to how he got access. Delete it and have the user change their password and that should be the end of it (by delete I mean right off the server).
kickster
03-13-2004, 01:30 AM
What do you mean by "right off the server"?
By the way the server shows that the file was created in 2003. About a year ago! Can they have modified the date to show 2003?
catchme
03-13-2004, 03:57 AM
Better run a check for rootkits. Things can get ugly very fast in a situation like this.
Is this your own server, or hosted by a third party?
ds
datums
03-13-2004, 10:58 AM
Received: from metroid.vosn.net (metroid.vosn.net [209.197.232.13
If this is your server, the email was received by AOL from this server. This cannot be forged. This header information was written by AOL's mailserver.
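An added example, not posted by anyone in the thread, showing how to act on the two points made so far: read the trusted part of the header (the hop written by the receiving server, and the local Exim hop with its message id and X-AntiAbuse UID/GID), then look that message id up in exim_mainlog to see which account submitted it. The header lines are the ones quoted above; the exim_mainlog lines are constructed in the Exim 4 layout and are not from the thread.

```python
import re
from typing import Dict, List, Optional

# Header lines quoted in the thread, trimmed to the hops that matter.
SPAM_HEADERS = """\
Received: from metroid.vosn.net (metroid.vosn.net [209.197.232.13]) by rly-yi03.mx.aol.com (v98.5) with ESMTP id MAILRELAYINYI31-7b94032468c22f; Tue, 17 Feb 2004 11:51:28 -0500
Received: from irankick by metroid.vosn.net with local (Exim 4.24)
 id 1At8RH-0001Xn-Gx; Tue, 17 Feb 2004 09:51:15 -0700
X-AntiAbuse: Originator/Caller UID/GID - [32282 900] / [47 12]
Message-Id: <E1At8RH-0001Xn-Gx@metroid.vosn.net>
"""

# Constructed exim_mainlog excerpt (Exim 4 layout, placeholder recipient/IP; not from the thread).
EXIM_MAINLOG = """\
2004-02-17 09:51:15 1At8RH-0001Xn-Gx <= irankick@metroid.vosn.net U=irankick P=local S=2345
2004-02-17 09:51:28 1At8RH-0001Xn-Gx => recipient@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2004-02-17 09:51:28 1At8RH-0001Xn-Gx Completed
"""

def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_origin(raw: str) -> Dict[str, object]:
    """Was the message submitted locally on our host, by which user/UID, under which Exim id?"""
    info: Dict[str, object] = {"local": False}
    for h in unfold(raw):
        # 'with local' means Exim accepted it from a local process, not over SMTP from elsewhere.
        m = re.match(r"Received: from (\S+) by (\S+) with local .*? id ([^;\s]+);", h)
        if m:
            info.update(local=True, local_user=m.group(1), host=m.group(2), exim_id=m.group(3))
        m = re.match(r"X-AntiAbuse: Originator/Caller UID/GID - \[(\d+) (\d+)\]", h)
        if m:
            info.update(uid=int(m.group(1)), gid=int(m.group(2)))
    return info

def trace_in_mainlog(log: str, exim_id: str) -> Dict[str, object]:
    """Pull the exim_mainlog entries for one message: submitting account (U=) and delivery count."""
    entries = [l for l in log.splitlines() if f" {exim_id} " in l]
    user: Optional[str] = None
    for l in entries:
        m = re.search(r" <= \S+ U=(\S+) P=(\S+)", l)
        if m:
            user = m.group(1)
    return {"user": user, "deliveries": sum(" => " in l for l in entries), "lines": entries}
```

With the real log, grep the full exim_mainlog for the message id from the Message-Id header and the account named by U=; a P=local submission under a web user's UID points at a script run from that account rather than at a forged header.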
wKkaY
03-13-2004, 12:21 PM
Originally posted by kickster
By the way the server shows that the file was created in 2003. About a year ago! Can they have modified the date to show 2003?
Try using 'stat' on the file instead. It tells you the access, modify, and change times.
kickster
03-13-2004, 01:02 PM
I spoke to VO people and they inform me that the cgiecho.is.exploitable was named by them. They search the servers and look for exploitable files and rename them.
I don't know what script they used to send the spam.