  1. #1

    (HelpPlease) Someone is sending spam emails from my VPS...

    I'm almost fed up with the half butt ticket replies, hence I'm seeking help here... A client on a VPS I resell to them keeps getting blacklisted... I changed the WHM & cPanel passwords asap yesterday.. After viewing the queued emails in WHM I found out the emails were being sent from an email address not on my client's domain. I admit I am no expert in servers.

    Here is what one of the blacklist websites gave me:


    Received: from Debian-exim by obfuscated2 with spam-scanned (Exim 4.71)
    (envelope-from <[email protected]>)
    id 1W1F2j-00019o-Gp
    for [email protected]e; Thu, 09 Jan 2014 07:49:08 -0500
    Received: from [173.231.12.86] (port=52413 helo=vps.mydomain.org)
    by obfuscated2 with esmtp (Exim 4.71)
    (envelope-from <[email protected]>)
    id 1W1F2j-00019b-B1; Thu, 09 Jan 2014 07:49:01 -0500
    Received: from [213.136.237.103] (port=57487 helo=User)
    by vps.mydomain.org with esmtpa (Exim 4.80.1)
    (envelope-from <[email protected]>)
    id 1W1EFL-00057u-LA; Thu, 09 Jan 2014 14:58:00 +0300
    Reply-To: <[email protected]>
    From: "Discover Card"<[email protected]>
    Subject: We noticed unusual activity in your Discover account YCXMBOQQGB
    Date: Thu, 9 Jan 2014 12:57:58 +0100
    MIME-Version: 1.0
    charset="Windows-1250"

    Dear Valued Customer,
    We detected irregular activity on your Discover Card.
    Check Card on 9th January 2014.
    As the Primary Contact, you must verify your account activity before you can continue using your card, and upon verification, we will remove any restrictions placed on your account.
    To review your account as soon as possible please.
    Please click on the link below to verify your information with us:
    http://218.30.99.119


    If you account information is not updated within 48 hours then your ability to access your account will be restricted.
    We appreciate your prompt attention to this important matter.
    2014 Discover Bank. All rights reserved.



    My question is how are they sending emails from this email address on my server and how can I stop it? I hope the tidbits I've provided are enough to help isolate the problem. I appreciate any help in advance and can answer any questions. Thanks.
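    The Received chain above already answers the "how": the bottom hop shows the message entering vps.mydomain.org from 213.136.237.103 "with esmtpa", and the trailing "a" means SMTP AUTH succeeded, i.e. a mailbox password on the server was used. The following is an added example (not from the thread) that unfolds a header block and reports the injection hop, the protocol and the Exim message id to look up in the mail log; the header text is reconstructed from the post, and the host name vps.mydomain.org is taken from it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the Received chain quoted above (newest hop first, as in a
# real message), laid out as folded header lines the way a mail client shows them.
RAW_HEADERS = """\
Received: from Debian-exim by obfuscated2 with spam-scanned (Exim 4.71)
    id 1W1F2j-00019o-Gp
Received: from [173.231.12.86] (port=52413 helo=vps.mydomain.org)
    by obfuscated2 with esmtp (Exim 4.71)
    id 1W1F2j-00019b-B1; Thu, 09 Jan 2014 07:49:01 -0500
Received: from [213.136.237.103] (port=57487 helo=User)
    by vps.mydomain.org with esmtpa (Exim 4.80.1)
    id 1W1EFL-00057u-LA; Thu, 09 Jan 2014 14:58:00 +0300
"""

# One Exim-style hop: "from [ip] (port=N helo=X) by host with protocol".
HOP_RE = re.compile(
    r"from\s+\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?:\s+\((?:port=\d+\s+)?helo=(?P<helo>[^)\s]+)\))?"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)"
)
ID_RE = re.compile(r"\bid\s+([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})")  # Exim message id

def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def find_injection_hop(raw: str, my_host: str) -> Optional[Dict[str, str]]:
    """Return the hop where the message entered my_host, with a verdict on how."""
    for header in unfold(raw):
        m = HOP_RE.search(header) if header.startswith("Received:") else None
        if not m or m.group("by") != my_host:
            continue  # no client IP (the local Debian-exim hop) or a downstream relay
        hop = m.groupdict()
        idm = ID_RE.search(header)
        hop["exim_id"] = idm.group(1) if idm else ""   # grep this in the Exim mainlog
        if hop["proto"] in ("esmtpa", "esmtpsa"):      # trailing 'a' = SMTP AUTH succeeded
            hop["verdict"] = "authenticated submission: a mailbox password on this server is in use"
        else:
            hop["verdict"] = "no SMTP AUTH: look at relay rules and web scripts on the box"
        return hop
    return None
```

For the headers in the post this returns ip 213.136.237.103, proto esmtpa and id 1W1EFL-00057u-LA, which points at a stolen mailbox password rather than a web script.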

  2. #2
    Step one is going to be to adjust this client's account immediately until it gets cleaned up (password protect his site). If you outright suspend the client then they will not be able to log in and take corrective action.

    Most likely a script your client is running on their web site was compromised and is being used to send emails out. I would hazard a guess that at least one of their scripts is not running the latest version.

    Also, make sure you are running mod_security with some decent rules to help block some of the traffic incoming to your server that would take advantage of security holes in scripts.

    Also make sure your server itself is up to date with patches.

    It is very easy to set the "from" address of an email to whatever someone wants it to be.
    Tim Benoit

  3. #3
    Quote Originally Posted by tbenoit:
    Step one is going to be to adjust this client's account immediately until it gets cleaned up (password protect his site). If you outright suspend the client then they will not be able to log in and take corrective action.

    Most likely a script your client is running on their web site was compromised and is being used to send emails out. I would hazard a guess that at least one of their scripts is not running the latest version.

    Also, make sure you are running mod_security with some decent rules to help block some of the traffic incoming to your server that would take advantage of security holes in scripts.

    Also make sure your server itself is up to date with patches.

    It is very easy to set the "from" address of an email to whatever someone wants it to be.
    The client has one website on the VPS and it's WP based. Are you saying that someone is sending emails via a script or hack in the website? And that hole is somehow giving them access to the VPS? The site is updated to the newest version of WP.

    How could I verify this is how the mail is being sent?

  4. #4
    Is the IP address correct though? Even if the domain isn't?
    Also is the VPS operating system Debian?

    With access to an SMTP server a client can send from any domain they like, doesn't need any verification, but SPF records (can be added in cPanel) will at least protect your own domain name from being used by others.

    First thing I think of though as it's not the first time blacklisted, is that the client is actually sending such emails - I couldn't guarantee that though, for all I know you might trust this client 100%.

  5. #5
    It is not uncommon at all for WordPress or its plugins to be exploited. You state he is running the very latest version of WordPress, which is good. I would ask if it was updated before, or after, his site started sending out SPAM. Also, the exploit could be one of the plugins.

    You can look for processes running on the server (ps -ef) to see what may be sending email, and then track down the file and inspect it to see if it is legitimate and if not to delete it.

    Definitely make sure your server is updated, firewall is in place (csf would be good, which also installs lfd to monitor certain things), mod_security setup and running.
    Tim Benoit

  6. #6
    Quote Originally Posted by iexo:
    Is the IP address correct though? Even if the domain isn't?
    Also is the VPS operating system Debian?

    With access to an SMTP server a client can send from any domain they like, doesn't need any verification, but SPF records (can be added in cPanel) will at least protect your own domain name from being used by others.

    First thing I think of though as it's not the first time blacklisted, is that the client is actually sending such emails - I couldn't guarantee that though, for all I know you might trust this client 100%.
    The client is a church and I know all the employees so I doubt it's internal. It's a cPanel server and the first time they have been blacklisted.



    Quote Originally Posted by tbenoit:
    It is not uncommon at all for WordPress or its plugins to be exploited. You state he is running the very latest version of WordPress, which is good. I would ask if it was updated before, or after, his site started sending out SPAM. Also, the exploit could be one of the plugins.

    You can look for processes running on the server (ps -ef) to see what may be sending email, and then track down the file and inspect it to see if it is legitimate and if not to delete it.

    Definitely make sure your server is updated, firewall is in place (csf would be good, which also installs lfd to monitor certain things), mod_security setup and running.
    I will check the plugins now but the rest of your suggestions are lost on me due to my level of expertise. I still thank you though. Just mind boggling how the site could be hacked to send emails on the server.

    I wish there was a way in cPanel or WHM to find how the emails are being sent.

  7. #7
    Quote Originally Posted by ilovetheheat:
    I wish there was a way in cPanel or WHM to find how the emails are being sent.
    The exim logs may help you there.

    Is this a managed server? If so your provider may be willing to take a look. If not you might want to consider hiring someone to help you with this, and to check that the server is secured as well as possible.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  8. #8
    Quote Originally Posted by foobic:
    The exim logs may help you there.

    Is this a managed server? If so your provider may be willing to take a look. If not you might want to consider hiring someone to help you with this, and to check that the server is secured as well as possible.
    Forgive the noob question but how do I check the exim logs?

  9. #9
    I'd log in as root and:
    Code:
    grep "discover" /var/log/exim/mainlog
    (or use any other keyword that may be relevant) but I think cPanel uses a different location (exim_mainlog?) - no doubt others can confirm.
    Chris


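    The grep above finds the message, but what actually stops the sending is knowing which mailbox authenticated. On cPanel the log is /var/log/exim_mainlog, and each accepted message is a "<=" line carrying the client IP (H=), the protocol (P=) and, when SMTP AUTH was used, the mailbox (A=dovecot_login:user). The following is an added example (not from the thread) that tallies accepted messages per authenticated mailbox and client IP over constructed log lines in that shape; the IP 213.136.237.103 is the one from the headers in this thread, while the example.org mailboxes, recipients and message ids are made up.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of Exim's "message accepted" (<=) log lines as
# cPanel writes them to /var/log/exim_mainlog. The client IP is the one from the
# headers in this thread; mailbox names, recipients and ids are made up.
SAMPLE_MAINLOG = """\
2014-01-09 14:57:58 1W1EFK-00057q-2x <= office@example.org H=(User) [213.136.237.103]:57480 P=esmtpa A=dovecot_login:office@example.org S=2214 T="We noticed unusual activity in your Discover account" for a@example.net
2014-01-09 14:58:00 1W1EFL-00057u-LA <= office@example.org H=(User) [213.136.237.103]:57487 P=esmtpa A=dovecot_login:office@example.org S=2214 T="We noticed unusual activity in your Discover account" for b@example.net
2014-01-09 14:58:04 1W1EFL-00057u-LA => b@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]
2014-01-09 14:58:09 1W1EFP-00058c-Mn <= office@example.org H=(User) [213.136.237.103]:57502 P=esmtpa A=dovecot_login:office@example.org S=2214 T="We noticed unusual activity in your Discover account" for d@example.net
2014-01-09 15:02:11 1W1EFR-0005A1-Qe <= pastor@example.org H=office-pc.example.org (office-pc) [198.51.100.7] P=esmtpsa A=dovecot_login:pastor@example.org S=3100 T="Sunday bulletin" for c@example.net
2014-01-09 15:05:40 1W1EFU-0005C3-Tz <= bounce@example.com H=mail.example.com [203.0.113.9] P=esmtp S=1800 T="Re: hall booking" for office@example.org
"""

# Fields we need from a "<=" line: timestamp, message id, sender, host info, protocol, SMTP AUTH.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)? "
    r"P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?"
)

def triage(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count accepted messages per (authenticated mailbox, client IP); '-' = no SMTP AUTH."""
    counts: Counter = Counter()
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue   # deliveries (=>), deferrals and other lines are not acceptances
        auth = m.group("auth") or "-"
        if ":" in auth:
            auth = auth.split(":", 1)[1]   # drop the authenticator name (dovecot_login:)
        counts[(auth, m.group("ip"))] += 1
    return dict(counts)

def suspects(lines: Iterable[str], threshold: int = 2) -> List[Tuple[str, str]]:
    """Mailboxes worth a password reset: authenticated sends at/above threshold from one IP."""
    return sorted(k for k, n in triage(list(lines)).items() if k[0] != "-" and n >= threshold)
```

Run it against the real file with `triage(open("/var/log/exim_mainlog"))`; the mailbox that tops the list is the one whose password needs changing, and a sudden flood of authenticated sends from one unfamiliar IP is the pattern to watch for in future.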
  10. #10
    I've established that the server is indeed being used by someone to send emails via SMTP... How do I stop this? What can I do to stop this?

  11. #11
    I also can no longer log in. It looks like the WHM and cPanel passwords have been changed. Crap.... I may be switching hosts soon....... They are not replying to tickets and I have no idea what to do. Clients are calling me and I have no answers....

  12. #12
    Do you have access to a management panel (SolusVM or similar)? If so you should be able to log in through the console and block all access except for your IP. Or if you don't know how, just shut it down to prevent further damage until you find someone who'll do it for you - the provider (if it's managed) or an independent sysadmin.

    Do you have offsite backups?
    Chris


  13. #13
    Quote Originally Posted by foobic:
    Do you have access to a management panel (SolusVM or similar)? If so you should be able to log in through the console and block all access except for your IP. Or if you don't know how, just shut it down to prevent further damage until you find someone who'll do it for you - the provider (if it's managed) or an independent sysadmin.

    Do you have offsite backups?
    Good advice. Sadly, I can't shut the server down because the client relies on their website and emails for business.

    Is there a way via WHM or cPanel to block emails sent from a certain IP? I've located the IP sending the emails.. How can I block that IP?

  14. #14
    Quote Originally Posted by ilovetheheat:
    Good advice. Sadly, I can't shut the server down because the client relies on their website and emails for business.

    Is there a way via WHM or cPanel to block emails sent from a certain IP? I've located the IP sending the emails.. How can I block that IP?
    You can block their IP in CSF or iptables; if you don't know how to manage iptables you should install CSF, which integrates very well with WHM.

    See the following link for CSF installation instructions:
    http://configserver.com/free/csf/install.txt

    However, blocking the IP address is unlikely to stop the SPAM, as the attacker will just use another IP address. You should ensure that "Track email origin via X-Source email headers" is set to On in WHM > Tweak Settings > Mail.

    A malware scan probably isn't a bad idea, look into running maldet or shellfinder, but it sounds like you need a managed server.

  15. #15
    Quote Originally Posted by ilovetheheat:
    Good advice. Sadly, I can't shut the server down because the client relies on their website and emails for business.

    Is there a way via WHM or cPanel to block emails sent from a certain IP? I've located the IP sending the emails.. How can I block that IP?
    If you have installed a friendly firewall interface (for example: csf) you can enter that IP in its WHM/cPanel interface to deny access both inbound and outbound.

    However, if you no longer have control over your server (you stated the WHM and cPanel passwords have been changed) then I would suggest the responsible thing to do is to shut down the server as it may be able to be used for anything at this point. If they have your WHM password, they have root access and can do anything they wish.
    Tim Benoit

  16. #16
    Quote Originally Posted by ilovetheheat:
    A client on a VPS I resell
    I admit I am no expert in servers.
    I think this is the whole problem right here.

  17. #17
    Quote Originally Posted by kpmedia:
    I think this is the whole problem right here.
    Sad but true. This could go down a bad road, but let's leave it as such.
