  1. #1

    * POP3 login refused after removing hack-script

    I am running a CPanel/WHM Webserver on RH

    After removing a hack-script in the apache/proxy directory, nobody can get their mail from the POP server. They always get their password refused. With webmail there is no problem!

    So I am afraid that the hack-script was reading the passwords from the POP requests, and then handing them through.

    I have already managed to reinstall popt, but this didn't work out!

    Can anybody help me to get the POP3 to work again?

    Taco
    Last edited by t.wannee; 05-24-2005 at 06:45 AM.

  2. #2
    I'm not that familiar with cPanel, but it might be worth posting the "hack-script", perhaps, if it's a non-standard thing?

    And since I'm curious, why did you remove it?

  3. #3

    Hack-script

    I am used to catching those scripts, usually in /tmp, but in the last months they tend to be stored in apache/proxy.

    So I made a script, which I put in cron to run every 5 minutes, that removes all files in these directories owned by nobody that have execute rights.
    This is reasonably effective in fighting those hackers...

    So I can't tell you any more what script it was...

    Taco

  4. #4
    You should never do something like that! I would highly suggest modifying the script to have it place them in a root-owned directory. By deleting them you take away the chance to easily investigate what went wrong. If you think you are doing good by removing the file, consider that most script kiddies today have the file download and execute immediately, so by the time you have deleted it they have already done what they want. You should look at securing your server so they cannot get on the server in the first place!

    Now as for the POP3, can they log in to their FTP accounts, or do those not work as well? You may just try an upcp --force.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service
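
The safer variant of the cron cleanup script that the reply above recommends, as an added example (not code from either poster): it quarantines rather than deletes executable files owned by the web-server user, records path, hash and original mode in a manifest, and strips the execute bits. The owner name, the quarantine directory and the directories to scan are parameters; the cPanel paths and the user "nobody" are assumptions.

```shell
#!/bin/sh
# Quarantine, rather than delete, executable files owned by the web-server
# user in the directories the cron job watches, so the dropped script can be
# inspected later. Assumed: the quarantine directory is root-owned and the
# web server runs as "nobody" (pass the real user name as the first argument).
quarantine_dropped_files() {
    # usage: quarantine_dropped_files OWNER QUARANTINE_DIR DIR...
    # prints the number of files quarantined
    owner="$1"; qdir="$2"; shift 2
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    manifest="$qdir/manifest.log"
    list=$(mktemp) || return 1
    # collect candidates first: regular files, right owner, any execute bit set
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            find "$dir" -type f -user "$owner" \
                \( -perm -u=x -o -perm -g=x -o -perm -o=x \) -print
        fi
    done > "$list"
    n=0
    stamp=$(date +%Y%m%d%H%M%S)
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")
        dest="$qdir/$stamp-$n-$sum-$(basename "$f")"
        # record path, hash and original mode before moving, so the manifest
        # survives even if the move itself fails
        printf '%s\t%s\t%s\t%s\n' "$stamp" "$sum" "$mode" "$f" >> "$manifest"
        # strip every execute bit once in quarantine so it cannot be run there
        mv "$f" "$dest" && chmod 0400 "$dest" && n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}
```

Run it from cron as root with something like `quarantine_dropped_files nobody /root/quarantine /usr/local/apache/proxy /tmp` (paths assumed); the manifest hashes let you match the sample against later incidents.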

  5. #5

    FTP is ok, did upcp --force

    I will adjust the clean-script after I get the POP3 to work properly again.

    In /var/log/messages I only see a log entry like:

    May 24 14:12:04 f4 ipop3d[25940]: Login failed [email protected] [email protected] host=ip51cfda70.direct-adsl.nl [81.207.218.112]

    Will there be another place with more detailed errors?

    Taco

  6. #6
    My clients are getting impatient.

    Does someone have good experience with a company that delivers support on a commercial basis to solve such a problem?

    Taco

  7. #7
    Try to verify the exact error by using the following commands on the shell:

    telnet $yourip 110
    user $username
    pass $password

    Did you verify if it's a server-wide problem or limited to a particular domain or user? If you are searching for POP authentication logs, I think you should use /var/log/maillog as on cPanel servers, or you could check /etc/syslog.conf to find out where it is logged (if you made any changes in the process).
    SupportExpertz.com - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support
