  1. #1

    SPAM coming from my server

    I have:
    WHM 10.8.0 cPanel 10.9.0-R44
    CentOS 3.8 i686 - WHM X v3.1.0

    I've gotten several complaints through spamcop in the last several weeks. The headers show the spam mails coming from nobody@ my server and they show the originating IP as my server. The datacenter is threatening to shut me down.

    I've looked in the mail queue and haven't found any of the sent spam mails in there (or bounces from them). I am getting bounces into horde that were apparently sent from me.

    How do I find which client is sending them? Or maybe the server has been hacked and spam software uploaded somewhere?

    I don't know where/how to begin tracking this problem down.

  2. #2
    I would suggest hiring a server management company to track this down ASAP... or you might be able to get your datacenter to do it for a fee... but from the sound of it, you need to hire someone to look into this for you and secure your server to prevent this from happening again.

    There are several good companies:

    touchsupport
    Acunett
    PSM

  3. #3
    Can you shut down the server's ability to send mail temporarily? I have no clue how to do this, just thinking aloud in case it may be of any help.

  4. #4
    If you have a separate mailserver, forward mail to your mailserver instead of letting your webserver deliver it. That way it can go through your outgoing spam filters.

    You can also monitor your queue, or replace the original sendmail with a bash script that pipes the email through the original sendmail, but logs the message first into a temporary file. This allows you to read certain environment variables from the script that's sending the email. It won't give you the script, but it will give you the directory of the script. This is, of course, assuming you're not using suphp or phpsuexec, or another cgi wrapper.

    Good luck.
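The logging wrapper described in this post, written out as an added example (not code from the thread or from cPanel). Paths, variable names and the `sendmail.real` location are assumptions; under mod_php every call arrives as uid `nobody`, so the calling directory and the CGI variables Apache exports are what identify the account.

```sh
#!/bin/sh
# Added example, not from the thread: a logging wrapper for sendmail.
# Assumed installation: mv /usr/sbin/sendmail /usr/sbin/sendmail.real, put this script at
# /usr/sbin/sendmail with the same owner and mode, and end the installed copy with:
#     wrap_sendmail "$@"
# (left out here so the functions can be sourced and tested without reading stdin).

# Append one record describing the caller: uid, working directory (the script's directory
# under mod_php), saved copy path, sendmail arguments and the CGI variables if present.
log_caller() {
    logfile="$1"; copy="$2"; shift 2
    {
        printf '%s uid=%s pwd=%s copy=%s args=%s\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$PWD" "$copy" "$*"
        printf '    SCRIPT_FILENAME=%s SCRIPT_NAME=%s REMOTE_ADDR=%s HTTP_HOST=%s\n' \
            "${SCRIPT_FILENAME:-}" "${SCRIPT_NAME:-}" "${REMOTE_ADDR:-}" "${HTTP_HOST:-}"
    } >> "$logfile"
}

# Save the message to a spool directory, log the caller, then feed the saved copy to the
# real sendmail with the original arguments so delivery itself is unchanged.
# Returns the real sendmail's exit status. Overridable via environment for testing.
wrap_sendmail() {
    real="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"
    logfile="${LOGFILE:-/var/log/sendmail-wrapper.log}"
    spool="${SPOOL_DIR:-/var/spool/sendmail-wrapper}"
    mkdir -p "$spool" || return 1
    copy=$(mktemp "$spool/msg.XXXXXX") || return 1
    cat > "$copy"
    log_caller "$logfile" "$copy" "$@"
    "$real" "$@" < "$copy"
}

# Tally which scripts sent the most mail, which is the question the thread starter asks.
top_senders() {
    grep -o 'SCRIPT_FILENAME=[^ ]*' "$1" | sort | uniq -c | sort -rn
}
```

The spool copies keep the full message, so once `top_senders` points at a directory you can compare the saved mails with the spamcop complaints before touching the account.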

  5. #5
    I found someone to hire who can fix the problem.

    Thanks everyone!

  6. #6

  7. #7
    The person I hired says I was hacked, which is exactly what I had a gut feeling about.

    Usually, I can figure out how to fix a server problem myself, but this time, I felt like I was going to get in over my head so I took the easy way out and found a real expert. :p

    I can't express how much I appreciate WHT. I've gotten so much help here and I've learned so much.

    Quote Originally Posted by hostingvince
    Hi,
    The following on cPanel forums may help a bit:

    http://forums.cpanel.net/showthread.php?t=59637

    - Vince
    Thanks!! That's a BIG help.

  8. #8
    Quote Originally Posted by junglecat
    The person I hired says I was hacked, which is exactly what I had a gut feeling about.

    Usually, I can figure out how to fix a server problem myself, but this time, I felt like I was going to get in over my head so I took the easy way out and found a real expert. :p
    You should find someone else, then, to check this person's work. It's almost a certainty that the server was not "hacked". It is highly likely that either an account on the server had a weak password which was cracked and a spamming script uploaded, or that an account on the server has an unsecured php application through which the spammer gained access and relayed mail. It is an easy matter to solve either of those problems.

  9. #9
    Quote Originally Posted by thetimehascome
    You should find someone else, then, to check this person's work. It's almost a certainty that the server was not "hacked". It is highly likely that either an account on the server had a weak password which was cracked and a spamming script uploaded, or that an account on the server has an unsecured php application through which the spammer gained access and relayed mail. It is an easy matter to solve either of those problems.
    The hacking wasn't related to the spamming. I found a mod_rootme on there myself before I hired him, he found a backdoor that I assume was from that. I thought I had taken care of the trojan, because I had deleted all related files and changed the root password and the trojan was not re-uploaded after that, and nothing happened, so I thought I was safe.

    But then the spam started and a couple other odd problems were cropping up, so I got a feeling this had gotten beyond my capability to handle.

    Don't tell me how foolish I was to assume I had taken care of the original problem. I'm aware of that. I learned a lesson. I won't make a mistake like that again. I was stupid.

    I hired help for the spamming problem PLUS to make the server secure.

    (PS, I talked to people who have hired this guy before I hired him).

  10. #10
    If the server was rooted, the only safe way to secure it is to wipe it and start over.

  11. #11
    Please, what company did you hire to fix this problem? I have the same problem: I disabled exim temporarily and I need a company to stop messages being sent from my server.

    Best regards.

  12. #12
    try rack911, platinumservermanagement, serverwizards - to think of just 3 that are usually referred to in the Managed Hosting forum.

  13. #13
    So I contact one of them ?

  14. #14
    Next time you get your server up and running, may I suggest a few different easy steps to help prevent this:

    1. Log in to WHM as root > go to Tweak Settings > disable nobody sending e-mails in the mail section

    2. Log in via SSH and su to root, or log in as root > cd /scripts > run ./securetmp

    3. Install APF, BFD, Mod_security. Write some basic rules for mod_security to disable injections such as Bcc: and the like.

    4. Install a Root Kit Scanner, and frequently scan.

    5. Install a good spam solution.

    Best Regards,

    -Shaun-

  15. #15
    Quote Originally Posted by Shaun
    1. Log in to WHM as root > go to Tweak Settings > disable nobody sending e-mails in the mail section
    Unless he's running phpsuexec, this will prevent all of his users' scripts from sending email, which will probably make a lot of legitimate email-sending customers angry.
