  1. #1

    * Spam trouble with layeredtech, what do I have to do?

    I ordered a server from server4sale, the reseller of layeredtech. Today I received a ticket letting me know that my server will be disconnected in the next 24h due to spamming.
    I don't know what I have to do. I contacted the reseller & they tell me I have to upgrade my management plan
    (or it will cost me $65 per hour); then they will help me with my trouble.

    I'm sure that I never spammed other websites.
    Please give me your advice.


    Hello You,

    Please investigate the abuse issue within 24 hours or the server will be
    disconnected by data center.

    Server ID: 2xxxx
    Server Name: LTCT-1xxx-Server4Sale-4xx-2xxxx
    Base IP:

    Subject: Policy Enforcement CIDxxxx SIDxxxxx LTCT-1xxx-Server4Sale-4xx-2xxxx Spam Web

    NOTES: Cease & Desist the spamming of Blogs, guestbooks and forums from our
    network. Work through the Exploit Removal Instructions located
    below my signature block.

    - - [24/Jan/2007:00:12:56 -0800] /wp-trackback.php?p=61 HTTP/1.0" 200 79 "TrackBack/1.02"
    - - [24/Jan/2007:02:52:02 -0800] "POST /wp-trackback.php?p=143 HTTP/1.0" 200 78 "TrackBack/1.02"
    - - [24/Jan/2007:03:02:55 -0800] /wp-trackback.php?p=91 HTTP/1.0" 200 79 "-" "TrackBack/1.02"
    - - [24/Jan/2007:02:52:52 -0800] /wp-trackback.php?p=140 HTTP/1.0" 200 79

    Dear Client,

    This Policy Enforcement Notice for Acceptable Use Policy violation available at is issued based on complaints or logs
    attached or included below. All domains, sites, users, or exploits causing this
    issue must be removed from the server and our network. If you believe the
    complaints or logs are wrong or the IP of the abuse is not your server, we will
    review the issue again.

    You must reply to this notice within the time frame given to avoid
    disconnection. Pending your reply with your comments, questions, or actions to
    resolve this issue, the server is:

    [] Monitored for Additional Violations
    [] Accessed for Investigation, Cleaning, Hardening, or Securing
    [x] Disconnected in: [x] 24-Hours [] 12-Hours [] 6-Hours [] 3-Hour [] 0-Hours
    [] Required Reload Request with: [] New Client Required [] No Data Recovery []
    Data Recovery Allowed
    at under "Open a Ticket"
    [] Hard Drives Seized for Investigation
    [] Null-Routed
    [] Port Shutdown
    [] On 30-Day Probation
    [] Reviewed for Possible Cancellation
    [] Cancelled

    For the following reasons:

    [] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a
    Person Under Legal Age
    [] Copyright L Hosting, Distributing, or Linking to Copyright Infringed
    [] Cracking H Brute Force Access of Secured Network Devices
    [] DoS H Denial of Service Attack of Network Devices
    [] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
    [] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
    [] Hacking H Circumventing Security Systems of Network Devices
    [] HYIP Site M Hosting or Linking to a Website of High Yield Investment
    Program, Ponzi Scheme, or Pyramid Scheme
    [] ID Theft H Hosting, Distributing, or Linking to Stolen Account
    Identification Information
    [] Infection M Hosting, Distributing, or Linking to Exploits, Trojans, Viruses,
    or Worms
    [] IRC Malicious M Malicious Use of Internet Relay Chat
    [] IRC Unregistered L Internet Relay Chat Server not Registered with Layered
    [] Pharmaceuticals M Hosting, Distributing, or Linking to Pharmaceutical/Drug
    [] Phishing H Identity Theft by Email Under False Pretense
    [] ROKSO Spamhaus C ROKSO Blacklisting of an IP at for
    Malicious Activity
    [] Scanning M Probing for Vulnerabilities of Network Devices
    [] Shells H Hosting Accounts Primarily for Shell Access
    [] Spam Cannon E Sending High Volume Spam (UCE or UBE)
    [] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email
    [] Spam List M Hosting, Distributing, or Linking to Email Address Lists for
    [] Spam Proxy H Hosting an Open Proxy Server Used for Spam
    [] Spam Relay H Hosting an Open Mail Relay Used for Spam
    [] Spam Hijack H Distributing Spam Through a Third Party Server Vulnerability
    [] Spam Site L A Site Advertised by Spam Email or Spam Web
    [] Spam Ware M Hosting, Distributing, or Linking to Software Designed for
    [x] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs,
    Forums, or Guestbooks
    [] Terrorist Site H Hosting or Linking to a Site Advocating Terrorism
    [] Tools L Hosting, Distributing, or Linking to Cracking, DoS, Forgery,
    Infection, or Scanning Software or Instruction
    [] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed
    [] Wares L Hosting, Distributing, or Linking to Cracks, Hacks, KeyGens,
    Serials, or Pirated Software
    [] Web Spider M Use of a Web Spider, Crawler, or Bot for Unauthorized
    Connection to 3rd Party Web Servers

    [] OTHER:

    Following is a table explaining the typical times allowed for a response from
    clients informing us of their active investigation into an abuse issue. These
    times are not a guarantee and may be reduced on a case-by-case basis depending
    on abuse history, number of current complaints, upstream provider requirements,
    and other factors:

    L = 24-Hour Low Issue
    M = 12-Hour Medium Issue
    H = 6-Hour High Issue
    C = 3-Hour Critical Issue
    E = 0-Hour Emergency Issue

    Thank you for your cooperation,

    Layered Technologies Abuse Team

    Thank you,

    Layered Technologies
    Policy Enforcement Technician



    1. Execute the following 3 command lines as root by copy/paste. This will
    harden files commonly abused to upload exploits and will check for possible
    existing exploits. This script only searches for possible exploits owned by the
    webserver username, but it is possible that exploits could have been uploaded by
    a current or previous user account to the searched directories. So, you still
    need to manually investigate all files in the searched directories even if the
    script returns no results. Possible exploits found should be investigated and
    removed, followed by rebooting the server to kill any running exploit processes.
    You can refer to the "exploits" file generated by these commands for
    later reference.


    echo -e "\tCHOWN";chown -vv 0:0 `which curl fetch wget`;echo -e "\n\tCHMOD";chmod -vv 0750 `which curl fetch wget` 2>&-

    echo -e "\n\tEXPLOIT SEARCH"|tee exploits;for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp;do ls -loAFR $x 2>&-|grep -E "^/| apache | nobody | unknown | www | web | htdocs "|grep -E "^/|^[bcdlsp-]|\.pl$"|grep -Ev "sess_"|tee -a exploits;done

    echo -e "\n\tEXPLOIT SUMMARY";echo -e "Block File: \t\t`grep -Ev "^/" exploits|grep -E "^b"|wc -l|tr -d ' '`";echo -e "Character File: \t`grep -Ev "^/" exploits|grep -E "^c"|wc -l|tr -d ' '`";echo -e "Directory: \t\t`grep -Ev "^/" exploits|grep -E "^d"|wc -l|tr -d ' '`";echo -e "Symbolic Link: \t\t`grep -Ev "^/" exploits|grep -E "^l"|wc -l|tr -d ' '`";echo -e "Socket Link: \t\t`grep -Ev "^/" exploits|grep -E "^s"|wc -l|tr -d ' '`";echo -e "FIFO: \t\t\t`grep -Ev "^/" exploits|grep -E "^p"|wc -l|tr -d ' '`";echo -e "Regular File: \t\t`grep -Ev "^/" exploits|grep -E "^-"|wc -l|tr -d ' '`"


    2. You should also install and run rkhunter
    ( which is a scanning tool
    to ensure that you are about 99.9% clean of rootkits, backdoors, and local
    exploits. If any rootkits, backdoors, or local exploits are found by rkhunter,
    then the server will require a reload of your system at under "Open A Ticket" and you can
    request to mount the existing drive as a slave for data recovery.

    On BSD systems:
    cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c

    On RedHat, Fedora, CentOS systems:
    yum -y install rkhunter; rkhunter -c

    3. If you cannot do the above steps, our staff will do it along with a manual
    investigation, hardening, and cleaning for a fee or you can hire a 3rd party
    company to do it.


    You should configure the following in your WHM (CPanel):

    Main >> Server Configuration >> Tweak Settings

    [x] Prevent the user 'nobody' from sending out mail to remote addresses (php
    and cgi scripts generally run as nobody if you are not using phpsuexec and
    suexec respectively.)

    [x] Track the origin of messages sent through the mail server by adding the
    X-Source headers (exim 4.34+ required)

    Main >> Security >> Fix Insecure Permissions (Scripts)

    Main >> Security >> Tweak Security

    "Compilers are disabled for unprivileged users"

    Main >> Service Configuration >> Enable/Disable SuExec

    suexec Status "enabled"

    Main >> Account Functions >> Disable or Enable Demo Mode

    Select from "Users" the "demo" account and click
    "Modify" then click "Disable" if it exists

    Thank you
    Last edited by sakibin; 01-26-2007 at 03:09 AM.
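The notice's "exploit search" above is an `ls -R | grep` chain that is easy to garble in copy/paste and prints only a count per file type. Below is an added example, written for this thread and not part of the notice or of Layered Technologies' tooling, that does the same job with `find`, totals the hits per type like the notice's summary, and adds the check a practitioner wants before rebooting: which processes running as the web user were started from a drop zone or from a binary that has since been deleted. It assumes Linux with /proc and POSIX find/awk; the web-server user is passed in (the WHM text in the notice uses "nobody", but on a suexec/phpsuexec box uploads are owned by the hosting account, so run it once per account user as well); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or the Layered Technologies
# notice.  Assumptions: Linux with /proc, POSIX find/awk, web-server user
# given as $1 (e.g. nobody, or each cPanel account user under suexec).
# Function names are hypothetical, chosen for this example.

# Print "<type> <path>" for every non-directory object owned by USER under
# the given directories: f=regular, l=symlink, s=socket, p=FIFO, b=block
# device, c=char device.  PHP session files (sess_*) are skipped as noise,
# matching the notice's grep -v.  -xdev keeps find on one filesystem so a
# bind-mounted /home or an NFS tree is not walked by accident.
scan_dropzones() {
    user="$1"; shift
    for t in f l s p b c; do
        find "$@" -xdev -user "$user" -type "$t" ! -name 'sess_*' -print 2>/dev/null \
            | sed "s|^|$t |"
    done
}

# Same data, totalled per type in the order the notice's summary prints.
summarize_dropzones() {
    scan_dropzones "$@" | awk '
        { n[$1]++ }
        END {
            printf "Regular File: %d\n",   n["f"] + 0
            printf "Symbolic Link: %d\n",  n["l"] + 0
            printf "Socket: %d\n",         n["s"] + 0
            printf "FIFO: %d\n",           n["p"] + 0
            printf "Block File: %d\n",     n["b"] + 0
            printf "Character File: %d\n", n["c"] + 0
        }'
}

# List processes running as USER whose binary was deleted after it started,
# or whose binary or working directory lives in a drop zone.  A trackback or
# comment-spam bot launched from /tmp by a compromised PHP script looks
# exactly like this.  The notice's reboot kills it but does not tell you
# which script launched it, so collect this output before rebooting.
webuser_procs() {
    user="$1"
    for pid in $(pgrep -u "$user" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
        case "$exe $cwd" in
            *'(deleted)'*|*/tmp/*|*/dev/shm/*|*/var/tmp/*|*/tmp|*/dev/shm|*/var/tmp)
                printf '%s %s exe=%s cwd=%s\n' "$pid" \
                    "$(cat "/proc/$pid/comm" 2>/dev/null)" "$exe" "$cwd" ;;
        esac
    done
}

# The notice's chown/chmod step, applied only to fetchers that exist.  Know
# what it buys: it stops a web-user shell from running wget/curl to pull a
# second stage, but a PHP script can still fetch with its own curl
# extension, fopen() URL wrappers or fsockopen(), and any non-root cron job
# or user script that calls wget/curl stops working.
restrict_fetchers() {
    for f in curl fetch wget; do
        p=$(command -v "$f" 2>/dev/null) || continue
        chown 0:0 "$p" && chmod 0750 "$p" && echo "restricted $p"
    done
}

# Typical run as root on the box in the thread:
#   summarize_dropzones nobody /dev/shm /tmp /var/spool /var/tmp
#   scan_dropzones nobody /dev/shm /tmp /var/spool /var/tmp > exploits
#   webuser_procs nobody
```

Directories owned by the web user are not listed separately (the notice counts them), because anything inside them is still found; if you want the directory itself, add `d` to the type list. Run `webuser_procs` first and save its output with the `exploits` file, since the process list is gone after the reboot the notice asks for.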

  2. #2
    Join Date
    Sep 2004
    Seoul, Korea (London, UK)
    Means that a script could have been compromised on your server to send out SPAM. Could also be a client of yours who is just a plain scum spammer.

    You need a sys admin to look at your server right away. Preferably within the next 2 hours or so.

  3. #3
    Join Date
    May 2005
    New York
    also, be aware that LT requires you to respond and acknowledge the Abuse complaint and outline that you intend to take action, NOT that you have it completely fixed.
    Perigee Global Corporation
    Design, Development and Hosting Solutions
    Dedicated Servers, CDN, Hosted E-Mail, Web Hosting, VPS & Cloud Servers
