-
08-28-2007, 08:25 PM #1 Newbie
Urgent: Need help to stop email hijacking
Dear all,
My server/website is now hijacked and they use my server for sending spam.
Please help me to fix this error.
My server: CentOS, cPanel, lfd
Mysite: Joomla 1.0.13
lfd email:
Code:
Time: Tue Aug 28 20:16:51 2007
Path: /home/longpt/public_html
Count: 101 emails sent
Sample of the first 10 emails:
2007-08-28 20:16:40 1IQ7UO-0006AJ-Mf <= nobody@hn.luatgiapham.com U=nobody P=local S=6263 T="Automated Security Notice"
2007-08-28 20:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006AC-Iy
2007-08-28 20:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006AL-Od
2007-08-28 20:16:40 1IQ7UO-0006Ae-ST <= nobody@hn.luatgiapham.com U=nobody P=local S=6263 T="Automated Security Notice"
2007-08-28 20:16:40 1IQ7UO-0006Ag-Uk <= nobody@hn.luatgiapham.com U=nobody P=local S=6261 T="Automated Security Notice"
2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006Ae-ST
2007-08-28 20:16:41 1IQ7UP-0006Ak-1x <= <> R=1IQ7UO-00069O-06 U=mailnull P=local S=7333 T="Mail delivery failed: returning message to sender"
2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UP-0006An-6F
2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UP-0006At-B7
2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UP-0006BB-Dv
Possible Scripts:
/home/longpt/public_html/configuration.php
/home/longpt/public_html/CHANGELOG.php
/home/longpt/public_html/configuration.php-dist
Code:
This is the mail delivery agent at messagelabs.com.
I was not able to deliver your message to the following addresses.

<nolan1@mailbox.ulcc.ac.uk>:
128.86.238.34 does not like recipient.
Remote host said: 550 rejected

--- Below this line is a copy of the message.

Return-Path: <nobody@hn.luatgiapham.com>
X-VirusChecked: Checked
X-Env-Sender: nobody@hn.luatgiapham.com
X-Msg-Ref: server-13.tower-82.messagelabs.com!1188346634!60747442!1
X-StarScan-Version: 5.5.12.14.2; banners=-,-,-
X-Originating-IP: [203.162.168.24]
X-SpamInfo: filtered by Signaturing System
X-Spam-Flag: YES
X-SpamReason: Matched rules 111461236, 114223405
Subject: {Spam?} Automated Security Notice
Received: (qmail 19117 invoked from network); 29 Aug 2007 00:17:31 -0000
Received: from unknown (HELO hn.luatgiapham.com) (203.162.168.24) by server-13.tower-82.messagelabs.com with AES256-SHA encrypted SMTP; 29 Aug 2007 00:17:31 -0000
Received: from nobody by hn.luatgiapham.com with local (Exim 4.63) (envelope-from <nobody@hn.luatgiapham.com>) id 1IQ8CZ-00071e-H1 for nolan1@mailbox.ulcc.ac.uk; Tue, 28 Aug 2007 21:02:19 +0000
To: nolan1@mailbox.ulcc.ac.uk
From: NatWest Bank <online.security@natwest.com>
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 8bit
Message-Id: <E1IQ8CZ-00071e-H1@hn.luatgiapham.com>
Date: Tue, 28 Aug 2007 21:02:19 +0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hn.luatgiapham.com
X-AntiAbuse: Original Domain - mailbox.ulcc.ac.uk
X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - hn.luatgiapham.com
X-Source:
X-Source-Args:
X-Source-Dir:

<html><head> <style><!-- body,td{font-family: verdana, helvetica, sans-serif; font-size: 12px; line-height: 1.5; color:#FFFFFF; text-decoration: none; } a:link{color: #FFFFFF; text-decoration:none;} a:visited{color: #FFFFFF; text-decoration:none;} a:hover{color: #FFFFFF; text-decoration:underline;}
--></style> </head><body bgcolor=white> <table width=754 cellspacing=0 cellpadding=0 height=120 background=http://www.natwest.com/images/header_bg.gif> <tr> <td height=60 valign=top> <table height=60 cellpadding=0 cellspacing=0> <td width=15></td> <td><img src=http://www.natwest.com/images/logo.gif></td> <td><img src=http://www.natwest.com/images/strapline_aw.gif></td></table> </td></tr> <tr><td valign=top> <table cellspacing=1 cellpadding=5> <td width=15></td> <td align=center bgcolor=#48497B width=80><a href="http://www.natwest.com/index.asp"><b>Personal</b></a></td> <td align=center width=80 bgcolor=#B7B7DB><a style="color: #000000" href="http://www.natwest.com/private.asp">Private</a></td> <td align=center width=80 bgcolor=#B7B7DB><a style="color: #000000" href="http://www.natwest.com/business.asp">Business</a></td> <td align=center width=80 bgcolor=#B7B7DB><a style="color: #000000" href="http://www.natwest.com/commercial.asp">Commercial</a></td></table> <table bgcolor=#48497B width=754 cellspacing=0 cellpadding=0> <td valign=top height=30 width=39></td> <td><a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/DAY_TO_DAY">Day to day</a> | <a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/SAVE_AND_INVEST">Save and invest</a> | <a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/BORROW">Borrow</a> | <a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/INSURE">Insure</a> | <a style="font-size:11px" href="http://www.natwest.com/microsites/personal/latest_deals/index.asp">Latest deals</a> </td> </table> </td></tr> </table> </td></table> <table width=754 bgcolor=#7474AA><td><table cellspacing=25 cellpadding=5 width=100%><tr><td style="color:#FF0000;font-family: Verdana; font-size:25px;" align=center>• Automated Security Notice<br></td></tr> <tr><td align="center" style="font-family: Verdana; font-size:13px; color:#FFFFFF"> • As part of our security
measures, We believe that, in everything else,<br> you deserve the best in banking too. Therefore protective measures is<br> been applied to satisfy our striving costumer needs. Our technical<br> service department is currently upgrading our SSL servers to enhance<br> adequate banking security, to give our costumers a better, fast and<br> secure online banking service. We noticed several unsuccessful login<br> attempts and therefore have decided to temporarily restrict your online<br> access. To regain access to your online banking Please click on<br> • <a style="color:blue" href=http://wvps212-241-211-59.vps.webfusion.co.uk/www.nwolb.com/default.aspx_refererident=D4192A3F6A30F53C28B76B43BED95AAF202CFA8E&cookieid=84781/Login.html>Online Banking Logon</a> to continue the verification process.<br> • (Failure to verify your Online Access service changes will lead to account<br> disconnection)<br> <br> <br> <br> Thank you.<br> Online Banking Security Team<br> NatWest Internet Banking.<br> (c)2007 All Rights Reserved<br> </table></td></table> <table width=754 cellpadding=1 cellspacing=0 height=120> <td><img src=http://www.natwest.co

--Message Truncated--
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Thank you in advance
Longpt
-
08-28-2007, 09:24 PM #2 Retired Moderator
Hacks on Joomla sites are often due to insecure components - remove any you're not using and check for updates to the ones you are.
Chris
"Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
-
08-29-2007, 02:09 AM #3 Newbie
I have uninstalled and checked components but am still being hijacked.
Anyone can help me?
-
08-29-2007, 11:45 AM #4 Web Hosting Evangelist
Check your web access log for incoming HTTP requests at the times the spam is sent. See if there is a correlation; it should tell you which page is being used.
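As an added example (not from the thread), a small Python script that does this correlation offline: it pulls the injection times of locally submitted mail from exim's mainlog, then counts which client/request in the Apache access log fell within a couple of seconds before each one. The log lines, hostnames and paths are constructed; both logs are assumed to use the same time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the thread): exim mainlog entries
# injected locally by the web-server user, and Apache combined-format requests.
EXIM_LOG = """\
2007-08-28 20:16:40 1IQ7UO-0006AJ-Mf <= nobody@hn.example.com U=nobody P=local S=6263 T="Automated Security Notice"
2007-08-28 20:16:40 1IQ7UO-0006Ae-ST <= nobody@hn.example.com U=nobody P=local S=6263 T="Automated Security Notice"
2007-08-28 20:16:41 1IQ7UP-0006Ak-1x <= <> R=1IQ7UO-00069O-06 U=mailnull P=local S=7333 T="Mail delivery failed"
"""
ACCESS_LOG = """\
203.0.113.7 - - [28/Aug/2007:20:16:39 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 512
198.51.100.2 - - [28/Aug/2007:20:16:39 +0000] "GET /index.php HTTP/1.1" 200 9034
203.0.113.7 - - [28/Aug/2007:20:16:40 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 512
203.0.113.7 - - [28/Aug/2007:19:00:00 +0000] "GET /index.php HTTP/1.1" 200 9034
"""

# "<= sender" marks message arrival in exim's log; U= is the local user that injected it.
EXIM_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*\bU=(\S+)')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def spam_injection_times(exim_text, user="nobody"):
    """Timestamps of messages injected locally by the web-server user."""
    times = []
    for line in exim_text.splitlines():
        m = EXIM_RE.match(line)
        if m and m.group(2) == user:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return times

def correlate(access_text, times, window=2):
    """Count (client, method, path) for requests made within `window` seconds
    before an injection. Assumes both logs are written in the same time zone."""
    hits = Counter()
    span = timedelta(seconds=window)
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Drop the "+0000" offset; the exim log carries none.
        ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
        if any(timedelta(0) <= t - ts <= span for t in times):
            hits[(m.group(1), m.group(3), m.group(4))] += 1
    return hits

if __name__ == "__main__":
    for (ip, method, path), n in correlate(ACCESS_LOG, spam_injection_times(EXIM_LOG)).most_common():
        print(f"{n:4d}  {ip:15s} {method} {path}")
```

On a real box, feed it /var/log/exim_mainlog and the virtual host's access log; the request that tops the count is the one to inspect next.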
-
08-30-2007, 07:44 AM #5 Newbie
Which components are you using? Can you list them?
Joomla services :: Joomla consultant :: Joomla Hosting :: Joomla Live Support
http://www.joomlian.com
-
08-30-2007, 04:43 PM #6 Junior Guru Wannabe
Apache running?
Sometimes it can be hard to find the right process. Here is one that works for me (must be done while the spammer is working).
If Apache is running on the infected host, use the http://<serverip>/server-status page (enable it first in httpd.conf).
You will see a "W" with the process that is currently working hard to process all the email; beside that process you can see what virtual host is connected to that process.
Now you know what is causing this...
/ Jonas
-
08-31-2007, 07:20 AM #7 Web Hosting Master
David | www.cliffsupport.com
Affordable Server Management Solutions sales AT cliffsupport DOT com
CliffWebManager | Access WHM from iPhone and Android