  1. #1

    Urgent: Need help to stop email hijacking

    Dear all,
    My server/website has been hijacked and they are using my server for sending spam.

    Please help me to fix this error.

    My server: CentOS, cPanel, lfd
    Mysite: Joomla 1.0.13

    lfd email:
    HTML Code:
    Time:  Tue Aug 28 20:16:51 2007
    Path:  /home/longpt/public_html
    Count: 101 emails sent
    
    Sample of the first 10 emails:
    
    2007-08-28 20:16:40 1IQ7UO-0006AJ-Mf <= nobody@hn.luatgiapham.com U=nobody P=local S=6263 T="Automated Security Notice"
    2007-08-28 20:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006AC-Iy
    2007-08-28 20:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006AL-Od
    2007-08-28 20:16:40 1IQ7UO-0006Ae-ST <= nobody@hn.luatgiapham.com U=nobody P=local S=6263 T="Automated Security Notice"
    2007-08-28 20:16:40 1IQ7UO-0006Ag-Uk <= nobody@hn.luatgiapham.com U=nobody P=local S=6261 T="Automated Security Notice"
    2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006Ae-ST
    2007-08-28 20:16:41 1IQ7UP-0006Ak-1x <= <> R=1IQ7UO-00069O-06 U=mailnull P=local S=7333 T="Mail delivery failed: returning message to sender"
    2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UP-0006An-6F
    2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UP-0006At-B7
    2007-08-28 20:16:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UP-0006BB-Dv
    
    
    Possible Scripts:
    
    /home/longpt/public_html/configuration.php
    /home/longpt/public_html/CHANGELOG.php
    /home/longpt/public_html/configuration.php-dist
    and I receive thousands of returned emails, but I didn't send them.

    Code:
    This is the mail delivery agent at messagelabs.com.
    I was not able to deliver your message to the following addresses.
    
    <nolan1@mailbox.ulcc.ac.uk>:
    128.86.238.34 does not like recipient.
    Remote host said: 550 rejected
    
    
    --- Below this line is a copy of the message.
    
    Return-Path: <nobody@hn.luatgiapham.com>
    X-VirusChecked: Checked
    X-Env-Sender: nobody@hn.luatgiapham.com
    X-Msg-Ref: server-13.tower-82.messagelabs.com!1188346634!60747442!1
    X-StarScan-Version: 5.5.12.14.2; banners=-,-,-
    X-Originating-IP: [203.162.168.24]
    X-SpamInfo: filtered by Signaturing System
    X-Spam-Flag: YES
    X-SpamReason: Matched rules 111461236, 114223405
    Subject: {Spam?}  Automated Security Notice
    Received: (qmail 19117 invoked from network); 29 Aug 2007 00:17:31 -0000
    Received: from unknown (HELO hn.luatgiapham.com) (203.162.168.24)
      by server-13.tower-82.messagelabs.com with AES256-SHA encrypted SMTP; 29 Aug 2007 00:17:31 -0000
    Received: from nobody by hn.luatgiapham.com with local (Exim 4.63)
        (envelope-from <nobody@hn.luatgiapham.com>)
        id 1IQ8CZ-00071e-H1
        for nolan1@mailbox.ulcc.ac.uk; Tue, 28 Aug 2007 21:02:19 +0000
    To: nolan1@mailbox.ulcc.ac.uk
    From: NatWest Bank <online.security@natwest.com>
    MIME-Version: 1.0
    Content-Type: text/html;
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1IQ8CZ-00071e-H1@hn.luatgiapham.com>
    Date: Tue, 28 Aug 2007 21:02:19 +0000
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - hn.luatgiapham.com
    X-AntiAbuse: Original Domain - mailbox.ulcc.ac.uk
    X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]
    X-AntiAbuse: Sender Address Domain - hn.luatgiapham.com
    X-Source: 
    X-Source-Args: 
    X-Source-Dir: 
    
    
    <html><head>
    <style><!-- 
    
    body,td{font-family: verdana, helvetica, sans-serif; font-size: 12px; line-height: 1.5;  color:#FFFFFF; text-decoration: none; }
    
    
    a:link{color: #FFFFFF; text-decoration:none;}
    a:visited{color: #FFFFFF; text-decoration:none;}
    a:hover{color: #FFFFFF;  text-decoration:underline;}
    
    
    
    --></style>
    
    </head><body bgcolor=white>
    <table width=754 cellspacing=0 cellpadding=0 height=120 background=http://www.natwest.com/images/header_bg.gif>
    <tr>
    <td height=60 valign=top>
    <table height=60 cellpadding=0 cellspacing=0> <td width=15></td> <td><img src=http://www.natwest.com/images/logo.gif></td>
    
    <td><img src=http://www.natwest.com/images/strapline_aw.gif></td></table>
    </td></tr>
    <tr><td valign=top>
    <table cellspacing=1 cellpadding=5>
    <td width=15></td>
    <td align=center bgcolor=#48497B width=80><a href="http://www.natwest.com/index.asp"><b>Personal</b></a></td>
    <td align=center width=80 bgcolor=#B7B7DB><a style="color: #000000" href="http://www.natwest.com/private.asp">Private</a></td>
    <td align=center width=80 bgcolor=#B7B7DB><a style="color: #000000" href="http://www.natwest.com/business.asp">Business</a></td>
    
    <td align=center width=80 bgcolor=#B7B7DB><a style="color: #000000" href="http://www.natwest.com/commercial.asp">Commercial</a></td></table>
    
    
    
    <table bgcolor=#48497B width=754 cellspacing=0 cellpadding=0> <td valign=top height=30 width=39></td> <td><a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/DAY_TO_DAY">Day to day</a>  |  <a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/SAVE_AND_INVEST">Save and invest</a>  |  <a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/BORROW">Borrow</a>  |  <a style="font-size:11px" href="http://www.natwest.com/personal01.asp?id=PERSONAL/INSURE">Insure</a>  |  <a style="font-size:11px" href="http://www.natwest.com/microsites/personal/latest_deals/index.asp">Latest deals</a> </td> </table>
    
    
    </td></tr>
    </table>
    
    </td></table>
    
    <table width=754 bgcolor=#7474AA><td><table cellspacing=25 cellpadding=5 width=100%><tr><td style="color:#FF0000;font-family: Verdana; font-size:25px;" align=center>&bull; Automated Security Notice<br></td></tr>
    
    <tr><td align="center" style="font-family: Verdana; font-size:13px; color:#FFFFFF">
    
    
    &bull; As part of our security measures, We believe that, in everything else,<br>
      you deserve the best in banking too. Therefore protective measures is<br>
      been applied to satisfy our striving costumer needs. Our technical<br>
      service department is currently upgrading our SSL servers to enhance<br>
      adequate banking security, to give our costumers a better, fast and<br>
      secure online banking service. We noticed several unsuccessful login<br>
      attempts and therefore have decided to temporarily restrict your online<br>
      access. To regain access to your online banking Please click on<br>
      &bull; <a style="color:blue" href=http://wvps212-241-211-59.vps.webfusion.co.uk/www.nwolb.com/default.aspx_refererident=D4192A3F6A30F53C28B76B43BED95AAF202CFA8E&cookieid=84781/Login.html>Online Banking Logon</a> to continue the verification process.<br>
      &bull; (Failure to verify your Online Access service changes will lead to account<br>
                                                        disconnection)<br>
    
    <br>
    <br>
    <br>
                                                   Thank you.<br>
                                     Online Banking Security Team<br>
                                          NatWest Internet Banking.<br>
                                       (c)2007 All Rights Reserved<br>
    
    
    </table></td></table>
    
    <table width=754 cellpadding=1 cellspacing=0 height=120> <td><img src=http://www.natwest.co
    
    --Message Truncated--
    
    ______________________________________________________________________
    This email has been scanned by the MessageLabs Email Security System.
    For more information please visit http://www.messagelabs.com/email ______________________________________________________________________
    Please help me, it's urgent.
    Thank you in advance
    Longpt

  2. #2
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,849
    Hacks on Joomla sites are often due to insecure components - remove any you're not using and check for updates to the ones you are.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  3. #3
    I have uninstalled and checked the components, but I am still being hijacked.
    Can anyone help me?

  4. #4
    Join Date
    Dec 2006
    Posts
    480
    Check your web access log for incoming HTTP requests at the times the spam is sent - see if there is a correlation and it should tell you which page is being used.
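One way to do that correlation, as an added example that is not part of the original thread: parse the exim mainlog for messages accepted from the web server user over the local transport (the `U=nobody P=local` lines in the lfd alert, which mean a script on disk invoked sendmail rather than an SMTP client), parse the Apache access_log, and count which requests were followed by such a submission within a couple of seconds. The log lines below are constructed for the example; `/components/com_example/upload.php` is a hypothetical path, not a real Joomla component, and the code assumes both logs are written in the same time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the post): exim mainlog lines for
# messages submitted locally by the web server user "nobody", interleaved with
# unrelated lines, and Apache combined-format access_log lines from the same
# minutes. /components/com_example/ is a hypothetical path.
EXIM_MAINLOG = """\
2007-08-28 20:16:40 1IQ7UO-0006AJ-Mf <= nobody@hn.luatgiapham.com U=nobody P=local S=6263 T="Automated Security Notice"
2007-08-28 20:16:40 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1IQ7UO-0006AC-Iy
2007-08-28 20:16:41 1IQ7UO-0006Ae-ST <= nobody@hn.luatgiapham.com U=nobody P=local S=6263 T="Automated Security Notice"
2007-08-28 20:16:41 1IQ7UP-0006Ak-1x <= <> R=1IQ7UO-00069O-06 U=mailnull P=local S=7333 T="Mail delivery failed: returning message to sender"
2007-08-28 20:20:05 1IQ7Xz-0006Bq-1c <= nobody@hn.luatgiapham.com U=nobody P=local S=6260 T="Automated Security Notice"
"""

APACHE_ACCESS_LOG = """\
203.0.113.5 - - [28/Aug/2007:20:16:39 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Aug/2007:20:16:40 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Aug/2007:20:16:41 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Aug/2007:20:18:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Aug/2007:20:20:04 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# "<=" is exim's message-arrival marker; U= is the calling user, P= the protocol.
EXIM_RX = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (?P<sender>\S+) '
    r'.*\bU=(?P<user>\S+) P=(?P<proto>\S+)')
# Apache combined log format: client, identd, user, [time], "request", status.
APACHE_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def exim_web_submissions(mainlog, web_user="nobody"):
    """Timestamps of messages exim accepted from the web server user through
    the local transport: a script on the box called sendmail/exim directly."""
    times = []
    for line in mainlog.splitlines():
        m = EXIM_RX.match(line)
        if m and m.group("user") == web_user and m.group("proto") == "local":
            times.append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    return times


def apache_requests(access_log):
    """(time, client ip, path) per request. The zone offset is dropped, so the
    two logs are assumed (for this example) to share one time zone."""
    reqs = []
    for line in access_log.splitlines():
        m = APACHE_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts").split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        reqs.append((ts, m.group("ip"), m.group("path")))
    return reqs


def correlate(mainlog, access_log, window=timedelta(seconds=2)):
    """Count (client ip, path) pairs of HTTP requests that were followed by a
    web-user mail submission within `window`. Each request is counted once."""
    submissions = sorted(exim_web_submissions(mainlog))
    hits = Counter()
    for req_time, ip, path in apache_requests(access_log):
        if any(timedelta(0) <= s - req_time <= window for s in submissions):
            hits[(ip, path)] += 1
    return hits


if __name__ == "__main__":
    for (ip, path), n in correlate(EXIM_MAINLOG, APACHE_ACCESS_LOG).most_common():
        print(f"{n:4d}  {ip:16s} {path}")
```

On the constructed data the POST to the hypothetical upload script lines up with a submission every time it is hit, while the visitor's GET to index.php coincides once by chance; on a real server, run it over the full day's logs and look for the path that keeps matching, not the one that matches once. Exim's mainlog is written in local time and Apache's access_log carries its own offset, so check both before trusting the window.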

  5. #5
    Join Date
    Jun 2007
    Location
    India
    Posts
    25
    which components are you using ? can you list them ?
    Joomla services :: Joomla consultant :: Joomla Hosting :: Joomla Live Support
    http://www.joomlian.com

  6. #6
    Join Date
    Mar 2004
    Location
    Sweden
    Posts
    72

    apache running?

    Sometimes it can be hard to find the right process. Here is one method that works for me. (It must be done while the spammer is working.)

    If apache is running on the infected host.

    use the http://<serverip>/server-status page.
    ( enable it first in httpd.conf )

    You will see a "W" next to the process that is currently working hard to process all the email, and beside that process you can see which virtual host is connected to it.

    Now you know what is causing this...

    / Jonas
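The httpd.conf fragment the post refers to, as an added example rather than something from the thread: it turns on mod_status, enables ExtendedStatus so that each worker row carries the Client, VHost and Request columns (without it the scoreboard shows only the "W" state, not which vhost or script the worker is serving), and restricts the page to localhost plus one admin address. 203.0.113.10 is a placeholder for your own IP, and the Order/Deny/Allow syntax is Apache 2.2, which is what a CentOS/cPanel box of that era ran.

```apache
# Added example, not from the post. Per-worker client/vhost/request detail
# needs ExtendedStatus; the page is read-only but leaks paths and client
# addresses, so never leave it world-readable.
ExtendedStatus On

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 203.0.113.10   # placeholder: replace with your admin IP
</Location>
```

Reload Apache, then open http://<serverip>/server-status while the spam run is in progress and look at rows whose M column is W: the VHost column names the account and the Request column names the script being hit.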

  7. #7
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,771
    Quote Originally Posted by longpt View Post
    I have uninstalled and checked the components, but I am still being hijacked.
    Can anyone help me?
    Check the stats of the domain that is affected. Block the IPs that you find suspicious. Install mod_security to the server and tighten mod_sec with strong rules. Recompile php to run as CGI.
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android
