  1. #1

    Backscatter / Server rooted or hacked?

    This morning, I noticed that my Google Apps account showed 12000 e-mails in the SPAM folder. Checking into it, I saw that the spam was all undeliverables/NDRs received back from my dedicated server with IP aa.bb.cc.dd, which I've changed in the header.

    I've been running RKhunter and Clamav which have been coming back clean.

    I've blocked inbound SMTP.

    There were a few thousand (at least) messages in /var/spool/mqueue and /var/spool/clientmqueue, which I deleted, and restarted sendmail after.

    I need to run to a meeting but will be back to check on this ... the header looks legit in every way that it's from my dedicated server.

    ----



    Delivered-To: [email protected]
    Received: by 10.90.106.3 with SMTP id e3cs91435agc;
    Thu, 2 Jul 2009 11:53:06 -0700 (PDT)
    Received: by 10.141.41.12 with SMTP id t12mr362057rvj.127.1246553987615;
    Thu, 02 Jul 2009 09:59:47 -0700 (PDT)
    Return-Path: <>
    Received: from xyz (mail.xyz [aa.bb.cc.dd])
    by mx.google.com with ESMTP id 29si4186558yxe.9.2009.07.02.09.59.47;
    Thu, 02 Jul 2009 09:59:47 -0700 (PDT)
    Received-SPF: pass (google.com: domain of xyz designates aa.bb.cc.dd as permitted sender) client-ip=aa.bb.cc.dd;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of xyz designates aa.bb.cc.dd as permitted sender) smtp.mail=
    Received: from localhost (localhost)
    by xyz (8.13.1/8.13.1) id n62IxEbU021883;
    Thu, 2 Jul 2009 14:59:14 -0400
    Date: Thu, 2 Jul 2009 14:59:14 -0400
    From: Mail Delivery Subsystem <[email protected]>
    Message-Id: <[email protected]>
    To: <[email protected]>
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="n62IxEbU021883.1246561154/xyz"
    Content-Transfer-Encoding: 8bit
    Subject: Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)

    This is a MIME-encapsulated message

    --n62IxEbU021883.1246561154/xyz

    The original message was received at Thu, 2 Jul 2009 14:59:11 -0400
    from localhost.localdomain [127.0.0.1]

    ----- The following addresses had permanent fatal errors -----
    <[email protected]>
    (reason: 550-5.1.1 The email account that you tried to reach does not exist. Please try)

    ----- Transcript of session follows -----
    ... while talking to aspmx.l.google.com.:
    >>> DATA
    <<< 550-5.1.1 The email account that you tried to reach does not exist. Please try
    <<< 550-5.1.1 double-checking the recipient's email address for typos or
    <<< 550-5.1.1 unnecessary spaces. Learn more at
    <<< 550 5.1.1 http://mail.google.com/support/bin/a...py?answer=6596 16si318649yxe.3
    550 5.1.1 <[email protected]>... User unknown
    <<< 503 5.5.1 RCPT first. 16si318649yxe.3

    --n62IxEbU021883.1246561154/xyz
    Content-Type: message/delivery-status

    Reporting-MTA: dns; xyz
    Received-From-MTA: DNS; localhost.localdomain
    Arrival-Date: Thu, 2 Jul 2009 14:59:11 -0400

    Final-Recipient: RFC822; [email protected]
    Action: failed
    Status: 5.1.1
    Remote-MTA: DNS; aspmx.l.google.com
    Diagnostic-Code: SMTP; 550-5.1.1 The email account that you tried to reach does not exist. Please try
    Last-Attempt-Date: Thu, 2 Jul 2009 14:59:14 -0400

    --n62IxEbU021883.1246561154/xyz
    Content-Type: message/rfc822
    Content-Transfer-Encoding: 8bit

    Return-Path: <[email protected]>
    Received: from xyz (localhost.localdomain [127.0.0.1])
    by xyz (8.13.1/8.13.1) with ESMTP id n62IxBbU021881
    for <[email protected]>; Thu, 2 Jul 2009 14:59:11 -0400
    Received: (from [email protected])
    by xyz (8.13.1/8.13.1/Submit) id n62IxAFj021880;
    Thu, 2 Jul 2009 14:59:10 -0400
    Date: Thu, 2 Jul 2009 14:59:10 -0400
    Message-Id: <[email protected]>
    To: [email protected]
    Subject: MasterCard No. 5148654789406543
    From: MasterCard® / Word Mega Jackpot Lottery UK <[email protected]>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit

    MasterCard® / Word Mega Jackpot Lottery MALAYSIA.<BR>
    HSBC BANK PLATINUM VISA CARD.<BR>
    HSBC PREMIERSHIP.<BR>
    MasterCard® OFFICE, MALAYSIA.<BR>
    PRESENT DIRECTOR; MR. Dennes Vandergate.<BR>
    PHONE: +60 172 797395.<P><BR>

    Dear Cash Winner,<P><BR>

    Finally,Your email has brought you luck in the just concluded MASTERCARD MEGAJACKPOT MID-YEAR LOTTERY, You are therefore been approved by MasterCard Int. the sum of $800,000 (EIGHT HUNDRED THOUSAND US DOLLAR).In cash Credited to MasterCard No. 5148 6547 8940 6543, and Reg. No. MCIMJ: 5148/4178<P><BR>

    Please contact us with Your Details for claims informations.<P><BR>
    MR MORGAN WALES<BR>
    Email: [email protected]<P><BR>

    Program Warning!!! Fraudulent emails are circulating that appears to be impersonator using our names and addresses, but are not from the MASTERCARD MEGAJACKPOT MID-YEAR LOTTERY OFFICE.<BR>
    ----------------------------------------------------------<BR>
    Material Copyright © 2009 Mastercard. Ltd.




    --n62IxEbU021883.1246561154/xyz--

  2. #2
    I had a similar situation where one of my clients had wrongly set permissions on a folder, which someone used to upload some scripts and send spam emails through.

    Is this a shared hosting server? Possibly bad scripts were uploaded.

    Mine was detected right away since I was using the CSF firewall, which emailed me about which script was sending out emails.

    Look for newly uploaded files, perhaps from today or yesterday based on dates, and examine them.

  3. #3
    I've seen this a lot. It's most likely an exploited PHP or Perl script. The process might still be running. Have you tried a "ps -auxwwf"?

  4. #4
    It seems to have stopped and I see no errant processes. I've attached a sendmail wrapper to my php.ini. Hopefully this will help if there's a next time.

  5. #5
    You run a find with something like -ctime or -mtime. Also running a grep -R 'MasterCard Int. the sum of $800,000' might turn up some files.

    However, most of the time the files are dropped into /tmp and deleted after they have been run. You should consider changing the permissions on your /tmp partition to noexec when it's mounted.

  6. #6
    The sendmail wrapper helped me track this down. It was an old vBulletin forum I had up whose attachments directory was open. They uploaded a PHP file that was base64 encoded.
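The wrapper approach credited in posts #4 and #6, as an added example that is not code from the thread: a logging sendmail wrapper set as sendmail_path in php.ini, plus a small ranking of the resulting log by calling script. The install path /usr/local/bin/sendmail-log, the log file path and the environment variables read are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a logging sendmail wrapper for PHP.
# Assumed install path /usr/local/bin/sendmail-log, wired up in php.ini as
#   sendmail_path = "/usr/local/bin/sendmail-log -t -i"
# Every PHP mail() call then passes through here, so the log names the script
# and directory behind a spam run before the message reaches real sendmail.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"
LOGFILE="${LOGFILE:-/var/log/php-sendmail.log}"

# Format one log record. Args: timestamp, uid, cwd, script, caller IP.
# Kept as a function so the format is fixed. Empty fields are written as "-":
# SCRIPT_FILENAME and REMOTE_ADDR are only exported under CGI/FastCGI/suPHP;
# under mod_php you usually get PWD alone, which still points at the directory.
mail_log_line() {
    ts=$1; uid=$2; cwd=$3; script=$4; ip=$5
    printf '%s uid=%s cwd=%s script=%s remote=%s\n' \
        "$ts" "${uid:--}" "${cwd:--}" "${script:--}" "${ip:--}"
}

# Rank log records (read from stdin) by script so the worst offender comes first.
top_senders() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^script=/) c[$i]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Record the caller, then hand the message and all options to the real sendmail.
main_wrapper() {
    mail_log_line "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -u)" "$PWD" \
        "${SCRIPT_FILENAME:-$SCRIPT_NAME}" "$REMOTE_ADDR" >> "$LOGFILE"
    exec "$REAL_SENDMAIL" "$@"
}

# Only act as the wrapper when installed under the assumed name; when sourced
# or run under another name the functions stay available for inspection.
case "$0" in
    *sendmail-log) main_wrapper "$@" ;;
esac
```

A quick `top_senders < /var/log/php-sendmail.log | head` after the next burst shows which script to look at first. PHP 5.3 and later also provide the mail.log and mail.add_x_header ini settings, which record the calling script without a wrapper.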

  7. #7
    Ahhhh, that is usually the case. Old, outdated PHP scripts. Good idea about the wrapper though. I had not thought of that.