Thread: Spam & Security

  1. #1
    Join Date
    Sep 2008
    Location
    Brazil
    Posts
    53

    Spam & Security

    Hello everyone,

    I run some cPanel servers with domains hosted on them, and most are PHP websites (stores, Joomla, etc.).

    I'm having problems with websites being exploited for the purpose of sending spam. I'm not sure how they do this, but I see files placed in the user folder, and these files only contain a script to send spam. This is happening many times with different sites and different scripts.

    My servers have mod_security, CSF, etc., and this is not helping at all. Also, cPanel's built-in feature to limit the number of emails sent doesn't seem to work in that case.

    Does anyone have a clue on how I can prevent that?

  2. #2
    Can't say without checking out the server, but most probably there is a vulnerability in a 3rd party plugin used by Joomla or other CMS you are using.

    The log files should tell you the whole story.

  3. #3
    Join Date
    Sep 2008
    Location
    Brazil
    Posts
    53
    Well, I already verified my server lots of times. It seems that they are breaking in via FTP and sending using PHPMail. What can I do to secure the server more?

  4. #4
    So you know the issue already! Change the FTP passwords.

    Also, if possible, stop using FTP completely and switch to SFTP which is more secure.

  5. #5
    Join Date
    Sep 2008
    Location
    Brazil
    Posts
    53
    Is this easy to do on a cPanel server?

  6. #6
    Yes. Check the logs for which accounts they have compromised and go and change those passwords.

    That will be the first step.

    Second step will be to make sure they have not installed any backdoors.

  7. #7
    Join Date
    Sep 2008
    Location
    Brazil
    Posts
    53
    Ok, thanks. I'm going to verify that.

    But my question is: is there any way to make the server limit the amount of mail sent using a PHP script?

  8. #8
    Obviously the best way is to get rid of the spammers completely, not to limit them.

    Good luck and keep me posted.

    I will be reachable at wht@kannayath.com

  9. #9
    Join Date
    Jul 2009
    Posts
    178
    Use passwords generated with the openssl tool for FTP; these are difficult to crack:

    openssl rand -base64 12

  10. #10
    Check the mail log at /var/log/exim_mainlog; you will be able to trace the account responsible for this.
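    Tracing the account through /var/log/exim_mainlog, as suggested in the post above, can be scripted. The following is an added example and not code from the thread; the line layouts are assumed from cPanel's default Exim logging (a "<= sender U=user P=local" arrival record, preceded by a "cwd=<dir> N args: /usr/sbin/sendmail ..." record giving the directory of the PHP script that called mail()), and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: find the account and directory behind a spam run in a
# cPanel exim_mainlog. Assumed record layouts (cPanel default logging):
#   <date> <time> <msgid> <= <sender> U=<local user> P=local S=<size> ...
#   <date> <time> cwd=<dir> <n> args: /usr/sbin/sendmail -t -i
# The second line is logged for each local submission; its cwd is the
# directory of the script that invoked sendmail (PHP mail()).

# Constructed sample log; on a real server use /var/log/exim_mainlog.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2009-08-01 10:00:01 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2009-08-01 10:00:01 1MXa1b-0001A2-3C <= alice@example.com U=alice P=local S=1820 id=a1@example.com
2009-08-01 10:00:03 1MXa1b-0001A2-3C => bob@example.org R=lookuphost T=remote_smtp
2009-08-01 10:00:05 cwd=/home/shop/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-08-01 10:00:05 1MXa1c-0001A3-4D <= shop@example.net U=shop P=local S=3112 id=s1@example.net
2009-08-01 10:00:06 cwd=/home/shop/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-08-01 10:00:06 1MXa1d-0001A4-5E <= shop@example.net U=shop P=local S=3120 id=s2@example.net
2009-08-01 10:00:07 cwd=/home/shop/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-08-01 10:00:07 1MXa1e-0001A5-6F <= shop@example.net U=shop P=local S=3098 id=s3@example.net
EOF

# top_senders LOGFILE THRESHOLD
# Count accepted messages per local user (P=local, i.e. submitted through
# sendmail rather than SMTP auth) and print "count user", highest first,
# for every user above THRESHOLD.
top_senders() {
    awk -v limit="$2" '
        $4 == "<=" && /P=local/ {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^U=/) { sub(/^U=/, "", $i); n[$i]++ }
        }
        END { for (u in n) if (n[u] > limit) print n[u], u }
    ' "$1" | sort -rn
}

# sending_dirs LOGFILE
# Count sendmail invocations per working directory, highest first. A
# directory that should not send mail (images/, cache/, tmp/) with a high
# count points at the dropped spam script the thread describes.
sending_dirs() {
    awk '$3 ~ /^cwd=/ { sub(/^cwd=/, "", $3); n[$3]++ }
         END { for (d in n) print n[d], d }' "$1" | sort -rn
}

echo "accounts with more than 2 local submissions:"; top_senders "$SAMPLE_LOG" 2
echo "directories sendmail was called from:";        sending_dirs "$SAMPLE_LOG"
```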

  11. #11
    Join Date
    Sep 2007
    Posts
    195
    Hi,

    Here is a good tip:


    ==============

    root@yourserver [~]# mv /usr/sbin/sendmail /usr/sbin/sendmail.real

    // backup your existing sendmail in the event of an error.

    root@yourserver [~]# pico /usr/sbin/sendmail

    // Open this badboy up, now paste the code below into it.

    Code:

    #!/usr/local/bin/perl
    use strict;
    use warnings;
    # Import the environment variables PHP's mail() leaves set when it
    # invokes sendmail from a web request.
    use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

    my $date = `date`;
    chomp $date;
    open(my $info, '>>', '/var/log/formmail.log') || die "Failed to open file ::$!";
    my $uid  = $>;              # effective uid of whoever called sendmail
    my @info = getpwuid($uid);  # name, passwd, uid, gid, ..., home dir, shell
    if ($REMOTE_ADDR) {
        # called from a web request: log client IP, script and virtual host
        print $info "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
    }
    else {
        # called from a shell or cron job: log working directory and account
        print $info "$date - $PWD - @info\n";
    }
    close($info);

    # Hand the message to the real sendmail, passing the original arguments
    # as a list so no shell is involved (avoids quoting and injection issues).
    my $mailprog = '/usr/sbin/sendmail.real';
    open(my $mail, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
    while (my $line = <STDIN>) {
        print $mail $line;
    }
    close($mail);

    Now save the work above...

    root@yourserver [~]# chmod +x /usr/sbin/sendmail

    // make sendmail executable

    root@yourserver [~]# echo > /var/log/formmail.log
    root@yourserver [~]# chmod 755 /var/log/formmail.log (if that does not work, change to chmod 777)
    root@yourserver [~]# pico /var/log/formmail.log

    // Above is where all the data is stored; it may take up to a couple of hours for it to begin filling with data. However, if you notice an extreme number of instances of a user sending mail, it may be spam.
    In the past, without this script, it would list them as "Nobody". With the script in place it lists the user
    and where the mail is being sent from.

    --------------------------------------------------------------------------
    As always, it's a good idea to routinely check who is running perl processes and how many, as this
    is also another large gateway for outgoing spam.

    root@yourserver [~]# ps aux | grep perl

    // If you see a user with one too many perl processes running, and nothing much going on at his site,
    in most cases that I've seen this is the source of spam.
    ==============

  12. #12
    Hi Starbolt,

    I know that our development teams are working on expanding the current filter they offer for outgoing mail. What it basically does is scan outgoing email from the cPanel users, and if a certain user account is flagged for sending out spam, this one account is temporarily locked from sending further email, while the system administrator is notified about the spamming account. In this way you protect your IP reputation and keep the other accounts on the same cPanel server from being bothered with blacklisting issues etc. due to one spamming account on your server.
    Well, as the product isn't officially launched as a stand-alone, I believe it's included in our incoming filter product. Regardless, if this is interesting to you, maybe you should talk with some of our development staff to brainstorm on extra feature additions etc. so as to come to a 'perfect' solution for you.

    Hope that helps! Cheers and good luck!

  13. #13
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    222
    If your sites/servers are compromised and any type of malscript is placed on a site and you know it's done via FTP, then changing passwords, changing to SFTP, changing filters won't do a darn thing long term.

    Hackers have been infecting PCs with FTP-stealing viruses/trojans all year. Oftentimes malscripts are inserted into index.* pages with iframes, redirects and various obfuscated JavaScript. .htaccess files have been added or modified to assist in redirects. These cybercriminals are good at what they do.

    Most recently these cybercriminals have been using websites/servers to send SPAM, but their methods are still the same - using stolen FTP credentials.

    So even if you change the FTP passwords, they're still going to steal them from their virus infected PCs either by finding the file with the stored usernames and passwords, or by sniffing the FTP traffic or by installing a keyboard logger or by using the PC itself to send the modified webpage to the website.

    Even if you change to SFTP, they're still going to use their keyboard logger to record the keystrokes. Or if you store the username and password for the SFTP account on the infected PC, they can still find the file with stored credentials and login through SFTP and use the site to send SPAM.

    You have to get down to the root of the problem which is cleaning all infected PCs with FTP/SFTP access to the site.

    Obviously the virus/trojan knows how to hide from whatever existing anti-virus program is on the PC(s). So a new one has to be installed, then scan and clean the PC.

    Many have had good luck with AVG, Avast, Avira or Malwarebytes. If the PC owner is already using one of these they must select a different one because the virus knows how to evade detection from whatever is being used currently.

    Then, after each PC is scanned and cleaned, and only then, can the FTP/SFTP passwords be changed.

    You can look at FTP logs all day long and if the cybercriminal has control of a PC, they can and do use it to add their malscripts to the website so the log will show that the FTP connection came from a legitimate source.

    The only way is to clean the PC.

    That's our two cents worth. Hopefully you found this more valuable than what you paid for it.