  1. #1

    receive email from CSF

    I have received more than 100 notification emails from my firewall (CSF).

    Would you please check the emails and let me know what the problem is?



    Time: Tue Nov 3 01:47:23 2009 +0330
    Account: ..............
    Process Count: 152 (Not killed)

    User:......... PID:21400 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr/bin/perl dm.cgi
    User:......... PID:21402 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr/bin/perl dm.cgi
    User:......... PID:21403 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr/bin/perl dm.cgi
    User:......... PID:21404 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr/bin/perl dm.cgi
    User:......... PID:21405 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr


    ---------------------------------------------------

    Time: Tue Nov 3 01:48:25 2009 +0330
    PID: 21412
    Account: .......
    Uptime: 92 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/bin/perl dm.cgi


    Network connections by the process (if any):

    tcp: ........:54856 -> ........:25


    Files open by the process (if any):

    /dev/null
    /home/......../public_html/sys/error.log
    /home/......./public_html/sys/error.log
    /tmp/ZCUDHqIRmu (deleted)


    Memory maps by the process (if any):

    00110000-0012c000 r-xp 00000000 fd:00 5899126 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/POSIX.so
    0012c000-0012d000 rw-p 0001b000 fd:00 5899126 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/POSIX.so
    001ee000-00319000 r-xp 00000000 fd:00 5899640 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so
    00319000-0031e000 rw-p 0012a000 fd:00 5899640 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/libperl.so
    0031e000-00320000 rw-p 0031e000 00:00 0
    00320000-0045f000 r-xp 00000000 fd:00 38666470 /lib/libc-2.5.so
    0045f000-00461000 r--p 0013f000 fd:00 38666470 /lib/libc-2.5.so
    00461000-00462000 rw-p 00141000 fd:00 38666470 /lib/libc-2.5.so
    00462000-00465000 rw-p 00462000 00:00 0
    0053e000-00558000 r-xp 00000000 fd:00 38666465 /lib/ld-2.5.so
    00558000-00559000 r--p 00019000 fd:00 38666465 /lib/ld-2.5.so
    00559000-0055a000 rw-p 0001a000 fd:00 38666465 /lib/ld-2.5.so
    0056c000-0056d000 r-xp 0056c000 00:00 0 [vdso]
    005f4000-005f8000 r-xp 00000000 fd:00 5899113 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    005f8000-005f9000 rw-p 00003000 fd:00 5899113 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    006a3000-006a5000 r-xp 00000000 fd:00 38666485 /lib/libdl-2.5.so
    006a5000-006a6000 r--p 00001000 fd:00 38666485 /lib/libdl-2.5.so
    006a6000-006a7000 rw-p 00002000 fd:00 38666485 /lib/libdl-2.5.so
    006a9000-006bc000 r-xp 00000000 fd:00 38666491 /lib/libpthread-2.5.so
    006bc000-006bd000 r--p 00013000 fd:00 38666491 /lib/libpthread-2.5.so
    006bd000-006be000 rw-p 00014000 fd:00 38666491 /lib/libpthread-2.5.so
    006be000-006c0000 rw-p 006be000 00:00 0
    006c2000-006e7000 r-xp 00000000 fd:00 38666472 /lib/libm-2.5.so
    006e7000-006e8000 r--p 00024000 fd:00 38666472 /lib/libm-2.5.so
    006e8000-006e9000 rw-p 00025000 fd:00 38666472 /lib/libm-2.5.so
    0076d000-00780000 r-xp 00000000 fd:00 38666502 /lib/libnsl-2.5.so
    00780000-00781000 r--p 00012000 fd:00 38666502 /lib/libnsl-2.5.so
    00781000-00782000 rw-p 00013000 fd:00 38666502 /lib/libnsl-2.5.so
    00782000-00784000 rw-p 00782000 00:00 0
    00826000-0082f000 r-xp 00000000 fd:00 38667082 /lib/libcrypt-2.5.so
    0082f000-00830000 r--p 00008000 fd:00 38667082 /lib/libcrypt-2.5.so
    00830000-00831000 rw-p 00009000 fd:00 38667082 /lib/libcrypt-2.5.so
    00831000-00858000 rw-p 00831000 00:00 0
    0089b000-008aa000 r-xp 00000000 fd:00 38666509 /lib/libresolv-2.5.so
    008aa000-008ab000 r--p 0000e000 fd:00 38666509 /lib/libresolv-2.5.so
    008ab000-008ac000 rw-p 0000f000 fd:00 38666509 /lib/libresolv-2.5.so
    008ac000-008ae000 rw-p 008ac000 00:00 0
    009b7000-009b9000 r-xp 00000000 fd:00 38667106 /lib/libutil-2.5.so
    009b9000-009ba000 r--p 00001000 fd:00 38667106 /lib/libutil-2.5.so
    009ba000-009bb000 rw-p 00002000 fd:00 38667106 /lib/libutil-2.5.so
    00d52000-00d5b000 r-xp 00000000 fd:00 38667575 /lib/libnss_files-2.5.so
    00d5b000-00d5c000 r--p 00008000 fd:00 38667575 /lib/libnss_files-2.5.so
    00d5c000-00d5d000 rw-p 00009000 fd:00 38667575 /lib/libnss_files-2.5.so
    00dc0000-00dc5000 r-xp 00000000 fd:00 5899288 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00dc5000-00dc6000 rw-p 00004000 fd:00 5899288 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00e8f000-00e91000 r-xp 00000000 fd:00 5899314 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    00e91000-00e92000 rw-p 00001000 fd:00 5899314 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    00ee8000-00eec000 r-xp 00000000 fd:00 38666276 /lib/libnss_dns-2.5.so
    00eec000-00eed000 r--p 00003000 fd:00 38666276 /lib/libnss_dns-2.5.so
    00eed000-00eee000 rw-p 00004000 fd:00 38666276 /lib/libnss_dns-2.5.so
    08048000-0804b000 r-xp 00000000 fd:00 5809328 /usr/bin/perl
    0804b000-0804c000 rw-p 00002000 fd:00 5809328 /usr/bin/perl
    0925e000-094f2000 rw-p 0925e000 00:00 0 [heap]
    b7ed7000-b7efb000 rw-p b7ed7000 00:00 0
    b7f04000-b7f05000 rw-p b7f04000 00:00 0
    bf98a000-bf99f000 rw-p bffea000 00:00 0 [stack]
    Last edited by monitor2000com; 11-03-2009 at 03:18 AM.
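The two messages above are the lfd Process Tracking alert that CSF sends: a summary of every long-lived process for the account, then a per-process report with the executable, the (spoofable) command line, its sockets and its open files. As an added example, not code from the thread or from CSF, the bash functions below pull the three facts a responder needs out of such an alert: .cgi scripts that have been running far longer than a CGI request ever should, direct connections to port 25, and open files the process has already unlinked. The SAMPLE_SUMMARY and SAMPLE_DETAIL text is constructed to match the shape of the posted alert; the account name, PIDs and addresses in it are made up, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread. SAMPLE_* is constructed alert text in
# the format lfd uses; only the script name dm.cgi and the deleted tmp file
# name are taken from the post, everything else is invented.

SAMPLE_SUMMARY='Time: Tue Nov 3 01:47:23 2009 +0330
Account: user1
Process Count: 152 (Not killed)

User:user1 PID:21400 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr/bin/perl dm.cgi
User:user1 PID:21402 Run Time:32(secs) Memory:6416(kb) exe:/usr/bin/perl cmd:/usr/bin/perl dm.cgi
User:user1 PID:21410 Run Time:1(secs) Memory:3000(kb) exe:/usr/bin/perl cmd:/usr/bin/perl contact.cgi
User:user1 PID:21420 Run Time:900(secs) Memory:9000(kb) exe:/usr/bin/perl cmd:/usr/bin/perl awstats.pl'

SAMPLE_DETAIL='Time: Tue Nov 3 01:48:25 2009 +0330
PID: 21412
Account: user1
Uptime: 92 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

/usr/bin/perl dm.cgi

Network connections by the process (if any):

tcp: 192.0.2.10:54856 -> 203.0.113.25:25
tcp: 192.0.2.10:54857 -> 198.51.100.7:25

Files open by the process (if any):

/dev/null
/home/user1/public_html/sys/error.log
/tmp/ZCUDHqIRmu (deleted)'

# PIDs of processes executing a .cgi script that have lived at least $2
# seconds (default 10). A real CGI request finishes in well under a second,
# so dozens of .cgi processes alive for 30+ s is the mass-mailer signature.
# Output: PIDs on one line, space separated.
csf_suspect_pids() {
  printf '%s\n' "$1" | awk -v min="${2:-10}" '
    /^User:/ {
      pid = ""; rt = 0; cmd = ""
      if (match($0, /PID:[0-9]+/))      pid = substr($0, RSTART + 4, RLENGTH - 4)
      if (match($0, /Run Time:[0-9]+/)) rt  = substr($0, RSTART + 9, RLENGTH - 9) + 0
      if (match($0, /cmd:.*/))          cmd = substr($0, RSTART + 4)
      if (rt >= min && cmd ~ /\.cgi( |$)/) print pid
    }' | tr '\n' ' ' | sed 's/ $//'
}

# Remote endpoints of TCP connections to port 25. A CGI process speaking
# SMTP to the outside world itself, not via the local MTA, is the delivery
# channel of a spam script. One "host:25" per line.
csf_smtp_peers() {
  printf '%s\n' "$1" | awk '/^tcp: / && $NF ~ /:25$/ { print $NF }'
}

# Open files the process has already unlinked. The mailer writes its real
# payload to /tmp and deletes it to hide it; the content is still reachable
# through /proc/PID/fd only while the process lives, so copy it before killing.
csf_deleted_files() {
  printf '%s\n' "$1" | awk '/ \(deleted\)$/ { sub(/ \(deleted\)$/, ""); print }'
}

# Verdict for one account: MAILER when both long-lived .cgi processes and
# direct SMTP connections are present, otherwise NO-MATCH (which is not
# "clean": the command line in the alert can be faked by the process).
csf_verdict() {                 # $1 = summary alert text, $2 = detail alert text
  local pids peers
  pids=$(csf_suspect_pids "$1")
  peers=$(csf_smtp_peers "$2")
  if [ -n "$pids" ] && [ -n "$peers" ]; then echo MAILER; else echo NO-MATCH; fi
}
```

Two caveats the alert itself hints at. "Command Line (often faked in exploits)" is there because argv lives in the process's own memory and can be overwritten, while the Executable line and the memory maps come from /proc/PID/exe and /proc/PID/maps, which the process cannot forge; so a .cgi name in the command line is a positive indicator, but a harmless-looking one proves nothing. And "(Not killed)" in the summary means lfd only reported; had it been configured to kill, the deleted /tmp file would have vanished with the process, so run the recovery step before any automatic kill is turned on.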

  2. #2
    You are screwed; that's a dark mailer script that sends mass mail. Remove the script, kill all the processes running it, investigate how and from where it came in, and also check whether your IP has been blacklisted, using the links below:
    http://www.myiptest.com/staticpages/...isted-IP-DNSBL
    http://www.kloth.net/services/dnsbl.php
    Vinsar.Net - Quality Web Hosting at Economical Price on USA & European Servers
    Offering domains, shared, reseller & VPS hosting.
    Reliable Domain Reseller Account Resell Domains with Confidence

  3. #3
    Quote Originally Posted by vinsar
    You are screwed; that's a dark mailer script that sends mass mail. Remove the script, kill all the processes running it, investigate how and from where it came in, and also check whether your IP has been blacklisted, using the links below:
    http://www.myiptest.com/staticpages/...isted-IP-DNSBL
    http://www.kloth.net/services/dnsbl.php

    I found some files in public_html/sys (A.mx / B.mx / c.mx ..........) which contain some IP addresses. Most of the IP addresses belong to some popular mail servers.

    There are other files in the same directory:

    # from.tmp
    # log.idx
    # proxy.idx
    # replyto.tmp
    # state.txt
    # subject.tmp



    Would you please help me with this issue? I have checked the subject of the script and am more sure that my customer has not uploaded the script.

  4. #4
    In most cases these kinds of scripts are not uploaded by the customer knowingly; hackers do that using exploits in a script.

    Remove all those suspicious files immediately and kill all the related running processes. Then investigate how it got in.
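Posts #2 and #4 give the order of operations but not the commands, and one detail in the alert changes that order: the script's payload is an already-deleted file in /tmp, recoverable only through /proc/PID/fd while the process is alive, so evidence capture has to come before the kill. The bash functions below are an added example, not code from the thread or from CSF, that carries out the procedure: find the perl processes whose argv names dm.cgi, copy their unlinked files out, SIGKILL them, move the control files listed in post #3 out of public_html/sys with execute bits stripped, and query a DNSBL directly instead of through the web forms linked in post #2. The quarantine path /root/ir/USER, the DNSBL zone and the proc-root parameter (present only so the functions can be exercised on a constructed /proc-like tree) are my assumptions; on the real box the defaults apply.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): containment for the dm.cgi mailer.
# Order matters: capture the unlinked /tmp payload via /proc/PID/fd FIRST,
# then kill, then move the control files out of the web root. The proc-root
# and quarantine-dir parameters exist so the functions can be run against a
# constructed /proc-like tree; on the compromised host use the defaults.

# PIDs whose argv mentions the script ($1), read from /proc/PID/cmdline
# (NUL-separated). argv is writable by the process itself, so treat a hit as
# a lead to confirm against the exe link and fd list, not as the only signal.
find_mailer_pids() {            # $1 = script name, $2 = proc root (/proc)
  local script="$1" proc="${2:-/proc}" d
  for d in "$proc"/[0-9]*; do
    [ -r "$d/cmdline" ] || continue
    if tr '\0' ' ' < "$d/cmdline" | grep -qE -- "(^|[ /])$script( |\$)"; then
      printf '%s\n' "${d##*/}"
    fi
  done
}

# Copy every open file the process has already unlinked (readlink on the fd
# symlink ends in " (deleted)") into the quarantine dir. Prints the count.
save_deleted_fds() {            # $1 = pid, $2 = proc root, $3 = quarantine dir
  local pid="$1" proc="${2:-/proc}" q="$3" fd target n=0
  mkdir -p "$q"
  for fd in "$proc/$pid"/fd/*; do
    [ -L "$fd" ] || continue
    target=$(readlink "$fd") || continue
    case "$target" in
      *" (deleted)")
        cp "$fd" "$q/pid$pid-fd${fd##*/}-$(basename "${target% (deleted)}")" \
          && n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# SIGKILL: cannot be caught, so the script gets no chance to respawn itself.
kill_mailer_pids() { for p in "$@"; do kill -9 "$p" 2>/dev/null || true; done; }

# Move the mailer's files (target lists *.mx, the *.tmp/*.idx state files,
# state.txt and the script itself) out of the web root, execute bit removed.
# Everything else in the directory, error.log included, is left in place for
# the timeline. Prints the number of files moved.
quarantine_sys_dir() {          # $1 = public_html/sys dir, $2 = quarantine dir
  local src="$1" q="$2" f n=0
  mkdir -p "$q"
  for f in "$src"/*.mx "$src"/*.tmp "$src"/*.idx "$src"/state.txt "$src"/dm.cgi; do
    [ -e "$f" ] || continue
    mv "$f" "$q/" && chmod a-x "$q/${f##*/}" && n=$((n + 1))
  done
  echo "$n"
}

# Reverse an IPv4 address for a DNSBL lookup: 192.0.2.10 -> 10.2.0.192
reverse_ip() { printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'; }

# Query a DNSBL directly (needs dig and network, so not exercised offline).
# An A answer in 127.0.0.0/8 means listed; no answer means not listed.
# zen.spamhaus.org is one public zone, chosen here as an assumption.
dnsbl_check() {                 # $1 = the server's public IPv4, $2 = zone
  dig +short "$(reverse_ip "$1").${2:-zen.spamhaus.org}" A
}

# Whole procedure for one account, e.g.:
#   contain_mailer dm.cgi /home/USER/public_html/sys /root/ir/USER
contain_mailer() {              # $1 = script, $2 = sys dir, $3 = quarantine dir
  local pids p
  pids=$(find_mailer_pids "$1")
  for p in $pids; do save_deleted_fds "$p" /proc "$3" >/dev/null; done
  kill_mailer_pids $pids
  quarantine_sys_dir "$2" "$3"
}
```

The quarantine copy is what the "investigate how it got in" step works from: the recovered /tmp payload shows what the dropper actually ran, and the web server's access log around the mtime of dm.cgi and the .mx files shows the request that wrote them, which is where the vulnerable script the attacker used will be found.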
