LOCALHOSTRELAY Alert for 127.0.0.1

Posted by AlphaDev, 03-21-2015, 10:01 PM
Hi guys,

I'm getting a lot of email alerts with this subject: LOCALHOSTRELAY Alert for 127.0.0.1

Email content:

==
Time: Sat Mar 21 18:29:17 2015 -0700
Type: LOCALHOSTRELAY, localhost - 127.0.0.1
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2015-03-21 18:28:00 1YZUgK-0007DP-8M <= gena_chaney@reddxx.com H=localhost.localdomain (dev1.sam.net) [127.0.0.1]:42807 P=smtp S=1008 T="Hey" for munionterry@yahoo.com
. . . .
==

gena_chaney@reddxx.com email does not exist. These mails are being sent out by a certain file: start.php

This customer is using a shopping cart script. I have updated his script and removed all unnecessary plugins etc. Somehow a PHP file got uploaded to his account and that PHP file is sending out spam email. I was trying to find out how/who uploaded this PHP file but couldn't find out. I changed his cPanel/FTP password, which means no one has access to this account. My PC is protected by Norton 2014 and Malwarebytes.

root@dev1 [~]# grep "start.php" /usr/local/cpanel/logs/access_log
Result: nothing

I also checked /usr/local/cpanel/logs/access_log and found nothing related to this start.php

Config server email queue manager log:

255 X-SG-Opt: SCRIPT_FILENAME=/home/reddotco/public_html/aspnet_client/system_web/2_0_50727/start.php REQUEST_URI=/aspnet_client/system_web/2_0_50727/start.php PWD=/home/reddotco/public_html/aspnet_client/system_web/2_0_50727 REMOTE_ADDR=184.168.193.181

As you can see, mails are being sent out from: /home/reddotco/public_html/aspnet_client/system_web/2_0_50727/start.php

1) How can I identify who/how they are uploading this file?
2) Why are emails being sent from H=localhost.localdomain? (What is the meaning of this localhost.localdomain?)
3) Can I disable ALL emailing capabilities of this certain cPanel account?
4) For example, gena_chaney@reddxx.com is not a valid email. It's a spoofed email. How can I prevent emails being sent from unavailable email accounts?
5) Any other suggestions on how I can overcome this situation?

P.S.: This is random. Now if I remove this file, spam email will stop. But a different file will be uploaded after 2 weeks or something.

Please note that I've already done everything within my power/knowledge - scanned / updated scripts / checked his mail scripts / even removed his email accounts.

Thanks in advance.
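Added example, not part of the original thread: a Python triage of the two pieces of evidence quoted in the post above, the loopback arrivals in the Exim main log and the script path and client address in the X-SG-Opt header. The first line of each sample block is quoted from the post, every other input line is constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# Sample data: the first line of each block is quoted from the post; the rest
# are constructed (documentation addresses, hypothetical paths).
MAINLOG = '''\
2015-03-21 18:28:00 1YZUgK-0007DP-8M <= gena_chaney@reddxx.com H=localhost.localdomain (dev1.sam.net) [127.0.0.1]:42807 P=smtp S=1008 T="Hey" for munionterry@yahoo.com
2015-03-21 18:28:02 1YZUgM-0007Dd-Ab <= b.user@example.org H=localhost.localdomain (dev1.sam.net) [127.0.0.1]:42811 P=smtp S=1012 T="Hey for you" for rcpt1@example.net rcpt2@example.net
2015-03-21 18:28:05 1YZUgP-0007E1-Cd <= real@example.com H=mail.example.com [203.0.113.9]:51000 P=esmtps S=2048 T="Invoice" for user@example.org
2015-03-21 18:28:06 1YZUgK-0007DP-8M => munionterry@yahoo.com R=lookuphost T=remote_smtp
'''
HEADERS = '''\
255 X-SG-Opt: SCRIPT_FILENAME=/home/reddotco/public_html/aspnet_client/system_web/2_0_50727/start.php REQUEST_URI=/aspnet_client/system_web/2_0_50727/start.php PWD=/home/reddotco/public_html/aspnet_client/system_web/2_0_50727 REMOTE_ADDR=184.168.193.181
255 X-SG-Opt: SCRIPT_FILENAME=/home/reddotco/public_html/aspnet_client/system_web/2_0_50727/start.php REQUEST_URI=/aspnet_client/system_web/2_0_50727/start.php PWD=/home/reddotco/public_html/aspnet_client/system_web/2_0_50727 REMOTE_ADDR=184.168.193.181
120 X-SG-Opt: SCRIPT_FILENAME=/home/exampleuser/public_html/contact.php REQUEST_URI=/contact.php PWD=/home/exampleuser/public_html REMOTE_ADDR=198.51.100.7
'''

# Arrival ("<=") line; the greedy ".* for " skips a " for " inside the subject.
ARRIVAL = re.compile(
    r'^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) <= (?P<sender>\S+) H=\S+.*?'
    r'\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? .* for (?P<rcpts>.+)$')
LOOPBACK = {'127.0.0.1', '::1'}

def localhost_relays(mainlog):
    """Messages that arrived over SMTP from the loopback address."""
    hits = []
    for line in mainlog.splitlines():
        m = ARRIVAL.match(line)
        if m and m['ip'] in LOOPBACK:
            hits.append((m['id'], m['sender'], m['rcpts'].split()))
    return hits

def script_sources(headers):
    """Count queued messages per (script path, client address) pair."""
    tally = Counter()
    for line in headers.splitlines():
        _, sep, fields = line.partition('X-SG-Opt:')
        if not sep:
            continue
        kv = dict(re.findall(r'(\w+)=(\S+)', fields))
        tally[(kv.get('SCRIPT_FILENAME', '?'), kv.get('REMOTE_ADDR', '?'))] += 1
    return tally

if __name__ == '__main__':
    for msg_id, sender, rcpts in localhost_relays(MAINLOG):
        print(msg_id, sender, '->', ', '.join(rcpts))
    for (script, client), n in script_sources(HEADERS).most_common():
        print(n, script, client)
```

The REQUEST_URI and REMOTE_ADDR values are the terms to look for in the web server's access log for the affected domain, which is a separate file from /usr/local/cpanel/logs/access_log.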

Posted by Kailash12, 03-23-2015, 06:08 AM
If you have upgraded all third party scripts, plugins etc. and the issue is still appearing after a few days, that means something is wrong with one of the scripts in this account or there is an issue with the server.


