
Has my server really been hacked?

Posted by treehstn, 12-08-2008, 11:51 AM
Hi, I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on. When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up. I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts. During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new. As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam. I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others? Here are a couple of the headers. If anyone can help I'd be very grateful!!

Return-path:
Envelope-to: info@glassresearch.net
Delivery-date: Mon, 08 Dec 2008 01:46:20 -0600
Received: from [218.77.202.52] (helo=alvearnet.com.ar) by server.glassresearch.net with smtp (Exim 4.69) (envelope-from ) id 1L9aot-0002ml-K1 for info@glassresearch.net; Mon, 08 Dec 2008 01:46:20 -0600
To:
Subject: Delivery Status Notification
From:
MIME-Version: 1.0
Importance: High
Content-Type: text/html
------------------------
Return-path:
Envelope-to: info@glassresearch.net
Delivery-date: Mon, 08 Dec 2008 07:13:23 -0600
Received: from ppp079166079114.dsl.hol.gr ([79.166.79.114]) by server.glassresearch.net with smtp (Exim 4.69) (envelope-from ) id 1L9fvO-0004Zs-0u for info@glassresearch.net; Mon, 08 Dec 2008 07:13:23 -0600
To:
Subject: RE: Message
From:
MIME-Version: 1.0
Importance: High
Content-Type: text/html

Posted by treehstn, 12-08-2008, 12:39 PM
I found a registry hack that displays the full headers. Here's the newest email that has come in:

Return-path:
Envelope-to: info@glassresearch.net
Delivery-date: Mon, 08 Dec 2008 10:36:28 -0600
Received: from ppp-58-8-250-41.revip2.asianet.co.th ([58.8.250.41] helo=ppp-58-8-59-122.revip2.asianet.co.th) by server.glassresearch.net with esmtp (Exim 4.69) (envelope-from ) id 1L9j5v-0005MP-QO for info@glassresearch.net; Mon, 08 Dec 2008 10:36:28 -0600
Message-ID:
From: "=?windows-1251?B?QWxsYXJkIENvcGVsYW5k?="
To:
Subject: =?windows-1251?B?c3BhbTogT3ZlciAxMCBtaWxsaW9uIG1lbiA=?= =?windows-1251?B?bWFkZSB0aGVpciB3b21lbiBoYXBweSwgYW5kIHlvdT8=?=
Date: Sat, 08 Nov 3609 23:36:45 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=----=_NextPart_000_0023_85_85DDFBC3.BC7C6663
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-tis-spam: =?us-ascii?B?c2NvcmU9MzEuMjIyNzAgKDE0ODAzNiwxNDgw?= =?us-ascii?B?MzksMTQ0MDMxLDE0NjAwNyw3MDAwMjAsMTA2ODMwLDcwMDc1Miwx?= =?us-ascii?B?MDYyODAsMTA1MjAwLDcwNzczMSwxMDU4MzAsNzAxMDM1LDE4ODAx?= =?us-ascii?B?OSwxODgwMDgsMTExNjAwLDExMTYwNCwxODgxMTksNzA1NzE4LDEx?= =?us-ascii?B?MTYwNSw3MDAwNzQsMTg4MDA5LDE4ODEzMCwxMTE2MDgsMTg4MDU3?= =?us-ascii?B?LDcwMDgwMiw3MDI2MzgsNzAwNTI5LDE4ODAwMiw3MDAyNjQsMTg4?= =?us-ascii?B?MTM0LDE4ODAwNyw3MDA3NTgsNzA0NDI1LDE4ODEyMiw3MDA3MDgs?= =?us-ascii?B?MTg4MDkwLDcwMDczMiwxMzk3MDQsNzAwMDczLDExMTYxMCwxODgw?= =?us-ascii?B?NjIsMTExNjAzLDExMTYwMSwxMDAwMywyMjU3MSwzNjAwMSk=?=

Posted by larwilliams, 12-08-2008, 12:50 PM
Is this a cPanel server and being sent by a PHP script? If so, there is an option under the EasyApache setup process (during the configuration step for PHP4/5 and Apache itself) that will be helpful. It is called "Mail Headers" and is under both PHP4 and 5. What this does is add a header to each e-mail sent by a PHP script called "X-PHP-Script:" that shows exactly what script is being used to send the spam. The main thing I would do first is tighten up your Exim configuration and limit how many e-mails can be sent per hour, to control the damage that can be done. Hope this helps!
__________________
LCWSoft - Canadian web hosting (based in Newfoundland) | Uptime Report | lawrencewilliams (at) lcwsoft.com

Posted by treehstn, 12-08-2008, 01:04 PM
It is an Apache server with cPanel loaded. And the emails are supposedly being sent through my exim service using a rogue script that's been loaded on the server. I have both WHM and cPanel. I don't see any options about Mail Headers.

Posted by xeno007, 12-08-2008, 01:16 PM
You will have to recompile apache with "Mail Headers" included. WHM -> Apache Update

Posted by larwilliams, 12-08-2008, 01:51 PM
There are 2 things you really should do first. In WHM, access "Tweak Settings". You should see an option talking about preventing the user "nobody" from sending e-mail. Enable it. You should also see an option that talks about limiting the number of e-mails a domain can send per hour. Set it to something reasonable like 300. Doing this should limit the potential damage that will be done while you are hunting down the culprit.
__________________
LCWSoft - Canadian web hosting (based in Newfoundland) | Uptime Report | lawrencewilliams (at) lcwsoft.com

Posted by larwilliams, 12-08-2008, 01:56 PM
Quote: Originally Posted by xeno007
You will have to recompile apache with "Mail Headers" included. WHM -> Apache Update

Actually, it's PHP that supports Mail Headers. In WHM, run "Apache Update" and select Previously Saved Config. In the 4th step, opt to view the Exhaustive list of options. This last step, before PHP and Apache get recompiled, will ask you what Apache modules and PHP options you want to enable. It is a fairly long list, but just search for "Mail Headers" and check off the 2 occurrences that you will see.
__________________
LCWSoft - Canadian web hosting (based in Newfoundland) | Uptime Report | lawrencewilliams (at) lcwsoft.com

Posted by treehstn, 12-08-2008, 02:50 PM
Lar, Thanks for the help! I was able to turn on the mail headers and the tweak for "nobody". There were several other options in the tweak settings that I set also. I was also looking at this option but couldn't get it to work: http://httpd.apache.org/docs/2.0/mod/mod_status.html I really need to figure out if there really is a rogue script on the server or if I'm just being fooled by the spammer. And if there is a rogue script, how to find it!

Posted by treehstn, 12-08-2008, 03:00 PM
Oh crap. I changed the DNS hostname this morning. This new email that just came through has the new hostname in it.

Return-path:
Envelope-to: info@glassresearch.net
Delivery-date: Mon, 08 Dec 2008 12:57:30 -0600
Received: from [189.70.36.196] (helo=amerion.com) by bach.glassresearch.net with smtp (Exim 4.69) (envelope-from ) id 1L9lIM-0002Ym-3t for info@glassresearch.net; Mon, 08 Dec 2008 12:57:30 -0600
To:
Subject: Re: Order status
From:
MIME-Version: 1.0
Importance: High
Content-Type: text/html
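All three header sets in this thread turn on the same check: which host handed the message to Exim, as recorded in the earliest Received: line. The following is an added Python example, not code from the thread or from cPanel, that unfolds Received: headers, reports that earliest hop, decodes the encoded Subject, and surfaces the X-PHP-Script header that the "Mail Headers" option described earlier adds; the two sample messages, the host names and the exact X-PHP-Script value format are constructed assumptions.

```python
import email
import re
from email.header import decode_header

# Constructed samples (not the poster's mail). INBOUND has the shape of the headers
# quoted above: external host -> Exim on the server. LOCAL is what a PHP script
# submitting through sendmail looks like, with the X-PHP-Script header that the
# cPanel "Mail Headers" option adds (that header's exact format is assumed here).
INBOUND = """\
Received: from [203.0.113.5] (helo=example.com)
\tby server.example.net with smtp (Exim 4.69)
\tfor info@example.net; Mon, 08 Dec 2008 01:46:20 -0600
Subject: =?windows-1251?B?c3BhbTogT3ZlciAxMCBtaWxsaW9uIG1lbiA=?=
"""
LOCAL = """\
Received: from nobody by server.example.net with local (Exim 4.69)
\tid 1BBBBB-000000-BB; Mon, 08 Dec 2008 02:00:00 -0600
X-PHP-Script: www.example.net/forms/contact.php for 198.51.100.7
Subject: hello
"""
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\([^)]*\))?\s+by\s+(\S+)\s+with\s+(\S+)")

def unfold(value):
    """Join folded continuation lines of a header into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def parse_hop(value):
    m = HOP_RE.search(unfold(value))
    return {"from": m.group(1), "by": m.group(2), "with": m.group(3)} if m else None

def decode_subject(value):
    return "".join(t.decode(cs or "ascii", "replace") if isinstance(t, bytes) else t
                   for t, cs in decode_header(unfold(value))).strip()

def triage(raw, our_hosts):
    """Report where the message entered the mail system, from its earliest Received: hop."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    out = {"subject": decode_subject(msg.get("Subject", "")),
           "php_script": msg.get("X-PHP-Script")}
    if not hops:
        out["origin"] = "no Received: header"
        return out
    first = hops[-1]  # Received: lines are prepended, so the last is the earliest hop
    if first["with"] == "local":
        out["origin"] = f"local submission on {first['by']} as user {first['from']}"
    elif first["by"] in our_hosts:
        out["origin"] = f"delivered to {first['by']} over SMTP from {first['from']}"
    else:
        out["origin"] = f"relayed elsewhere: {first['from']} -> {first['by']}"
    return out
```

A message whose earliest hop is "with local" on your own hostname was submitted on the box itself and is where X-PHP-Script helps; one whose earliest hop is an outside address "by" your hostname arrived over SMTP from that address.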

Posted by treehstn, 12-08-2008, 03:05 PM
Isn't there some type of a server log that lists what scripts have been executed for a given time period?

Posted by larwilliams, 12-08-2008, 03:42 PM
Quote: Originally Posted by treehstn
Lar, Thanks for the help! I was able to turn on the mail headers and the tweak for "nobody". There were several other options in the tweak settings that I set also. I was also looking at this option but couldn't get it to work: http://httpd.apache.org/docs/2.0/mod/mod_status.html I really need to figure out if there really is a rogue script on the server or if I'm just being fooled by the spammer. And if there is a rogue script, how to find it!

I am not particular about that module, but in WHM, go to "Exim Configuration" and enable the following options:

ACL Options
- SpamAssassin(TM): Reject mail with a spam score greater than 10.0 at SMTP time.
- Attempt to block dictionary attacks
- Blacklist: Reject mail sent directly to addresses at the primary hostname from remote servers.
- Ratelimit: incoming SMTP connections that do not send QUIT, have recently matched an RBL, or have attacked the server.
- SpamAssassin(TM): Ratelimit hosts that transport messages with a spam score greater than 10.0.
- Require incoming SMTP connection to send HELO before MAIL
- Require incoming SMTP connection to send a HELO that does not appear to be forged
- Require incoming SMTP connection to send a HELO that does not match this server's local domains.
- Require incoming SMTP connection to send a HELO conforming to internet standard (RFC2821 4.1.1.1)

RBLs
- RBL: zen.spamhaus.org and rbl.spamcop.net
__________________
LCWSoft - Canadian web hosting (based in Newfoundland) | Uptime Report | lawrencewilliams (at) lcwsoft.com
