
Thread: Major email abuse... Need help tracking it down.

  1. #1
    Join Date
    Jan 2008
    Posts
    295

    Major email abuse... Need help tracking it down.

    My sister has an account on my server. I have made her DA password really complex (randomly generated) -- including upper case, lower case, numbers and special characters.

    I have setup DA to not use the MX records on the server because I have setup a Zimbra server that we use for email.

    At the beginning of October I received an email saying that 5626 emails were sent out. I immediately changed her password for the DA account including webmail. I changed the maximum emails to 500 per day.

    Now I'm still getting emails. Just got one today saying she sent 500 emails.

    I know that it is not possible for her to have sent them herself because she is the one that called me to give me the heads up that she received this email from my server first.

    Here are the stats from her DA account:
    Code:
    Date 	Apache 	Email 	Ftp 	Pop 	Imap 	DirectAdmin 	Other 	Total 	Email Deliveries (Sent)
    2012 10 08	759.4 MB	5.81 MB	0 B	0 B	0 B	0 B	0 B	765.3 MB	5361 (5361)
    2012 10 09	21.1 MB	98.5 KB	0 B	0 B	0 B	371 KB	0 B	21.5 MB	98 (98)
    2012 10 10	50.4 MB	14.0 KB	0 B	0 B	0 B	0.568 MB	0 B	51.0 MB	12 (12)
    2012 10 11	26.2 MB	5.48 KB	0 B	0 B	0 B	0 B	0 B	26.2 MB	5 (5)
    2012 10 12	17.5 MB	190 KB	0 B	0 B	0 B	211 KB	0 B	17.9 MB	181 (181)
    2012 10 13	18.1 MB	379 KB	0 B	0 B	0 B	0 B	0 B	18.5 MB	362 (362)
    2012 10 14	24.2 MB	5.55 KB	0 B	0 B	0 B	375 KB	0 B	24.6 MB	5 (5)
    2012 10 15	24.4 MB	5.48 KB	0 B	0 B	0 B	0 B	0 B	24.4 MB	5 (5)
    2012 10 16	32.5 MB	110 KB	0 B	0 B	0 B	0 B	0 B	32.6 MB	94 (94)
    2012 10 17	60.3 MB	498 KB	0 B	0 B	0 B	0 B	0 B	60.7 MB	456 (456)
    2012 10 18	58.6 MB	420 KB	0 B	0 B	0 B	0 B	0 B	59.0 MB	376 (376)
    total	1.07 GB	7.50 MB	0 B	0 B	0 B	1.50 MB	0 B	1.08 GB	6955 (6955)

    Could someone please help me figure out how these emails are getting sent out? I don't know where else to look.

  2. #2
    Join Date
    Aug 2008
    Posts
    4,697
    Read the logs and then you will know.

  3. #3
    Join Date
    Jan 2008
    Posts
    295
    Which logs and what am I looking for?

  4. #4
    Join Date
    Aug 2008
    Posts
    4,697
    /var/log/exim/mainlog

    You can see who is being emailed from that account.

    U= is the username sending the email.

    You can also look at /var/log/maillog or /var/log/mail.info and see who is logging in via pop3/imap.
    Last edited by scsi; 10-19-2012 at 10:22 AM.

  5. #5
    Join Date
    Jan 2008
    Posts
    295
    Okay, I have reviewed the logs but I'm not sure of the benefit in knowing "who" the emails were sent to. I know that it was spam and I know which account it is coming from. I'm not sure where it is coming from or how the abuser is gaining access to the account with such a complex password that has recently been changed.

    Is there a way to find out if someone has installed a script onto my server?

  6. #6
    Join Date
    Aug 2008
    Posts
    4,697
    That's why you have to go through the logs to see which IP it is coming from. The logs will tell you everything.

  7. #7
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    What software is used to build her site? Perhaps there's an exploit, and her site has been hacked.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  8. #8
    Join Date
    Jan 2008
    Posts
    295
    Joomla, it is an older version. I'm in the process of upgrading it but it is not ready yet.

    There is a comments component installed. I'm thinking this is the problem. There are a lot of spam comments in this comments component, so maybe these comments are sending out emails??

  9. #9
    Join Date
    Aug 2012
    Location
    everwhere
    Posts
    94
    The older version of any CMS may be the reason for what you are saying. Better you upgrade first and check that no one was sitting back by maintaining a backdoor, and after all those things watch whether the spamming is going out of your box or not.
    Flerovium Uranus
    Ready to Learn ...... Ready to Help......
    Discuss and learn is the best way to find new solutions
    If you learn 10 things in a day, think that 50 new things came in that day and I learned only 10; how slow I am, and this is the way to cover most.

  10. #10
    Join Date
    Apr 2007
    Posts
    243
    Quote Originally Posted by jim.thornton:
    Joomla, it is an older version. I'm in the process of upgrading it but it is not ready yet.

    There is a comments component installed. I'm thinking this is the problem. There are a lot of spam comments in this comments component, so maybe these comments are sending out emails??

    I guess you are using Joomla 1.5 with some installed extensions. Make sure you run the last version of 1.5 (upgrading to 2.5 would be better but more complex). And don't forget to update your extensions, because that would probably be the reason for sending spam (not Joomla itself but the installed extension, I guess). Also take a look at http://docs.joomla.org/Vulnerable_Extensions_List, that might be useful for you.

  11. #11
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Quote Originally Posted by jim.thornton:
    Okay, I have reviewed the logs but I'm not sure of the benefit in knowing "who" the emails were sent to. I know that it was spam and I know which account it is coming from. I'm not sure where it is coming from or how the abuser is gaining access to the account with such a complex password that has recently been changed.

    Is there a way to find out if someone has installed a script onto my server?

    Open /etc/exim.conf either via SSH or in the file editor in DirectAdmin and find the line:

    Code:
    log_selector = \
    Add after that line this code:

    Code:
      +arguments \
    Save and restart exim. From now on all arguments will be logged; they include the path to the script if an email is sent by a script. This will help you to find malicious scripts on your server.

    Then you might need to use eximstats to find top senders, top locations, top destinations and other info.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin
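As an added example (not code from this thread, from DirectAdmin or from Exim), here is a small Python parser that does what posts #4 and #11 describe, run over constructed mainlog lines: it counts `<=` message arrivals per local user (U=), per SMTP-auth id (A=) and per remote IP, and tallies the working directory recorded by the `+arguments` lines, so a burst of sends can be traced back to the directory of the script that called sendmail. The user names, paths, IPs and log lines are constructed samples, and the exact layout of the `+arguments` line is an assumption based on Exim's documentation.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim/mainlog lines (not real log data).
# "<=" marks a message arrival; U= is the local caller, H=/[ip] the remote
# host, A= the SMTP-auth id. The "cwd=... N args:" lines are what Exim writes
# once "+arguments" is added to log_selector (layout assumed from Exim docs).
SAMPLE_LOG = """\
2012-10-18 02:11:03 cwd=/home/sis/domains/example.com/public_html/components/com_comments 4 args: /usr/sbin/sendmail -t -i -fsis@example.com
2012-10-18 02:11:03 1TOx1v-0004Zz-Qa <= sis@example.com U=sis P=local S=2310 id=a1@example.com
2012-10-18 02:11:04 cwd=/home/sis/domains/example.com/public_html/components/com_comments 4 args: /usr/sbin/sendmail -t -i -fsis@example.com
2012-10-18 02:11:04 1TOx1w-0004a3-1b <= sis@example.com U=sis P=local S=2310 id=a2@example.com
2012-10-18 09:40:12 1TOyE9-0007Qm-Lp <= sis@example.com H=(mail.example.net) [203.0.113.25] P=esmtpa A=login:sis@example.com S=1802 id=b1@example.com
2012-10-18 09:41:00 1TOyEu-0007Rk-2c <= root@server.example.com U=root P=local S=640 id=c1@server.example.com
"""

ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+) (?P<rest>.*)$")
ARGS_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
FIELD_RE = re.compile(r"(?<!\S)([A-Z])=(\S+)")   # U=, H=, P=, A=, S= ...
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")      # remote host address

def summarize(log_text):
    """Count message arrivals per local user, auth id and remote IP, and
    tally the working directory of each sendmail call (+arguments lines)."""
    by_user, by_auth, by_ip, by_cwd = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = ARGS_RE.match(line)
        if m:                         # a script or cron job invoked sendmail
            by_cwd[m.group("cwd")] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if not m:                     # deliveries (=>), completions, etc.
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        if "U" in fields:             # local submission: U= is the caller
            by_user[fields["U"]] += 1
        if "A" in fields:             # SMTP AUTH: A= is authenticator:id
            by_auth[fields["A"]] += 1
        ip = IP_RE.search(m.group("rest"))
        if ip:
            by_ip[ip.group(1)] += 1
    return {"by_user": by_user, "by_auth": by_auth, "by_ip": by_ip, "by_cwd": by_cwd}

if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, counter.most_common(3))
```

A high count under a single cwd inside a site's public_html, with the same U= user on the matching `<=` lines, points at a script in that directory rather than at a stolen password; a high count under A= with many different IPs points at the credentials instead.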
