"DirectAdmin Client Message" Email - Scam/Real?

Recently I got this message, marked as spam by SpamAssassin.


Content analysis details: (5.4 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [91.219.194.3 listed in bb.barracudacentral.org]
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
2.0 DEAR_SOMETHING BODY: Contains 'Dear (something)'
2.0 BAYES_80 BODY: Bayes spam probability is 80 to 95% [score: 0.9215]
0.0 LOTS_OF_MONEY Huge... sums of money


from Andrew Lloyd <[email protected]>
 
Here is the page used to send out these new emails... it is the same as last time, only the host has changed: http://creativno.net/wp-content/plugins/sendme.php
And, yes, I got this new one too... so it's sent only to DA account holders.
They must be exploiting an exploit somewhere, maybe a 777 one, as I keep seeing this sendme.php file within directories that, if using mod_php, need 777 permissions.
 
Anyone warned the owner of creativno.net yet?
To be fair, it's none of our business, unless it bothers you, then:

organisation: ORG-BGCL1-RIPE
org-name: Best-Hoster Group Co. Ltd.
org-type: OTHER
address: 192029, Russia, Saint-Petersburg, ul.Tkachei, d.4, lit A, pom. 12
e-mail: michelin[@]best-hoster.ru
 
It's back, so they must have fixed/patched it (WordPress).

I doubt this sendme.php is just for this DA spam; if you search "sendme.php" in the big G, it is widely used in random directories for different scams.

I've now set up a crude daily bash script to find this file in /home/, then email me. I'm not sure of the legalities of searching customers' files, but it's better than being RBL'd.
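A scan along the lines of the daily script described above, as an added example rather than the poster's own code: it looks under a web-root tree for the sendme.php file named in the thread and for the world-writable (777) directories mentioned earlier, and exits non-zero on a hit so cron can mail the report. The path /home and the file name come from the thread; the function names and the report layout are assumptions.

```shell
#!/bin/sh
# Daily scan of customer web roots for a dropped sendme.php mailer and for
# world-writable directories, written for this thread (not the poster's script).

SUSPECT_NAME="sendme.php"   # file name seen in the spam run

# Print every regular file with the suspect name under $1, one path per line.
find_dropped_mailers() {
    find "$1" -type f -name "$SUSPECT_NAME" 2>/dev/null
}

# Print every world-writable directory under $1; when PHP runs as the web
# server user these are where a dropped mailer usually ends up.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Print a report for the tree under $1. Returns 0 when no suspect file was
# found and 1 otherwise, so a cron line only mails on hits, e.g.:
#   out=$(scan_report /home) || printf '%s\n' "$out" | mail -s "sendme.php found" root
scan_report() {
    root="$1"
    mailers=$(find_dropped_mailers "$root")
    wwdirs=$(find_world_writable_dirs "$root")
    printf 'Scan of %s at %s\n' "$root" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if [ -n "$mailers" ]; then
        # Triage each hit: owner, mtime and contents, since a legitimate
        # file could carry the same name.
        printf '\nSuspect mailer files:\n%s\n' "$mailers"
    fi
    if [ -n "$wwdirs" ]; then
        printf '\nWorld-writable directories:\n%s\n' "$wwdirs"
    fi
    [ -z "$mailers" ] && return 0
    return 1
}

# Run directly as: sh scan.sh /home
if [ -n "${1:-}" ]; then
    scan_report "$1"
fi
```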
 
@bartkob:

Please in the future do not save links in spam emails sent to the list. You should post by the reply button, not the quick reply, and choose to not convert links. Otherwise we may not bother to approve the post when blocked by the forum spamblock software.

@everyone:

Does anyone know with certainty if this particular email has anything to do with the DirectAdmin site compromise? Or is it just coincidentally happening at the same time? Why are you calling it DA spam?

Jeff
 
Does anyone know with certainty if this particular email has anything to do with the DirectAdmin site compromise? Or is it just coincidentally happening at the same time? Why are you calling it DA spam?
Well, I've never seen this spam email before this happened, this is why I call it DA spam - but it could be global, the email I use with JBMC is personal, only certain people know it.

The hackers may have sold our email addresses to someone, but I've never seen this type of spam email before the compromise.
 
Does anyone know with certainty if this particular email has anything to do with the DirectAdmin site compromise? Or is it just coincidentally happening at the same time? Why are you calling it DA spam?

Jeff

Received this copyright email only at my email address that I have registered with, and only with, DirectAdmin. It's only used for DA and the DA forums. It's the only email address I have that has received the email and until this and the earlier email has never been compromised with spam. Pretty well narrows it down for me.
 