SPAM problems.

IPaddress (Verified User, joined Feb 21, 2004, 86 messages)
Hi.
I'm running DirectAdmin 1.33.4 on CentOS release 5 (Final).
Looking at the Mail Queue Administration I've noticed some SPAM coming out of my server.
Some examples:
---------------------------------------------------------------
ID Time Size Sender Frozen Recipient(s)
...
1LySql-000774-1d 23h 1.6K <> no gamer@48vip63.com
1LyT5U-00089K-Ck 23h 1.6K <> no gamer@48vip63.com
1LyRpV-0002DJ-MY 24h 1.6K <> no gamer@48vip63.com
...
(The "Recipient(s)" changes every day).
---------------------------------------------------------------

One of the emails' details:
---------------------------------------------------------------
• E-Mail Headers
1LySql-000774-1d-H
mail 8 12
<>
1240846471 0
-ident mail
-received_protocol local
-body_linecount 29
-allow_unqualified_recipient
-allow_unqualified_sender
-localerror
XX
1
gamer@48vip63.com

152P Received: from mail by MY.SERVER.com with local (Exim 4.67)
id 1LySql-000774-1d
for gamer@48vip63.com; Mon, 27 Apr 2009 12:34:31 -0300
042 X-Failed-Recipients: swart@geowizards.com
029 Auto-Submitted: auto-replied
072F From: Mail Delivery System <Mailer-Daemon@MY.SERVER.com>
022T To: gamer@48vip63.com
059 Subject: Mail delivery failed: returning message to sender
061I Message-Id: <E1LySql-000774-1d@MY.SERVER.com>
038 Date: Mon, 27 Apr 2009 12:34:31 -0300

• E-Mail Body Chunk
1LySql-000774-1d-D
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

swart@geowizards.com
all relevant MX records point to non-existent hosts

------ This is a copy of the message, including all the headers. ------

Return-path: <gamer@48vip63.com>
Received: from localhost ([127.0.0.1])
by MY.SERVER.com with smtp (Exim 4.67)
(envelope-from <gamer@48vip63.com>)
id 1LySqk-000772-Oi
for swart@geowizards.com; Mon, 27 Apr 2009 12:34:31 -0300
Received: (tjbzhcvnu@localhost) by localhost (8.12.11.20060614) id n26yvze8od; Mon, 27 Apr 2009 12:34:29 -0300
Date: Mon, 27 Apr 2009 12:34:29 -0300
Message-Id: <200904271234.n26yvze8od@localhost>
To: swart@geowizards.com
Subject: Free Bonus for Casinos
From: gamer@48vip63.com
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

<font color="#8B0A50" size="4"><b><a href="http://noche-salon.com.ar/win.html">BEST CASINO</a></b></font>

• Log
2009-04-27 12:34:31 Received from <> R=1LySqk-000772-Oi U=mail P=local S=1638
2009-04-27 12:35:06 gamer@48vip63.com R=lookuphost defer (-1): host lookup did not complete
2009-04-28 05:12:23 gamer@48vip63.com R=lookuphost defer (-1): host lookup did not complete
---------------------------------------------------------------


Summing up...
From what I understand, the problem is this: a website of one domain on my server has a form with security problems (maybe some PHP form without CAPTCHA that is being exploited).
I've been reading a lot of Apache and Exim logs; however, I couldn't find any domain or any IP related to those emails.
This is REALLY difficult to resolve, because it's easy to resolve the SPAM problem (just deleting all those junk emails), however the form with the vulnerability is still around and I can't see it in all the domains because I have a lot of them!
Any ideas?

Thanks in advance.
Bye!

PS: Sorry for my poor English, I'm from Argentina.
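One way to hunt for the form, as an added example (not code from this thread, DirectAdmin or Exim): the spam above was injected over SMTP from 127.0.0.1 with no authentication, so correlating the Exim mainlog "<=" arrival lines for loopback-injected messages with POST requests logged by Apache in the seconds before each arrival points at the script and the client IP. All log lines, IPs and script paths below are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post): an Exim "<=" arrival
# line for the spoofed message, and Apache combined-log requests on the same host.
EXIM_LOG = """\
2009-04-27 12:34:29 1LySqk-000772-Oi <= gamer@48vip63.com H=localhost [127.0.0.1] P=smtp S=1638
2009-04-27 12:40:02 1LySwP-0007Aa-Kx <= user@example.com H=localhost [127.0.0.1] P=esmtpa A=login S=2048
"""
APACHE_LOG = """\
198.51.100.23 - - [27/Apr/2009:12:34:28 -0300] "POST /contact/send.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Apr/2009:12:39:10 -0300] "POST /guestbook.php HTTP/1.1" 200 300 "-" "Mozilla/4.0"
"""

EXIM_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) H=\S+ \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse_exim(text):
    """Yield dicts for message-arrival ("<=") lines; timestamps are naive local time."""
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            yield d

def parse_apache(text):
    """Yield dicts for combined-log requests; the %z offset is dropped to match Exim's local time."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield d

def suspect_forms(exim_text, apache_text, window=5):
    """Return (exim_id, envelope_sender, client_ip, script) for each unauthenticated
    loopback injection that arrived within `window` seconds after a POST."""
    posts = [r for r in parse_apache(apache_text) if r["method"] == "POST"]
    hits = []
    for msg in parse_exim(exim_text):
        # esmtpa means an authenticated submission (real user or stolen password),
        # not an anonymous web form; anything not from 127.0.0.1 is remote mail.
        if msg["ip"] != "127.0.0.1" or msg["proto"] == "esmtpa":
            continue
        lo = msg["ts"] - timedelta(seconds=window)
        for r in posts:
            if lo <= r["ts"] <= msg["ts"]:
                hits.append((msg["id"], msg["sender"], r["ip"], r["path"]))
    return hits
```

Feed it the contents of the Exim mainlog and each domain's Apache access log in turn; a hit names the script that was posted to and the IP that posted, which is where to look for the missing validation. Forms that send through PHP's mail() appear in Exim as P=local U=apache rather than as an SMTP arrival from 127.0.0.1, so that case needs the local-injection lines matched instead.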