Webserver Blacklisted ?!?!

[Tweak]

Hello, can someone tell me what to do, it seems that our webserver running Debian with Directadmin is blacklisted now. Where can i find the smtp log? its not exim/mainlog i think?
and how do i get our ip from the blacklist. now its not possible to send to hotmail adresses and more.

 

[floyd]

its not exim/mainlog i think?

You mean it is.

 

[Tweak]

Yeah, i already found it with exim, there where allot of messages waiting to be send... someone with a mail.php file that is being abused... but now how do i get of the blacklist?

 

[floyd]

You have to follow the directions of whatever blacklists you are on.

 

[LawsHosting]

Would be good to be able to disable mail() per domain by default, then enable it for people that ask or know they're tech savvy - I know it won't be any good if a site is compromised, but it could be useful.

I found this interesting article http://www.davelachapelle.ca/2009/08/05/php-mail-abuse/

I know this would be easy in PHP as CGI

 

[nobaloney]

From that article:

So, after a bit of searching, I decided to just add the following to each site’s .htaccess files:

php_admin_value sendmail_path "/dev/null"

It's a good quick fix as long as your user isn't sending the mail intentionally. Of course you can also make the setting change in a site-specific php.ini file if you're using them.

Jeff

 

[Tweak]

What the, its still sending spam :| i really dont get it i moved the mail.php file from his public to /home/user

and still there is spam being send?


web1:/home/user/public_html# cat /var/log/exim/mainlog | grep "domaincustomer" | grep "yahoo"
2010-03-03 19:54:07 1Nmthv-0007z7-Ag <= [email protected] H=localhost (www.domainuser.nl) [127.0.0.1] P=smtp S=760 [email protected] T="__(MEN'S HEALTH!)__" from <[email protected]> for [email protected]


?!?! how is is this possible... any idea how to trace the file?

that was not the only mail there allot of more.

Edit:

In his cg-bin folder i found some "strange" files to? i really dont know what it is, but it seems to connect to an smtp?

web1:/home/rest.../public_html/cgi-bin# ls
0149473177.pl 1369850438.pl 2223308405.pl 3278074576.pl 4096587683.pl 5118987555.pl 6983394532.pl 8043065090.pl 9376862427.pl
0198072822.pl 1598032145.pl 2372452954.pl 3414560372.pl 4378476837.pl 5164604612.pl 7093457570.pl 8099539420.pl 9400638440.pl
0712109293.pl 1628968207.pl 2484882274.pl 3460315616.pl 4481344873.pl 5514103331.pl 7566262008.pl 8318404272.pl 9414179644.pl
0752440773.pl 2037553322.pl 2538309976.pl 3832245847.pl 4495114980.pl 5661746056.pl 7715645337.pl 8375376788.pl 9550412823.pl
0996696766.pl 2060332563.pl 2558700647.pl 3840434450.pl 4897731522.pl 5987494921.pl 7806735242.pl 8731057684.pl 9719337400.pl
1138020095.pl 2137633408.pl 3216565113.pl 3878928943.pl 5101979718.pl 6476800741.pl 7866169826.pl 9023566219.pl
1170755314.pl 2180295571.pl 3220968952.pl 3941329732.pl 5111562660.pl 6861598451.pl 8013781734.pl 9284099353.pl


some text from one .pl file:

print "Server test\n";
print "-----------\n\n";
my $s = IO::Socket::INET->new(Proto => "tcp", LocalPort => 36000, Listen => SOMAXCONN, Reuse => 1);
unless ($s) { print "Error"; } else { close $s; print "Ok"; }
print "\n\n";

print "Client test\n";
print "-----------\n\n";
my $r = (gethostbyname "smtp.mail.ru")[4];
unless ($r) { print "Error > Can't resolve hostname"; exit; }
$s = IO::Socket::INET->new(Proto => "tcp", Type => SOCK_STREAM);
unless ($s) { print "Error > Can't create socket > $!"; exit; }
unless ($s->connect(pack ("Sna4x8", 2, 25, $r))) { close $s; print "Error > Can't connect > $!"; exit; }
$r = <$s>; close $s;
if (length $r) { print "Ok\n$r"; } else { print "Error > Can't read response"; }

 

[floyd]

Look for running processes connecting to foreign port 25

netstat -np

Kill the ones that should not be running.

 

[scsi]

If you know the user is doing it then just suspend the user and disable his account. If someone hacked his account or found a way to exploit it then you have more digging to do.

You can disable execution of perl, but you should find out why those files are there in the first place.

 

[Tweak]

I removed the .pl files etc, and turned CGI off on his account, and PHP acces to. it seems it is stopped now... and i found how to get off the blacklist, but there is only 1 thing i dont know how... people cant send mail to hotmail anymore (blacklisted to i think..) and to kpn.blackberry.com but i cant find where to ask removal?

someone that can tell me how?

 

[scsi]

http://postmaster.hotmail.com/

I have no clue for blackberry where their abuse site is.

 

[nobaloney]

There are at least two circumstances under which your server could still be sending email even after you've done things like suspend the user and even remove the .pl files:

1) files may be running in memory; you'll need to find them (man ps) and kill them.

2) files may be still queued and therefore retried every few minutes.

Make sure these issues are resolved before asking for removal from blocklists, or you'll be added again, and next time they won't be so quick to reinstate you.

Jeff

 

[Tweak]

EH thnx scsi, allot of stupid story's on that page but where to ask for unblock eh?

Ehm, it stopped already jlasman... and i already checked for running processes nothing wrong