Unusual e-mail activity from my account
Blummer
Just received this message in my control panel telling me my account has just finished sending 200 emails (!!!!!!!!!!!!!!). It also says - "There could be a spammer, the account could be compromised, or just sending more emails than usual".

Also:

Quote:
After some processing of the /etc/virtual/usage/blummer.bytes file, it was found that the highest sender was blummer(at)host.frihost.org, at 201 emails. The top authenticated user was blummer, at 201 emails.


This is really a big surprise for me. I have never used this particular e-mail address manually. Also - I tried to log into this account - no luck, with any of the passwords I use. And I have never used my hosting account for spamming. Wonder what to do now... Looks like unusual activity and I don't want my account to be shut. Mad
deanhills
I've e-mailed Bondings. Hope he'll see it.

In the meanwhile, what script are you using for your Website? What version is it? Is the script up to date?

What is the Website name?

Have the following suggestions:

1. Make a backup of your Website and save it to your hard disk. Just in case it is going to be suspended, and before trying to fix anything.

2. If you haven't tried this already, try and delete your e-mail account in DirectAdmin:
http://www.ipserverone.info/control-panel/how-to-delete-email-account-in-directadmin/

3. If that is not possible try to delete the e-mail account in FileZilla.

4. Change all of your passwords with really solid ones.
Blummer
Thank you for your assistance, deanhills. I'll try to explain further:

1. Backing up the site now.
2. There are two automatically created "blummer@domainnames" in my control panel - I host two separate domains on my account and both of these e-mail accounts were just automatically created during the domain addition process. I'm unable to log into any of those (however hard I try recalling any of the passwords I used in the past years inc. the ones I use with the hosted domains/e-mails). Furthermore - when I try deleting any of the e-mail accounts in DirectAdmin, the system tells me, blummer(at)domainname is linked to my system account - and I'm unable to delete it.
3. I'll try to change the password to everything hosted, but here comes another issue - the one I already mentioned - "blummer(at)host.frihost.org" (the one that sent the e-mails automatically) is out of my reach, I'm unable to log into this one. And it is also unlisted in my control panel (it was only the system message that informed me about this e-mail account).

Really confused with all this... Rolling Eyes
deanhills
Is it possible to remove the two domains from your account? I.e., I assume they are add on domains? Can you delete the add on domains?

Otherwise, can you access the domains through FTP like FileZilla? That may be another way to remove the domains and their folders.

Idea is to remove the domains from your hosting account, and then to reinstall them with new passwords so you can get control back.
Blummer
deanhills wrote:
Is it possible to remove the two domains from your account? I.e., I assume they are add on domains? Can you delete the add on domains?


Thank you. I'd do that, but as I said - the spammy e-mail does not belong to any of them, it is tied to host.frihost.org, at least based on the report. Which is also why I don't personally see any use of deleting the domain folders.
deanhills
Aha, I thought you said you were unable to log into your two domains. OK, now I get it: you're able to get into the domains, but not the e-mail accounts, by reason of not being able to remember the passwords. Smile

Do you think the spam e-mails could have been triggered by a php script from your domains? What scripts are you using? Are you using Joomla? Is it up to date? Found the article below that provides clues of what to look for and how to fix the problem. The example shows contact forms, but it probably could easily refer to any other vulnerability - it may give you a clue where to look - particularly since the symptoms look the same as yours:

Quote:
If you happen to have installed Joomla based website and setup a contact form and everything worked fine until recently but suddenly the server starts mysteriously acting as a spam relay – even though email server is perfectly secured against spam.
You probably have some issue with a website email contact form hacked or some vulnerability which allowed hackers to upload spammer php script.

http://pc-freak.net/blog/joomla-disable-email-copy-message-address-stop-contact-form-spam-emails-joomla/
Blummer
I'm using Wordpress on both of the domains. I'll have a look, thank you for this link. If that's another and obvious solution, I'll try to start everything from scratch, i.e. reinstall the CMS.
deanhills
Blummer wrote:
I'm using Wordpress on both of the domains. I'll have a look, thank you for this link. If that's another and obvious solution, I'll try to start everything from scratch, i.e. reinstall the CMS.
Probably a good idea to do that with brand new passwords that are unhackable. Try and get the WordPress so it upgrades automatically. Also suggest you load WordFence and BruteForce plugins for security. They are both available in the WordPress Plugin section. I've been using them for two years and wish I'd known about them before.

I'm worried about disk space running out though. Crystalkey seems to have the same problem. I've written to Bondings again. Only Bondings can go into Server 4 and delete those pesky system spam mails - then possibly :blackhole: or :fail: the accounts so the spam mails stop. Between you updating the script fresh - and hopefully getting rid of a php script that may be responsible for the problem and Bondings mopping up the debris, it can sort all of it out.
Blummer
Ah I just saw that old thread, concerning the same issue.

Quote:
Also suggest you load WordFence and BruteForce plugins


I had Wordfence in the past. I just wonder about the server load, I hope it won't be too high with these two plugins.

Again, hoping Bondings will respond one of these days. Not without your help. Wink In the meantime I will at least reinstall the scripts.
deanhills
Blummer wrote:

I had Wordfence in the past. I just wonder about the server load, I hope it won't be too high with these two plugins.
I'm not aware of any extra load with WordFence. But yes, if you're maxing out on your disk space that is probably a risk.

I'm hopeful about Bondings too. Smile
Aredon
So I just happened to drop in and check on my site today. I haven't been terribly active on these forums but it appears that my email account (which I haven't touched in easily two years) has been sending 500 messages every day or so. I have changed the passwords on these accounts, but no new scripts or files have been added to my site in easily four or five years. I hate to say it, but there's a chance the server is compromised.

Sorry! It appears to have started in May sometime.
deanhills
Aredon wrote:
So I just happened to drop in and check on my site today. I haven't been terribly active on these forums but it appears that my email account (which I haven't touched in easily two years) has been sending 500 messages every day or so. I have changed the passwords on these accounts, but no new scripts or files have been added to my site in easily four or five years. I hate to say it, but there's a chance the server is compromised.

Sorry! It appears to have started in May sometime.

Hi Aredon. Can you please do all of us a HUGE favour and shut down your hosting account. Not sure how DirectAdmin works as I'm a cPanel user, but is there any way you can disable your system mail account? Or create a situation that could automatically get your hosting account suspended?

Your system mail account must have been compromised, probably through an out of date script. Could be the perpetrators found a way to take control of your e-mail box through phpBB. Which version of phpBB are you on? Is it up to date? As what you describe is a well known occurrence, which is why up to date scripts these days aren't a luxury any longer, but a necessity.

Problem is that if there are huge spam mails coming from your e-mail box, then Spamhaus is going to blacklist the IPs of Server 2, which are the same ones for our Forum. I don't know where Bondings is, but this could have serious consequences for all of us. Not only for your account. I've written an e-mail to Bondings and hope he will read it, but in case he does not, can you please remove everything that is in your account that you possibly can and find a way to disable your system mail box by creative means - i.e. so that it would break the hacker script and stop the flood of spam mail.

Your Website seems to be OK as I checked for malware. But of course the script must be badly out of date. By way of an alternative, I can arrange that you get hosting space on Server 1, but only with an up to date script of phpBB, and only if you undertake to be active and keep the script up to date. Which could turn out to be a challenge for you as phpBB has made a major departure from Version 2.0 to version 3.0 and especially from 3.0 to 3.1.6.
Aredon
deanhills wrote:

Hi Aredon. Can you please do all of us a HUGE favour and shut down your hosting account. Not sure how DirectAdmin works as I'm a cPanel user, but is there any way you can disable your system mail account? Or create a situation that could automatically get your hosting account suspended?


I have suspended all but the administrator email account as that's all I have the ability to do. I would prefer not to get my hosting account suspended.

Quote:

If your main domain is not a Frihost sub-domain, could you try and remove the frihost name servers from the domain at the domain registrar? I'm hoping if you can disable the domain you would be able to disable your system mail account at the same time and stop the flood of spam mails from your system mail account.


I don't believe I have the power to do that, but I will try.

Quote:

Your system mail account must have been compromised, probably through an out of date script. Could be the perpetrators found a way to take control of your e-mail box through phpBB. Which version of phpBB are you on? Is it up to date? As what you describe is a well known occurrence, which is why up to date scripts these days aren't a luxury any longer, but a necessity.


The part about phpBB seems unlikely to me. New accounts have been locked down for the better part of 4 years, and all the scripts and modifications to phpBB were written by me. I know each one of the users that do exist on the forum personally, and I'm pretty dang confident in the security of my code. The version is currently: 3.0.7-PL1, but I have no intention of updating unless a specific vulnerability is found that caused this issue. Again, sorry. A great deal of my changes would be deleted with an update since I used phpBB as a construct. I do intend to rework things at some point, but I lack the time these days and I can't promise when that will be.

Quote:

Problem is that if there are huge spam mails coming from your e-mail box, then Spamhaus is going to blacklist the IPs of Server 2, which are the same ones for our Forum. I don't know where Bondings is, but this could have serious consequences for all of us. Not only for your account. I've written an e-mail to Bondings and hope he will read it, but in case he does not, can you please remove everything that is in your account that you possibly can and find a way to disable your system mail box by creative means - i.e. so that it would break the hacker script and stop the flood of spam mail.


I'll dig through my custom scripts tomorrow sometime and disable what I can. Unfortunately my evening is booked up. I'm kind of going out of my way to reply here because I love you guys. Very Happy

Quote:

Your Website seems to be OK as I checked for malware. But of course the script must be badly out of date. By way of an alternative, I can arrange that you get hosting space on Server 1, but only with an up to date script of phpBB, and only if you undertake to be active and keep the script up to date.

I appreciate that but it won't be necessary. While my users do occasionally drop by to touch base, I'm not incredibly concerned with parts of the site being nonfunctional due to whatever email problems there are. Email accounts can be locked down for now, no worries.

Code:

The top sending host was 46.160.67.145, at 339 emails (67%).

The most common path that the messages were sent from is /, at 854 emails (170%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

This warning was generated because the 500 email threshold was hit.


Some Observations:
- The IPs keep shifting (probably botnet or proxy)
- The path is root level

I don't believe phpBB itself is compromised or I'd expect to see someone mailing through phpBB's mail script. My hunch as a programmer is that someone obtained access to SMTP information and is throwing a botnet at it.

Hope this helps, sorry if I'm being difficult about some things. I want to help but I also want to resist change. xD
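The reasoning Aredon applies to the DirectAdmin warning above (system path plus shifting source IPs points at abused SMTP credentials rather than a web script) can be written down as a small parser and classifier. The code below is an added example, not part of the thread and not DirectAdmin's own code; the sample text is the warning quoted in the post, reassembled, and the assumption that user home directories live under /home/ is mine. It also checks a detail the thread leaves implicit: the 67% and 170% figures only add up if the report measures them against the 500-message threshold, not against the total sent.

```python
import re
from dataclasses import dataclass

# Constructed sample: the DirectAdmin "unusual e-mail activity" warning quoted
# in the thread, reassembled as one text block.
SAMPLE_WARNING = """\
The top sending host was 46.160.67.145, at 339 emails (67%).

The most common path that the messages were sent from is /, at 854 emails (170%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

This warning was generated because the 500 email threshold was hit.
"""

HOST_RE = re.compile(r"top sending host was (.+?), at (\d+) emails \((\d+)%\)")
PATH_RE = re.compile(r"most common path that the messages were sent from is (.+?), at (\d+) emails \((\d+)%\)")
THRESHOLD_RE = re.compile(r"because the (\d+) email threshold was hit")


@dataclass
class MailWarning:
    top_host: str
    host_count: int
    host_pct: int
    path: str
    path_count: int
    path_pct: int
    threshold: int


def parse_warning(text: str) -> MailWarning:
    """Pull the three facts out of the warning; raise if the layout differs."""
    host, path, thr = HOST_RE.search(text), PATH_RE.search(text), THRESHOLD_RE.search(text)
    if not (host and path and thr):
        raise ValueError("text is not a recognised DirectAdmin mail-threshold warning")
    return MailWarning(
        top_host=host.group(1), host_count=int(host.group(2)), host_pct=int(host.group(3)),
        path=path.group(1), path_count=int(path.group(2)), path_pct=int(path.group(3)),
        threshold=int(thr.group(1)),
    )


def percentages_relative_to_threshold(w: MailWarning) -> bool:
    """True when the report's percentages are the counts over the threshold
    (integer division), which is the only base that yields 67% and 170%."""
    return (w.host_count * 100 // w.threshold == w.host_pct
            and w.path_count * 100 // w.threshold == w.path_pct)


def is_user_path(path: str) -> bool:
    # Assumption: user home directories on this host live under /home/<user>.
    return path.startswith("/home/")


def classify(w: MailWarning, hosts_in_recent_reports=()) -> dict:
    """Decide whether the flood looks like a web script or abuse of SMTP
    credentials, following the warning text and the reasoning in the thread."""
    reasons, actions = [], []
    if is_user_path(w.path):
        verdict = "web-script"
        reasons.append(f"sending path {w.path} is inside a user home: a script in the site is sending")
        actions += ["inspect recently modified PHP files under that path", "update or reinstall the CMS"]
    else:
        verdict = "smtp-auth"
        reasons.append(f"sending path {w.path} is a system path: mail was submitted over authenticated SMTP")
        actions += ["change or suspend the mailbox credentials", "review SMTP auth logs for the top host"]
    distinct = set(hosts_in_recent_reports) | {w.top_host}
    if len(distinct) > 1:
        reasons.append(f"{len(distinct)} distinct sending hosts across reports: consistent with a botnet or proxies using one stolen credential")
    if w.path_count > w.threshold:
        reasons.append(f"{w.path_count} messages exceed the {w.threshold} threshold by {w.path_pct - 100}%")
    actions.append("check the server's outbound IPs against a DNS blocklist")
    return {"verdict": verdict, "reasons": reasons, "actions": actions}


if __name__ == "__main__":
    warning = parse_warning(SAMPLE_WARNING)
    print("percentages are relative to the threshold:", percentages_relative_to_threshold(warning))
    result = classify(warning, ["46.160.67.145", "198.51.100.7"])
    print("verdict:", result["verdict"])
    for line in result["reasons"] + result["actions"]:
        print("-", line)
```

The second host passed to classify is a constructed value standing in for an earlier report; in practice you would feed in the top host from each day's warning so the "IPs keep shifting" observation is made from data rather than from memory.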
Aredon
Also, I will let you know if the DirectAdmin warnings persist tomorrow after disabling the email accounts. (Currently it looks like they stopped October 30th)
deanhills
Aredon wrote:
Also, I will let you know if the DirectAdmin warnings persist tomorrow after disabling the email accounts. (Currently it looks like they stopped October 30th)
Thanks for responding so fast. I really like your Website! Didn't realize you constructed it bottom up yourself. And that parts have been locked down. Good for you!

And yes, it would be great if you could keep in touch.

Let's cross fingers Bondings responds. But I'm almost certain if he does, your hosting account will be suspended so I suggest you make a serious backup as soon as you can. (You probably already have Razz)

BTW if you check with the DNS inspector, there are two old IPs mixed in with the new ones that aren't situated at the Data Center. They somehow got mixed in. They're making the DNS propagate less than perfect. Some of the older Frihost members of 2006/7 also lost access to their DirectAdmin as a consequence as their logins are with those old IPs. Technically those IPs don't exist and are left behind somewhere in cyber space in the US where our Data Center used to be before. The migration to our current Data Center in Germany happened during 2014, Bondings had to fix some leftover details and never quite got to fixing those. He must be as busy as you are! Razz

You can check how frih.net propagates here:
http://www.dnsinspect.com/

I checked up on the two old IPs:
64.120.224.220
64.120.224.221

This is where they are floating around these days (our current Data Center is situated in Germany):

Continent: North America
Country: United States us flag
State/Region: Delaware
City: Wilmington
Latitude: 39.7157 (39° 42′ 56.52″ N)
Longitude: -75.5281 (75° 31′ 41.16″ W)
Postal Code: 19801

BTW if you are interested in Frihost history with the migration, this may give you an idea of what had happened. Bondings got us out in a nick of time:
http://www.frihost.com/users/deanhills/blog/vp-158925.html
Aredon
deanhills wrote:
Thanks for responding so fast. I really like your Website! Didn't realize you constructed it bottom up yourself. And that parts have been locked down. Good for you!
Well you know, I try. Cool

Quote:

Let's cross fingers Bondings responds. But I'm almost certain if he does, your hosting account will be suspended so I suggest you make a serious backup as soon as you can. (You probably already have Razz)
I don't think I have any recent backups but I can probably arrange one tonight or tomorrow. Why exactly would my hosting be suspended? D:

I'm actually familiar with the server migration! I still lurk around these parts, just not usually much for me to add. This seemed like a good time to chime in!

Also, neither of those IPs were listed in the mail warnings. I'll see about getting a list over lunch.
deanhills
Aredon wrote:
I'm actually familiar with the server migration! I still lurk around these parts, just not usually much for me to add. This seemed like a good time to chime in!

Also, neither of those IPs were listed in the mail warnings. I'll see about getting a list over lunch.
Well there must be a miracle at work here then. As no other reports have been received, AND better yet, the two IPs associated with Server 2 are squeaky clean. I just checked them with Spamhaus.

With regard to suspension, I've seen Admin suspending accounts for spam mail coming from the system account as that is the quickest way to end the spam. The only way really. Very rarely that they will check further. Particularly for free hosting accounts.

Yours couldn't have been as bad as it sounded though as otherwise we'd have been in trouble a long time ago and people wouldn't have been able to receive mail through Server 2, due to the IPs being blacklisted.

It's pretty amazing these days how quickly places like Spamhaus are picking up on those type of spam mails. But they're lenient with false positives for the first three occurrences.
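The Spamhaus check deanhills describes is a DNS lookup: the IP's octets are reversed, the blocklist zone is appended, and the answer (if any) is a 127.0.0.x code naming the list that holds the address. The code below is an added example, not part of the thread; the two IPs are the ones quoted earlier in it, the zone name and return codes are Spamhaus's published ones, and only the lookup function needs network access. Queries sent through large public resolvers are refused by Spamhaus with a 127.255.255.x code, so the interpreter reports that case separately instead of treating it as a listing.

```python
import ipaddress
import socket

# Constructed sample: the two old Frihost IPs mentioned earlier in the thread.
SAMPLE_IPS = ["64.120.224.220", "64.120.224.221"]
ZONE = "zen.spamhaus.org"

# Return codes documented for Spamhaus ZEN.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Codes meaning the query itself was rejected, not that the IP is listed.
REFUSAL_CODES = {
    "127.255.255.252": "query refused: malformed query",
    "127.255.255.254": "query refused: sent via a public or open resolver",
    "127.255.255.255": "query refused: resolver over its query limit",
}


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL name: octets reversed, then the zone (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer):
    """Translate the A-record answer (or None for NXDOMAIN) into a verdict."""
    if answer is None:
        return "not listed"
    if answer in REFUSAL_CODES:
        return REFUSAL_CODES[answer]
    return ZEN_CODES.get(answer, f"listed, unknown code {answer}")


def lookup(ip: str, zone: str = ZONE):
    """Live DNS query; returns the answer address or None when the name does not exist."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(ip, "->", dnsbl_query_name(ip), "->", interpret(lookup(ip)))
```

A "not listed" result only says the IP is absent from that one zone at that moment; a server whose system mailbox is still sending spam can be added later, which is why the thread treats stopping the flood as more urgent than the lookup itself.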
© 2005-2011 Frihost, forums powered by phpBB.