spoofing / spam / qmail?

I just had a major problem this morning.

A spammer sending out fraudulent Chase Card Services emails this morning somehow utilized my cluster manager to send out at least 2000 emails that I’m aware of, with about 616 still sitting in the remote queue.

I have since disabled double bouncebacks on the mail server (my admin account had around 2000 emails this morning from bouncebacks).

I’ve also shut off smtp inbound and outbound (this server is used only for internal web site testing, no clients, or email.)

Is this a case of spoofing and the default of double bounceback being on allowing for the spam to be relayed through the server? I’ve already had one spam complaint, the headers make it appear exactly as if my server sent the message out.

We’ve been seeing this quite a bit lately on the shared hosting side of things. 99% of the time, the cause is a security hole in some piece of software installed on an account (phpBB, coppermine, etc). The best thing to do to keep this from happening is to make sure that all your software is up to date with the latest version released by the company who makes it. And if only 2000 were sent, you got lucky. We’ve seen instances of 50-200k queued. Luckily, they were removed before going out :smiley:

I found where the scripts were setup.

In /tmp.

-rw------- 1 iworx iworx 627 Mar 16 08:10 chase
-rw------- 1 iworx iworx 620 Mar 16 07:59 chase1
-rw------- 1 iworx iworx 628 Mar 16 08:02 chase2
-rw------- 1 iworx iworx 614 Mar 16 08:01 chase3
-rw------- 1 iworx iworx 629 May 5 06:30 chase4
-rw------- 1 iworx iworx 625 May 5 06:35 chase5
-rw------- 1 iworx iworx 724 Apr 22 2005 ini.inc
-rw------- 1 iworx iworx 216257 May 5 10:57 list.txt
-rw------- 1 iworx iworx 629 Mar 16 08:11 paypal.php
-rw------- 1 iworx iworx 2881 May 5 07:02 test.txt

Going through the logs… possibly Horde or phpMyAdmin were exploited on May 3rd and 5th.

FusionHosting, what version of InterWorx are you running? There was a Horde exploit, for which we released version 2.1.3 on April 15th.

Paul

That could be it, my cluster manager is running 2.1.2

The update page never has listed any updates, or auto updated. This was a custom build by chris though for my 64bit os.

Going through the logs, it’s obvious the phisher was rotating through various scripts like phpadsnew, ads, horde, phpbb, etc.
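A small log-triage helper for the kind of search described in the post above, added here as an example; it is not code from the thread or from InterWorx. The log lines are constructed Apache combined-format samples, and the application names are the ones the post lists; a single source IP hitting several of them is the "rotating through scripts" pattern.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2006:04:12:01 -0400] "POST /horde/services/go.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [03/May/2006:04:12:09 -0400] "GET /phpMyAdmin/index.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.7 - - [05/May/2006:06:29:50 -0400] "POST /phpAdsNew/admin/index.php HTTP/1.1" 200 118 "-" "Mozilla/4.0"
198.51.100.9 - - [05/May/2006:06:35:12 -0400] "POST /phpBB2/viewtopic.php HTTP/1.1" 200 94 "-" "Mozilla/4.0"
198.51.100.20 - - [05/May/2006:10:57:33 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Web applications the thread names as the ones the phisher rotated through.
# Order matters: "phpadsnew" must be tested before the shorter "ads".
WATCHED_APPS = ("horde", "phpmyadmin", "phpbb", "phpadsnew", "ads")


def app_for_path(path):
    """Return the watched application a request path belongs to, or None."""
    first = path.lower().lstrip("/").split("/", 1)[0]
    for app in WATCHED_APPS:
        if first.startswith(app):
            return app
    return None


def triage(log_text):
    """Group hits on watched apps by source IP: apps touched, POST count, first/last seen."""
    hits = defaultdict(lambda: {"apps": set(), "posts": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        app = app_for_path(m["path"])
        if app is None:
            continue  # ordinary site traffic
        rec = hits[m["ip"]]
        rec["apps"].add(app)
        if m["method"] == "POST":
            rec["posts"] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(hits)


def suspicious_sources(log_text, min_apps=2):
    """IPs that touched at least min_apps different watched applications."""
    return sorted(ip for ip, r in triage(log_text).items() if len(r["apps"]) >= min_apps)
```

Point it at the real access log and compare the first/last timestamps against the modification times of the files found in /tmp to narrow down which application was used on which day.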

Ok. We’ll have to figure out what’s preventing your server from updating. If you open a support ticket with your server login info we’d be happy to help figure it out and get you updated.

Paul

Ok, ticket created, forgot the subject and some fields got messed up. Needless to say it is RHES4 64bit. Let me know if the password was lost in the refresh.