rwh

How is this happening?


Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?

209.120.238.244 209.120.238.245 209.120.238.246 209.120.238.247

Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them.

How can I stop this?

Any help would be appreciated.

> Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?
>
> 209.120.238.244 209.120.238.245 209.120.238.246 209.120.238.247
>
> Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them.
>
> How can I stop this?
>
> Any help would be appreciated.

Assigned or not (whatever that means) they're hacked. Probably SMTP/Auth. See FAQ. In the meantime disconnect the servers from the internet as the hackers have more control over them than you do.

> Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?
>
> 209.120.238.244 209.120.238.245 209.120.238.246 209.120.238.247
>
> Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them.
>
> How can I stop this?
>
> Any help would be appreciated.

All the IP addresses you listed are active and route to a single Linux box. The box has a lot of ports exposed, several of which should be firewalled:

PORT     STATE SERVICE
1/tcp    open  tcpmux
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
26/tcp   open  unknown
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
873/tcp  open  rsync
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
6666/tcp open  irc-serv
8009/tcp open  ajp13
8080/tcp open  http-proxy

The box also has SMTP AUTH enabled, though I wasn't able to find a weak password. This doesn't mean that there isn't one, just that I couldn't find one.

The box in question hosts at least the following domains:

thebasscapital.com

physicalenhancement.com

Personal guess: You have a client on the box that is a spammer. Yipes has a long history of hosting spammers.


In addition to all the above, I'm not sure yet what you mean by "not assigned" ... all share the same "access" point via a traceroute:

64.200.232.201 RTT: 47ms TTL:128 (IPP-dllstx9lce1-pos5-0.wcg.net bogus rDNS: host not found [authoritative])

64.200.226.118 RTT: 49ms TTL:128 (dllstx9lce1-yipes.wcg.net bogus rDNS: host not found [authoritative])

66.7.164.66 RTT: 91ms TTL:128 (No rDNS)

209.120.238.244 RTT: 60ms TTL: 47 (dorothea.rwhmax.net fraudulent rDNS)

209.120.238.245 RTT: 52ms TTL: 47 (thebasscapital.com ok)

209.120.238.246 RTT: 49ms TTL: 47 (physicalenhancement.com ok)

209.120.238.247 RTT: 52ms TTL: 47 (dorothea.rwhmax.net fraudulent rDNS)

10/30/04 11:14:51 Browsing http://209.120.238.244/

Fetching http://209.120.238.244/ ...

GET / HTTP/1.1

Host: 209.120.238.244

<TITLE>cPanel</TITLE>

209.120.238.244 listed in bl.spamcop.net (127.0.0.2)

SpamCop users have reported system as a source of spam less than 10 times in the past week

DNS error: 209.120.238.244 is dorothea.rwhmax.net but dorothea.rwhmax.net is 209.120.238.243 instead of 209.120.238.244

10/30/04 11:16:54 Browsing http://209.120.238.245/

Fetching http://209.120.238.245/ ...

GET / HTTP/1.1

Host: 209.120.238.245

<title>The Bass Capital.com. A PHP-Nuke Powered Site </title>

209.120.238.245 not listed in bl.spamcop.net

10/30/04 11:17:54 Browsing http://209.120.238.246/

Fetching http://209.120.238.246/ ...

GET / HTTP/1.1

Host: 209.120.238.246

HTTP/1.1 302 Found

209.120.238.246 listed in bl.spamcop.net (127.0.0.2)

SpamCop users have reported system as a source of spam less than 10 times in the past week

10/30/04 11:18:57 Browsing http://209.120.238.247/

Fetching http://209.120.238.247/ ...

GET / HTTP/1.1

Host: 209.120.238.247

<TITLE>cPanel</TITLE>

209.120.238.247 listed in bl.spamcop.net (127.0.0.2)

SpamCop users have reported system as a source of spam less than 10 times in the past week

DNS error: 209.120.238.247 is creativewebx.com. but creativewebx.com. is 69.93.241.198 instead of 209.120.238.247
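The "DNS error" and "listed in bl.spamcop.net (127.0.0.2)" lines above come from two checks: forward-confirmed reverse DNS (does the PTR name resolve back to the same address?) and a DNSBL query (reverse the octets, append the zone, treat a 127.0.0.x answer as listed). The following added Python example (not from the thread and not SpamCop's own tooling) implements both against constructed in-memory records that mirror the addresses quoted in this post; the `resolve_ptr`/`resolve_a` callables are assumptions so it runs offline and can be swapped for a real resolver.

```python
import ipaddress

# Constructed records standing in for the resolver. The PTR/A pairs below
# mirror the traceroute and "DNS error" lines quoted in the thread; the
# 66.7.164.66 entry is missing on purpose to model the "(No rDNS)" case.
PTR = {
    "209.120.238.244": "dorothea.rwhmax.net",
    "209.120.238.245": "thebasscapital.com",
    "209.120.238.246": "physicalenhancement.com",
    "209.120.238.247": "creativewebx.com",
}
A = {
    "dorothea.rwhmax.net": ["209.120.238.243"],
    "thebasscapital.com": ["209.120.238.245"],
    "physicalenhancement.com": ["209.120.238.246"],
    "creativewebx.com": ["69.93.241.198"],
    # constructed DNSBL answer for the one address the post shows as listed
    "244.238.120.209.bl.spamcop.net": ["127.0.0.2"],
}


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build the blocklist query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, resolve_a=lambda n: A.get(n, []), zone="bl.spamcop.net"):
    """True when the zone answers with any 127.0.0.x address (127.0.0.2 above)."""
    answers = resolve_a(dnsbl_name(ip, zone))
    return any(addr.startswith("127.0.0.") for addr in answers)


def fcrdns(ip, resolve_ptr=PTR.get, resolve_a=lambda n: A.get(n, [])):
    """Forward-confirmed reverse DNS. Returns (status, detail) where status is
    'ok', 'mismatch' (the thread's "fraudulent rDNS") or 'no-rdns'."""
    name = resolve_ptr(ip)
    if not name:
        return "no-rdns", f"{ip} has no PTR record"
    forward = resolve_a(name)
    if ip in forward:
        return "ok", f"{ip} is {name} and {name} is {ip}"
    shown = ", ".join(forward) if forward else "nothing"
    return "mismatch", f"{ip} is {name} but {name} is {shown} instead of {ip}"


if __name__ == "__main__":
    for ip in ["209.120.238.244", "209.120.238.245", "66.7.164.66"]:
        print(ip, "listed" if dnsbl_listed(ip) else "not listed", *fcrdns(ip))
```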


Hello,

> All the IP addresses you listed are active and route to a single Linux box. The box has a lot of ports exposed. Several of which should be firewalled:

Yes, that's correct, all the IPs are routed to the same Linux box, however the MTA is configured to send out mail from just one IP address. We have only the necessary ports open, none of the unwanted ports are opened.

Why would all the IPs be blacklisted on the server? Usually the IP that would be responsible for sending spam mails would be blacklisted, is that correct?

We run on a shared hosting environment and use a cPanel-based server. The MTA is exim and exim is configured to send mails only from the main IP. The additional IPs will not be involved in spamming by any chance.

My suspicion is that PHP-Nuke's webmail module might be causing the problem. Any feedback is appreciated.

Regards


At the time of my last posting, the three listed IPs were there based on actual spam complaints (as compared to spamtrap hits, usually indicative of an SMTP/AUTH hack) .. but note that those "evidence" pages haven't been real-time in ages due to spammer abuse/exploitation.

209.120.238.244 not listed in bl.spamcop.net

209.120.238.245 listed in bl.spamcop.net (127.0.0.2)

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam about 10 times in the past week

209.120.238.246 listed in bl.spamcop.net (127.0.0.2)

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

209.120.238.247 not listed in bl.spamcop.net

So now one can say oooppps! Two IPs unlisted, one IP added, and now there is mention of spamtrap hits.

SenderBase stuff http://www.senderbase.org/?searchBy=ipaddr...209.120.238.246

Report on IP address: 209.120.238.246

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.7         38695%
Last 30 days    2.3         1328%
Average         1.2

I don't see the need to go researching the rest of your IP situation. Your systems are compromised, end of story. If this thing is actually under your control, it might be wiser to disconnect it soon, before this spew gets you listed on many other BLs that aren't as easy to get off of as the one at SpamCop.

> Your systems are compromised, end of story

This was the problem; we have found it, and the entire system was not compromised!

http://forums.realwebhost.net/showthread.php?t=92907

We have also enabled this:

SMTP Tweak: This SMTP tweak will prevent users from bypassing the mail server to send mail (this is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.


Chasing down the data, denying enough cookies to kill a 16-unit mule team .... very strange circumstances. You kind of hint that you found "the" problem, making it sound like you are speaking of at least one "famous" spammer getting a "valid" account on a phpnuke site, then spewing spam like there was no tomorrow. This definitely sounds like a bit of an administrative control issue, things like noticing the firewall (there is one, isn't there?) traffic going through the roof (evidenced by the SenderBase numbers) ... then trying to add in the "not even registered yet" and cPanel existence on the home-pages, leaving one to wonder why there'd be any reason for allowing sign-ups for e-mail to begin with ... but, not my concern.

On the other hand, the link you offered mentions serious exploits in the webmail portion of the phpnuke app, then pointing to the story of a Nigerian spammer using the story related above. But, when one goes looking for "current" exploits, it's not the web-mail portion being poked at, it's the whole dang package. I got tired of trying to chase down all the links. What I see is that the exploits seem to be based on the version of the app in use. Why am I going on and on? Because I thought we had a "new FAQ entry" here, but ..... from scanning through all the Forums, discussion Boards, support boards, security notices, one would simply want to point out that this is a bad product to install .. but I know that it's in use all over the place ... which seems to put the spam spew issue back into the administrator's lap apparently.

If you got it fixed, congrats! If it was fixed by removal of the app, sorry to hear about that.

> This was the problem; we have found it, and the entire system was not compromised!
>
> http://forums.realwebhost.net/showthread.php?t=92907
>
> We have also enabled this:
>
> SMTP Tweak: This SMTP tweak will prevent users from bypassing the mail server to send mail (this is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.

And all those wide-open ports that GraemeL found?


Does make one wonder. Setting data points for all 4 IPs referenced.

Report on IP address: 209.120.238.244

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.8         18932%
Last 30 days    2.7         1327%
Average         1.6

Report on IP address: 209.120.238.245

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.5         13913%
Last 30 days    2.5         1327%
Average         1.3

Report on IP address: 209.120.238.246

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.7         17416%
Last 30 days    2.6         1327%
Average         1.4

Report on IP address: 209.120.238.247

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.7         18117%
Last 30 days    2.6         1327%
Average         1.5


Damn guys give me a fricking break I came here asking for help that is all. I did not come here to get blasted.

> Damn guys give me a fricking break I came here asking for help that is all. I did not come here to get blasted.

Sorry if you feel we're 'blasting' you: far from it, we're only trying to help! Those figures that Wazoo quotes on throughput are down by a factor of two since yesterday so you may well have fixed 'the problem'. However, if those ports remain open it may only be a matter of time before some low-life exploits them. It gives us no pleasure to see IPs listed; it gives a real warm feeling when we can help identify current and possible future security breaches because that's better for the whole internet community. Thank you for the constructive way you have engaged with 'us'. ;)

> Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?
>
> 209.120.238.244 209.120.238.245 209.120.238.246 209.120.238.247
>
> Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them.
>
> How can I stop this?
>
> Any help would be appreciated.

Looks like a virus/worm from here -- open proxy/cache or maybe php-nuke or other cgi. It's not real obvious from the headers. Not sure what you mean by not assigned but I looked at the spams for a couple of them and the headers are all consistent.

Reports were being sent to joseq[at]speedhost.com but I just changed that to speedhost.com[at]abuse.net which might help to get someone to look at the problem. If these are all managed servers then I suspect that whatever the problem is, it is consistent across the servers perhaps.

There certainly are a number of IPs in that /24 with reports.

Well bah -- should really read the whole thread before posting :-)

Anyway, seeing a lot of php-nuke exploits nowadays -- beginning to rival the Matt's script problems of a couple of years ago ...

> Looks like a virus/worm from here -- open proxy/cache or maybe php-nuke or other cgi. It's not real obvious from the headers. Not sure what you mean by not assigned but I looked at the spams for a couple of them and the headers are all consistent.
>
> Reports were being sent to joseq[at]speedhost.com but I just changed that to speedhost.com[at]abuse.net which might help to get someone to look at the problem. If these are all managed servers then I suspect that whatever the problem is, it is consistent across the servers perhaps.
>
> There certainly are a number of IPs in that /24 with reports.
>
> Well bah -- should really read the whole thread before posting :-)
>
> Anyway, seeing a lot of php-nuke exploits nowadays -- beginning to rival the Matt's script problems of a couple of years ago ...

The IP that I was talking about was the 247 IP, because we had it on the server but the IP was not assigned to anyone, it was unused.

> The IP that I was talking about was the 247 IP, because we had it on the server but the IP was not assigned to anyone, it was unused.

except by the spammers!

> except by the spammers!

Found: the spammer was using CGI scripts, injecting the mails into them.

Domain name: productsrus.biz

IP: 63.184.17.27

> Found: the spammer was using CGI scripts, injecting the mails into them.
>
> Domain name: productsrus.biz
>
> IP: 63.184.17.27

That is a dynamic IP. They are using many other IPs also...


But I have a feeling that if I ask where these cgi scripts are located and how they were being accessed to send spew out from an "unassigned IP on your box" .. you might take it as additional pounding on you ... so I guess I won't ask ....

> But I have a feeling that if I ask where these cgi scripts are located and how they were being accessed to send spew out from an "unassigned IP on your box" .. you might take it as additional pounding on you ... so I guess I won't ask ....

Then I won't say mail in the last day from this IP is up 5762%


Data points a day later:

Report on IP address: 209.120.238.244

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        0.0         -100%
Last 30 days    2.7         1332%
Average         1.5

Report on IP address: 209.120.238.245

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        0.0         -100%
Last 30 days    2.5         1332%
Average         1.3

Report on IP address: 209.120.238.246

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        0.0         -100%
Last 30 days    2.6         1332%
Average         1.4

Report on IP address: 209.120.238.247

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.1         3772%
Last 30 days    2.7         1332%
Average         1.6

209.120.238.247 not listed in bl.spamcop.net

Progress made. Congrats!


I'd suggest using a firewall to block 209.120.238.247's access to the outside world, or at least treating it as a honeypot and logging/analyzing all connections to it until you can identify who is abusing it and how, and then track/prosecute the who and fix the how.
