rwh Posted October 30, 2004

Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?

209.120.238.244
209.120.238.245
209.120.238.246
209.120.238.247

Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them. How can I stop this? Any help would be appreciated.
Derek T Posted October 30, 2004

> Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?
>
> 209.120.238.244
> 209.120.238.245
> 209.120.238.246
> 209.120.238.247
>
> Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them. How can I stop this? Any help would be appreciated.

Assigned or not (whatever that means) they're hacked. Probably SMTP/Auth. See FAQ. In the meantime disconnect the servers from the internet as the hackers have more control over them than do you.
GraemeL Posted October 30, 2004

> Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?
>
> 209.120.238.244
> 209.120.238.245
> 209.120.238.246
> 209.120.238.247
>
> Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them. How can I stop this? Any help would be appreciated.

All the IP addresses you listed are active and route to a single Linux box. The box has a lot of ports exposed, several of which should be firewalled:

PORT      STATE  SERVICE
1/tcp     open   tcpmux
21/tcp    open   ftp
22/tcp    open   ssh
25/tcp    open   smtp
26/tcp    open   unknown
53/tcp    open   domain
80/tcp    open   http
110/tcp   open   pop3
111/tcp   open   rpcbind
143/tcp   open   imap
443/tcp   open   https
465/tcp   open   smtps
873/tcp   open   rsync
993/tcp   open   imaps
995/tcp   open   pop3s
3306/tcp  open   mysql
6666/tcp  open   irc-serv
8009/tcp  open   ajp13
8080/tcp  open   http-proxy

The box also has SMTP AUTH enabled, though I wasn't able to find a weak password. This doesn't mean that there isn't one, just that I couldn't find one.

The box in question hosts at least the following domains:
thebasscapital.com
physicalenhancement.com

Personal guess: You have a client on the box that is a spammer. Yipes has a long history of hosting spammers.
Wazoo Posted October 30, 2004

In addition to all the above, I'm not sure yet what you mean by "not assigned" ... all share the same "access" point via a traceroute;

64.200.232.201   RTT: 47ms  TTL: 128  (IPP-dllstx9lce1-pos5-0.wcg.net bogus rDNS: host not found [authoritative])
64.200.226.118   RTT: 49ms  TTL: 128  (dllstx9lce1-yipes.wcg.net bogus rDNS: host not found [authoritative])
66.7.164.66      RTT: 91ms  TTL: 128  (No rDNS)
209.120.238.244  RTT: 60ms  TTL: 47   (dorothea.rwhmax.net fraudulent rDNS)
209.120.238.245  RTT: 52ms  TTL: 47   (thebasscapital.com ok)
209.120.238.246  RTT: 49ms  TTL: 47   (physicalenhancement.com ok)
209.120.238.247  RTT: 52ms  TTL: 47   (dorothea.rwhmax.net fraudulent rDNS)

10/30/04 11:14:51 Browsing http://209.120.238.244/
Fetching http://209.120.238.244/ ...
GET / HTTP/1.1
Host: 209.120.238.244
<TITLE>cPanel</TITLE>
209.120.238.244 listed in bl.spamcop.net (127.0.0.2)
SpamCop users have reported system as a source of spam less than 10 times in the past week
DNS error: 209.120.238.244 is dorothea.rwhmax.net but dorothea.rwhmax.net is 209.120.238.243 instead of 209.120.238.244

10/30/04 11:16:54 Browsing http://209.120.238.245/
Fetching http://209.120.238.245/ ...
GET / HTTP/1.1
Host: 209.120.238.245
<title>The Bass Capital.com. A PHP-Nuke Powered Site </title>
209.120.238.245 not listed in bl.spamcop.net

10/30/04 11:17:54 Browsing http://209.120.238.246/
Fetching http://209.120.238.246/ ...
GET / HTTP/1.1
Host: 209.120.238.246
HTTP/1.1 302 Found
209.120.238.246 listed in bl.spamcop.net (127.0.0.2)
SpamCop users have reported system as a source of spam less than 10 times in the past week

10/30/04 11:18:57 Browsing http://209.120.238.247/
Fetching http://209.120.238.247/ ...
GET / HTTP/1.1
Host: 209.120.238.247
<TITLE>cPanel</TITLE>
209.120.238.247 listed in bl.spamcop.net (127.0.0.2)
SpamCop users have reported system as a source of spam less than 10 times in the past week
DNS error: 209.120.238.247 is creativewebx.com. but creativewebx.com. is 69.93.241.198 instead of 209.120.238.247
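The two checks Wazoo ran in the post above, forward-confirmed reverse DNS (does the PTR name resolve back to the IP?) and a bl.spamcop.net DNSBL lookup, as an added Python example that is not part of the original thread. It uses a constructed lookup table mirroring the thread's data in place of live DNS so it runs offline; `live_ptr`/`live_a` are hypothetical drop-in helpers for real lookups.

```python
import ipaddress
import socket

# Constructed sample records mirroring the thread's data (not live DNS).
SAMPLE_PTR = {
    "209.120.238.244": "dorothea.rwhmax.net",
    "209.120.238.245": "thebasscapital.com",
    "209.120.238.246": "physicalenhancement.com",
    "66.7.164.66": None,
}
SAMPLE_A = {
    "dorothea.rwhmax.net": ["209.120.238.243"],
    "thebasscapital.com": ["209.120.238.245"],
    "physicalenhancement.com": ["209.120.238.246"],
    # A DNSBL answers a 127.0.0.x record for listed hosts, nothing otherwise.
    "244.238.120.209.bl.spamcop.net": ["127.0.0.2"],
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)
def sample_a(name):
    return SAMPLE_A.get(name, [])

def live_ptr(ip):  # hypothetical helper: real PTR lookup, swap in for sample_ptr
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name):  # hypothetical helper: real A lookup, swap in for sample_a
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def fcrdns(ip, ptr=sample_ptr, a=sample_a):
    """Forward-confirmed rDNS: the PTR name must resolve back to ip."""
    name = ptr(ip)
    if name is None:
        return ("no rDNS", None)
    if ip in a(name):
        return ("ok", name)
    return ("fraudulent rDNS", name)  # PTR exists but does not point back

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the octets and append the zone, e.g. 244.238.120.209.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip, zone="bl.spamcop.net", a=sample_a):
    """Return the 127.0.0.x answer code when listed, else None."""
    codes = [x for x in a(dnsbl_query_name(ip, zone)) if x.startswith("127.")]
    return codes[0] if codes else None
```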
rwh Posted October 31, 2004

Hello,

> All the IP addresses you listed are active and route to a single Linux box. The box has a lot of ports exposed, several of which should be firewalled:

Yes, that's correct, all the IPs are routed to the same Linux box, however the MTA is configured to send out mail from just one IP address. We have only the necessary ports open, none of the unwanted ports are opened. Why would all the IPs be blacklisted on the server? Usually the IP that would be responsible for sending spam mails would be blacklisted, is that correct? We run on a shared hosting environment and use a cPanel based server. The MTA is exim and exim is configured to send mails only from the main IP. The additional IPs will not be involved in spamming by any chance. My suspicion is that PHP-Nuke's webmail module might be causing the problem. Any feedback is appreciated.

Regards
Wazoo Posted October 31, 2004

At the time of my last posting, the three listed IPs were there based on actual spam complaints (as compared to spamtrap hits, usually indicative of an SMTP/AUTH hack) .. but note that those "evidence" pages haven't been real-time in ages due to spammer abuse/exploitation.

209.120.238.244 not listed in bl.spamcop.net
209.120.238.245 listed in bl.spamcop.net (127.0.0.2)
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam about 10 times in the past week
209.120.238.246 listed in bl.spamcop.net (127.0.0.2)
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week
209.120.238.247 not listed in bl.spamcop.net

So now one can say oooppps! Two IPs unlisted, one IP added, and now there is mention of spamtrap hits.

SenderBase stuff http://www.senderbase.org/?searchBy=ipaddr...209.120.238.246

Report on IP address: 209.120.238.246
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      3.7        38695%
Last 30 days  2.3        1328%
Average       1.2

I don't see the need to go researching the rest of your IP situation. Your systems are compromised, end of story. If this thing is actually under your control, it might be wiser to disconnect it soon, before this spew gets you listed on many other BLs that aren't as easy to get off of as the one at SpamCop.
rwh Posted October 31, 2004

> Your systems are compromised, end of story

This was the problem, we have found it, and the entire system was not compromised!

http://forums.realwebhost.net/showthread.php?t=92907

We have also enabled this SMTP Tweak:

> This SMTP tweak will prevent users from bypassing the mail server to send mail (this is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.
Wazoo Posted October 31, 2004

Chasing down the data, denying enough cookies to kill a 16-unit mule team .... very strange circumstances. You kind of hint that you found "the" problem, making it sound like you are speaking of at least one "famous" spammer getting a "valid" account on a phpnuke site, then spewing spam like there was no tomorrow. This definitely sounds like a bit of an administrative control issue, things like noticing the firewall (there is one, isn't there?) traffic going through the roof (evidenced by the SenderBase numbers) ... then trying to add in the "not even registered yet" and cPanel existence on the home-pages, leaving one to wonder why there'd be any reason for allowing sign-ups for e-mail to begin with ... but, not my concern.

On the other hand, the link you offered mentions serious exploits in the webmail portion of the phpnuke app, then pointing to the story of a Nigerian spammer using the story related above. But, when one goes looking for "current" exploits, it's not the web-mail portion being poked at, it's the whole dang package. I got tired of trying to chase down all the links. What I see is that the exploits seem to be based on the version of the app in use.

Why am I going on and on? Because I thought we had a "new FAQ entry" here, but ..... from scanning through all the Forums, discussion Boards, support boards, security notices, one would simply want to point out that this is a bad product to install .. but I know that it's in use all over the place ... which seems to put the spam spew issue back into the administrator's lap apparently. If you got it fixed, congrats! If it was fixed by removal of the app, sorry to hear about that.
Derek T Posted October 31, 2004

> This was the problem, we have found it, and the entire system was not compromised!
>
> http://forums.realwebhost.net/showthread.php?t=92907
>
> We have also enabled this SMTP Tweak:
>
> > This SMTP tweak will prevent users from bypassing the mail server to send mail (this is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.

And all those wide-open ports that GraemeL found?
Wazoo Posted October 31, 2004

Does make one wonder. Setting data points for all 4 IPs referenced.

Report on IP address: 209.120.238.244
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      3.8        18932%
Last 30 days  2.7        1327%
Average       1.6

Report on IP address: 209.120.238.245
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      3.5        13913%
Last 30 days  2.5        1327%
Average       1.3

Report on IP address: 209.120.238.246
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      3.7        17416%
Last 30 days  2.6        1327%
Average       1.4

Report on IP address: 209.120.238.247
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      3.7        18117%
Last 30 days  2.6        1327%
Average       1.5
rwh Posted October 31, 2004

Damn guys, give me a fricking break. I came here asking for help, that is all. I did not come here to get blasted.
Derek T Posted October 31, 2004

> Damn guys, give me a fricking break. I came here asking for help, that is all. I did not come here to get blasted.

Sorry if you feel we're 'blasting' you: far from it, we're only trying to help! Those figures that Wazoo quotes on throughput are down by a factor of two since yesterday so you may well have fixed 'the problem'. However, if those ports remain open it may only be a matter of time before some low-life exploits them. It gives us no pleasure to see IPs listed; it gives a real warm feeling when we can help identify current and possible future security breaches because that's better for the whole internet community. Thank you for the constructive way you have engaged with 'us'.
Ellen Posted October 31, 2004

> Below are some IPs from one of our servers that started showing on your list today/tonight. Problem is that some of these IPs are not even assigned?
>
> 209.120.238.244
> 209.120.238.245
> 209.120.238.246
> 209.120.238.247
>
> Looks like the same email address is being used in the header of the spam emails and somehow he is stealing the IPs and using them. How can I stop this? Any help would be appreciated.

Looks like a virus/worm from here -- open proxy/cache or maybe php-nuke or other cgi. It's not real obvious from the headers. Not sure what you mean by not assigned but I looked at the spams for a couple of them and the headers are all consistent. Reports were being sent to joseq[at]speedhost.com but I just changed that to speedhost.com[at]abuse.net which might help to get someone to look at the problem. If these are all managed servers then I suspect that whatever the problem is that it is consistent across the servers perhaps. There certainly are a number of IPs in that /24 with reports.

Well bah -- should really read the whole thread before posting :-) Anyway seeing a lot of php-nuke exploits nowadays -- beginning to rival the Matt's Script problems of a couple of years ago ...
rwh Posted October 31, 2004

> Looks like a virus/worm from here -- open proxy/cache or maybe php-nuke or other cgi. It's not real obvious from the headers. Not sure what you mean by not assigned but I looked at the spams for a couple of them and the headers are all consistent. Reports were being sent to joseq[at]speedhost.com but I just changed that to speedhost.com[at]abuse.net which might help to get someone to look at the problem. If these are all managed servers then I suspect that whatever the problem is that it is consistent across the servers perhaps. There certainly are a number of IPs in that /24 with reports.
>
> Well bah -- should really read the whole thread before posting :-) Anyway seeing a lot of php-nuke exploits nowadays -- beginning to rival the Matt's Script problems of a couple of years ago ...

The IP that I was talking about was the 247 IP, because we had it on the server but the IP was not assigned to anyone, it was unused.
Derek T Posted November 1, 2004

> The IP that I was talking about was the 247 IP, because we had it on the server but the IP was not assigned to anyone, it was unused.

except by the spammers!
rwh Posted November 1, 2004

> except by the spammers!

Found. The spammer was using cgi scripts, injecting the mails into them.
Domain name: productsrus.biz
IP: 63.184.17.27
Merlyn Posted November 1, 2004

> Found. The spammer was using cgi scripts, injecting the mails into them.
> Domain name: productsrus.biz
> IP: 63.184.17.27

That is a dynamic IP. They are using many other IPs also.............
Wazoo Posted November 1, 2004

But I have a feeling that if I ask where these cgi scripts are located and how they were being accessed to send spew out from an "unassigned IP on your box" .. you might take it as additional pounding on you ... so I guess I won't ask ....
Merlyn Posted November 1, 2004

> But I have a feeling that if I ask where these cgi scripts are located and how they were being accessed to send spew out from an "unassigned IP on your box" .. you might take it as additional pounding on you ... so I guess I won't ask ....

Then I won't say mail in the last day from this IP is up 5762%
Wazoo Posted November 2, 2004

Data points a day later;

Report on IP address: 209.120.238.244
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      0.0        -100%
Last 30 days  2.7        1332%
Average       1.5

Report on IP address: 209.120.238.245
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      0.0        -100%
Last 30 days  2.5        1332%
Average       1.3

Report on IP address: 209.120.238.246
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      0.0        -100%
Last 30 days  2.6        1332%
Average       1.4

Report on IP address: 209.120.238.247
Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      3.1        3772%
Last 30 days  2.7        1332%
Average       1.6

209.120.238.247 not listed in bl.spamcop.net

Progress made. Congrats!
Jeff G. Posted November 2, 2004

I'd suggest using a firewall to block 209.120.238.247's access to the outside world, or at least treating it as a honeypot and logging/analyzing all connections to it until you can identify who is abusing it and how, and then track/prosecute the who and fix the how.