LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-20-2012, 07:04 PM   #1
kbscores
Member
Registered: Oct 2011
Location: USA
Distribution: Red Hat

Exim - PHP - Cpanel - Hacked

Hello!

Status:
Centos 5
Exim
Cpanel/WHM
PHP vulnerability

Somewhere in my PHP code a hacker has placed a preg_replace statement allowing him to receive all the emails being sent out from my website. The first time he put in the preg_replace statement I found it and removed it. I cannot find it now - I am running cPanel/WHM to manage the site. I know what the hacker's email is - is there a way I can block Exim from sending mail to that address? I'm in the process of getting the site rebuilt by a professional. Looking for a fix for the interim though.
 
Old 11-20-2012, 08:37 PM   #2
unSpawn
Moderator
Registered: May 2001
Quote:
Originally Posted by kbscores View Post
(..) is there a way I can block exim from sending mail to that address? (..)
- Stop your MTA until you have figured out what to do.
- Those preg_replace statements were just a symptom. Running bad homebrew scripts, outdated software, risky 3rd party plugins, leeched FTP credentials, other malicious activity in a shared host etc, etc may be a few of the causes. Encountering those pregs twice could point to negligence. So don't wait for your "professional", be pro-active, act responsibly and FIX THE PROBLEM.
- See if you can enable the mail header function in php.ini (PHP >= 5.3: mail.add_x_header = On, mail.log = /tmp/php_headers.log) so you can trace back the script with the "X-PHP-Originating-Script" header.
- Configure an email limit for all accounts.
- Have MailScanner + SpamAssassin scan all outbound email (also see EximConfig).

Last edited by unSpawn; 11-20-2012 at 08:42 PM. Reason: //More *is* more
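Added example (not part of the thread): once mail.log and mail.add_x_header are enabled as unSpawn describes, the admin still has to read the log to find which script is the one adding the unwanted recipient. This script parses constructed sample lines modelled on PHP's mail.log format ("[date] mail() on [script:line]: To: ... -- Headers: ...") and reports every script whose mail() call addresses a given recipient in the To field or in any header (e.g. an injected Bcc); it also extracts the uid and script name from an X-PHP-Originating-Script header. Paths, timestamps and addresses are made up; the log line shape is an assumption about PHP's format.

```python
import re
from collections import Counter

# Constructed sample of a PHP mail.log (mail.log = /tmp/php_headers.log in php.ini).
# Line shape assumed from PHP's "[date] mail() on [script:line]: To: ... -- Headers: ..."
# logging; all paths and addresses below are invented for the example.
SAMPLE_MAIL_LOG = """\
[20-Nov-2012 19:04:11 UTC] mail() on [/home/site/public_html/contact.php:57]: To: owner@example.org -- Headers: From: web@example.org
[20-Nov-2012 19:05:02 UTC] mail() on [/home/site/public_html/uploads/.cache.php:3]: To: owner@example.org, attacker@example.net -- Headers: From: web@example.org
[20-Nov-2012 19:06:40 UTC] mail() on [/home/site/public_html/order.php:120]: To: customer@example.com -- Headers: From: shop@example.org  Bcc: attacker@example.net
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)

def parse_mail_log(text):
    """Yield one dict (ts, script, line, to, headers) per mail() call in the log."""
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:  # lines that do not match the expected shape are skipped
            yield m.groupdict()

def scripts_sending_to(text, address):
    """Map script path -> number of mail() calls that address 'address',
    looking in the To field and in all logged headers (Cc/Bcc included)."""
    needle = address.lower()
    hits = Counter()
    for entry in parse_mail_log(text):
        if needle in entry["to"].lower() or needle in entry["headers"].lower():
            hits[entry["script"]] += 1
    return dict(hits)

# Header added by mail.add_x_header = On; value is "<uid>:<script basename>".
ORIG_RE = re.compile(r"^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<name>\S+)", re.M)

def originating_script(message):
    """Return (uid, script name) from the X-PHP-Originating-Script header,
    or None when a message (e.g. one held in Exim's queue) lacks the header."""
    m = ORIG_RE.search(message)
    return (int(m.group("uid")), m.group("name")) if m else None

if __name__ == "__main__":
    for script, n in scripts_sending_to(SAMPLE_MAIL_LOG, "attacker@example.net").items():
        print(f"{n} call(s) to the unwanted address from {script}")
```

Run against the real log, every script it names is a place to inspect for the injected preg_replace, and a script under an uploads directory is the obvious first candidate.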
 
Old 11-20-2012, 09:53 PM   #3
kbscores
Member
Original Poster
Will do. Thanks.
 
Old 11-30-2012, 09:06 PM   #4
abefroman
Senior Member
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Also, in WHM there is an option to add tracking headers.

The root of the problem is likely a vulnerable php script though.