Exim open-relay-like problem
hi,
I have cPanel with Exim as the mail server. I checked whether it is an open relay and it is not. I disabled the user nobody from sending mail (PHP and CGI), but I still have spammers on my server and I don't know how they send mail from it. When I check the cPanel mail queue I see that they send mail from domains that don't exist on my server, so I telneted to my server:

    telnet localhost 25
    helo localhost
    mail from:m@hotmail.com
    rcpt to:m@hotmail.com
    (accepted)
    data
    test
    .
    quit

and it sent the mail. So localhost can send any email it wants; m@hotmail.com is not a local domain!!!! So how do I stop localhost from sending mail unless the sender is a real user @ my real local domain? Please help me, my server is now blocked because it sends more and more spam. Thanks.
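The manual telnet session above, done as a script (added example, not code from the thread): it performs HELO, MAIL FROM and RCPT TO with a sender and recipient that are not local and reports whether the server accepts them, then sends RSET and QUIT instead of DATA so nothing is queued. To make it runnable offline, the block includes a constructed mock SMTP server on 127.0.0.1 that can behave either like the poster's box (accepts every recipient) or like a relay-safe MTA that answers 550 for domains it does not host; "example.com" as its only local domain is an assumption. The "relays" flag is only meaningful when the recipient you pass is not one of the server's own domains.

```python
"""Relay probe: repeat the manual telnet session (HELO, MAIL FROM, RCPT TO
with a foreign sender and recipient) against an SMTP listener and report
whether it accepts them. Added example, not from the thread; the mock
server is a constructed stand-in for the poster's Exim."""
import socket
import socketserver
import threading


def read_reply(rfile):
    """Consume one SMTP reply (possibly multi-line) and return its code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        # "250-..." continues a multi-line reply, "250 ..." ends it
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3])


def probe_relay(host, port, mail_from="m@hotmail.com",
                rcpt_to="m@hotmail.com", helo="localhost", timeout=5.0):
    """Return the reply code of each step plus 'relays': True when both the
    (foreign) sender and recipient were accepted. RSET/QUIT are sent instead
    of DATA so the probe never queues a message."""
    codes = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def cmd(line):
            sock.sendall(line.encode("ascii") + b"\r\n")
            return read_reply(rfile)

        codes["banner"] = read_reply(rfile)
        codes["helo"] = cmd(f"HELO {helo}")
        codes["mail"] = cmd(f"MAIL FROM:<{mail_from}>")
        codes["rcpt"] = cmd(f"RCPT TO:<{rcpt_to}>")
        cmd("RSET")
        cmd("QUIT")
    codes["relays"] = codes["mail"] == 250 and codes["rcpt"] == 250
    return codes


class MockSMTP(socketserver.StreamRequestHandler):
    """Constructed server. With open_relay=True it accepts every recipient,
    like the poster's box; otherwise it accepts only recipients in
    local_domains (assumed: example.com) and rejects the rest with 550."""
    open_relay = True
    local_domains = ("example.com",)

    def handle(self):
        self.wfile.write(b"220 mock ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line[:4].upper()
            if verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            if verb == b"RCPT" and not self.open_relay:
                domain = line.split(b"@")[-1].strip(b"<>\r\n ").decode()
                if domain.lower() not in self.local_domains:
                    self.wfile.write(b"550 5.7.1 relay not permitted\r\n")
                    continue
            self.wfile.write(b"250 ok\r\n")


def start_mock(open_relay):
    """Start MockSMTP on an ephemeral loopback port; return (server, port)."""
    handler = type("Handler", (MockSMTP,), {"open_relay": open_relay})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_mock(open_relay, **probe_kwargs):
    """Start a mock, probe it, shut it down, return the reply codes."""
    server, port = start_mock(open_relay)
    try:
        return probe_relay("127.0.0.1", port, **probe_kwargs)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("open relay  :", probe_mock(True))
    print("relay-safe  :", probe_mock(False))
    # against a real box: probe_relay("localhost", 25)
```

Against the real server, run it both from localhost and from an outside host: a 250 to RCPT TO for a foreign recipient from the outside is an open relay; a 250 only from localhost is what the first post describes, and the fix for that is on the host, not in the relay rules.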
The better approach is to determine how these people have access to send mail via your localhost (which means your machine is already compromised) and then sort that out.
hi,
Yes, thanks. My issue is that I am new to Exim and cPanel; I just prefer Sendmail with my manual configuration. So I ran

    netstat -panel | grep :25

and saw Perl (x.pl) scripts running on port 25, so I did

    ps -ef | grep x.pl

and saw the user who ran the scripts, suspended his account, and closed port 25 to remote connections with iptables too. Until now the spammer has stopped, so maybe it is solved.
The question is how a normal user was able to escalate their privileges to bind to port 25. You need to investigate that and fix that vulnerability.
hi,
Thanks for your support. As you said, I don't know how this could have happened. Before I suspended his account I searched the entire file system for that script and didn't find it, so could it be a hidden Perl script in his site code (PHP forums)?
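The netstat/ps triage from the second post and the "where is the script" question of the last one, as one added example (not code from the thread). It parses `netstat -panel` output, keeps the rows that touch port 25 and are not the MTA, tags each as a listener bound to :25, an inbound client, or an outbound connection to someone else's :25 (the pattern of a script sending spam directly), groups them by PID and owner UID, and emits the commands for each PID: `ps -p` for the owner and command line, `/proc/<pid>/cmdline` for the script path as invoked and `/proc/<pid>/cwd` for the directory it was started from, which is where to look when a filesystem search for the script name finds nothing. The netstat lines are constructed, not the poster's real output, and treating only the program name `exim` as trusted is an assumption.

```python
"""Triage `netstat -panel` output for port-25 activity that is not the MTA's
and build the follow-up commands per process. Added example, not from the
thread; SAMPLE_NETSTAT is constructed and 'exim' as the trusted program name
is an assumption."""
from collections import defaultdict

SMTP_PORT = 25
TRUSTED_PROGRAMS = {"exim"}   # assumption: the MTA's process name

# Constructed sample, shaped like `netstat -panel` run as root.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          12345      2345/exim
tcp        0      0 10.0.0.5:25             203.0.113.7:51234       ESTABLISHED 0          12346      2345/exim
tcp        0      0 10.0.0.5:43211          198.51.100.9:25         SYN_SENT    1004       12347      8765/perl
tcp        0      0 10.0.0.5:43212          198.51.100.9:25         ESTABLISHED 1004       12348      8766/perl
tcp        0      0 10.0.0.5:43213          192.0.2.33:25           ESTABLISHED 1004       12349      8766/perl
tcp        0      0 10.0.0.5:52001          203.0.113.20:443        ESTABLISHED 1004       12350      8766/perl
tcp        0      0 10.0.0.5:43214          198.51.100.9:25         TIME_WAIT   0          0          -
"""


def split_addr(addr):
    """'10.0.0.5:25' -> ('10.0.0.5', 25); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_line(line):
    """Parse one tcp/tcp6 row of `netstat -panel`; return None for others."""
    parts = line.split()
    if len(parts) < 9 or not parts[0].startswith("tcp"):
        return None
    proto, _rq, _sq, local, foreign, state, uid, _inode, prog = parts[:9]
    pid, _, name = prog.partition("/")
    return {
        "proto": proto,
        "local": split_addr(local),
        "foreign": split_addr(foreign),
        "state": state,
        "uid": int(uid),
        "pid": int(pid) if pid.isdigit() else None,   # "-" when not visible
        "program": name or None,
    }


def smtp_hits(netstat_output, trusted=TRUSTED_PROGRAMS):
    """Rows touching port 25 whose program is not a trusted MTA, tagged
    'listener' (bound to :25), 'inbound' (a peer talking to our :25) or
    'outbound' (our process talking to a remote :25)."""
    hits = []
    for line in netstat_output.splitlines():
        row = parse_netstat_line(line)
        if row is None:
            continue
        lport, rport = row["local"][1], row["foreign"][1]
        if lport == SMTP_PORT and row["state"] == "LISTEN":
            kind = "listener"
        elif lport == SMTP_PORT:
            kind = "inbound"
        elif rport == SMTP_PORT:
            kind = "outbound"
        else:
            continue
        if row["program"] in trusted:
            continue
        hits.append(dict(row, kind=kind))
    return hits


def summarize(hits):
    """Group hits by PID: owner UID, program, kinds seen, remote SMTP peers."""
    procs = defaultdict(lambda: {"program": None, "uid": None,
                                 "kinds": set(), "peers": set()})
    for h in hits:
        p = procs[h["pid"] if h["pid"] is not None else "unknown"]
        p["program"] = h["program"]
        p["uid"] = h["uid"]
        p["kinds"].add(h["kind"])
        if h["kind"] == "outbound":
            p["peers"].add(h["foreign"][0])
    return dict(procs)


def follow_up_commands(summary):
    """Commands to identify each flagged process and find where its script
    lives, even if the file name was never found by a filesystem search."""
    cmds = []
    for pid in summary:
        if pid == "unknown":
            continue   # rerun netstat as root to get the PID
        cmds.append(f"ps -o user,pid,ppid,lstart,cmd -p {pid}")
        cmds.append(f"tr '\\0' ' ' < /proc/{pid}/cmdline; echo")
        cmds.append(f"ls -l /proc/{pid}/exe /proc/{pid}/cwd")
    return cmds


if __name__ == "__main__":
    summary = summarize(smtp_hits(SAMPLE_NETSTAT))
    for pid, info in summary.items():
        print(pid, info)
    print("\n".join(follow_up_commands(summary)))
```

Rows with `-` in the program column mean netstat could not see the owning process (not root, or a TIME_WAIT socket with no process); rerun as root before concluding nothing is there.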