LinuxQuestions.org
Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-06-2015, 05:21 PM   #1
Bashed
Member
 
Registered: Jul 2015
Posts: 133

Rep: Reputation: Disabled
trace spammer


So I found out that my IP is blacklisted with Spamhaus because of a CBL blacklisting.

Quote:
IP Address xxx.xxx.xxx is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2015-07-05 09:00 GMT (+/- 30 minutes), approximately 1 day, 13 hours ago.
Server Config
cPanel w/ Centos + CloudLinux 6
EXIM. suPHP. PHP 5.5.
"Prevent 'nobody' user from sending..." enabled
Other Enabled Settings: CSF firewall (SMTP tweak enabled), CXS, suPHP, mail header tracking, 'nobody' prevented, max hourly at 100, and so many other tweaks in place.

In my EXIM config: "Send mail from account's dedicated IP address" is enabled. I've enabled DKIM and SPF on the below domains which I've masked for privacy reasons here only.

I emailed them a couple of weeks ago about this too.

Their response

Quote:
This definitely looks to be caused by your shared hosting:

Note: if you have received messages from us about IPSwitch/IMail before, please note that IPSwitch has finally implemented a workaround.
Please see below. We will no longer be perm-delisting IMail installations unless there's no alternative.

The CBL attempts to detect compromised machines in a number of ways based upon the email that the CBL's mail servers receive.

During this it tries to distinguish whether the connections represent real mail servers by ensuring that each connection is claiming a plausible machine name for itself (via SMTP HELO), and not listing any IP that corresponds to a real mail server (or several mail servers if the IP address is a NAT firewall with multiple mail servers behind it).

xxx.xxx.33.191 was found to be using several different EHLO/HELO names during multiple connections on or about:

2015:06:12 ~23:30 UTC+/- 15 minutes (approximately 16 hours, 15 minutes ago).

The names seen included:

client.com, e-client.com, client.net, client.com, client.com, client.com, server.mydomain.com

Note that the above list may include one or more names that are not fully qualified DNS names (FQDNs). Host names (i.e. Windows node names) without a dot are not FQDNs.

RFC 2821 requires that the HELO be either an IP address literal - an IP address surrounded by square brackets (i.e. "[1.2.3.4]"), or a FQDN.

To resolve this you need to identify whether these are real names of your machines. If not:

- you have an open proxy used for spamming on that IP, or
- you have a NAT firewall, and one or more machines behind it have an open proxy used for spamming.
- if all of the names above are IP addresses belonging to you (without the square brackets) you are probably using Blue Squirrel's "Spam Sleuth" "Turing" feature. You will need to turn the "Turing" feature off until you can get a patched version that doesn't do this (identifies itself consistently).

If they are real names, you need to consider whether one or more of these machines are supposed to be sending email to the Internet (this implies that xxx.xxx.33.191 is a NAT firewall.)

If not, one or more machines on your internal network has an open proxy used for spamming.

If these are real names corresponding to real mail servers behind a NAT firewall, we strongly suggest that you configure your machines to have consistent fully qualified domain names, like:

mail01.<your domain>, mail02.<your domain>

This is usually done by setting the machine's node name to be one of the above, but sometimes it's a configuration parameter for the mail server.

The final possibility is that xxx.xxx.33.191 is not a NAT firewall, and is instead a single box with many domains provisioned on it, some that send email directly, setting the HELO as the sending domain. If this is the case, to prevent a relisting we strongly recommend setting the mail software on the box so that a single identifying name is used in outbound SMTP connections. As an alternate workaround, you can configure the mail software to relay its outbound email through an intermediate mail server. Even a co-resident mail server package (such as IIS on Windows) will do fine.

Note: If you are running CPanel, this problem could be caused by CPanel bug #59785, whereby CPanel is unable to send emails associated with the virtual IP address assigned to the sender domain. In other words, CPanel (via exim most likely) is failing to bind to the sender domain's IP address before sending. You will want to turn this feature off until the bug is fixed. This "failure to bind" is the root cause of similar problems with older versions of IMail. This is apparently, in the case of CPanel, fixable in the Exim configuration, but we don't know the details, and CPanel may well clobber such changes next time you patch or upgrade.

Note: there is a fairly common belief that the HELO has to match the From: line, otherwise mail server spam filtering will block it. This is mistaken. If it were true, large scale email hosting environments (such as Google, godaddy or mail.com/1and1 etc) would be unable to function.

If xxx.xxx.33.191 is a NAT firewall, we STRONGLY recommend that you configure it to prevent machines (except your real mail servers) on your local network connecting to the Internet on port 25 (SMTP/email). In this way you can contain any insecure machines (either by open proxy/spam trojan or emailing worm like Netsky) from attacking others on the Internet.

I ran the recommended findbot.pl file CBL's site provides, but I get a bunch of gibberish while tailing the process.
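
The check the CBL describes in the quoted response (each source IP should present one plausible HELO/EHLO name, either an FQDN or a bracketed address literal) is easy to reproduce against your own traffic before the CBL does it for you. The script below is an added example, not code from the thread or from the CBL. It reads a session log in a format assumed for this example (one line per inbound SMTP session: timestamp, source IP, HELO or EHLO, name) and applies the two tests from the note: is each name an RFC 2821-style identity, and does a single IP present more than one distinct name. The IPs and the log lines are constructed, modelled on the names in the report above.

```python
"""HELO/EHLO consistency and plausibility check (added example).

Not part of the thread or of the CBL's tooling. The input format is an
assumption: 'YYYY-MM-DD HH:MM:SS <src_ip> <HELO|EHLO> <name>' per session,
the kind of line you could produce from a packet capture or from your
own inbound MTA log once HELO logging is enabled.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one IP cycling through several names (the CBL case),
# one consistent real mail server, and three single-session oddities.
SAMPLE_LOG = """\
2015-06-12 23:21:04 203.0.113.191 EHLO client.com
2015-06-12 23:22:10 203.0.113.191 EHLO e-client.com
2015-06-12 23:25:31 203.0.113.191 HELO client.net
2015-06-12 23:27:00 203.0.113.191 EHLO client.com
2015-06-12 23:29:48 203.0.113.191 EHLO server.mydomain.com
2015-06-12 23:30:02 198.51.100.7 EHLO mail01.example.net
2015-06-12 23:31:15 198.51.100.7 EHLO mail01.example.net
2015-06-12 23:33:40 192.0.2.44 EHLO WORKSTATION07
2015-06-12 23:34:01 192.0.2.45 EHLO [192.0.2.45]
2015-06-12 23:35:09 192.0.2.46 EHLO 192.0.2.46
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<verb>HELO|EHLO) (?P<name>\S+)$"
)
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_address_literal(name: str) -> bool:
    """'[1.2.3.4]' or '[IPv6:...]' as RFC 2821 allows."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    inner = name[1:-1]
    if inner.upper().startswith("IPV6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def is_fqdn(name: str) -> bool:
    """At least two valid labels joined by dots, and not a bare IP address."""
    if "." not in name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)   # '192.0.2.46' without brackets is not an FQDN
        return False
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)


def is_valid_helo(name: str) -> bool:
    """The plausibility test: FQDN or bracketed address literal."""
    return is_address_literal(name) or is_fqdn(name)


def parse_sessions(text: str):
    """Yield (src_ip, helo_name) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("name")


def helo_report(text: str) -> dict:
    """Per source IP: distinct names, the invalid ones, and whether the
    IP is inconsistent (more than one distinct name, the CBL trigger)."""
    seen = defaultdict(set)
    for ip, name in parse_sessions(text):
        seen[ip].add(name)
    return {
        ip: {
            "names": sorted(names),
            "invalid": sorted(n for n in names if not is_valid_helo(n)),
            "inconsistent": len(names) > 1,
        }
        for ip, names in seen.items()
    }


if __name__ == "__main__":
    for ip, info in sorted(helo_report(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(info['names'])}")
        if info["inconsistent"]:
            print("    ! several HELO names from one IP (CBL listing risk)")
        if info["invalid"]:
            print("    ! not FQDN/address literal: " + ", ".join(info["invalid"]))
```

On an Exim host the name an IP will present is whatever the remote_smtp transport's helo_data expands to; Exim's default is $primary_hostname, and `exim -bP transport remote_smtp` prints the transport's effective settings so you can see what it has been changed to. A per-domain override, such as the cPanel "Send mail from account's dedicated IP address" option, is the "single box with many domains" case the CBL describes: every sending domain announces its own name from the same IP unless each domain's mail really does leave from its own address.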
 
Old 07-08-2015, 09:06 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,138

Rep: Reputation: 1263
What steps have you taken to address the points in the letter? All of those things are basics which should have been done when you set up email.

If you post the "bunch of gibberish" then maybe some people with experience as email admins can interpret it for you.

Also list what PHP script you are using to send mail. 99% that is the culprit.
 
Old 07-08-2015, 11:05 AM   #3
Bashed
Member
 
Registered: Jul 2015
Posts: 133

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by smallpond View Post
What steps have you taken to address the points in the letter? All of those things are basics which should have been done when you set up email.

If you post the "bunch of gibberish" then maybe some people with experience as email admins can interpret it for you.

Also list what PHP script you are using to send mail. 99% that is the culprit.
The steps I took are in my post to tweak the security.

Here's a small portion of the findbot.pl output:


Code:
/home/gaiai/public_html/wp-includes/class-phpmailer.php: Suspicious(root@):
     public $From = 'root@localhost';

/home/gaiai/public_html/wp-includes/js/tinymce/license.txt: Suspicious(Hacker):
   library `Frob' (a library for tweaking knobs) written by James Random Hacker.

/home/gaiai/public_html/wp-includes/js/plupload/license.txt: Suspicious(Hacker):
   `Gnomovision' (which makes passes at compilers) written by James Hacker.

/home/gaiai/public_html/wp-includes/class-wp-customize-widgets.php: Suspicious(base64_decode):
                $decoded = base64_decode( $value['encoded_serialized_instance'], true );

/home/gaiai/public_html/wp-includes/class-feed.php: Suspicious(fsockopen):
        public function __construct($url, $timeout = 10, $redirects = 5, $headers = null, $useragent = null, $force_fsockopen = false) {

/home/gaiai/public_html/wp-includes/ID3/getid3.php: Suspicious(open_basedir):
        // sys_get_temp_dir() may give inaccessible temp dir, e.g. with open_basedir on virtual hosts

/home/gaiai/public_html/wp-includes/ID3/module.audio-video.riff.php: Suspicious(hacked):
                        MDVD    Alex MicroDVD Video (hacked MS MPEG-4) (www.tiasoft.de)

/home/gaiai/public_html/wp-includes/ID3/module.audio.ogg.php: Suspicious(base64_decode):
                                        $flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));

/home/gaiai/public_html/wp-includes/ID3/getid3.lib.php: Suspicious(Windows-1251):
                        case 'Windows-1251':

/home/gaiai/public_html/wp-includes/ID3/module.audio-video.quicktime.php: Suspicious(hacked):
                        $QuicktimeSTIKLookup[5]  = 'Whacked Bookmark';

/home/gaiai/public_html/wp-includes/class-pop3.php: Suspicious(fsockopen):
         $fp = @fsockopen("$server", $port, $errno, $errstr);

/home/gaiai/public_html/wp-includes/class-http.php: Suspicious(fsockopen):
  * @since 3.7.0 Combined with the fsockopen transport and switched to stream_socket_client().

/home/gaiai/public_html/wp-includes/class-snoopy.php: Suspicious(fsockopen):
                if($fp = fsockopen(

/home/gaiai/public_html/wp-includes/class-smtp.php: Suspicious(base64_decode):
                 $challenge = base64_decode($challenge);

/home/gaiai/public_html/wp-includes/functions.php: Suspicious(disable_functions):
        } elseif ( function_exists( 'phpinfo' ) && false === strpos( ini_get( 'disable_functions' ), 'phpinfo' ) ) {

/home/gaiai/public_html/wp-includes/class-IXR.php: Suspicious(base64_decode):
                 $value = base64_decode($this->_currentTagContents);

/home/gaiai/public_html/wp-includes/class-simplepie.php: Suspicious(fsockopen):
  * fsockopen() file source

/home/gaiai/tmp/awstats/awstats062013.---term.com.br.txt: Suspicious(c99):
 http://www.ado---.com/postx/e10b9ce09b68860871c9939b7497f61f/volvo_fh_12_380_6x2_20022003200420052006_consulte 1 1

 
 [unreadable binary data from the awstats log]

/home/serg/public_html/qon--/include/library/OS/Guess.php: Suspicious(root@):
 // FreeBSD host.example.com 3.3-STABLE FreeBSD 3.3-STABLE #0: Mon Feb 21 00:42:31 CET 2000     root@example.com:/usr/src/sys/compile/CONFIG  i386

/home/serg/public_html/qon--/include/library/PEAR/REST.php: Suspicious(fsockopen):
      *                       have the fsockopen error code available through

/home/serg/public_html/qon--/include/library/PEAR/Config.php: Suspicious(base64_decode):
                     $data[$key] = base64_decode($data[$key]);

/home/serg/public_html/qon--/include/library/PEAR/RunTest.php: Suspicious(open_basedir):
         'open_basedir=',

/home/serg/public_html/qon--/include/library/PEAR/Common.php: Suspicious(fsockopen):
      *                 have the fsockopen error code available through

/home/serg/public_html/qon--/include/library/PEAR/Downloader.php: Suspicious(fsockopen):
      *                       have the fsockopen error code available through

/home/serg/public_html/qon--/include/library/Smarty/libs/internals/core.create_dir_structure.php: Suspicious(open_basedir):
         $_open_basedir_ini = ini_get('open_basedir');

/home/serg/public_html/qon--/include/library/Smarty/libs/plugins/function.mailto.php: Suspicious(eval(unescape):
         return '<script type="text/javascript">eval(unescape(\''.$js_encode.'\'))</script>';

/home/serg/public_html/qon--/include/library/Smarty/libs/plugins/function.fetch.php: Suspicious(fsockopen):
                     $fp = fsockopen($proxy_host,$proxy_port,$errno,$errstr,$timeout);

/home/serg/public_html/qon--/include/library/HTTP.php: Suspicious(fsockopen):
         if (!$fp = @fsockopen($p['host'], $port, $eno, $estr, $timeout)) {

/home/serg/public_html/qon--/include/library/smtp.php: Suspicious(fsockopen):
                *             to fsockopen()

/home/serg/public_html/qon--/include/library/Net/Socket.php: Suspicious(fsockopen):
         $openfunc = $this->persistent ? 'pfsockopen' : 'fsockopen';

/home/serg/public_html/qon--/template/admin/image/icon/license.txt: Suspicious(Hacker):
   library `Frob' (a library for tweaking knobs) written by James Random Hacker.
   
   
/home/bemyst/public_html/wp-includes/class-phpmailer.php: Suspicious(root@):
     public $From = 'root@localhost';

/home/bemyst/public_html/wp-includes/js/tinymce/license.txt: Suspicious(Hacker):
   library `Frob' (a library for tweaking knobs) written by James Random Hacker.

/home/bemyst/public_html/wp-includes/js/plupload/license.txt: Suspicious(Hacker):
   `Gnomovision' (which makes passes at compilers) written by James Hacker.

/home/bemyst/public_html/wp-includes/class-wp-customize-widgets.php: Suspicious(base64_decode):
                $decoded = base64_decode( $value['encoded_serialized_instance'], true );

/home/bemyst/public_html/wp-includes/class-feed.php: Suspicious(fsockopen):
        public function __construct($url, $timeout = 10, $redirects = 5, $headers = null, $useragent = null, $force_fsockopen = false) {

/home/bemyst/public_html/wp-includes/ID3/getid3.php: Suspicious(open_basedir):
        // sys_get_temp_dir() may give inaccessible temp dir, e.g. with open_basedir on virtual hosts

/home/bemyst/public_html/wp-includes/ID3/module.audio-video.riff.php: Suspicious(hacked):
                        MDVD    Alex MicroDVD Video (hacked MS MPEG-4) (www.tiasoft.de)

/home/bemyst/public_html/wp-includes/ID3/module.audio.ogg.php: Suspicious(base64_decode):
                                        $flac->setStringMode(base64_decode($ThisFileInfo_ogg_comments_raw[$i]['value']));

/home/bemyst/public_html/wp-includes/ID3/getid3.lib.php: Suspicious(Windows-1251):
                        case 'Windows-1251':

/home/bemyst/public_html/wp-includes/ID3/module.audio-video.quicktime.php: Suspicious(hacked):
                        $QuicktimeSTIKLookup[5]  = 'Whacked Bookmark';

/home/bemyst/public_html/wp-includes/class-pop3.php: Suspicious(fsockopen):
         $fp = @fsockopen("$server", $port, $errno, $errstr);

/home/bemyst/public_html/wp-includes/class-http.php: Suspicious(fsockopen):
  * @since 3.7.0 Combined with the fsockopen transport and switched to stream_socket_client().

/home/bemyst/public_html/wp-includes/class-snoopy.php: Suspicious(fsockopen):
                if($fp = fsockopen(

/home/bemyst/public_html/wp-includes/class-smtp.php: Suspicious(base64_decode):
                 $challenge = base64_decode($challenge);

/home/bemyst/public_html/wp-includes/functions.php: Suspicious(disable_functions):
        } elseif ( function_exists( 'phpinfo' ) && false === strpos( ini_get( 'disable_functions' ), 'phpinfo' ) ) {
 
Old 07-08-2015, 12:04 PM   #4
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,138

Rep: Reputation: 1263
You're running wordpress. Update to the latest version.

http://www.cvedetails.com/vulnerabil...oduct_id-4096/
 
  

