Skip to main content

Find out where the hacker infiltrated through

Comments

4 comments

  • Prodisa
    Help to find spam origin I thought I had solved the spam flood in my server, but the email queue is filling again. Before I could identify the source: two malware scripts that I deleted. Now I need your help to locate the origin of that spam emails. All of them are sent from an inexistent account of one of the sites hosted to yahoo accounts. Here are the headers. For security purposes I have replaced the real server domain, the site domain and the cpanel account name of the site (marked in blue)
    Mail Control Data: [COLOR="#0000FF">cPanelSiteName 513 512 <[COLOR="#0000FF">cPanelSiteName@[COLOR="#0000FF">serverDomain> 1421755579 0 -ident [COLOR="#0000FF">cPanelSiteName -received_protocol local -aclc _outgoing_spam_scan 1 1 -body_linecount 23 -max_received_linelength 80 -auth_id [COLOR="#0000FF">cPanelSiteName -auth_sender [COLOR="#0000FF">cPanelSiteName@[COLOR="#0000FF">serverDomain -allow_unqualified_recipient -allow_unqualified_sender -local -spam_score_int 0 XX 1 [COLOR="#0000FF">yahooTargetAccount Date: Tue, 20 Jan 2015 13:06:19 +0100 From: "Ethan Jarvis" <[COLOR="#0000FF">siteInexistentEmailAccount> To: [COLOR="#0000FF">yahooTargetAccount Subject: Sexy Blonde Hot Toy Insertion Action Content-Type: multipart/alternative;boundary="----------142175557954BE44BB0C57D" Message-Id: serverDomain> Mime-Version: 1.0 Received: from [COLOR="#0000FF">cPanelSiteName by [COLOR="#0000FF">serverDomain with local (Exim 4.84) (envelope-from <[COLOR="#0000FF">cPanelSiteName@[COLOR="#0000FF">serverDomain>) id 1YDXZb-00006A-2t for [COLOR="#0000FF">yahooTargetAccount; Tue, 20 Jan 2015 13:06:31 +0100 Reply-To: "Ethan Jarvis" <[COLOR="#0000FF">siteInexistentEmailAccount> X-Mailer: Fscfz(ver.2.75) X-OutGoing-Spam-Status: No, score=0.0 X-PHP-Script: "Ethan Jarvis" <[COLOR="#0000FF">siteDomain>/ for 127.0.0.1
    Thank you in advance for your help.
    0
  • cPanelMichael
    Hello :) You may find this thread helpful: Logs to check after account is hacked As for determining the source of the SPAM, check this thread: Unknown Spam Source Thank you.
    0
  • Prodisa
    Michael, thank you for the links. This info helped me to keep the server spam free. Now my IP has been blacklisted. While I manage it to be deleted from several lists, could I use my free VPS secondary IP for email services? if the answer is yes, how can I do it? I'm afraid my reptilian hosting support agent's don't know the answer in a chat, and don't answer a two days old ticket :(. I need your help.
    0
  • cPanelMichael
    You can change the IP addressed used by Exim for outgoing email by following the instructions in the following document: How to Configure Exim's Outgoing IP Address Thank you.
    0

Please sign in to leave a comment.