email failed due to suspicious file activity
I saw an failed email mesaage in my logs this morning, which would indicate that the root account had tried to send an email to a user on one of my domains.
I know without doubt that this wasn't initiated by me or anyone else for that matter, so I'm guessing some sort of hack or email security bypass.
Could someone take a look and see if they can decipher it please.
Return-path:
Received: from [101.251.xxx.xx] (port=58643 helo=example.com)
by my.servers.co.uk with esmtp (Exim 4.86)
(envelope-from )
id 1aT1UB-0007Cf-Bd
for email@oneofmydomains.co.uk; Tue, 09 Feb 2016 06:09:18 +0000
Received: from localhost.localdomain (localhost [127.0.0.1])
by example.com (Postfix) with ESMTP id 242C46946E
for ; Tue, 9 Feb 2016 12:46:50 +0800 (CST)
Received: (from www@localhost)
by localhost.localdomain (8.14.4/8.14.4/Submit) id u194knea002948;
Tue, 9 Feb 2016 12:46:49 +0800
To: email@oneofmydomains.co.uk
X-PHP-Originating-Script: 501:rripp1.php
Date: Tue, 9 Feb 2016 12:46:49 +0800
From: "DHL DeliverNow Network"
Message-ID: <9951138358.20160209124649@>
To: email@oneofmydomains.co.uk
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------505939FD9C2C326F7"
X-Spam-Status: Yes, score=6.4
X-Spam-Score: 64
X-Spam-Bar: ++++++
X-Spam-Report: Spam detection software, running on the system "my.servers.co.uk",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
-
Hello :), I can see your this mail has been sent from your rripp1.php file, which is present under your one of the user (USER id : 501). Please check this account and remove unwanted files this account and secure it. 0 -
I just looked and dont have an account under 501. Not that I can see anyway Incidentally, the IP 101.251.x.x is not my server I've googled this a few times, but cannot find anything definitive. Lots of posts mentioning hosts files. This is mine 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 213.xxx.xxx.xx my.server.co.uk my server213-xxx-xxx-xxx.hosts-servers.net server213-xxx-xxx-xx
Could there be some sort of bypass where the hacker, spammer, etc sends an email as localhost, and then my server interprets this as it'self, and that's why I recieved the failure notification ??0 -
I'd say search your filesystem for the file: rripp1.php find / -name rripp1.php -type -f | xargs ls -alt Might take a long time if you have a lot of files. 501 is usually clamav user on many of my machines, but on other machines its my first hosting account user. Look for 501 in your /etc/passwd and /etc/group M 0 -
I found an entry for 501 in the group file. It's saying Mailtrap Is there a syntax error in that find command as I get a message pop up about " Arguments to -type should contain only one letter", then a whole host of files and folders appear, but I don't see rripp1.php amongst them 0 -
I have CSF explorer installed and didn't realise that this had a search facility. It's coming back and saying no results for rripp1.php 0 -
Hello :) Is the "mlocate" package installed on your system? If so, you can try searching the file via a command such as: locate rripp1.php
The database is cached, so as long as it has not updated recently, it should show you if that file existed in the past and was recently deleted. Thank you.0
Please sign in to leave a comment.
Comments
6 comments