Script Exploited for Spam Mail Abuse

Hi,
I started some time ago to receive emails that look like they are sent by one of my websites... I get one per day now.
I forwarded one to you. They use my account user name and my site URL, I think to send emails for free or something...
I think my Joomla installation is secure...
Do you know what this is about? What can I do to prevent this?
Kindly

    Posted On: 15 Jan 2008 04:14 AM
Hello M,

Could you please provide messages with full headers.

And, we would need main IP and root password for your server.

Best regards,
 
    Posted On: 15 Jan 2008 04:21 AM

hi,
the message I sent you was a forward, that is all the information I have (or I don't know how to retrieve additional headers).
Please tell me:
Do you need the IP and password for this account or for the main reseller account? For this account hotel-montpaisible.ch, the IP is 216.246.77.64 and the pass is
For the main account rootshosting.net, the IP is 64.202.120.110 and if you need the password please tell me and I'll log in to the ticket system and supply it there.... I'm starting to get scared with these mail things ^_^
Kindly
Matthieu

  
    Posted On: 15 Jan 2008 04:42 AM
Hi Matthieu,

We will need root password for your main account, as well as the username and password for the mail in question.
Best regards,
  
    Posted On: 15 Jan 2008 05:06 AM

hehe
I'm trying to put up a ticket but then... I'm trying to remember my WebHost Manager website.
Hang on a little, I've got to wait 10 min... again.
sorry
Matthieu


     
    Posted On: 15 Jan 2008 05:15 AM
Hi Matthieu,

When you remember the password, get back to us, and we'll look into the problem.
Best regards,
   
    Posted On: 15 Jan 2008 05:21 AM
   
    Posted On: 15 Jan 2008 06:04 AM
Hi again, Matthieu,

Can you please forward one of the mails in question to our mail? It would help us greatly to have full headers. We can't find any mails on the account you provided, they must've been deleted when you downloaded them.
Best regards,

 
    Posted On: 15 Jan 2008 07:15 AM

hi,
I get these mails on my Hotmail account.
Matthieu

 
    Posted On: 15 Jan 2008 07:31 AM
Hi again, Matthieu!

Please don't open new tickets for this issue, it is causing great confusion. Just use reply in future reference to this matter. Just reply, and have your reply pointing to [email address hidden].

As for your problem, your site probably was not hacked. In the short headers you sent us the first time, you can see that the 'From' field is [email address hidden]. That is the sender of the mail. I've asked for full headers to confirm it, but you can check it yourself in your mail client.
Also, feel free to contact us if you experience further problems.

  
    Posted On: 15 Jan 2008 08:24 AM

hi again,
thank you for investigating.
Unfortunately I can't see more than what I sent you because I'm using Hotmail online...
Am I going to see more if I download the mail onto my PC's Outlook?
Also, I get these mails twice a day but not regularly; the sender is always different, the subject is always similar but with a different code in it.
The mail used by this website is this email address ([email address hidden]) but through another application, not the Joomla default mail, while these mails I get don't come from the online mail extension.
Also the only connection between my address [email address hidden] and this website is that [email address hidden] is the default email for the hosting account hotel-montpaisible.com... it's not the Joomla mail / not in the DB / not on the website's pages...
and somebody is using it to send spam obviously
and I don't know what to do
Thanks

    Posted On: 22 Jan 2008 07:59 PM

hi,
sorry, it looks like the problem is not yet solved, for I received another of these mails today again.
Please tell me how it's possible that somebody is sending mails through one of my emails, and god knows how they got hold of my main email address.
Your colleagues appear to be saying that it's a minor issue... but for me it's still an issue and not that minor. Please give me a clue.
Kindly

 
    Posted On: 22 Jan 2008 08:49 PM
I've looked into this a bit deeper; what I don't see is a valid URL. http://hotel-montpaisible.ch/joomla is not valid, so where is your Joomla application?


Please let us know if we can further assist you.

Thanks,
     
    Posted On: 23 Jan 2008 12:54 PM

Hi,
Thanks so much for your reply.
http://hotel-montpaisible.ch/joomla is not a valid URL, this is what I don't understand... there is a Joomla installed there, but I only use a Facile Forms module, nothing else.
Somehow somebody is using that to send mail while the Joomla default mail form is switched off as far as I can tell.
And I guess that what I receive in the default email address for the cPanel account is a copy of whatever is sent.... if not, I have no clue what that is... I hope not a robot trying to break something...

Kindly 
    Posted On: 23 Jan 2008 01:32 PM
Hi,

If you do not want this Joomla install at that URL, is it OK if we delete it to prevent these exploits?
Please let us know if there is anything further we can do.

Thanks,
  
    Posted On: 24 Jan 2008 12:27 AM

Hi,
no, that I could do myself, thanks.
I am using the Joomla there because it's managing some forms (email / reservation).
But it is ONLY managing forms.... the normal email form from Joomla is de-activated....
sorry... but are you reading my mails?
Matthieu
     
    Posted On: 24 Jan 2008 12:37 AM
Hello,

As the issue you are describing pertains to Joomla, you would have to contact them for assistance, as we do not provide direct support for third-party software such as this. If there is anything else we can help you with, please feel free to let us know!


Regards,   
    Posted On: 24 Jan 2008 11:05 AM

thanks for your kind answer.
Yes, you are right, if this is purely a Joomla problem, it is not your problem.
If I can't use Joomla safely with your hosting company, I should think about decentralising my websites.
I'm going to contact sales to start reducing my account quotas, thanks for your help.
Kindly     
    Posted On: 24 Jan 2008 11:48 AM
Hiya,

If you need anything further, do let us know and as always, thanks for choosing HostForWeb! Have a great day! :-)

If you need anything else, please don't hesitate to let us know.

Thanks,
    
    Posted On: 24 Jan 2008 12:24 PM

hi,
I see that the last mail was answered by "Dayshift Support Manager" and I guess that it's because my last mail was not very nice, sorry for that.
Please understand that I'm now working very hard on booking software for a website that will use the URL securehotelbooking.com and that will use Joomla.

I've looked around a lot to compare hosting companies and I have also been thinking about hosting it with you because you have attractive VPS packages and I think you are the best.
But I'm very concerned about security and I'd have hoped that in awkward cases like this one support could step over the line a little and give me an answer such as "that's got to be something with this or that, check on this and that and that'll do it" or "there's a way to track down the origin of the mail and ...."

because without some kind of support like that, I think I'll be unable to secure my website completely myself
... so I have to consider options...
All that long mail to say that I was not being moody in my last mail and it doesn't need to go to the boss ^_^
Kindly
    Posted On: 24 Jan 2008 12:59 PM
Greetings,

With a VPS, there are many more capabilities for security, as we can secure the environment just for you and not have to worry about other clients' needs as we would on a shared / reseller server.

If you need anything else, please don't hesitate to let us know.

Thanks,
   
    Posted On: 24 Jan 2008 01:14 PM

^_^
That sure sounds good but I'm not sure what it means... I'll have a developer install all that for me.
I'll put the thing online in about 2 months and need a private SSL / IP... and hopefully it should need a VPS after 6 months of operation.
All I'll ask is that if one day some hacker targets me you guys will be there to help me out...
Well... that's what's happening to me now though, because it looks like somebody is using my sendmail to send spam or something... and this website is currently my only real customer...
Sorry to ask one last time... isn't there a way to trace this kind of mail? To see how many copies are being sent and to whom...? How...? Nothing proves that it's from the Joomla install... it would be a widespread issue...
Kindly
    Posted On: 24 Jan 2008 01:26 PM
Greetings,

Can you provide copies of these messages with full headers?

If you need anything else, please don't hesitate to let us know.

Thanks,  
    Posted On: 24 Jan 2008 01:30 PM

Hi,
What I sent in the forwarded mail is all I got... I receive these mails on my Hotmail account and sent you a copy... I do not know how to retrieve more information, sorry.
  
    Posted On: 24 Jan 2008 01:40 PM
Hi,

Unfortunately, it will be impossible for us to tell where they are coming from without a bounceback or a sent message with full headers. Let us know if you find one!
Please let us know if there is anything further we can do.

Thanks,
    
    Posted On: 24 Jan 2008 01:55 PM

Hi,
Thanks for your reply.
Unfortunately that's all I have, and Hotmail doesn't seem to offer more information about mails anywhere...
Wouldn't there be a way to intercept the mails as they are being sent?
They might not be sent the same way other mails are sent for this website... in that case they'd be the only ones using this channel... other mails for this website are using a different module (I use this module in many websites and never had such problems).
Please tell me any information or password you'd need if you have time to inquire.
Thanks
Kindly
    Posted On: 24 Jan 2008 02:06 PM
Greetings,

There really is no way to intercept them per se. Where are you seeing them?

If you need anything else, please don't hesitate to let us know.

Thanks,
    Posted On: 24 Jan 2008 02:13 PM

hi,
apparently they are sent using a borrowed address from the same domain xmymail-in.net.
They arrive on my Hotmail (which is my default email for all website admin... and they use hotelmon in the subject, which is my Joomla user as well as my cPanel user...).
My Hotmail is a webmail so I can't see more information.
Kindly
Matthieu


    Posted On: 24 Jan 2008 02:25 PM
Hi,

It may be spoofing. This is when someone enters any email they want in the From and Reply-To fields, such as bill.gates@microsoft.com. Then, if the message bounces back, it will return to the actual bill.gates@microsoft.com. This doesn't mean an account is compromised, it is just being spoofed. Unfortunately, there is no real way to stop this.

Please let us know if there is anything further we can do.

Thanks,
  
    Posted On: 24 Jan 2008 02:33 PM

hi,
Thanks for the explanation.
What I don't understand is that there is no email form in that directory (or at least not that one) and the email address is not the Joomla email address... if a form was used in Joomla I should get it at info@mont-paisible.ch, not on my Hotmail... this is the worrying thing.
Kindly

    Posted On: 24 Jan 2008 03:16 PM
Greetings,

I'm not really familiar with how Joomla works. However, spoofing, like Rick explained, is probably the cause here.

If you need anything else, please don't hesitate to let us know.

Thanks,
    Posted On: 25 Jan 2008 01:01 AM

Thank you very much for your time.
I'll find a way to turn the whole mail system of Joomla off and will contact you if I still get mails after that.
Kindly
Matthieu

    Posted On: 25 Jan 2008 01:02 AM
No problem! If you need anything else, please do let us know!


    Posted On: 24 Mar 2008 03:25 PM
Hi,
I re-open this ticket, which was about the fact that somebody's using my accounts to send his spam.
I've just upgraded to a VPS and I've set up redirection of mails to "nobody" to my main email account, and I've started to receive these:


Warning: message 1Jd7IA-00045X-Kc delayed 48 hours
From: Mail Delivery System (Mailer-Daemon@server.rootshosting.net)
Sent: Tuesday, March 25, 2008 3:19:12 AM
To: nobody@server.rootshosting.net

This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on server.rootshosting.net.

The message identifier is:     1Jd7IA-00045X-Kc
The subject of the message is: Online Access Suspended
The date of the message is:    Sat, 22 Mar 2008 12:14:02 -0500

The address to which the message has not yet been delivered is:

  trevor.lazell1@btinernet.com

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.


Can that help to try to resolve the case of who/how somebody's using my accounts?

Kindly  
    Posted On: 24 Mar 2008 03:40 PM
Greetings,

What is your main IP and root pass?


Thanks,

    Posted On: 24 Mar 2008 04:19 PM
Greetings,

Thanks for the info. Can you provide a full message with all headers or message ID of a message still in the queue.



Thanks,
   
    Posted On: 24 Mar 2008 04:39 PM
hi,
thanks for the reply.
I think all mails from the queue manager are from this same issue:
There are currently 37 messages in the mail queue.

Message ID          Size  Age  Recipient
1Jcogc-0004gM-91    3.2K  72h  xenihomi@gmail.com
1JcuhP-00032k-OS    3.2K  66h  xoxaxsin@gmail.com
1Jcxi0-0001Su-V0    3.2K  63h  negapubi@gmail.com
1Jd1DT-0007JX-BK    3.3K  59h  sehcaxte@gmail.com
1Jd4Ci-0000p4-4J    3.3K  56h  kepafihd@gmail.com
1Jd7D5-0007Rr-6a    2.9K  52h  tom.mccann@celare.co.uk
1Jd7D9-0007jb-TZ    2.9K  52h  tom.shipley@v21mail.co.uk
1Jd7E7-0008Q1-65    2.9K  52h  tommy_g25@hotmal.com
1Jd7Em-0000zt-OM    2.9K  52h  tony@dealgroupmedia.com
1Jd7FJ-0001Ty-Py    2.9K  52h  tony.colebrook@in-sourced.com
1Jd7HJ-0003T9-NU    2.9K  52h  tracey.oneill@isl-online.com
1Jd7HR-0003Vd-TR    2.9K  52h  tracy.lamb@providenthims.co.uk
1Jd7IA-00045X-Kc    2.9K  52h  trevor.lazell1@btinernet.com
1Jd7JE-0005Fp-W8    2.9K  52h  tsvi@netrigon.com
1Jd7Kl-0006h9-VD    2.9K  52h  unbreakable000@hotmial.com
1Jd7L5-0006nq-7D    2.9K  52h  tom.mccann@celare.co.uk
1Jd7L9-0006pC-Vi    2.9K  52h  tom.shipley@v21mail.co.uk
1Jd7M2-0007QZ-IT    2.9K  52h  tommy_g25@hotmal.com
1Jd7Ma-0007wW-2Y    2.9K  52h  tony@dealgroupmedia.com
1Jd7N3-0008RP-Sy    2.9K  52h  tony.colebrook@in-sourced.com
1Jd7Pu-0002cW-72    2.9K  52h  tracey.oneill@isl-online.com
1Jd7Q3-0002wg-8F    2.9K  52h  tracy.lamb@providenthims.co.uk
1Jd9xf-0005FA-97    2.6K  50h  pilobeie@gmail.com
1JdCeJ-0001yv-6R    2.6K  47h  qimuwibi@gmail.com
1JdFbd-0007M5-SD    3.2K  44h  xecivini@gmail.com
1JdLVy-0006sC-Rc    3.2K  37h  nahafaep@gmail.com
1JdOXU-0007tm-ES    3.3K  34h  gizakiue@gmail.com
1JdRYV-0005cI-F0    3.2K  31h  tuyuqxuk@gmail.com
1JdUdn-0001WB-94    3.2K  27h  nfuxigew@gmail.com
1JdXfT-0006kw-6c    3.1K  24h  hpanibov@gmail.com
1Jdaie-0008Sv-BU    3.1K  21h  hahoneso@gmail.com
1Jddlm-0006Nr-6k    3.1K  18h  hovaguil@gmail.com
1Jdglx-00027N-Gp    3.2K  15h  keqojevo@gmail.com
1JdjrX-0006BI-PJ    3.3K  11h  wmanowum@gmail.com
1JdmtR-0006on-8m    3.1K  8h   gebanbam@gmail.com
1JdpsV-0005hq-1U    3.2K  5h   biveyehe@gmail.com
1Jdt9B-0000t2-IR    3.1K  77m  
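A queue listing like the one above is often enough on its own to tell a script run from real users: the whole 52h block is the same 2.9K message to what looks like a bought address list (with typo domains such as hotmal.com and btinernet.com), and the remaining messages go to eight-letter gmail addresses at roughly three-hour intervals. The following is an added example, not code from the original ticket, that parses a subset of the rows above and pulls those signals out automatically: batches of identical size and age, recipient domains one or two edits away from a well-known provider, recipients hit more than once, and random-looking local parts. The KNOWN list, the eight-letter rule and the edit-distance threshold are heuristics chosen for the example.

```python
"""Triage a cPanel/Exim mail-queue listing for signs of a spam run.

Added example for this thread; not code from the original ticket. QUEUE is a
subset of the queue listing in the post above, reduced to
'id size age recipient' rows. KNOWN, the eight-letter 'random local part'
rule and the edit-distance threshold are heuristics chosen for the example.
"""
import re
from collections import Counter

QUEUE = """\
1Jcogc-0004gM-91 3.2K 72h xenihomi@gmail.com
1JcuhP-00032k-OS 3.2K 66h xoxaxsin@gmail.com
1Jcxi0-0001Su-V0 3.2K 63h negapubi@gmail.com
1Jd7D5-0007Rr-6a 2.9K 52h tom.mccann@celare.co.uk
1Jd7D9-0007jb-TZ 2.9K 52h tom.shipley@v21mail.co.uk
1Jd7E7-0008Q1-65 2.9K 52h tommy_g25@hotmal.com
1Jd7Em-0000zt-OM 2.9K 52h tony@dealgroupmedia.com
1Jd7IA-00045X-Kc 2.9K 52h trevor.lazell1@btinernet.com
1Jd7Kl-0006h9-VD 2.9K 52h unbreakable000@hotmial.com
1Jd7L5-0006nq-7D 2.9K 52h tom.mccann@celare.co.uk
1Jd9xf-0005FA-97 2.6K 50h pilobeie@gmail.com
1JdFbd-0007M5-SD 3.2K 44h xecivini@gmail.com
1JdpsV-0005hq-1U 3.2K 5h biveyehe@gmail.com
"""

KNOWN = ("gmail.com", "hotmail.com", "yahoo.com", "btinternet.com")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)([mhd])\s+([^@\s]+)@(\S+)$")
RANDOM_LOCAL = re.compile(r"^[a-z]{8}$")  # throwaway-looking local part (heuristic)
UNIT_HOURS = {"m": 1 / 60, "h": 1, "d": 24}


def parse_queue(text):
    """Turn 'id size age recipient' lines into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        qid, size, n, unit, local, domain = m.groups()
        rows.append({"id": qid, "size": size, "age_h": int(n) * UNIT_HOURS[unit],
                     "local": local, "domain": domain.lower(),
                     "recipient": f"{local}@{domain.lower()}"})
    return rows


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, known=KNOWN, max_dist=2):
    """Return the well-known domain this one is a near-miss of, or None."""
    best = min(known, key=lambda k: levenshtein(domain, k))
    d = levenshtein(domain, best)
    return best if 0 < d <= max_dist else None


def triage(rows, known=KNOWN):
    by_domain = Counter(r["domain"] for r in rows)
    return {
        "by_domain": by_domain,
        # same size submitted within the same hour = one script run, not real users
        "batches": Counter((r["size"], round(r["age_h"])) for r in rows),
        "repeat_recipients": {a: n for a, n in Counter(r["recipient"] for r in rows).items() if n > 1},
        "lookalikes": {d: lookalike(d, known) for d in by_domain if lookalike(d, known)},
        "random_locals": sum(1 for r in rows
                             if r["domain"] == "gmail.com" and RANDOM_LOCAL.match(r["local"])),
    }


if __name__ == "__main__":
    t = triage(parse_queue(QUEUE))
    for (size, age), n in sorted(t["batches"].items(), key=lambda kv: -kv[1]):
        if n >= 3:
            print(f"batch: {n} messages of {size} queued ~{age}h ago")
    for bad, good in t["lookalikes"].items():
        print(f"typo-squat-looking recipient domain: {bad} (cf. {good})")
    print("random-looking gmail local parts:", t["random_locals"])
    print("recipients hit more than once:", t["repeat_recipients"])
```

On a live box the same rows come from `exim -bp` rather than the cPanel page; the parser only needs the id, size, age and recipient, so adapting it is a matter of changing ROW. None of these signals proves abuse by itself, but a batch of identical-size messages to near-miss domains that no customer of the site ever typed is the pattern to look for before pulling a message's headers.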

    Posted On: 24 Mar 2008 05:20 PM
Hello,

I've enabled daily cPanel backups and verified these are enabled. VPS backup images are also taken twice weekly to NAS. These can't be specially configured, they're done on the same schedule for all VEs.
    
    Posted On: 24 Mar 2008 05:34 PM
Hello,

These messages are being generated by the following script:

X-PHP-Script: hotel-a-to-z.com/index.php
   
    Posted On: 24 Mar 2008 05:36 PM
I'm sorry...
I don't understand your reply...
this ticket is not about backups but about spoofing (or any other kind of mail server exploit) on some of my accounts.
Kindly 
    Posted On: 24 Mar 2008 06:04 PM
Hello,

Pardon me, my first reply was in error. The second reply indicates the correct source of these queued messages. It appears the script itself is exploited.
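The point the support staff kept making earlier in the thread is that the visible From: line proves nothing, while the Received chain and the X-PHP-Script header are written by the server and do name the source. The following added example, not code from the original ticket, shows how to read those fields programmatically. SAMPLE is a constructed message in the shape cPanel's Exim produces when a PHP script calls mail(): the bottom Received hop records a local submission by the web-server user, and X-PHP-Script (added by cPanel's PHP patch as `host/script.php for CLIENT_IP`) names the script and the client that triggered it. The script name is the one from the ticket; the addresses, IPs and queue ids in SAMPLE are made up.

```python
"""Trace the origin of a message from its full headers.

Added example for this ticket thread; it is not code from the original post.
SAMPLE is a constructed message in the shape cPanel's Exim produces when a PHP
script on the server calls mail(): the bottom 'Received' hop records a local
submission by the web-server user, and 'X-PHP-Script' (added by cPanel's PHP
patch as 'host/script.php for CLIENT_IP') names the script and the client
that triggered it. Addresses, IPs and queue ids in SAMPLE are made up.
"""
import re
from email.parser import Parser
from email.utils import parseaddr

SAMPLE = """\
Return-Path: <nobody@server.rootshosting.net>
Received: from server.rootshosting.net ([64.202.120.110])
\tby mx.example.net with esmtp (Exim 4.68)
\tid 1JdXYZ-0001AB-CD
\tfor trevor.lazell1@btinernet.com; Sat, 22 Mar 2008 12:14:05 -0500
Received: from nobody by server.rootshosting.net with local (Exim 4.68)
\t(envelope-from <nobody@server.rootshosting.net>)
\tid 1Jd7IA-00045X-Kc
\tfor trevor.lazell1@btinernet.com; Sat, 22 Mar 2008 12:14:02 -0500
From: "Online Banking" <alerts@example.org>
Reply-To: alerts@example.org
To: trevor.lazell1@btinernet.com
Subject: Online Access Suspended
X-PHP-Script: hotel-a-to-z.com/index.php for 203.0.113.45
Message-Id: <E1Jd7IA-00045X-Kc@server.rootshosting.net>

Your online access has been suspended. Click here to restore it.
"""

FIELDS = ("from", "by", "with", "id", "for")


def parse_received(value):
    """Pull the from/by/with/id/for clauses, bracketed IP and date out of one Received header."""
    text = " ".join(value.split())  # unfold continuation lines
    hop = {}
    for key in FIELDS:
        m = re.search(r"\b%s\s+<?([^\s<>;()]+)>?" % key, text)
        hop[key] = m.group(1) if m else None
    m = re.search(r"\[(\d+(?:\.\d+){3})\]", text)
    hop["ip"] = m.group(1) if m else None
    m = re.search(r";\s*(.+)$", text)
    hop["date"] = m.group(1) if m else None
    return hop


def analyze(raw):
    """Return who the message claims to be from, who really injected it, and where."""
    msg = Parser().parsestr(raw)
    # Each relay prepends its own Received header, so the last one is the first hop.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1] if hops else None
    _, header_from = parseaddr(msg.get("From", ""))
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    from_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    script = client_ip = None
    m = re.match(r"(\S+)(?:\s+for\s+(\S+))?", msg.get("X-PHP-Script", ""))
    if m:
        script, client_ip = m.group(1), m.group(2)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        # The visible From: is free text chosen by the sender; only the envelope
        # sender and the Received chain are written by the mail system.
        "spoofed_from": bool(from_domain) and from_domain != envelope_domain,
        "hops": hops,
        "origin": origin,
        "local_submission": origin is not None and origin["with"] == "local",
        "queue_id": origin["id"] if origin else None,
        "script": script,
        "client_ip": client_ip,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("claims to be from :", report["header_from"])
    print("envelope sender   :", report["envelope_from"])
    print("injected at       :", report["origin"]["by"], "via", report["origin"]["with"])
    print("queue id          :", report["queue_id"])
    print("generating script :", report["script"], "called from", report["client_ip"])
    print("spoofed From:     :", report["spoofed_from"])
```

On the server itself the headers of a message still in the queue can be printed with `exim -Mvh <queue id>`, so this check can be run before anything bounces. A From: domain that differs from the envelope sender only confirms the address is being spoofed; it is the `with local` hop under the web-server user plus X-PHP-Script that ties the run to a script on the box, which is what the support reply above reports.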
    
    Posted On: 24 Mar 2008 06:08 PM

Thanks,
I'll look around tomorrow.
I installed an application that I purchased online for this website.
I hope it's not some malicious thing hidden in the software...
Thanks a lot
Matthieu

    
    Posted On: 24 Mar 2008 06:30 PM
Hello,

Okay, just let us know if you need anything else.

Thanks.

HostForWeb Support
