
Compromised System by base64.inject.unclassed

DeltaFox2211

New Pleskian
Hello

My VPS, which runs CentOS 6 with Plesk 11, has some serious problems.
My customers called me to say that their mails aren't going out.
So I looked at the log files and found the following.

http://pastebin.com/5WBi8DuZ

I found out that some mails can't get through because the server is blacklisted.
I was shocked and immediately ran the Linux Malware Detect scanner.
It first scanned the /home directory and two pieces of bad software were found.

base64.inject.unclassed
Code:
sed -i -e s/<?.*eval(base64_decode(.*?>// -e s/<?php.*eval(base64_decode(.*?>// -e s/eval(base64_decode([^;]*;//
gzbase64.inject.unclassed
Code:
sed -i -e s/// -e s///

These were the two things the scanner found.

I also figured out that the server is sending spam, but in the mail queue there are only mails from my customers.
Usually, when a site is hacked, I can trace it on the server by looking for the ID in the header to see which user is spamming, and then it's easy to find the bad script. But in this case I can't do that, because I can't see any spam.

Currently I am listed in the CBL and at Hostkarma. Hostkarma also sent me these logs.
Code:
/ip-log/karma.log.10:black 146.255.61.53 site-management.at auth-bad X=mxbackup H=web03.site-management.at [146.255.61.53] HELO=[KASHEV.COM] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B5=E2=80=8E=D0=87=E2=80=8E=E1=BE=B0=E2=80=8E=C4=A0=E2=80=8E=E1=B9=9A=E2=80=8E=E1=BE=B0?=]

/ip-log/karma.log.10:virus 146.255.61.53 site-management.at NOTQUIT [S=12 - NQ BlList SubEncoded RecBL NoQuit] X=mxbackup H=web03.site-management.at [146.255.61.53] HELO=[KASHEV.COM] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B5=E2=80=8E=D0=87=E2=80=8E=E1=BE=B0=E2=80=8E=C4=A0=E2=80=8E=E1=B9=9A=E2

/ip-log/karma.log.10:black 146.255.61.53 site-management.at auth-bad X=euclid H=web03.site-management.at [146.255.61.53] HELO=[miravillacarecenter.com] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B7=E2=80=A8=E1=BF=99=E2=80=A8=C6=9B=E2=80=A8=C4=A1=E2=80=A8=C5=94=E2=80=A8=C6=9B?=]

/ip-log/karma.log.10:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=euclid H=web03.site-management.at [146.255.61.53] HELO=[miravillacarecenter.com] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B7=E2=80=A8=E1=BF=99

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=E4=E5=E9=F1=F2=E2=E8=F2=E5=EB=FC=ED=EE_=EF=F0=E8=EA=EE=EB=FC=ED=E0=FF_=F0__=E5__=EA__=EB__=E0__=EC__=E0?=]

/ip-log/karma.log.18:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=E4=E5=E9=F1=F2=E2=E8=F2=E5=EB=FC=ED

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[kearney.net] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=E1=B9=BC=E2=80=8A=C3=8F=E2=80=8A=E1=BE=8B=E2=80=8A=E1=B8=A1=E2=80=8A=CA=80=E2=80=8A=E1=BE=8B?=]

/ip-log/karma.log.18:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=pascal H=web03.site-management.at [146.255.61.53] HELO=[kearney.net] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=E1=B9=BC=E2=80=8A=C3=8F=E2=80=8A=E1=BE=8B=E2=80=8A=E1=B8=A1=E2=

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=euclid H=web03.site-management.at [146.255.61.53] HELO=[acronusa.com] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=EE=F7=E5=ED=FC_=EA=E0=F7=E5=F1=F2=E2=E5=ED=ED=E0=FF_=F0_=E5_=EA_=EB_=E0_=EC_=EE_=F7_=EA_=E0?=]

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CF=EE_=ED=E0=F1=F2=EE=FF=F9=E5=EC=F3_=EE=F5=F3=E5=ED=ED=E0=FF_=F0.=E5.=EA.=EB.=E0.=EC.=EE.=F7.=EA.=E0?=]

I hope you folks can help me.
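The two LMD signatures quoted in the post (base64.inject.unclassed and gzbase64.inject.unclassed) describe PHP files that hide their real code behind eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))). The following scanner is an added example written for this thread; it is not LMD's code and not the poster's. It walks a web root, flags lines matching simplified versions of those two patterns (the regexes are an assumption modelled on the sed signatures above, not LMD's real rule set), and decodes the hidden payload so the administrator can see whether it is a mailer before deleting it. The sample site it builds is constructed, with a harmless echo standing in for the payload.

```python
"""Find and decode eval(base64_decode(...)) / eval(gzinflate(base64_decode(...)))
injections in a web root. Added example, not LMD's own code."""

import base64
import os
import re
import tempfile
import zlib

# Assumption: simplified reimplementation of the two LMD signatures quoted in
# the thread; LMD's actual rules are broader than these two regexes.
SIGNATURES = {
    "base64.inject.unclassed": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)"),
    "gzbase64.inject.unclassed": re.compile(
        r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"),
}


def decode_payload(signature, blob):
    """Recover the hidden PHP so an analyst can see what the injected code does."""
    raw = base64.b64decode(blob)
    if signature == "gzbase64.inject.unclassed":
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() is raw DEFLATE, no zlib header
    return raw.decode("utf-8", errors="replace")


def scan_text(text):
    """Return one finding per matching line: signature, line number, decoded payload preview."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in SIGNATURES.items():
            for m in rx.finditer(line):
                try:
                    payload = decode_payload(name, m.group(1))
                except (ValueError, zlib.error):
                    payload = "<undecodable>"
                hits.append({"signature": name, "line": line_no, "payload": payload[:120]})
    return hits


def scan_tree(root, exts=(".php", ".phtml", ".inc", ".html", ".js")):
    """Scan every web file under root and attach the relative path to each finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for hit in scan_text(text):
                hit["path"] = os.path.relpath(path, root)
                findings.append(hit)
    return findings


# Constructed sample site (not real malware): the hidden payload is a harmless echo.
PAYLOAD = "echo 'mailer stub';"


def build_sample_site(root):
    b64 = base64.b64encode(PAYLOAD.encode()).decode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    gz = base64.b64encode(deflater.compress(PAYLOAD.encode()) + deflater.flush()).decode()
    files = {
        "index.php": "<?php\necho 'clean site';\n",
        "wp-content/uploads/cache.php": "<?php eval(base64_decode('%s')); ?>\n" % b64,
        "js/footer.php": "<?php\n/* cmp */ eval(gzinflate(base64_decode('%s')));\n" % gz,
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the constructed site in a temp dir, scan it, return findings sorted by path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return sorted(scan_tree(root), key=lambda h: h["path"])


if __name__ == "__main__":
    for f in demo():
        print("%-30s %-28s line %d  payload: %s" % (f["path"], f["signature"], f["line"], f["payload"]))
```

On a real box you would call scan_tree("/var/www/vhosts") and read the decoded payloads; a hit whose payload calls mail() or opens sockets is the mailer that explains outbound spam that never appears in the Plesk queue.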
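The Hostkarma lines above carry the evidence that the mail queue does not: each one records the connecting IP, its reverse DNS, the HELO name the spammer presented, the envelope sender/recipient and an RFC 2047-encoded subject. The parser below is an added example for this thread (not Hostkarma's or the poster's code). It splits those fields, decodes the subject with the standard library, and flags every line whose HELO name does not belong to the server's own hostname, which is the quickest way to confirm that the traffic is a forged-HELO mailer rather than a customer's mail client. The sample lines are constructed from the format shown in the post, with placeholder addresses.

```python
"""Parse Hostkarma karma.log lines and flag forged HELO names.
Added example, not Hostkarma's own tooling."""

import re
from collections import Counter
from email.header import decode_header, make_header

# Field layout taken from the log lines quoted in the thread; the trailing ']'
# is optional because Hostkarma truncates long subjects.
LINE_RX = re.compile(
    r"^(?P<file>[^:]+):(?P<verdict>\w+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<rdns>\S+)\s+"
    r"(?P<reason>.*?)\s*X=(?P<mx>\S+)\s+H=(?P<helo_host>\S+)\s+\[(?P<ip2>[^\]]+)\]\s+"
    r"HELO=\[(?P<helo>[^\]]*)\]\s+F=\[(?P<sender>[^\]]*)\]\s+T=\[(?P<rcpt>[^\]]*)\]\s+"
    r"S=\[(?P<subject>.*?)\]?\s*$"
)


def decode_subject(raw):
    """Decode an RFC 2047 encoded-word subject; truncated words fall back to raw text."""
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeDecodeError, LookupError, ValueError):
        return raw


def parse_karma_line(line):
    """Return the line's fields as a dict, or None if it is not a karma.log record."""
    m = LINE_RX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["subject"] = decode_subject(rec["subject"])
    helo = rec["helo"].lower()
    # A legitimate MTA greets with its own hostname; anything else is forged.
    rec["helo_mismatch"] = helo != rec["helo_host"].lower() and not helo.endswith(rec["rdns"].lower())
    return rec


def summarize(lines):
    """Count verdicts and forged HELO names across a batch of log lines."""
    verdicts, forged = Counter(), Counter()
    for line in lines:
        rec = parse_karma_line(line)
        if rec is None:
            continue
        verdicts[rec["verdict"]] += 1
        if rec["helo_mismatch"]:
            forged[rec["helo"]] += 1
    return {"verdicts": dict(verdicts), "forged_helo": dict(forged)}


# Constructed sample lines in the format quoted in the thread (addresses are placeholders).
SAMPLE_LINES = [
    "/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal "
    "H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] "
    "F=[sender@example.invalid] T=[victim@example.invalid] "
    "S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE?=]",
    "/ip-log/karma.log.10:virus 146.255.61.53 site-management.at NOTQUIT "
    "[S=12 - NQ BlList SubEncoded RecBL NoQuit] X=mxbackup H=web03.site-management.at "
    "[146.255.61.53] HELO=[KASHEV.COM] F=[sender@example.invalid] T=[victim@example.invalid] "
    "S=[=?utf-8?Q?=D1=B5=E2",
    "/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=euclid "
    "H=web03.site-management.at [146.255.61.53] HELO=[web03.site-management.at] "
    "F=[customer@example.invalid] T=[friend@example.invalid] S=[Invoice]",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_karma_line(line)
        print(rec["verdict"], rec["helo"], "FORGED" if rec["helo_mismatch"] else "ok", "|", rec["subject"])
    print(summarize(SAMPLE_LINES))
```

Feed it the real karma.log excerpt and the forged_helo counter gives you the list of HELO names to search for in the Postfix or qmail logs; those log entries name the local user or script that injected the message.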