
Compromised System by base64.inject.unclassed

DeltaFox2211

New Pleskian
Hello

My VPS, which runs CentOS 6 with Plesk 11, has some serious problems.
My customers called me to say that the mails aren't going out.
So I looked at the log files and found out the following.

http://pastebin.com/5WBi8DuZ

I found out that some mails can't get through because the server is blacklisted.
I was shocked and immediately ran the Linux malware detector.
It first scanned the /home directory and two pieces of bad software were found.

base64.inject.unclassed
Code:
sed -i -e 's/<?.*eval(base64_decode(.*?>//' -e 's/<?php.*eval(base64_decode(.*?>//' -e 's/eval(base64_decode([^;]*;//'
gzbase64.inject.unclassed
Code:
sed -i -e s/// -e s///

These were the two things the scanner found.

I also figured out that the server is sending spam, but in the mail queue there are only mails from my customers.
Usually when a site is hacked I can trace it by looking at the header for the ID of which user is spamming, and then it's easy to find the bad script, but in this case I can't do that because I can't see any spam.

Currently I am listed in the CBL and at Hostkarma. Hostkarma also sent me these logs.
Code:
/ip-log/karma.log.10:black 146.255.61.53 site-management.at auth-bad X=mxbackup H=web03.site-management.at [146.255.61.53] HELO=[KASHEV.COM] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B5=E2=80=8E=D0=87=E2=80=8E=E1=BE=B0=E2=80=8E=C4=A0=E2=80=8E=E1=B9=9A=E2=80=8E=E1=BE=B0?=]

/ip-log/karma.log.10:virus 146.255.61.53 site-management.at NOTQUIT [S=12 - NQ BlList SubEncoded RecBL NoQuit] X=mxbackup H=web03.site-management.at [146.255.61.53] HELO=[KASHEV.COM] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B5=E2=80=8E=D0=87=E2=80=8E=E1=BE=B0=E2=80=8E=C4=A0=E2=80=8E=E1=B9=9A=E2

/ip-log/karma.log.10:black 146.255.61.53 site-management.at auth-bad X=euclid H=web03.site-management.at [146.255.61.53] HELO=[miravillacarecenter.com] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B7=E2=80=A8=E1=BF=99=E2=80=A8=C6=9B=E2=80=A8=C4=A1=E2=80=A8=C5=94=E2=80=A8=C6=9B?=]

/ip-log/karma.log.10:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=euclid H=web03.site-management.at [146.255.61.53] HELO=[miravillacarecenter.com] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=D1=B7=E2=80=A8=E1=BF=99

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=E4=E5=E9=F1=F2=E2=E8=F2=E5=EB=FC=ED=EE_=EF=F0=E8=EA=EE=EB=FC=ED=E0=FF_=F0__=E5__=EA__=EB__=E0__=EC__=E0?=]

/ip-log/karma.log.18:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=E4=E5=E9=F1=F2=E2=E8=F2=E5=EB=FC=ED

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[kearney.net] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=E1=B9=BC=E2=80=8A=C3=8F=E2=80=8A=E1=BE=8B=E2=80=8A=E1=B8=A1=E2=80=8A=CA=80=E2=80=8A=E1=BE=8B?=]

/ip-log/karma.log.18:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=pascal H=web03.site-management.at [146.255.61.53] HELO=[kearney.net] F=[[email protected]] T=[[email protected]] S=[=?utf-8?Q?=E1=B9=BC=E2=80=8A=C3=8F=E2=80=8A=E1=BE=8B=E2=80=8A=E1=B8=A1=E2=

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=euclid H=web03.site-management.at [146.255.61.53] HELO=[acronusa.com] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=EE=F7=E5=ED=FC_=EA=E0=F7=E5=F1=F2=E2=E5=ED=ED=E0=FF_=F0_=E5_=EA_=EB_=E0_=EC_=EE_=F7_=EA_=E0?=]

/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[[email protected]] T=[[email protected]] S=[=?windows-1251?Q?=CF=EE_=ED=E0=F1=F2=EE=FF=F9=E5=EC=F3_=EE=F5=F3=E5=ED=ED=E0=FF_=F0.=E5.=EA.=EB.=E0.=EC.=EE.=F7.=EA.=E0?=]

I hope you folks can help me.
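The two maldet hits in the post are signature names for PHP files that carry an `eval(base64_decode('...'))` or `eval(gzinflate(base64_decode('...')))` injection at the top of a file. As an added example (not part of the post, and not maldet's own code), the Python script below walks a document root for literals of that shape and decodes them so an administrator can read what was injected without executing it; the `build_sample_tree` fixture, its file names and the harmless `echo` payloads are constructed for the demonstration.

```python
import base64
import os
import re
import tempfile
import zlib

# eval(base64_decode('...')) and eval(gzinflate(base64_decode('...'))) with a
# literal string argument: the shapes the maldet signatures in the post target.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*"""
    r"""(?P<q>['"])(?P<b64>[A-Za-z0-9+/=\s]+)(?P=q)\s*\)""",
    re.IGNORECASE,
)


def decode_payload(b64, gzipped):
    """Turn the literal into readable PHP for review. It is never executed."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    if gzipped:
        raw = zlib.decompress(raw, -zlib.MAX_WBITS)  # PHP gzinflate == raw DEFLATE
    return raw.decode("utf-8", errors="replace")


def scan_file(path):
    """Return one hit per injected literal found in a single PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for m in INJECT_RE.finditer(text):
        try:
            payload = decode_payload(m.group("b64"), bool(m.group("gz")))
        except (ValueError, zlib.error):
            payload = "<undecodable literal>"
        hits.append({
            "path": path,
            "line": text.count("\n", 0, m.start()) + 1,
            "gzinflate": bool(m.group("gz")),
            "payload": payload,
        })
    return hits


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a docroot (e.g. the /home tree the post scanned) and collect hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(exts):
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


def build_sample_tree():
    """Constructed fixture: one clean file and two files carrying harmless
    injected stubs, so the scanner can be exercised without a real site."""
    root = tempfile.mkdtemp(prefix="inject-demo-")
    plain = base64.b64encode(b'echo "sample payload A";').decode()
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # like PHP gzdeflate
    deflated = co.compress(b'echo "sample payload B";') + co.flush()
    gz = base64.b64encode(deflated).decode()
    files = {
        "index.php": "<?php\necho 'clean file';\n",
        "wp-config.php": f"<?php eval(base64_decode('{plain}')); ?>\n<?php\n// original config follows\n",
        "theme/functions.php": f"<?php\n// ...\neval(gzinflate(base64_decode(\"{gz}\")));\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for h in scan_tree(build_sample_tree()):
        print(f"{h['path']}:{h['line']} gzinflate={h['gzinflate']} -> {h['payload']}")
```

Reading the decoded payload is what tells you whether the hit is a mailer, a backdoor or a redirect, and the line number shows whether it was prepended to an otherwise legitimate file, which is the case the first two `sed` expressions in the signature are written for.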
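The Hostkarma lines in the post record, per connection, the HELO name presented, the verdict flags (`HeloImper`, `SubEncoded`) and an RFC 2047 encoded subject. As an added example that is not from the post or from Hostkarma, the Python script below parses lines in that format, decodes the subjects, flags the two obfuscation tricks visible in them (a word spelled out letter by letter with whitespace between, and invisible format characters such as U+200E), and summarises how many distinct HELO names one source IP presented. The `SAMPLE_LOG` fixture is constructed: its subjects and HELO names are copied from the post's log, the addresses are example.net/example.com placeholders, and the final `white` line is a clean control.

```python
import re
import unicodedata
from collections import Counter, defaultdict
from email.header import decode_header, make_header

# Constructed sample in the Hostkarma format quoted in the post. Subjects and
# HELO names come from the post's log; addresses are placeholders; the last
# line is a clean control that should raise no marker.
SAMPLE_LOG = """\
/ip-log/karma.log.18:black 146.255.61.53 site-management.at auth-bad X=pascal H=web03.site-management.at [146.255.61.53] HELO=[cabinc.org] F=[sender@example.net] T=[rcpt@example.com] S=[=?windows-1251?Q?=CD=F3_=EF=F0=EE=F1=F2=EE_=E4=E5=E9=F1=F2=E2=E8=F2=E5=EB=FC=ED=EE_=EF=F0=E8=EA=EE=EB=FC=ED=E0=FF_=F0__=E5__=EA__=EB__=E0__=EC__=E0?=]
/ip-log/karma.log.18:virus 146.255.61.53 site-management.at NOTQUIT [S=14 - HeloImper NQ BlList SubEncoded RecBL NoQuit] X=pascal H=web03.site-management.at [146.255.61.53] HELO=[kearney.net] F=[sender@example.net] T=[rcpt@example.com] S=[=?utf-8?Q?=E1=B9=BC=E2=80=8A=C3=8F=E2=80=8A=E1=BE=8B=E2=80=8A=E1=B8=A1=E2=80=8A=CA=80=E2=80=8A=E1=BE=8B?=]
/ip-log/karma.log.10:black 146.255.61.53 site-management.at auth-bad X=mxbackup H=web03.site-management.at [146.255.61.53] HELO=[KASHEV.COM] F=[sender@example.net] T=[rcpt@example.com] S=[=?utf-8?Q?=D1=B5=E2=80=8E=D0=87=E2=80=8E=E1=BE=B0=E2=80=8E=C4=A0=E2=80=8E=E1=B9=9A=E2=80=8E=E1=BE=B0?=]
/ip-log/karma.log.18:white 203.0.113.9 mail.example.org ok X=pascal H=mail.example.org [203.0.113.9] HELO=[mail.example.org] F=[billing@example.org] T=[rcpt@example.com] S=[Invoice 1042]
"""

LINE_RE = re.compile(
    r"^(?P<file>\S+):(?P<verdict>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<rdns>\S+)\s+(?P<reason>\S+)"
    r"(?:\s+\[(?P<flags>[^\]]*)\])?"      # e.g. [S=14 - HeloImper NQ ...] on virus lines
    r".*?\sHELO=\[(?P<helo>[^\]]*)\]"
    r".*?\sS=\[(?P<subject>.*?)\]?\s*$"   # subject may be truncated in the log
)


def decode_subject(raw):
    """Decode an RFC 2047 encoded-word subject; plain or truncated text passes through."""
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeError, LookupError, ValueError):
        return raw


def obfuscation_markers(subject):
    """Heuristics for the filter-evasion tricks visible in the post's subjects."""
    markers = []
    # format characters (U+200E LRM), line/paragraph separators, non-ASCII spaces
    if any(unicodedata.category(c) in ("Cf", "Zl", "Zp")
           or (unicodedata.category(c) == "Zs" and c != " ") for c in subject):
        markers.append("invisible-chars")
    # a word spelled out as single letters separated by whitespace
    if re.search(r"(?:\w\s{1,3}){3,}\w", subject):
        markers.append("spaced-letters")
    return markers


def triage(log_text):
    """Parse lines, decode subjects, and group what each source IP presented."""
    entries = []
    per_ip = defaultdict(lambda: {"helos": set(), "verdicts": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["decoded_subject"] = decode_subject(e["subject"])
        e["markers"] = obfuscation_markers(e["decoded_subject"])
        entries.append(e)
        per_ip[e["ip"]]["helos"].add(e["helo"])
        per_ip[e["ip"]]["verdicts"][e["verdict"]] += 1
    return entries, per_ip


def suspicious_ips(per_ip):
    """IPs that greet with several unrelated HELO names or got a black verdict."""
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["helos"]) > 1 or s["verdicts"]["black"] > 0)


if __name__ == "__main__":
    entries, per_ip = triage(SAMPLE_LOG)
    for e in entries:
        print(f"{e['verdict']:5} {e['ip']} HELO={e['helo']:18} "
              f"markers={e['markers']} subject={e['decoded_subject']!r}")
    for ip in suspicious_ips(per_ip):
        print(ip, "HELOs:", sorted(per_ip[ip]["helos"]), dict(per_ip[ip]["verdicts"]))
```

Run against the real karma logs, the summary shows the pattern the post's excerpt already hints at: one server IP greeting as cabinc.org, kearney.net and KASHEV.COM in turn, with subjects that decode to Cyrillic advertising text spelled out letter by letter, which is what the `HeloImper` and `SubEncoded` flags denote. The script only summarises what the log records; identifying which local account or script opened those connections still has to come from the server's own MTA and web logs.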