1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Is this a new hack?

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by Ritey, Apr 11, 2010.

  1. Ritey

    Ritey Guest

    0
     
    Hi,

    My plesk has "reject" set to all mail domains. Yet today i received two bounces. So i looked at the mail log.
    /usr/local/psa/log/maillog and found some strange enties.....

    I replaced my real domain with DOMAIN.
    I also added and x to the beggining of the URLs as i dont want anyone to goto that site by mistake!

    As you can see by the recipient it contains a wget... This to me is a little worrying!
    And also why did qmail decide to send a bounce?
    And why was my plesk domain name appended to the original recipient?

    My plesk is on the latest 9.3 version.

    Can anyone shed some light on this please?
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,572
    Likes Received:
    1,243
    Location:
    Novosibirsk, Russia
    It looks like that your server is compromised. Did you tried to check it with chkrootkit or rkhunter ?
     
  3. Ritey

    Ritey Guest

    0
     
    Thanks for your reply.

    I did try to emulate the issue (but obviously using a safe url that i can track). And found that the 'wget ...' in the recipient, is not actually executed. So that is one thing to be grateful for!

    But it does seem to create a bounce though which is a little worrying.

    I have checked the box and it seems fine.

    So the issue for me really is, how can i prevent ALL bounce mails?
     
  4. cepstrum

    cepstrum Guest

    0
     
    I got the same mail. On a test machine i downloaded the x1x.php using wget. What i get is a text string "xxx".

    Notes:
    1. three underscores in front of the "fortunes" domain
    2. replaced the real Hostname (actualy it was my reverse dns) with MY-REVERSE-DNS
    3. Seems i'm not compromised but i'm investigating.
    4. I'm not using parallels. It's a debian box latest patches applied

     
  5. Ritey

    Ritey Guest

    0
     
    It could well be that the sender expects the bounce message to be read by a certain mail client or webmail. In which case it may render the recipient name to be something clickable and once clicked, could then trigger some other nasty stuff. Such as vulnerabilities in mail/webmail clients.
     
  6. cepstrum

    cepstrum Guest

    0
     
    Hi,
    i found it. They try to exploit SpamAssassin's milter vulnerability.
    Spamassassin Milter Plugin Remote Root Attack
    http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html

    Phew :) good i fixed that already.
     
  7. ChristopheP

    ChristopheP Guest

    0
     
    and the question is : does Plesk use this software embedded somewhere ??
     
  8. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    No plesk does not use milter in any way in either qmail or postfix environments.
     
  9. Ritey

    Ritey Guest

    0
     
    Well found cepstrum.

    How a plugin be to for it to make a such a possible. The author of it should.

    But my original question is still as of yet unanswered. Is it possible to stop ALL.

    This little script hacker didnt get what he wanted but he did manage to make a bounce where bounces shouldnt happen.

    So it has exposed an issue in my thoughts, that needs fixing.
     
Loading...