
Specific domain sends spam in an unknown way...

Andrew_Pa

Regular Pleskian
Hello to the team.

I have a very strange problem and I would like your help.

Let's say that my server name is server.com and a specific domain I use is domain.com

The server has port 25 closed and needs authentication to use SMTP.

The domain has no email accounts, and the mail service has also been disabled, so they can't use email.

Also, I have added the following PHP directives:

disable_functions = mail,exec,shell_exec,passthru,system,proc_open,popen

I also checked whether PHP mail works, and it doesn't.

But this specific domain continues to saturate my qmail queue with thousands of spam messages! I checked the UID and found that this specific domain sent them (I followed this: http://kb.parallels.com/en/766 ).

The sender is always "[email protected]".

When I disable the subscription, the spam stops.

Can you please help me understand how this domain can send emails and how I can stop it?

Thank you very much!!!
 
Check the access logs for that domain, there may be a CGI or PHP script being used to exploit the mail server.

Thank you very much for your quick answer! Can you please help me with what I should expect to see inside the access log file?
 
Look for multiple POSTs to the same script or file. Then search the http(s)docs directory for scripts that look suspicious such as PHP scripts that start with eval(), gzinflate(), str_rot13(), str_replace() or base64_decode().

Also try sorting by date modified in the web directory to see what was changed recently.
If you are using SSH try the command: ls -alrth
This will sort all recently modified files at the bottom.
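An added example, not from the thread or from Plesk, that scripts the three checks in the answer above: POST counts per path from the domain's access log, PHP files in httpdocs whose first lines open with one of the listed functions, and files modified recently. It assumes an Apache combined-format access log and a Plesk-style httpdocs/ document root; the log lines and files it creates are constructed samples.

```shell
#!/bin/sh
# Count POST requests per request path. A dropped mailer script usually shows
# up as many POSTs to one odd file, e.g. something under images/ or uploads/.
# Assumes Apache combined log format: field 6 is the quoted method.
top_posts() {
    awk '$6 == "\"POST" { n[$7]++ } END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# List PHP files whose first three lines open with eval(), gzinflate(),
# str_rot13(), str_replace() or base64_decode(), optionally prefixed by <?php and @.
find_suspicious_php() {
    find "$1" -type f -name '*.php' | while read -r f; do
        if head -n 3 "$f" | grep -qE \
            '^[[:space:]]*(<\?php)?[[:space:]]*@?(eval|gzinflate|str_rot13|str_replace|base64_decode)[[:space:]]*\('; then
            echo "$f"
        fi
    done
}

# Files under a directory modified within the last N days (POSIX find, no -printf).
recent_files() {
    find "$1" -type f -mtime -"$2"
}

# Constructed sample data so the script runs stand-alone (203.0.113.0/24 is a
# documentation range; x.php is a harmless stand-in for a dropped script).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/httpdocs/images"
cat > "$DEMO/access_log" <<'EOF'
203.0.113.5 - - [10/Mar/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:01:03 +0000] "POST /images/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:01:04 +0000] "POST /images/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:10:02:10 +0000] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:03:05 +0000] "POST /images/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:03:06 +0000] "POST /images/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
printf '<?php\necho "hello";\n' > "$DEMO/httpdocs/index.php"
touch -t 201501010000 "$DEMO/httpdocs/index.php"          # make the legit file old
printf '<?php eval(base64_decode("Zm9v"));\n' > "$DEMO/httpdocs/images/x.php"

echo "== POSTs per path";          top_posts "$DEMO/access_log"
echo "== suspicious PHP files";    find_suspicious_php "$DEMO/httpdocs"
echo "== modified in last day";    recent_files "$DEMO/httpdocs" 1
```

On a real server point the functions at /var/www/vhosts/<domain>/logs/access_log and the matching httpdocs directory.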


Indeed, there was a specific PHP file which had base64_decode() inside. I deleted it and changed the folder permissions.

I will watch now to see if the problem is solved!

But I have a technical question. How is it possible to use PHP for sending emails??? I have disabled the functions...


Thank you very much for your quick answer, and thank you so much for helping me solve my problem!!!!
 
There are ways to bypass disabling the use of certain functions depending on the PHP version used. Most often these scripts that get dropped in have a whole set of exploits for PHP/Apache and even the OS itself.

You are perfect! Thank you again one more time!!!!