• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Strange mail behavior

N

NightMan

Guest
I am testing a php script, which is sending a mail to my self, but when I tried today, it was sending a mail to me, but it was sending a bounce as well. The mail bounce was generated from a unknown mail ID. How this can happen?

I have checked the PSA data base and search for the mail ID in all tables, but found none.

which file in the server include alises or groupe mail options?

SERVER : LINUX RHE/PSA 7.5.x
 
For aliases, check:

/etc/aliases

/etc/mail/aliases

Not sure about group mail
 
Ok, check for these:

/var/qmail/alias
/var/qmail/alias/.qmail-mailer-daemon
/var/qmail/alias/.qmail-postmaster
/var/qmail/alias/.qmail-root

(or similar named)
 
****, I gotta stop doing simultaneous checking/posting to so many support boards (doing 4 sites right now). Hard to keep things straight on no sleep and so many forum posts.. sorry

Plesk also has the following:
mySQL database: psa, table: mail_aliases
 
:) thanks. but the bounced mail ID is not in any of these files, just wondering... any suggestions?
 
I cross posted, please see my post (above) regarding mySQL database

What is the bounced mail ID name?

And have you checked the contents of the php.ini file?
 
Hi. This is the qmail-send program at myserver.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
66.54.152.4 does not like recipient.
Remote host said: 550 passing these spams on just makes it worse
Giving up on 66.54.152.4.

--- Below this line is a copy of the message.

I already checked the PSA database, the mail id is not there in that table or any other table.

PHP.INI does not have the mail ID mentioned in any place
 
Just trying to get a better feel for things:

<[email protected]>:
66.54.152.4 does not like recipient.
Remote host said: 550 passing these spams on just makes it worse
Giving up on 66.54.152.4.
Q1: Have you *ever* dealt with softhome.net on this server? Or is that your domain?? (I figure it's not yours)

Q2: Is that your IP? (I figure it's not yours)

Q3: If it's your domain or IP, what software do you have which might generate that 550 message? (probably not your box)

Q4: Have you run rootkit scans lately (with latest updates for RKHunter and Chkrootkit)

Q5: Have you checked /tmp and /var/tmp for any funny files (exploited script)?

I know these are standard questions, but it is possible you may have been breached coincidentally at the same time.
 
Q1: Have you *ever* dealt with softhome.net on this server? Or is that your domain?? (I figure it's not yours)
#No, never
Q2: Is that your IP? (I figure it's not yours)
#NOT mine
Q3: If it's your domain or IP, what software do you have which might generate that 550 message? (probably not your box)
#not from my box
Q4: Have you run rootkit scans lately (with latest updates for RKHunter and Chkrootkit)
#yes, no issues found..
Q5: Have you checked /tmp and /var/tmp for any funny files (exploited script)?
# I found a filed called bindz in /tmp folder and removed it, checked for any exploits, but not able to find any other tracks.
compiler was already disabled. the file been downloaded using a php include exploite..
 
The filename 'bindz' might indicate a Bind/named redirector of some sort (grasping at air).

After deleting the file, have you also checked the process list (ps -ax) and see if there are any funny processes running currently?
 
yes. I did find the bindz was running, So I killed that.
the mail also been received before I got it removed.
 
Just PM'd you this:

Other forums have reported same file found, script kiddie started out by exploiting exim systems.

http://www.webhostingtalk.com/archive/thread/407726-1.html
http://www.webhostingtalk.com/archive/thread/394689-1.html
http://lists.indymedia.org/pipermail/imc-tech/2005-May/0503-d1.html
http://forum.ev1servers.net/showthread.php?t=54849

One of these threads makes reference to additional files to check for. I just skimmed them (too tired to focus eyes), good luck in getting it cleaned up. (love your signature line)
 
Yes. got your pm. Thanks for the links, I already checked the google, but not able to find any useful info.
 
I found those by googling "bindz +script"

Sun come up, eyelids go down. Nighty night, Nightman....
 
Back
Top