
Under major spam attack

kcjames

Guest
Having problems with a spam attack. I cannot find the script being exploited. Tried the suggestions to insert x_additional-header into messages to track and as you can see all I get is /tmp.

Please help!


X-Additional-Header: /tmp
content-type: text/html
Subject: Esqueceu de mim ne?
<[email protected]>
To: [email protected]

<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<P align=center><STRONG><EM>Se os
anexos, as imagens e os links desta mensagem forem bloqueados click em </EM>

<A href="http://www.cnscut.cn/about/images/Visualize.exe" target=_blank><EM>M
 
I really need help with this ASAP... I'm pulling my hair out.

This shell script is only returning /tmp... nothing is in /tmp that is php or otherwise capable of sending email.

#!/bin/sh
(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"


What can I add to this to get the IP address of the sender, or any real identifying information?
 
Assuming it's coming from a PHP script, the PHP update from the atomic repo (5.2.14 or 5.3.3) allows you to log exactly which scripts are invoking the mail() function.
 
I would love to use it, but since it's running on FC3, the atomic repo gives an error that FC3 is no longer supported. The server is running 4.x
 
Yeah unfortunately everyone dropped support for fc3 years and years ago. Ubiquitous: You should upgrade to centos 5 goes here :p
 
Or better yet, plesk should include some basic security so you can easily track when a script is hijacked. Any idea why the knowledge base directions only display /tmp?
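
Added example, not part of the thread or of the Plesk knowledge base: `$PWD` is only the working directory the wrapper inherits from whatever process called it, so this sketch of the same wrapper also records the calling process and its parent from `/proc`, plus CGI variables when they are present. It assumes Linux `/proc`; the `X-Trace-*` header names, the `PROC_ROOT` override and the `sendmail*` install name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): sendmail wrapper that records the
# calling process, not only $PWD. Assumes Linux /proc; the X-Trace-* header
# names and the PROC_ROOT override are invented for this sketch.
PROC=${PROC_ROOT:-/proc}
LOG=/var/tmp/mail.send                 # same log file as the thread's script
REAL=/var/qmail/bin/sendmail-qmail     # real binary, as in the thread's script

# Flatten NUL/CR/LF so a hostile value cannot inject extra header lines.
clean() { tr '\000\r\n' '   ' | cut -c1-200; }

# Parent pid of a process, read from <proc>/<pid>/status.
parent_of() { awk '/^PPid:/ {print $2}' "$PROC/$1/status" 2>/dev/null; }

# One line describing a process: uid, working directory, binary, command line.
proc_info() {
    p="$PROC/$1"
    [ -r "$p/status" ] || { echo "pid=$1 (exited)"; return 0; }
    uid=$(awk '/^Uid:/ {print $2}' "$p/status")
    cwd=$(readlink "$p/cwd" 2>/dev/null || echo '?')
    exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
    cmd=$(clean < "$p/cmdline")
    echo "pid=$1 uid=$uid cwd=$cwd exe=$exe cmd=$cmd"
}

# Header lines for one message; $1 is the pid that invoked the wrapper.
trace_headers() {
    echo "X-Additional-Header: $PWD"
    echo "X-Trace-Caller: $(proc_info "$1")"
    gp=$(parent_of "$1")
    if [ -n "$gp" ] && [ "$gp" != 0 ]; then
        echo "X-Trace-Caller-Parent: $(proc_info "$gp")"
    fi
    # CGI variables exist only when the caller runs as CGI; otherwise "none".
    web="addr=${REMOTE_ADDR:-none} host=${HTTP_HOST:-none} script=${SCRIPT_FILENAME:-none}"
    echo "X-Trace-Web: $(printf '%s' "$web" | clean)"
}

# Act as the wrapper only when installed under a sendmail* name (assumed).
case "${0##*/}" in
    sendmail*) (trace_headers "$PPID"; cat) | tee -a "$LOG" | "$REAL" "$@" ;;
esac
```

The trace lines travel with each message as headers, so recipients can read them; the same lines land in the `tee` log, where the uid, binary and command line of the caller identify the sending process even when its working directory is `/tmp`.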
 