Techdesigns
07-02-2007, 04:47 PM
Apologies if this is in the wrong forum.
I rent a virtual server on which I have several online shops and blogs set up for clients, as well as a few static websites.
However I've been informed recently that someone is using a script on my account to send spam via the mailserver. I've been through every site I own and removed any unsecure scripts (formmails etc) and thought I'd fixed it yet the web host has again shut off scripting access to the mailserver due to e-mails apparently being sent via my script/server.
The only thing I can possibly think that might cause it (this might not be possible) but I found one of my MySQL databases had somehow been modified to allow remote access - I've since deleted this database as a precaution as it wasn't required anyway - is there any way a database with remote access enabled could allow a connection to the mailserver??
Below are the mail headers (have edited out the recipients hopefully) of three of the Spam e-mails - is there any way that I can easily find out which script of mine or domain is trying to send through the mail server so I can prevent it from happening.
For the record the only scripts on my server are:
Cubecart
Snippetmaster
Wordpress
Spam complain recieved:

X-Real-To:
Return-Path:
X-Scanned-On: fe1
Received: from c11.servage.net ([77.232.66.165] verified)
 by fe1.cluster1.echolabs.net (CommuniGate Pro SMTP 5.0.11)
 with ESMTP id 384860 for ******@the-beach.net; Fri, 15 Jun 2007 14:06:41
-0400
Received-SPF: none
 receiver=fe1.cluster1.echolabs.net; client-ip=77.232.66.165;
envelope-from=sc20493@servage-customer.net
Received: from node1.c11 (node1.c11 [192.168.101.1])
 by c11.servage.net (Postfix) with ESMTP id AF9D56880F4
 for ; Fri, 15 Jun 2007 18:06:39 +0000 (GMT)
Received: by node1.c11 (Postfix, from userid 99)
 id 9E694900A9; Fri, 15 Jun 2007 14:07:11 -0400 (EDT)
Received: from localhost
 by localhost (MailRouter)
 id bDIwNDkzTw==; Fri Jun 15 18:07:11 2007
To: ******@the-beach.net

Offending message ]
"From sc20493@servage-customer.net Thu Jun 28 09:25:58 2007
"
Return-Path:
Received: from c11.servage.net (77-232-66-165.static.servage.net [77.232.66.165] (may be forged))
 by linode.web-select.co.za (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l5S7PmnN012328
 for ; Thu, 28 Jun 2007 09:25:58 +0200
Received: from node2.c11 (node2.c11 [192.168.101.2])
 by c11.servage.net (Postfix) with ESMTP id 189EB688120
 for ; Thu, 28 Jun 2007 07:25:33 +0000 (GMT)
Received: by node2.c11 (Postfix, from userid 99)
 id 3CD5290022; Thu, 28 Jun 2007 03:25:39 -0400 (EDT)
Received: from localhost
 by localhost (MailRouter)
 id bDIwNDkzcw==; Thu Jun 28 07:25:39 2007
To: x
Subject: Internet Banking Alert : Confirm Your Membership Details
From: ABSA Internet Banking
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <2007_________________0022@node2.c11>
Date: Thu, 28 Jun 2007 03:25:39 -0400 (EDT)
Status: R
 Simple headers

New Page 1

X-Message-Status: n:0
X-SID-PRA: *********@ig.com
X-Message-Info: LsUYwwHHNt0lA/ee4quQWqmYuvjZ3165YQklyzjreowAPD33Dl18aznF6xD825s+
Received: from c11.servage.net ([77.232.66.165]) by bay0-mc7-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
 Fri, 29 Jun 2007 15:48:24 -0700
Received: from node1.c11 (node1.c11 [192.168.101.1])
 by c11.servage.net (Postfix) with ESMTP id C93146880E7
 for ; Fri, 29 Jun 2007 22:48:23 +0000 (GMT)
Received: by node1.c11 (Postfix, from userid 99)
 id 05698900AF; Fri, 29 Jun 2007 18:48:25 -0400 (EDT)
Received: from localhost
 by localhost (MailRouter)
 id bDIwNDkzOA==; Fri Jun 29 22:48:24 2007
To: x
Subject: to com xaudades
From:
Reply-To: *********@ig.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <2007_________________00AF@node1.c11>
Date: Fri, 29 Jun 2007 18:48:25 -0400 (EDT)
Return-Path: sc20493@servage-customer.net
X-OriginalArrivalTime: 29 Jun 2007 22:48:24.0816 (UTC) FILETIME=[99E9EF00:01C7BA9F]
Thanks in advance.
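An added worked example, not part of the original post: reading the Received chain of the third message oldest-first with Python's standard email module, to see where the message entered the mail system. The function names are made up for this illustration and the sample is constructed from the headers quoted in the post; treating the MailRouter id as base64 is an observation from decoding it, not a documented format.

```python
import base64
import re
from email import message_from_string

# Constructed input: Received chain of the third message in the post,
# with the "rn" markers turned back into line breaks.
SAMPLE = """\
Received: from c11.servage.net ([77.232.66.165]) by bay0-mc7-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
 Fri, 29 Jun 2007 15:48:24 -0700
Received: from node1.c11 (node1.c11 [192.168.101.1])
 by c11.servage.net (Postfix) with ESMTP id C93146880E7
 for ; Fri, 29 Jun 2007 22:48:23 +0000 (GMT)
Received: by node1.c11 (Postfix, from userid 99)
 id 05698900AF; Fri, 29 Jun 2007 18:48:25 -0400 (EDT)
Received: from localhost
 by localhost (MailRouter)
 id bDIwNDkzOA==; Fri Jun 29 22:48:24 2007
Return-Path: sc20493@servage-customer.net

"""

def classify(hop):
    """Label one unfolded Received header by how the message arrived."""
    m = re.search(r"\(MailRouter\) id ([A-Za-z0-9+/=]+);", hop)
    if m:  # the id is valid base64; decode it to see what it carries
        tag = base64.b64decode(m.group(1)).decode("ascii", "replace")
        return {"kind": "mailrouter", "tag": tag}
    m = re.search(r"by (\S+) \(Postfix, from userid (\d+)\)", hop)
    if m:  # handed to Postfix by a local process, not received over SMTP
        return {"kind": "local-submit", "host": m.group(1), "uid": int(m.group(2))}
    m = re.search(r"from (\S+) \(.*?\[([\d.]+)\].*?\) by (\S+)", hop)
    if m:
        return {"kind": "smtp", "from": m.group(1), "ip": m.group(2), "by": m.group(3)}
    return {"kind": "unknown", "raw": hop}

def trace(raw):
    """Return the hops oldest-first (each relay prepends its Received header)."""
    hops = message_from_string(raw).get_all("Received", [])
    return [classify(" ".join(h.split())) for h in reversed(hops)]

def entered_locally(raw):
    """True if a local submission appears before any SMTP hop."""
    for hop in trace(raw):
        if hop["kind"] == "smtp":
            return False
        if hop["kind"] == "local-submit":
            return True
    return False

if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(hop)
```

On this sample the two oldest hops are a MailRouter entry whose id decodes to `l204938` (compare `sc20493` in the Return-Path) and a local Postfix submission by userid 99 on node1.c11, both ahead of any SMTP relay.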