Host account has been suspended! Reason: spam/phishing by outgoing mail - please help

Discussion in 'Security' started by bosanci28, Mar 10, 2010.

  1. #1
    I got this message this morning from my host that my account has been suspended!
    Reason: (terms of service violation - spam/phishing)

    I talked to support and they only gave me this info:
    that someone is using one of my scripts to send emails out! ahhh,
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    ATTN:

    DID YOU AUTHORIZE MRS.JANET WILLIAM TO CLAIM YOUR FUNDS.

    CLAIMS NAME: JANET WILLIAM
    BANK NAME: CITI BANK ARIZONA, USA.
    ACCOUNT NUMBER: 6503809428.

    PLEASE, DO RECONFIRM TO THIS OFFICE,AS A MATTER OF URGENCY IF THIS
    WOMAN IS FROM YOU. BEFORE WE PROCEED WITH THE TRANSFER TO HER ACCOUNT.

    REGARD

    REV MICHAEL JOVIA
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    It was sent out by a script on your account: X-Identified-User: {1240:host171.myhost.com:user:mydomain.com} {sentby:program running on server}
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    They also gave me that info.

    I have checked all morning and did not find anything that has to do with that email.
    Maybe there is hidden code in a script, or...?

    Can anyone give me a clue where to look?
    Any help I really appreciate!!!!

    thank you so much!
     
    bosanci28, Mar 10, 2010 IP
  2. Coponer
    #2
    Are you using shared hosting or a VPS?
     
    Coponer, Mar 10, 2010 IP
  3. bosanci28
    #3
    Shared hosting,
    hostmonster[.]com

    Thanks
     
    bosanci28, Mar 10, 2010 IP
  4. Coponer
    #4
    If you're not using any messaging scripts yourself, and you're sure that there aren't any other scripts in the www directory, then yes, it can be placed in your scripts.
     
    Coponer, Mar 10, 2010 IP
  5. bosanci28
    #5
    Nope, no messaging scripts.
    I have checked for any suspicious files or folders, but I did not see any.
    I installed a script yesterday that I purchased from here on DP, an RSS feed script. I have contacted the guy, and he said that he sold about 30 of them and no one had complained back to him; I was the first.
    And I did set the cron job every 5 minutes to update the RSS feeds, but I don't think that has anything to do with it.

    Is there any word or anything I should look for?

    Here is what I got from support:
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    X-Apparently-To: via 206.190.37.37; Tue, 09 Mar 2010 09:20:43 -0800
    Return-Path: <bosangel@host171.hostmonster/./com>
    X-YMailISG: Ne6U5uEWLDtQAFzxAp3Lre7lns4zQdtp1LKe3IfxJ.yiKNCM8CTnqTSCVqaCKvzLNWNkQ4WYYexGlYu_YYyNVljYxEp09ds5o2rbzl4cfqAKF1Z.Ap6mpbvj.VdWPZ0zbbK.670xjBG.cERnFN1SoQMbfCN7nmbPI5W5K5X9rt6iDQGPE9xjMd65DEhQDlD4M7xTEkw02IQhsBuU6a47FPzjJZwvzE6_txKCk5j4bj1RaoILA9YTlYGwcfKJQS647DcZ1ynJB.Y2CWw4ZMC3V5hGrGYUYLsB99dV2a4Z6gNmfndJiXc5YICO2ZmDVqX5pKDkO5aJI7B6SmRW8.vLTSkbrKtBfWlSulolVW2TuHKM1kgR4_uRvKTnsqUG2g--
    X-Originating-IP: [74.220.216.238]
    Authentication-Results: mta1096.mail.sp2.yahoo.com from=; domainkeys=neutral (no sig); from=rediffmail.com; dkim=neutral (no sig)
    Received: from 127.0.0.1 (HELO outbound-ss-925.bluehost.com) (74.220.216.238)
    by mta1096.mail.sp2.yahoo.com with SMTP; Tue, 09 Mar 2010 09:20:41 -0800
    Received: (qmail 14532 invoked by uid 0); 9 Mar 2010 16:53:59 -0000
    Received: from unknown (HELO host171.hostmonster.com) (74.220.207.171)
    by cpsoproxy1.bluehost.com with SMTP; 9 Mar 2010 16:53:59 -0000
    Received: from localhost ([127.0.0.1] helo=host171.hostmonster.com)
    id 1Np2gw-00076E-Tt
    for ; Tue, 09 Mar 2010 09:53:58 -0700
    Date: Tue, 09 Mar 2010 09:53:58 -0700
    To:
    Subject: DID YOU AUTHORIZE MRS.JANET WILLIAM TO CLAIM YOUR FUNDS.
    From: rev michael jovia <cbnpayment2010@rediffmail/./com>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: text/plain
    Content-Transfer-Encoding: 8bit
    X-Identified-User: {1240:host171.hostmonster.com:bosangel:bosangeles.com} {sentby:program running on server}
    Content-Length: 328

    ATTN:

    DID YOU AUTHORIZE MRS.JANET WILLIAM TO CLAIM YOUR FUNDS.

    CLAIMS NAME: JANET WILLIAM
    BANK NAME: CITI BANK ARIZONA, USA.
    ACCOUNT NUMBER: 6503809428.

    PLEASE, DO RECONFIRM TO THIS OFFICE,AS A MATTER OF URGENCY IF THIS
    WOMAN IS FROM YOU. BEFORE WE PROCEED WITH THE TRANSFER TO HER ACCOUNT.

    REGARD

    REV MICHAEL JOVIA

    Thank you,
    HostMonster.Com Support
    hostmonster[.]com
    For support go to hostmonster[.]com

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    I am using this software "PowerGREP" to find anything unusual, but I don't know exactly what to look for, ahhh, oh boy,
    Thank you, friend.
     
    bosanci28, Mar 10, 2010 IP
  6. Coponer
    #6
    About what funds are they talking (I am not familiar with HostMonster)? Anyway, you should change your access passwords.
     
    Coponer, Mar 10, 2010 IP
  7. bosanci28
    #7
    Well, as I was downloading all my files from my FTP host, the download stopped and a warning came up that a virus was trying to come onto my PC!
    [image: antivirus warning]
    So I just deleted it, but it was still on my FTP. I tried to open it to see what code was inside, but it was giving me an error, so I just deleted it from my FTP.
    Then I remembered that about 1 week ago I had someone installing a Facebook plugin into that script folder, so I asked him where that file on my host FTP came from, and he said that he put it there as part of the plugin. I told him about the virus/backdoor, and he said oh, just delete it. Ohhh, man.
    Maybe that's where my problem was.
    Will see if it works okay now.
    Thanks for the info!!!!
     
    bosanci28, Mar 11, 2010 IP
  8. beaman4
    #8
    Guys, I am having the same trouble. I got a mail from HostMonster today. Anyone, please help me.

    I only use WordPress. Please help me.

     
    beaman4, Mar 18, 2010 IP
  9. bosanci28
    #9
    Well, download all the files from your server to your PC and scan them for any infection.
    If your security program jumps out to tell you something about a file, then maybe there is the problem.
    After downloading you can also search for keywords from that email with a software called "PowerGREP".

    I'm looking through your above lines; did you have Bluehost before?
    Thanks
     
    bosanci28, Mar 18, 2010 IP
  10. beaman4
    #10
    No, I used only HostMonster. Before HostMonster, I used DreamHost.
     
    beaman4, Mar 20, 2010 IP
  11. bosanci28
    #11
    For me it was that backdoor, and also I am not a pro, so sometimes it is hard to find where the problem is. Thanks
     
    bosanci28, Mar 21, 2010 IP
  12. plyrjohn404
    #12
    Someone may have access to your FTP. I suggest changing all your passwords and checking the files on your server to make sure there are no PHP mailers.
     
    plyrjohn404, Mar 21, 2010 IP
  13. olddocks
    #13
    Change the passwords of ALL your email accounts. They could have been breached.
     
    olddocks, Mar 22, 2010 IP
  14. bosanci28
    #14
    Does anyone know how PHP mailer code looks if I look into a script, and where it may have been added? Just for future reference.
    Thanks
     
    bosanci28, Mar 22, 2010 IP
  15. SecureCP
    #15
    I'm going to take a shot in the dark and guess that this is something that required open permissions on a directory that houses images or some other user-uploaded content. If you find a c99 shell, likely you will also find mailers and phishing sites (Bank of America, PayPal, etc.). If such is the case regarding uploaded content, odds are you will not need to use PHP files or HTML, etc. there. If so, write a .htaccess rule that will not allow PHP to execute in that directory. (If you need help with this, check out my blog.) Most programmers I've run into do not see the security of the scripts, only functionality, and neglect to add these for you.

    It's not that your email account passwords have been breached, as they're sending from a PHP script, since the mails are coming from username@hostname rather than johndoe@yourdomain.

    Also, as plyrjohn404 said, just in case your permissions are *not* insecure, change the FTP passwords and scan your computer for viruses. There are many free options out there.
     
    SecureCP, Mar 25, 2010 IP
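    The .htaccess lock-down SecureCP recommends above, together with a check for the "open permissions" that let a file land in an images folder in the first place, as an added example. This is not SecureCP's blog post or any code from the thread; it assumes Apache honours .htaccess for the directory (AllowOverride, as on cPanel-style shared hosts), and the directory path is supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread or SecureCP's blog): refuse script
# execution in an upload directory and list world-writable directories.
# Assumes Apache reads .htaccess for the path; the path is the caller's.

# Write an .htaccess into $1 that refuses to serve or execute script files.
# php_flag is only understood by mod_php and would cause a 500 error under
# suPHP/FastCGI, so it is wrapped in IfModule; the FilesMatch block works
# under either handler (Apache 2.2 and 2.4 access syntax both included).
harden_upload_dir() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# Uploads are data, not code: never execute scripts from this directory.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[0-9]|phps|phar|pl|py|cgi|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    # Take away world-write: under suPHP/suEXEC, PHP already runs as the
    # account owner, so mode 777 is never needed for an upload directory.
    chmod o-w "$dir"
}

# List every directory under $1 that anyone on the shared host can write to
# (other-write bit set). These are where a planted mailer usually lands.
find_world_writable() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
    return 0
}

# Demo on a throwaway tree (constructed): images/ was left at 777.
demo=$(mktemp -d)
mkdir -p "$demo/images" "$demo/rss"
chmod 777 "$demo/images"
echo "world-writable before: $(find_world_writable "$demo")"
harden_upload_dir "$demo/images"
echo "world-writable after:  $(find_world_writable "$demo")"
```

    Apply it to each directory that only ever holds uploaded images or documents; if the application genuinely needs to run PHP from that path the Deny rule will block it, which is the point, and the application's layout is what needs fixing. On an Apache 2.4 host the `Order`/`Deny` pair is ignored unless mod_access_compat is loaded, which is why both forms are present.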
  16. adsenselabs
    #16
    You can call HM support.
    Back up your files and move them to another server and shared hosting company.
     
    adsenselabs, Mar 26, 2010 IP
  17. ChrisMiller
    #17
    I would suggest you look for something that doesn't belong there and remove it, for example that c99 script you found, which can be used to gain access to the server and deface your sites and other sites hosted on that server; it is also commonly used to mass mail out spam.
     
    ChrisMiller, Apr 5, 2010 IP