I got this message this morning from my host that my account has been suspended! Reason: (reason: terms of service violation - spam/phishing). I talked to support and they only gave me this info: that someone is using one of my scripts to send emails out! Ahhh.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ATTN: DID YOU AUTHORIZE MRS.JANET WILLIAM TO CLAIM YOUR FUNDS. CLAIMS NAME: JANET WILLIAM BANK NAME: CITI BANK ARIZONA, USA. ACCOUNT NUMBER: 6503809428. PLEASE, DO RECONFIRM TO THIS OFFICE,AS A MATTER OF URGENCY IF THIS WOMAN IS FROM YOU. BEFORE WE PROCEED WITH THE TRANSFER TO HER ACCOUNT. REGARD REV MICHAEL JOVIA
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
It was sent out by a script on your account: X-Identified-User: {1240:host171.myhost.com:user:mydomain.com} {sentbyrogram running on server}
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Also that info. I have checked all morning and did not find anything that has to do with that email. Maybe there is hidden code in a script, or...? Can anyone give me a clue where to look? Any help, I really appreciate!!!! Thank you so much!
If you're not using any messaging scripts yourself, and you're sure that there aren't any other scripts in the www directory, then yes, it can be placed in your scripts.
Nope, no messaging scripts. I have checked for any suspicious files or folders, but I did not see any. I installed a script yesterday that I purchased from here on DP, an RSS feed script, and I have contacted the guy, and he said that he sold about 30 of them and no one had complained back to him; I was the first. And I did set the cron job every 5 minutes to update the RSS feeds, but I don't think that has anything to do with it. Is there any word or anything I should look for? Here is what I got from support:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
X-Apparently-To: via 206.190.37.37; Tue, 09 Mar 2010 09:20:43 -0800
Return-Path: <bosangel@host171.hostmonster/./com>
X-YMailISG: Ne6U5uEWLDtQAFzxAp3Lre7lns4zQdtp1LKe3IfxJ.yiKNCM8CTnqTSCVqaCKvzLNWNkQ4WYYexGlYu_YYyNVljYxEp09ds5o2rbzl4cfqAKF1Z.Ap6mpbvj.VdWPZ0zbbK.670xjBG.cERnFN1SoQMbfCN7nmbPI5W5K5X9rt6iDQGPE9xjMd65DEhQDlD4M7xTEkw02IQhsBuU6a47FPzjJZwvzE6_txKCk5j4bj1RaoILA9YTlYGwcfKJQS647DcZ1ynJB.Y2CWw4ZMC3V5hGrGYUYLsB99dV2a4Z6gNmfndJiXc5YICO2ZmDVqX5pKDkO5aJI7B6SmRW8.vLTSkbrKtBfWlSulolVW2TuHKM1kgR4_uRvKTnsqUG2g--
X-Originating-IP: [74.220.216.238]
Authentication-Results: mta1096.mail.sp2.yahoo.com from=; domainkeys=neutral (no sig); from=rediffmail.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO outbound-ss-925.bluehost.com) (74.220.216.238) by mta1096.mail.sp2.yahoo.com with SMTP; Tue, 09 Mar 2010 09:20:41 -0800
Received: (qmail 14532 invoked by uid 0); 9 Mar 2010 16:53:59 -0000
Received: from unknown (HELO host171.hostmonster.com) (74.220.207.171) by cpsoproxy1.bluehost.com with SMTP; 9 Mar 2010 16:53:59 -0000
Received: from localhost ([127.0.0.1] helo=host171.hostmonster.com) id 1Np2gw-00076E-Tt for ; Tue, 09 Mar 2010 09:53:58 -0700
Date: Tue, 09 Mar 2010 09:53:58 -0700
To:
Subject: DID YOU AUTHORIZE MRS.JANET WILLIAM TO CLAIM YOUR FUNDS.
From: rev michael jovia <cbnpayment2010@rediffmail/./com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-Identified-User: {1240:host171.hostmonster.com:bosangel:bosangeles.com} {sentbyrogram running on server}
Content-Length: 328

ATTN: DID YOU AUTHORIZE MRS.JANET WILLIAM TO CLAIM YOUR FUNDS. CLAIMS NAME: JANET WILLIAM BANK NAME: CITI BANK ARIZONA, USA. ACCOUNT NUMBER: 6503809428. PLEASE, DO RECONFIRM TO THIS OFFICE,AS A MATTER OF URGENCY IF THIS WOMAN IS FROM YOU. BEFORE WE PROCEED WITH THE TRANSFER TO HER ACCOUNT. REGARD REV MICHAEL JOVIA

Thank you,
HostMonster.Com Support
hostmonster[.]com
For support go to hostmonster[.]com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

I am using this software "PowerGrep" to find anything unusual, but I don't know exactly what to look for. Ahhh. Oh, by the way, thank you, friend.
What funds are they talking about (I am not familiar with HostMonster)? Anyway, you need to change your access passwords.
Well, as I was downloading all my files from my FTP host, the download stopped and a warning came up that a virus was trying to get onto my PC! So I just deleted it, but it was still on my FTP. I tried to open it to see what code was inside, but it was giving me an error, so I just deleted it from my FTP. Then I remembered that about 1 week ago I had someone install a Facebook plugin into that script folder, so I asked him where that file on my host's FTP came from, and he said that he put it there as part of the plugin. I told him about the virus/backdoor, and he said "oh, just delete it". Ohhh, man, maybe that is where my problem was. We will see if it works okay now. Thanks for the info!!!!
Guys, I am having the same trouble. I got a mail from HostMonster today. Anyone, please help me. I only use WordPress. Please help me.
Well, download all the files from your server to your PC and scan them for any infection. If your security program jumps out to tell you something about a file, then maybe that is the problem. After downloading, you can also search for keywords from that email with a program called "PowerGrep". I'm looking through your lines above; did you have Bluehost before? Thanks.
For me it was that backdoor, and also I am not a pro, so sometimes it is hard to find where the problem is. Thanks.
Someone may have access to your FTP. I suggest changing all your passwords and checking the files on your server to make sure there are no PHP mailers.
Does anyone know what PHP mailer code looks like if I look into a script, and where it may have been added? Just for future reference. Thanks.
I'm going to take a shot in the dark and guess that this is something that required open permissions on a directory that houses images, or some other user-uploaded content. If you find a c99 shell, likely you will also find mailers and phishing sites (Bank of America, PayPal, etc.). If such is the case regarding uploaded content, odds are you will not need to use PHP files or HTML, etc. there. If so, write a .htaccess rule that will not allow PHP to execute in that directory. (If you need help with this, check out my blog.) Most programmers I've run into do not see the security of the scripts, only functionality, and neglect to add these for you. It's not that your email account passwords have been breached, as they're sending from a PHP script, since the mails are coming from username@hostname rather than johndoe@yourdomainname. Also, as plyrjohn404 said, just in case your permissions are *not* insecure, change the FTP passwords and scan your computer for viruses. There are many free options out there.
I would suggest you look for something that doesn't belong there and remove it, for example that c99 script you found, which can be used to gain access to the server and deface your sites and other sites hosted on that server; it is also commonly used to mass-mail spam.