Question: |
Good morning! The website and email have stopped working! |
Answer: |
Hello. You were sent a notice about spamming:
Return-path: <EMAIL>
Envelope-to: EMAIL
Delivery-date: Sun, 08 Feb 2015 21:45:39 +0100
Received: from [IP] (helo=smr-m4.mx.aol.com) by lms.your-server.de with esmtps (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.74) (envelope-from <EMAIL>) id 1YKYja-0008B8-V6 for EMAIL; Sun, 08 Feb 2015 21:45:39 +0100
Received: from scmp-d010.mail.aol.com (scmp-d010.mail.aol.com [IP]) by smr-m4.mx.aol.com (AOL Mail Bouncer) with ESMTP id 2963238000454 for <EMAIL>; Sun, 8 Feb 2015 15:45:30 -0500 (EST)
Received: from MAIL by scmp-d010.mail.aol.com; Sun, 08 Feb 2015 15:45:25 EST
To: EMAIL
From: EMAIL
Date: Sun, 08 Feb 2015 15:45:25 EST
Subject: Email Feedback Report for IP IP
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="boundary-1138-29572-2659438-683"
X-AOL-INRLY: static.IP.clients.your-server.de [IP] scmp-d010
X-Loop: scomp
X-Virus-Scanned: Clear (ClamAV 0.98.1/20046/Sun Feb 8 18:53:21 2015)
X-Spam-Score: 1.6 (+)
Delivered-To: EMAIL
--boundary-1138-29572-2659438-683
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
This is an email abuse report for an email message with the message-id of 201502082039.t18KXUVWEMAIL received from the IP address IP on Sun, 8 Feb 2015 15:39:39 -0500 (EST)
For information, please review the top portion of the following page: http://postmaster.aol.com/Postmaster.FeedbackLoop.php
For information about AOL E-mail guidelines please see http://postmaster.aol.com/Postmaster.Guidelines.php
If you would like to cancel or change the configuration for your FBL please use the tool located at: http://postmaster.aol.com/SupportRequest.FBL.php
--boundary-1138-29572-2659438-683
Content-Disposition: inline
Content-Type: message/feedback-report
Feedback-Type: abuse
User-Agent: AOL SComp
Version: 0.1
Received-Date: Sun, 8 Feb 2015 15:39:39 -0500 (EST)
Source IP: IP
Reported-Domain: static.IP.clients.your-server.de
Redacted-Address: redacted
Redacted-Address: redacted@
--boundary-1138-29572-2659438-683
Content-Type: message/rfc822
Content-Disposition: inline
Return-Path: <EMAIL>
Received: from vps.baltsilver.com (static.IP.clients.your-server.de [IP]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaig-aai06.mx.aol.com (Internet Inbound) with ESMTPS id 8592A70000088 for <redacted>; Sun, 8 Feb 2015 15:39:39 -0500 (EST)
Received: from avaserve-653d78 (199-127-99-4.static.avestadns.com [IP]) (authenticated bits=0) by vps.baltsilver.com (8.14.3/8.14.3/Debian-9.4) with ESMTP id t18KXUVW029465 for <redacted>; Mon, 9 Feb 2015 00:39:35 +0400
Message-Id: <201502082039.t18KXUVWEMAIL>
Reply-To: "From Admin To You" <EMAIL>
From: "From Admin To You" <EMAIL>
To: EMAIL
Subject: Re Admin
Date: Sun, 8 Feb 2015 12:39:18 -0800
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
x-aol-global-disposition: G
Authentication-Results: mx.aol.com spf=none (aol.com the domain hp.com appears to have no SPF Record.) smtp.mailfrom=hp.com
x-aol-sid: 3039ac1b025a54d7c98b5451
X-AOL-IP: IP
X-AOL-SPF: domain : hp.com SPF : none
We offer non-collateral loans ranging from R 30,000.00 Thousand to the tune of R 200 Million between 1-20yrs at low interest rate of 7.5% with no collateral blacklisted under administration you are welcome.Call our toll free line on 0875502273 extension 101 to speak to a staff from 9am to 5pm E-mail:EMAIL
--boundary-1138-29572-2659438-683--
What do you know? Did you send this out? |
Question: |
I don't understand it |
Question: |
Why doesn't the site work??? |
Question: |
I set complex generated passwords on all the mailboxes a week ago |
Answer: |
Because your server sent out spam. Did you send the spam? Do you need the mailing? |
Question: |
No |
Question: |
We are now going to move to another server; you have constant problems. Restore our website to working order! |
Question: |
Please unblock our website |
Answer: |
Please wait, the request has been sent to the administrator. |
Question: |
When will the website work?! Customers are calling us; they can't get in |
Answer: |
You probably do not quite understand the problem. SPAM was being sent from you! Who is watching over your sites? Who has access to them? Who is responsible for updating them? Who works with the e-mail? |
Question: |
Only I and one manager work with the mail. The site is handled by a company that maintains sites. We did not send spam to anybody |
Question: |
From which mailbox was the spam sent? |
Answer: |
Not from a mailbox, but from your sites. Do strangers have access to the sites? |
Question: |
Outsiders do not have access. Maybe the server was hacked? What do we do next? |
Answer: |
The server is unlikely, but your website quite likely. How long ago were the sites updated? What kind of CMS do they run on? |
Question: |
Well, we will check the website for any extra scripts. How long ago was the spam sent, and is there no way to know which scripts? |
Answer: |
Check it; we are also checking it with antiviruses. Change all passwords |
Question: |
Now we understand |
Answer: |
OK |
Question: |
Hello, we checked baltsilver.com and nothing malicious was found. We are now checking the other sites. Just in case, we have migrated all mailboxes to ppd.yandex.ru. Within a day the MX records will be rewritten and it will be possible to block any mail from our IP. Let us know if any more spam is sent from us. |
Answer: |
Anti-virus found nothing:
maldet(10806): {scan}: method loaded: 13716 (11815 MD5 / 1901 HEX)
maldet(10806): {scan} building file list for ./, this might take awhile...
maldet(10806): {scan} file list completed, found 21123 files...
maldet(10806): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(10806): {scan} scan of ./ (21123 files) in progress...
maldet(10806): {scan} processing scan results for hits: 0 hits 0 cleaned
maldet(10806): {scan} scan completed on ./: 21123 files, malware hits 0, cleaned hits 0
maldet(10806): {scan} scan report saved, to view run: maldet --report 020915-1736.10806 |
Question: |
Hello, we cannot set the MX record for the domain name baltsilver.com in the panel; after a day it still has not been applied. Does it have to be done through you? Required parameters: subdomain name — @; record type — MX; value — mx.yandex.EN.; priority 10 |
Answer: |
Hello. The record has been specified. |
Question: |
Hello. The website baltsilver.com shows the message "Account disabled by server administrator.". You wrote that it was because of spam. But we have already moved all mail to yandex.ppd; even if someone got access to our mailboxes, it cannot be from your server. Can you just disable the ability to send mail from our hosting, so that you can make sure we are not sending it? |
Answer: |
Please wait, the request has been sent to the administrator. |
Answer: |
The spam is sent not from the mailboxes but with the help of hacked scripts. Who is responsible for the security of your website? |
Question: |
We already checked all scripts of the website, when you shut down the website last time malware was found. I understand you can't tell which script does the mailing. Can you at least see the period in which this happened? If you have any information about when the spam was sent, it is possible to see from the logs which URLs of the site were accessed and thus identify the scripts. In a similar situation I advise you to look for POST requests: http://searchengines.guru/showthread.php?t=485877 It would also help if you got a list of all .php files in the file manager, sorted them by date modified, and posted it here or sent it to EMAIL. Then we would at least know which scripts to test thoroughly. |
Answer: |
You can do this via ssh using the file manager mc |
Answer: |
We are now checking the server; the antivirus has found no viruses, as last time, or else not all files were found by the antivirus |
Question: |
I can't even connect via FTP; access seems to be denied. Can you open it? I would also ask you to start the website - customers are complaining. Don't worry, we will not drop the problem; we will keep looking. Even if we don't find the malicious script, in the end we will prohibit running all php scripts in general, except index.php at the root (with the help of .htaccess). |
Answer: |
Access is open, including access to the shell. Our antiviruses have found nothing yet |
Answer: |
Have you deleted the job scheduler? |
Question: |
No, the scheduler has not been edited in recent months. |
Answer: |
OK |
Question: |
Checked almost all the files modified in 2014. We have only one script on the website - the root index.php (everything works through it). The folders into which files are uploaded have an .htaccess banning script execution (so even if something was uploaded, running it is impossible). The only place where we had no blocking (as an exception) is the CKEditor4 library for the admin. Maybe that is what it is all about: https://dh.it-patrol.ru/newsletters/%D0%BA%D1%80%D0%B8%D1%82%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%B0%D1%8F-%D1%83%D1%8F%D0%B7%D0%B2%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C-%D0%B2-fckeditor-%D0%B8-ckeditor Now we have put the block here too (and everywhere else possible). We don't even know where else there may be a vulnerability. Please check whether spam continues to be sent. |
Answer: |
For now we can't check anything |
Question: |
More importantly - to send emails we use PHPMailer, so the standard php mail() function can be turned off. |
Answer: |
Please wait, the request has been sent to the administrator. |
Answer: |
The antivirus check found nothing. sendmail is stopped |