Hi,
I have a dedicated server on a web host. I have 3 domains hosted on the same server. One of the domains was apparently hacked and a rogue script was installed that was using the exim service to send out spam. At least that's what I thought was going on.
When I contacted tech support at the web host they confirmed that the emails were being sent through my server and told me that there was no way for them to tell me what script was doing it or where it was located in the domain files. At this point I had them stop the exim service on my server so I knew no more spam would be sent out until I could get this web space cleaned up.
I backed up all of my files and the database from that domain and wiped out every file in the domain space by having the web host delete everything from their end. Then I created a new web space for the domain. I didn't load any programs or files whatsoever. Just the bare minimum to support the domain. Then I created the email accounts.
During this process I made sure that I changed every password on the domain. I didn't even use the same login names except for the email accounts. The email account passwords were also new.
As soon as I had the email accounts turned on there was more spam. What I find curious is that I have several email accounts on this domain but it's only one that all of this spam is being sent through. I don't know enough about the mechanics to know if this really is being sent through my server or if someone is just plugging in my email address in the spam.
I have not done anything with the other two domains on the server. Is it possible that even though these are saying they are from the fresh domain space they could be from a script on one of the others?
Here are a couple of the headers. If anyone can help I'd be very grateful!!
Return-path: <info@glassresearch.net>
Envelope-to: info@glassresearch.net
Delivery-date: Mon, 08 Dec 2008 01:46:20 -0600
Received: from [218.77.202.52] (helo=alvearnet.com.ar)
        by server.glassresearch.net with smtp (Exim 4.69)
        (envelope-from <info@glassresearch.net>)
        id 1L9aot-0002ml-K1
        for info@glassresearch.net; Mon, 08 Dec 2008 01:46:20 -0600
To: <info@glassresearch.net>
Subject: Delivery Status Notification
From: <info@glassresearch.net>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
------------------------
Return-path: <info@glassresearch.net>
Envelope-to: info@glassresearch.net
Delivery-date: Mon, 08 Dec 2008 07:13:23 -0600
Received: from ppp079166079114.dsl.hol.gr ([79.166.79.114])
        by server.glassresearch.net with smtp (Exim 4.69)
        (envelope-from <info@glassresearch.net>)
        id 1L9fvO-0004Zs-0u
        for info@glassresearch.net; Mon, 08 Dec 2008 07:13:23 -0600
To: <info@glassresearch.net>
Subject: RE: Message
From: <info@glassresearch.net>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
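Added example, not from the poster: a small Python check that reads the Received: lines quoted above and reports whether server.glassresearch.net accepted each message from an outside IP (the sender address was forged by the remote host) or from a local process (what a script running on the box would leave behind). The first two lines are copied from the headers in the post; the third "with local" line is a constructed sample of a local submission, and the hostname server.glassresearch.net is taken from the headers.

```python
import re
from ipaddress import ip_address

# The two "Received:" lines from the headers quoted in the post.
RECEIVED_LINES = [
    "from [218.77.202.52] (helo=alvearnet.com.ar) by server.glassresearch.net "
    "with smtp (Exim 4.69) (envelope-from <info@glassresearch.net>) id 1L9aot-0002ml-K1 "
    "for info@glassresearch.net; Mon, 08 Dec 2008 01:46:20 -0600",
    "from ppp079166079114.dsl.hol.gr ([79.166.79.114]) by server.glassresearch.net "
    "with smtp (Exim 4.69) (envelope-from <info@glassresearch.net>) id 1L9fvO-0004Zs-0u "
    "for info@glassresearch.net; Mon, 08 Dec 2008 07:13:23 -0600",
]
# Constructed sample: what Exim writes when a local script hands mail to sendmail.
LOCAL_SUBMISSION_LINE = (
    "from nobody by server.glassresearch.net with local (Exim 4.69) "
    "(envelope-from <nobody@server.glassresearch.net>) id 1AAAAA-000000-00 "
    "for victim@example.com; Mon, 08 Dec 2008 02:00:00 -0600"
)

OUR_HOST = "server.glassresearch.net"  # the receiving MTA named in the headers

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"        # name the peer announced, or its bracketed IP
    r"(?:\((?P<paren>[^)]*)\))?\s*"   # Exim's parenthesised helo=/[ip] details
    r"by\s+(?P<by>\S+)"               # the MTA that wrote this line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(line):
    """Return (peer_ip_or_None, by_host) for an Exim-style Received line, or None."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    ip_m = IP_RE.search(line[:m.end("by")])  # the IP, if any, sits in the 'from' part
    return (ip_m.group(1) if ip_m else None), m.group("by")

def classify(line, our_host=OUR_HOST):
    """'inbound-external': our MTA took the message from a foreign IP, so the From:
    and envelope-from were forged remotely; 'local-origin': it came from a process
    on the server itself, which is the signature of a rogue script."""
    parsed = parse_received(line)
    if parsed is None:
        return "unparsed"
    peer_ip, by_host = parsed
    if by_host.lower() != our_host:
        return "other-mta"
    if peer_ip is None or ip_address(peer_ip).is_loopback:
        return "local-origin"
    return "inbound-external"
```

Both quoted headers classify as inbound-external: the server was the recipient, not the relay, so changing the box's passwords could not have stopped them.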