Need some help/advice!

Atlbsky · 03-25-2005, 11:05 AM

Was a former client of John's at V7 - now on dedicated hosting at the planet, and having a problem. As soon as we imported our site from V7, we started seeing in the WHM panel email that is constantly being sent through our domain - even though none of the accounts exist with us!

I'm guessing we had some sort of script inserted, but I really am at a loss to explain these emails. Worst of all, they are all infected with a netsky variant.

Can any of you masters point me down a path of enlightenment as to what to look for with this, how to stop it, and what antivirus solutions are best for a dedicated server (linux).

Thanks for any/all help!

PS - that earlier line sounded bad - I in no way suspect this had anything to do with V7, whose service was the best we ever had - just wanted to clear that up!

Thermit · 03-25-2005, 11:50 AM

Install and run a root kit checker ( chkrootkit ).

Look in every tmp directory on the machine for any hidden files or directories ( ... = bad news )

Look for infected files, check the datestamps.

A few of many things to do...

Jonathan VanSchaack · 03-25-2005, 04:58 PM

cpanel run basic allows ppl to route through yourdomain without securelogin, just enable secure login for email, this way pplneedtologin to send not just receive

docquesting · 03-26-2005, 03:00 PM

I dont know anything about this much myself but if they are able to do the above perhaps the may have access to the whole system?

Just trying to think how a hacker would do things.

Jonathan VanSchaack · 03-26-2005, 03:17 PM

nope, they would just have access to the SMTP