  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 128

Is my server sending spam?

I have a FreeBSD server and according to Yahoo, it's sending spam:

http://cbl.abuseat.org/lookup.cgi?ip=216.55.161.147

Can someone help me look into this?  I have root access but not sure what to look for.
Asked by: hrolsons

2 Solutions
 
Gary commented:
That IP is hosting multiple domains, I assume you manage the whole server?
Could be any of those domains that have been hacked, if any of them are running Wordpress, Drupal etc

You are only listed on one DB so it could be just Yahoo having a hissy fit
0
 
Gary commented:
And the offending website seems to be
blueapplehouses.com
0
 
hrolsons (Author) commented:
Yes, I manage the whole server.  blueapplehouses.com just completed a transition to Wordpress from a paid web developer.  How can I look deeper into the problem and hopefully eradicate it?
0
 
Gary commented:
Check the index pages for any base64 code.
0
 
hrolsons (Author) commented:
Due to .htaccess, none of the index pages are available.  Everything forwards to www.blueappleproperties.com, which is the WordPress site that Dex made.
0
 
Gary commented:
Uh?
0
 
R_Edwards commented:
Hrolsons,
What Gary is trying to explain is to look at your index.php files and find a string that looks like the following:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCPC9pZnJhbWU+PC9kaXY+JzsNCn0='));

The real code will be much longer.

In a nutshell, your index.php files were modified by a virus or someone being malicious.


/r
-= Richard
0
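A way to do the check Gary and Richard describe across every site on the server, rather than opening each index.php by hand. This is an added example, not code from the thread: it walks a web root (FreeBSD's /usr/local/www is assumed as the usual location, but the path is passed in), flags lines where eval() is wrapped around base64_decode() or a similar decoder, and also reports unusually long base64 literals. The two index.php files it creates for the demonstration are constructed samples; the short base64 string in the infected one is just error_reporting(0); encoded.

```python
"""Scan a web root for the eval(base64_decode(...)) pattern described above.

Added example; not from the original thread. Assumes the sites live under a
directory such as /usr/local/www (FreeBSD's usual location, passed in as an
argument) and that the files of interest are PHP/HTML sources.
"""
import os
import re
import sys
import tempfile

# Common decoder wrappers seen in injected PHP; eval() of any of them is
# suspicious in a legitimate index.php.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
# A long run of base64 characters is a second, weaker indicator.
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".phtml", ".inc")


def inspect_file(path):
    """Return a list of (line_number, reason) findings for one file."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if OBFUSCATION_RE.search(line):
                    findings.append((lineno, "eval of decoded/obfuscated payload"))
                elif LONG_B64_RE.search(line):
                    findings.append((lineno, "long base64 literal"))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return findings


def scan_webroot(root):
    """Walk root and return {relative_path: findings} for suspicious files."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            findings = inspect_file(full)
            if findings:
                results[os.path.relpath(full, root)] = findings
    return results


def build_sample_webroot():
    """Constructed demo web root: one clean and one injected index.php."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    os.makedirs(os.path.join(root, "clean"))
    os.makedirs(os.path.join(root, "infected"))
    with open(os.path.join(root, "clean", "index.php"), "w") as fh:
        fh.write("<?php\n/* WordPress front controller */\n")
        fh.write("require __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(root, "infected", "index.php"), "w") as fh:
        # Constructed sample: the payload is only error_reporting(0); encoded.
        fh.write("<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw=='));\n")
        fh.write("require __DIR__ . '/wp-blog-header.php';\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    for rel, findings in sorted(scan_webroot(target).items()):
        for lineno, reason in findings:
            print(f"{rel}:{lineno}: {reason}")
```

Run it as `python3 scan.py /usr/local/www` on the server; with no argument it scans the constructed sample and should report only infected/index.php. A hit on "long base64 literal" alone is worth a look but is not proof by itself, since some legitimate plugins embed encoded images or fonts.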
 
hrolsons (Author) commented:
I don't have any index.php file in the base directory.
0
 
Gary commented:
There must be an index.php file in the WP root directory. If there wasn't, it wouldn't work.
0
 
hrolsons (Author) commented:
That file must be on the server that is redirected to, which I don't have access to.  I control blueapplehouses.com but in the .htaccess:

RewriteCond %{REQUEST_URI} !^/Intranet
RewriteCond %{REQUEST_FILENAME} .*\.html$
RewriteRule . http://blueappleproperties.com [L]


It sends users on to blueappleproperties.com, which I don't control.
0
 
Gary commented:
It may not be that site, it was just an educated guess.

Check through your mail logs, see if you can identify any spam.
It could be that you have an open relay, if so you need to clamp down on your security and require authorisation for all email.
You can test for open relays here:
http://www.dnsgoodies.com/
0
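One way to go through the mail logs as Gary suggests, added here as an example and not something posted in the thread. It assumes sendmail's default logging on FreeBSD (/var/log/maillog), where every accepted message produces a line carrying from=<...>, nrcpts=N and relay=..., and where mail handed to sendmail locally by the web server user appears as relay=www@localhost. It groups messages and recipient counts by the submitting relay, which separates normal inbound and authenticated traffic from a burst of mail generated by an injected PHP script. The log lines, hostnames and the 100-recipient threshold are constructed for the demonstration.

```python
"""Summarise sendmail-style maillog lines to spot a burst of outbound mail.

Added example, not part of the original thread. Assumes sendmail's default
logging as found in FreeBSD's /var/log/maillog, where each message produces
a line with from=<...>, nrcpts=N and relay=...; mail submitted locally by the
web server user shows up as relay=www@localhost. The lines below are
constructed for the demonstration.
"""
import re
from collections import defaultdict

# Envelope-sender line of sendmail: from=<...>, ..., nrcpts=N, ..., relay=...
FROM_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>.*?nrcpts=(?P<nrcpts>\d+).*?relay=(?P<relay>\S+)"
)

# Constructed sample: one inbound message from another mail server, one from
# an authenticated user, and a burst of large recipient lists handed to
# sendmail by the www user (the pattern an injected PHP mailer produces).
SAMPLE_MAILLOG = """\
Jan 10 02:13:01 host sm-mta[7101]: s0A2D1AB007101: from=<alice@example-client.test>, size=2410, class=0, nrcpts=1, msgid=<a1@example-client.test>, proto=ESMTP, daemon=MTA, relay=mail.example-client.test [198.51.100.7]
Jan 10 02:13:07 host sm-mta[7102]: s0A2D7AB007102: from=<www@host.example.test>, size=5120, class=0, nrcpts=50, msgid=<b1@host.example.test>, relay=www@localhost
Jan 10 02:13:08 host sm-mta[7103]: s0A2D8AB007103: from=<www@host.example.test>, size=5120, class=0, nrcpts=80, msgid=<b2@host.example.test>, relay=www@localhost
Jan 10 02:13:09 host sm-mta[7104]: s0A2D9AB007104: from=<www@host.example.test>, size=5120, class=0, nrcpts=120, msgid=<b3@host.example.test>, relay=www@localhost
Jan 10 02:14:30 host sm-mta[7105]: s0A2EUAB007105: from=<bob@blueapplehouses.test>, size=980, class=0, nrcpts=2, msgid=<c1@blueapplehouses.test>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
"""


def parse_maillog(text):
    """Yield (sender, relay, nrcpts) for every message-accepted line."""
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            yield m.group("sender"), m.group("relay"), int(m.group("nrcpts"))


def summarize_by_relay(text):
    """Aggregate message count, recipient count and senders per relay."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for sender, relay, nrcpts in parse_maillog(text):
        entry = stats[relay]
        entry["messages"] += 1
        entry["recipients"] += nrcpts
        entry["senders"].add(sender)
    return dict(stats)


def suspicious_relays(text, max_recipients=100):
    """Return relays whose total recipient count exceeds max_recipients.

    The threshold is a hypothetical example value; tune it to the server's
    normal traffic before relying on it.
    """
    stats = summarize_by_relay(text)
    return sorted(r for r, s in stats.items() if s["recipients"] > max_recipients)


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    for relay, s in sorted(summarize_by_relay(text).items()):
        print(f"{relay}: {s['messages']} messages, {s['recipients']} recipients, "
              f"senders={sorted(s['senders'])}")
    print("over threshold:", suspicious_relays(text))
```

Run as `python3 maillog_summary.py /var/log/maillog`; with no argument it processes the constructed sample, where only www@localhost crosses the threshold. If the www user shows up as the dominant submitter, the next step is to find which site's PHP is calling mail(), which ties back to the index.php check earlier in the thread; if instead an external relay is dominant, that points at the open relay Gary mentions.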
 
hrolsons (Author) commented:
I ran 216.55.161.147 and blueapplehouses.com through the open relay check on the site you suggested and it was clean.

I can't figure out why Yahoo is rejecting mail from the server.
0
 
Gary commented:
Check the other sites on the server as well.
0
 
serialband commented:
It's possible that you didn't spam and Yahoo's filters went overboard.

Yahoo will sometimes block you even if you're not sending spam.  If you have a legitimate mailing list and it got sent out a little too quickly, Yahoo will block you.  Even if you've done the throttling to not trigger Yahoo right now, Yahoo may someday just decide that you're still spamming, even after you've called them before and verified with them about the Mailman mailing lists that people must manually sign up for and verify.  They're the only large company that causes problems for legitimate mailers.
0
 
Dirk Mare (Systems Engineer, Acting IT Manager) commented:
Another site to test whether your mail server is an open relay:
www.mxtoolbox.com

DirkMare
0