Solved

Is my server sending spam?

Posted on 2014-10-07
Last Modified: 2016-02-11
I have a FreeBSD server and according to Yahoo, it's sending spam:

http://cbl.abuseat.org/lookup.cgi?ip=216.55.161.147

Can someone help me look into this?  I have root access but not sure what to look for.
0
Question by:hrolsons
15 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 40366524
That IP is hosting multiple domains, I assume you manage the whole server?
Could be any of those domains that have been hacked, if any of them are running WordPress, Drupal, etc.

You are only listed on one DB so it could be just Yahoo having a hissy fit.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366531
And the offending website seems to be
blueapplehouses.com
0
 

Author Comment

by:hrolsons
ID: 40366578
Yes, I manage the whole server.  blueapplehouses.com just completed a transition to WordPress from a paid web developer.  How can I look deeper into the problem and hopefully eradicate it?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366603
Check the index pages for any base64 code.
0
 

Author Comment

by:hrolsons
ID: 40366621
Due to .htaccess, none of the index pages are available.  Everything forwards to www.blueappleproperties.com, which is the WordPress site that Dex made.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366626
Uh?
0
 
LVL 8

Expert Comment

by:R_Edwards
ID: 40366657
Hrolsons,
     What Gary is trying to explain is to look at your index.php files and find a string that looks like the following:

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCPC9pZnJhbWU+PC9kaXY+JzsNCn0='));

The real code will be much longer.

In a nutshell, your index.php files were modified by a virus or someone being malicious.


/r
-= Richard
0
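An added example, not part of the thread: one way to run the check described above across every site's document root, decoding the base64 literal for reading only and never executing it. The function names, the file-extension list and the sample files are assumptions constructed for illustration.

```python
import base64, binascii, os, re, tempfile

# eval(base64_decode('...')) with optional whitespace, either quote style, any case
PATTERN = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1", re.I)

def decode_literal(b64: bytes) -> str:
    """Decode the payload so it can be read; nothing here runs it."""
    cleaned = re.sub(rb"\s+", b"", b64)
    cleaned += b"=" * (-len(cleaned) % 4)      # repair missing padding
    try:
        return base64.b64decode(cleaned).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable>"

def scan_docroot(root):
    """Return (path, first 120 chars of decoded payload) for each hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                       # unreadable file: skip it
            for m in PATTERN.finditer(data):
                findings.append((path, decode_literal(m.group(2))[:120]))
    return findings

def demo():
    """Scan two constructed sites: one injected index.php, one clean."""
    payload = base64.b64encode(b'echo "constructed sample";')
    with tempfile.TemporaryDirectory() as root:
        for site in ("site-a", "site-b"):
            os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, "site-a", "index.php"), "wb") as fh:
            fh.write(b'<?php EVAL ( base64_decode("' + payload + b'") ); ?>\n')
        with open(os.path.join(root, "site-b", "index.php"), "wb") as fh:
            fh.write(b"<?php require 'wp-blog-header.php';\n")
        return [(os.path.relpath(p, root), t) for p, t in scan_docroot(root)]

if __name__ == "__main__":
    for path, text in demo():
        print(path, "->", text)
```

On a real server, pass the directory that holds all hosted sites to `scan_docroot` so every domain on the IP is covered.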
 

Author Comment

by:hrolsons
ID: 40366679
I don't have any index.php file in the base directory.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40366697
There must be an index.php file in the WP root directory - if there wasn't, it wouldn't work.
0
 

Author Comment

by:hrolsons
ID: 40366717
That file must be on the server that is redirected to, which I don't have access to.  I control blueapplehouses.com but in the .htaccess:

RewriteCond %{REQUEST_URI} !^/Intranet
RewriteCond %{REQUEST_FILENAME} .*\.html$
RewriteRule . http://blueappleproperties.com [L]


It sends users on to blueappleproperties.com, which I don't control.
0
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 40366822
It may not be that site, it was just an educated guess.

Check through your mail logs, see if you can identify any spam.
It could be that you have an open relay; if so, you need to clamp down on your security and require authorisation for all email.
You can test for open relays here:
http://www.dnsgoodies.com/
0
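An added example, not part of the thread: one way to go through the mail logs as suggested above, totalling messages and recipients per envelope sender and relay. It assumes sendmail-style `from=` lines (the thread does not say which MTA is in use); the log lines, host names and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed sendmail "from=" line layout; adjust the pattern for another MTA.
FROM_LINE = re.compile(
    r"\]: \w+: from=<?(?P<sender>[^>,\s]*)>?, "
    r".*?nrcpts=(?P<n>\d+),.*?relay=(?P<relay>.*)$")

# Constructed sample log lines (not taken from the server in the question).
SAMPLE_LOG = """\
Oct  7 03:12:01 web1 sendmail[4211]: s977C1aB004211: from=www, size=812, class=0, nrcpts=40, msgid=<1@web1.example.org>, relay=www@localhost
Oct  7 03:12:02 web1 sm-mta[4215]: s977C1aB004211: to=<x@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [198.51.100.5], dsn=2.0.0, stat=Sent
Oct  7 03:12:09 web1 sendmail[4230]: s977C9cD004230: from=www, size=815, class=0, nrcpts=35, msgid=<2@web1.example.org>, relay=www@localhost
Oct  7 03:12:17 web1 sendmail[4244]: s977CHeF004244: from=www, size=809, class=0, nrcpts=50, msgid=<3@web1.example.org>, relay=www@localhost
Oct  7 03:15:40 web1 sm-mta[4302]: s977FeQk004302: from=<alice@example.org>, size=2048, class=0, nrcpts=1, msgid=<4@example.org>, proto=ESMTP, daemon=IPv4, relay=mail.example.net [192.0.2.10]
"""

def summarize_senders(lines):
    """Return (sender, relay, messages, recipients), busiest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = FROM_LINE.search(line.rstrip("\n"))
        if not m:
            continue                           # delivery (to=) and other lines
        key = (m.group("sender") or "<>", m.group("relay"))
        totals[key][0] += 1
        totals[key][1] += int(m.group("n"))
    rows = [(s, r, msgs, rcpts) for (s, r), (msgs, rcpts) in totals.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for sender, relay, msgs, rcpts in summarize_senders(SAMPLE_LOG.splitlines()):
        print(f"{rcpts:6d} rcpts {msgs:4d} msgs  from={sender}  relay={relay}")
```

A high recipient count submitted locally by the web server account points at a script on one of the hosted sites, while volume arriving from outside relay addresses points at relaying.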
 

Author Comment

by:hrolsons
ID: 40367004
I ran 216.55.161.147 and blueapplehouses.com through the open relay check on the site you suggested and it was clean.

I can't figure out why Yahoo is rejecting mail from the server.
0
 
LVL 58

Expert Comment

by:Gary
ID: 40367024
Check the other sites on the server as well
0
 
LVL 29

Expert Comment

by:serialband
ID: 40367430
It's possible that you didn't spam and yahoo filters went overboard.

Yahoo will sometimes block you even if you're not sending spam.  If you have a legitimate mailing list and it got sent out a little too quickly, yahoo will block you.  Even if you've done the throttling to not trigger yahoo right now, yahoo may someday just decide that you're still spamming, even after you've called them before and verified with them about the mailman mailing lists that people must manually sign up for and verify.  They're the only large company that causes problems for legitimate mailers.
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 250 total points
ID: 40367840
Another site to test if your mail server is an open relay.
www.mxtoolbox.com

DirkMare
0
