kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Fri Jul 31, 2009 2:16 am
Update: Got this notice -
Quote: | The DarkMailer Trojan has been removed from the server, and a process is being looked into, in order to keep this from happening again. We will keep you updated on any changes that may be necessary on this server to keep this from happening again.
Thanks
ATCI Hosting. |
I wrote them back:
Quote: | Was I the client that was causing this or someone else? I need to be sure as I wish to move to a dedicated server and need to understand if I'm just bringing the problem with me.
>> "and a process is being looked into, in order to keep this from happening again."
What does that mean? Tell me in technical terms. Have you simply killed the process for now and removed the files meaning that it could come back at any moment? Or have you done patching or changes to limit outbound port 25 restrictions?
Have you started the process of getting the box delisted from the various spam databases? Will you be actually looking after delisting this server? Many of the places I cannot do this myself as they want an atcihosting.com admin email address to do it. If no changes to the server have been done (other than removing the physical trojan files and stopping the process) then delisting should NOT be done as it can just come back again.
Kal |
Information on DarkMailer: http://en.wikipedia.org/wiki/Dark_Mailer
I've done some reading on it and it's an especially insidious trojan because it comes in so many mutating variants. To be fair to the hosting companies, the problem is not usually them - it's the end users who install some questionable software on their server or create FTP accounts with user names like "upload/upload" and don't put any extra security in place. The Dark Mailer CGI scripts get uploaded and before you know it they're running and causing havoc.
If there are any shared components to your website (as is the case here with the email server used for sending email) then one user can cause all users on that server to have problems as the whole server gets blacklisted and emails are no longer allowed.
So the only way to keep your site safe from your neighbours is to get your own 100% dedicated server. I've asked them to move ahead with this. (Assuming I wasn't the cause of the problem to begin with - I hope not as I keep a pretty tight ship here!)
Kal
_________________
Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
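Kal's post above describes the pattern: a weak FTP account is used to drop a CGI mailer into a web directory, the script runs, and it is later removed. As an added example (not from this thread or from any hosting company's tooling), the Python script below scans a wu-ftpd/ProFTPD-style xferlog for the parts of that pattern a server admin can actually see in the transfer log: server-side scripts uploaded under web-served paths, uploads by generic account names of the "upload/upload" kind, and a script deleted shortly after it was uploaded. The log lines, addresses and account names are constructed for the example, and the extension, directory and account-name lists are assumptions to tune per server.

```python
"""Scan an FTP transfer log (wu-ftpd / ProFTPD xferlog format) for the
upload-run-remove pattern: a script dropped into a web-served directory
through a weak FTP account and deleted again soon after.

Added example for this thread. The sample log lines, addresses and account
names are constructed; the extension / directory / account lists are
assumptions an admin would tune for their own server."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import posixpath

# Server-side script types that should not normally arrive via an upload account.
SCRIPT_EXTENSIONS = {".pl", ".cgi", ".php", ".py", ".sh"}
# Path fragments that mark a web-served location on this (assumed) layout.
WEB_DIR_MARKERS = ("/cgi-bin/", "/public_html/", "/htdocs/", "/www/")
# Account names of the "upload/upload" kind the post warns about (assumption).
GENERIC_ACCOUNTS = {"upload", "ftp", "test", "guest", "admin", "user"}


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str  # 'i' = upload (incoming), 'o' = download, 'd' = delete
    user: str
    status: str     # 'c' = complete, 'i' = incomplete


def parse_xferlog_line(line: str) -> Transfer:
    """Parse one xferlog record. The filename may contain spaces, so the fixed
    fields are read from both ends: 8 tokens before it, 9 tokens after it."""
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError(f"malformed xferlog line: {line!r}")
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    return Transfer(
        when=when,
        remote_host=tokens[6],
        size=int(tokens[7]),
        path=" ".join(tokens[8:-9]),
        direction=tokens[-7],
        user=tokens[-5],
        status=tokens[-1],
    )


def is_script(path: str) -> bool:
    return posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS


def classify_upload(t: Transfer) -> list:
    """Reasons an incoming transfer deserves a look; empty means nothing notable."""
    reasons = []
    if t.direction != "i":
        return reasons
    if is_script(t.path) and any(m in t.path for m in WEB_DIR_MARKERS):
        reasons.append("server-side script uploaded under a web-served directory")
    if t.user.lower() in GENERIC_ACCOUNTS:
        reasons.append(f"upload by generic account name {t.user!r}")
    return reasons


def scan_xferlog(lines, short_lived: timedelta = timedelta(hours=1)):
    """Return (Transfer, [reasons]) for every record worth reviewing. Besides the
    per-upload checks, a script deleted by the same account within `short_lived`
    of its upload is flagged: that is the run-and-remove behaviour the host saw."""
    findings = []
    recent_uploads = {}  # (user, path) -> Transfer of the most recent upload
    for line in lines:
        if not line.strip():
            continue
        t = parse_xferlog_line(line)
        reasons = classify_upload(t)
        if t.direction == "i":
            recent_uploads[(t.user, t.path)] = t
        elif t.direction == "d":
            upload = recent_uploads.pop((t.user, t.path), None)
            if upload is not None and is_script(t.path) and t.when - upload.when <= short_lived:
                minutes = int((t.when - upload.when).total_seconds() // 60)
                reasons.append(f"script deleted {minutes} min after upload (short-lived script)")
        if reasons:
            findings.append((t, reasons))
    return findings


def format_findings(findings) -> list:
    return [f"{t.when:%Y-%m-%d %H:%M} {t.user}@{t.remote_host} {t.direction} {t.path}: "
            + "; ".join(reasons) for t, reasons in findings]


# Constructed sample log: a weak 'upload' account drops and removes a Perl
# mailer; a normal account uploads static content and one file is downloaded.
SAMPLE_XFERLOG = """\
Sun Aug  2 23:58:10 2009 3 192.0.2.10 48211 /home/upload/public_html/cgi-bin/dm.pl a _ i r upload ftp 0 * c
Mon Aug  3 00:02:41 2009 0 192.0.2.10 0 /home/upload/public_html/cgi-bin/dm.pl a _ d r upload ftp 0 * c
Mon Aug  3 09:15:02 2009 1 198.51.100.7 2048 /home/kal/public_html/index.html a _ i r kal ftp 0 * c
Mon Aug  3 09:20:30 2009 2 198.51.100.7 51200 /home/kal/public_html/images/banner.jpg b _ i r kal ftp 0 * c
Mon Aug  3 10:05:00 2009 1 203.0.113.5 1400 /home/kal/public_html/index.html a _ o r kal ftp 0 * c
"""

if __name__ == "__main__":
    for row in format_findings(scan_xferlog(SAMPLE_XFERLOG.splitlines())):
        print(row)
```

Run against the constructed log it reports two records: the Perl script uploaded into cgi-bin by the generic "upload" account, and the deletion of that same script four minutes later; the ordinary uploads and the download are left alone. Note that the transfer log only shows the upload and removal, not the execution, so pairing it with web-server access logs for the same path is what confirms the script actually ran.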
AnalogRocks Forum Moderator
Joined: 08 Mar 2006 Posts: 26690 Location: Toronto, Ontario, Canada
TV/Projector: Sony 1252Q, AMPRO 4000G
Posted: Fri Jul 31, 2009 3:10 am
Ahh yes it did....
_________________ Tech support for nothing
CRT.
HD done right!
Curt Palme CRT Tech
Joined: 08 Mar 2006 Posts: 24305 Location: Langley, BC
TV/Projector: All of them!
Posted: Fri Jul 31, 2009 4:26 am
Nice work Kal! I'll have a new projector list whenever you want it. Lots of new sets in, and I'm broke.
Curt Palme CRT Tech
Joined: 08 Mar 2006 Posts: 24305 Location: Langley, BC
TV/Projector: All of them!
Posted: Mon Aug 03, 2009 1:52 pm
I was gonna mention, email notifications are not getting to me via Shaw.
CRT_Ben
Joined: 28 Aug 2006 Posts: 1684 Location: Northern Virginia
Posted: Mon Aug 03, 2009 2:21 pm
Man, that sucks. Come to think of it, all of my notifications have been dropped in the Spam folder lately, I guess this is why...hopefully you can find a good hosting company!
zaphod
Joined: 16 Jun 2006 Posts: 2002 Location: Cloverdale
Posted: Mon Aug 03, 2009 4:44 pm
Why these hosting companies don't use VMware is beyond me. Isolated systems, a unique IP for each instance and root access for the person using it without compromising root access to the other instances. And with VMware being free (unless you want to do the clever stuff like vMotion to bounce instances around), it's a no-brainer for a hosting company.
Sigh.
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Tue Aug 04, 2009 12:00 am
Looks like they finally found the offender:
Code: | > Date: Mon, 3 Aug 2009 12:23:30 -0400
> From: support@atcihosting.com
> Subject: [ATCI Technical Case #LMX-20413-395]: Offline Message (Cerberus Livechat)
> To: kal???????@hotmail.com
>
> We have located the darkhorse mailer/spambot and cleaned up the account.
> There was a compromised FTP account that would allow the program to be uploaded, run, and then completely removed.
> We are now in the process of working with the spam lists to get the main IP delisted.
> Most lists will drop the IP in a few days as long as there is no more spamming.
>
> No, you were not the compromised account. |
Annoying that it took so long to find the compromised account, but in their defence it's not always easy to find.
A 100% dedicated server is $149-199/month. Time to start planning the move. I don't want to be at the whim of some idiot who creates full access FTP accounts with passwords set to "password".
Kal
_________________
Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Curt Palme CRT Tech
Joined: 08 Mar 2006 Posts: 24305 Location: Langley, BC
TV/Projector: All of them!
Posted: Tue Aug 04, 2009 12:14 am
Hey, I know, how about using 1&1?
Hahahahahahahahahah!
k.berger
Joined: 16 Mar 2006 Posts: 84
Posted: Tue Aug 04, 2009 8:25 pm
Hi Kal,
Just crossed my mind: you may want to look into the possibility of using a different hosting company for your mail, like the one where you registered your domain. That would require changes to the DNS record, but it's easy, and the combination would cost a lot less than a dedicated server.
Kris
zaphod
Joined: 16 Jun 2006 Posts: 2002 Location: Cloverdale
Posted: Tue Aug 04, 2009 10:44 pm
Yep, and maybe Kal missed it in the fray, but I offered to do pretty much exactly that a few pages back on my server.
_________________ walk gently. leave a good impression.
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Tue Aug 04, 2009 10:44 pm
k.berger wrote: | Hi Kal,
Just crossed my mind: you may want to look into the possibility of using a different hosting company for your mail, like the one where you registered your domain. That would require changes to the DNS record, but it's easy, and the combination would cost a lot less than a dedicated server.
Kris |
Interesting idea - I'll look into it. The one issue I see is that you'd likely still be on a shared IP of some sort, so the same issue could occur. For you to be on your very own mail IP you'd need to be completely isolated.
Kal
_________________
Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Tue Aug 04, 2009 10:48 pm
zaphod wrote: | Yep, and maybe Kal missed it in the fray, but I offered to do pretty much exactly that a few pages back on my server. |
Sorry Zaphod - I did miss it!
Thanks for the offer. I'm actually out of town a lot in the next week and a half and need to re-assess a bit before moving forward with a different or changed solution.
I have to do a bit of poking around.
Kal
_________________
Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0