
My VPS was hacked. Sending SPAM Messages. Please help

Discussion in 'Web Hosting' started by myfault, Jul 7, 2013.

  1. myfault

    Three days ago I purchased a VPS for Scrapebox from this forum, but today the owner told me on Skype that my VPS IP is sending some kind of spam messages.

    Code:
    Date: 7 July 2013 04:23:54 CEST
    Subject: Hacker
    Hi,
    We have had hack attempts on our website from your network, from IP address 176.**.**.**
    We believe this server is compromised, and is part of a botnet attack, possibly using eggdrop bot/psybnc, controlled by UDP via port 80.
    Please check this server for malware or if this is a user account, please inform them that this kind of behaviour is unacceptable.
    The criminal controlling the botnet usually targets CPanel/WHM, WordPress Akismet and ccmail installations, so please check any other servers running these.
     
    Your country's CERT is aware of this botnet, so please report this incident.
     
    Disinfectant scripts are here:
    http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
    http://www.malfarmed.com/blog/malware/step-by-step-wordpress-malware-removal/
    http://wordpress.org/support/topic/locking-wp-loginphp-with-htaccess
    http://sitecheck.sucuri.net/scanner/
     
    Extract from Logs follows:
    176.**.***.** - - [06/Jul/2013:17:48:46 +1000] "GET /hacker_php.txt/register.php HTTP/1.1" 200 29045
    176.**.***.** - - [06/Jul/2013:17:48:46 +1000] "GET /hacker_php.txt/register.php HTTP/1.1" 200 29045 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
    176.**.***.** - - [06/Jul/2013:17:48:48 +1000] "GET /register.php HTTP/1.1" 200 29045
    176.**.***.** - - [06/Jul/2013:17:48:48 +1000] "GET /register.php HTTP/1.1" 200 29045 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
     
    Best Regards,

    I am only using Scrapebox and sick platform reader. I am running a Win 2008 Server. Please help.
     
  2. innozemec

  3. myfault

    Nope, because I have only installed Scrapebox, not WordPress.
     
  4. innozemec

    And I thought you were using the VPS for SEO tools, but the message from your admin provides some WP-related URLs...
     
  5. myfault

    Leave it. I sorted out the problem; it is an issue with Scrapebox, which also harvests the same URL many times. I now blacklist those domains.
     
  6. linuxfreak1985

    Check your .htaccess file inside the WordPress root for additional and irrelevant code, compare it with the default WordPress .htaccess, and remove any suspicious code.
     
  7. ndshgyta

    Reinstall the OS and next time make a full backup!
     
  8. jimgeek

    Reinstalling the OS is the easiest solution.
    If you are using a Windows solution, the virus may be difficult to remove.
     
  9. CheersFile

    Install some security plugin; hope it will work out.
     
  10. IceWizzard

    Well it's partly their fault for not securing their servers..
     
  11. Gogol

    I can help but not for free. PM me if you still need it.
     
  12. xxtoni

    What's wrong with you guys?

    He doesn't have WordPress installed on his VPS; he has Scrapebox and some other tool installed. The hosting owner probably sent you the log of a WordPress site YOU spammed to. You probably didn't use proxies, which you absolutely should, and your VPS' IP was used for submitting the comment. Of course the WP blog owner reported your IP, and now chances are you will be kicked from your VPS for doing spam.

    Let this be a lesson to EVERYONE, you absolutely MUST use proxies when using software that submits ANYTHING, ANYWHERE.
     
  13. Zuuuu

    Try to talk with your vps network and fix the problem. This is not ok!
     
  14. mudaber

    I have a dedicated server and I am also facing the same problem. Please help me.
     
  15. HerpDerpSlerp

    What is your exact issue? I can help you for a price.
     
  16. EubanksCreek

    Check the exim processes, and check the exim log, which should confirm the path of the processes sending messages.

    These are the exim commands -

    exigrep

    Kill exim first to stop sending all messages.

    PM Me for anything specific.
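
The log check suggested in the post above, as an added example that is not part of the original thread: it ranks the working directories that handed mail to exim, which is usually where a spamming script lives. It assumes exim is logging `cwd=... args:` lines (the `arguments` log selector); the sample log, paths and message IDs are constructed.

```shell
#!/bin/sh
# Added example: find which directories are handing mail to exim.
# Assumption: exim writes "cwd=<dir> <n> args: ..." lines to its main log
# (the "arguments" log selector); the sample below is constructed.

sample_log() {
cat <<'EOF'
2014-01-11 10:00:01 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-01-11 10:00:01 1W1aaa-0001AB-2C <= site1@host.example U=site1 P=local S=812
2014-01-11 10:00:02 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-01-11 10:00:03 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-01-11 10:00:04 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-01-11 10:00:05 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2014-01-11 10:00:06 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF
}

# Read an exim main log on stdin; print "count directory", busiest first.
# /var/spool/exim entries are exim's own queue runs, not a sending script.
top_senders() {
    sed -n 's/.* cwd=\([^ ]*\) .*/\1/p' |
    grep -v '^/var/spool/exim' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Messages accepted from local users ("<=" lines carrying U=<user>), per user.
top_local_users() {
    sed -n 's/.* <= .* U=\([^ ]*\) P=local.*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Use the log given as $1, otherwise the constructed sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    top_senders < "$1"
else
    sample_log | top_senders
fi
```

Pass the path of the server's exim main log as the first argument to run it on real data; the path differs between distributions and control panels.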
     
  17. harleybishop

    This is not your fault, they should clean up their VPS before giving it to a new client. Just put a new OS.