Full Version: Jmail ASP Form
ikon_sg
Recently we kept getting multiples of these in our Jmail ASP forms from several domains. Could it be a hacker trying to do something?


enquiry: yfzzoxy@domain.com
submit: yfzzoxy@domain.com
email: yfzzoxy@domain.com
name: yfzzoxy@domain.com
_showURL: yfzzoxy@domain.com
Content-Type: multipart/mixed; boundary="===============0654077313=="
MIME-Version: 1.0
Subject: 84aa684d
To: yfzzoxy@domain.com
bcc: jrubin3456@aol.com
From: yfzzoxy@domain.com

This is a multi-part message in MIME format.

--===============0654077313==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

hjvyfi
--===============0654077313==--


PS:
"domain.com" is substituted for one of the domains hosted on the server.
claudioszykman
Hi

It is very difficult to point out what is causing this, but I could guess it is a spam dictionary attack...

If you have many senders@domain.com, all of them different from each other, then you should see if there is some catch-all default account for this domain and disable it. Also see if your SMTP server can ban IPs that generate many errors...

OR

If it is definitely something related to Jmail, it can be an insecure form that some hackers discovered in this customer's domain and are exploiting, most likely to send spam...

Keep in mind that this will happen if you have an open relay on the SMTP server or if the ASP code is insecure.

You can also search inside this customer's directories; using findstr or find you can print all pages that call the Jmail component...

Best regards

Claudio
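The submission quoted in the first post has the shape of a mail header injection probe: every field carries the same address, and one field carries line breaks followed by a `bcc:` header aimed at a third party, so a form handler that pastes field values straight into mail headers would relay the message for the spammer. The following is an added example, not code from the thread or from Jmail: it flags such submissions, shows the vulnerable header-building pattern beside a hardened one, and uses a constructed probe (addresses `probe@domain.com` and `relay-target@example.net`) and a constructed legitimate submission as input. The fixed site mailbox `enquiries@domain.com` is an assumption.

```python
import re
from email.utils import parseaddr

# Hypothetical site address that should receive every enquiry. Letting the
# form choose the recipient is exactly what turns a contact page into a relay.
SITE_MAILBOX = "enquiries@domain.com"

# Raw CR/LF, their URL-encoded forms, and any line starting with a mail
# header name have no business inside a single-line header value.
CRLF_RE = re.compile(r"[\r\n]|%0[aAdD]")
HEADER_RE = re.compile(
    r"^\s*(bcc|cc|to|from|subject|content-type|mime-version)\s*:",
    re.IGNORECASE | re.MULTILINE,
)
ADDR_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def header_injection_reason(value):
    """Return why a form value is unsafe in a mail header, or None if it is clean."""
    if CRLF_RE.search(value):
        return "line break in header value"
    if HEADER_RE.search(value):
        return "embedded mail header"
    return None


def find_injected_fields(form):
    """Map every field carrying an injection attempt to the reason it was flagged."""
    flagged = {}
    for field, value in form.items():
        reason = header_injection_reason(value)
        if reason:
            flagged[field] = reason
    return flagged


def looks_like_probe(form):
    """Bot signature from the thread: every filled field starts with the same address."""
    first_lines = set()
    for value in form.values():
        head = re.split(r"[\r\n]+", value.strip())[0]
        if head:
            first_lines.add(head)
    return len(first_lines) == 1 and "@" in next(iter(first_lines))


def build_headers_unsafe(form):
    """The vulnerable pattern: form values pasted straight into the headers."""
    return (
        f"To: {form['email']}\r\n"
        f"From: {form['email']}\r\n"
        f"Subject: Enquiry from {form['name']}\r\n"
    )


def build_headers_safe(form):
    """Hardened: reject injected fields, validate the address, pin the recipient."""
    bad = find_injected_fields(form)
    if bad:
        raise ValueError(f"rejected submission: {bad}")
    _, addr = parseaddr(form["email"])
    if not ADDR_RE.fullmatch(addr):
        raise ValueError("invalid sender address")
    name = form["name"].strip()[:80]
    return (
        f"To: {SITE_MAILBOX}\r\n"
        f"From: {SITE_MAILBOX}\r\n"
        f"Reply-To: {addr}\r\n"
        f"Subject: Enquiry from {name}\r\n"
    )


# Constructed sample: mirrors the shape of the submission quoted in the thread.
PROBE = {
    "enquiry": "probe@domain.com",
    "submit": "probe@domain.com",
    "email": "probe@domain.com",
    "name": (
        "probe@domain.com\r\n"
        'Content-Type: multipart/mixed; boundary="===============0654077313=="\r\n'
        "MIME-Version: 1.0\r\n"
        "Subject: 84aa684d\r\n"
        "To: probe@domain.com\r\n"
        "bcc: relay-target@example.net\r\n"
        "From: probe@domain.com\r\n"
    ),
    "_showURL": "probe@domain.com",
}

# Constructed sample: what a real enquiry looks like.
LEGIT = {
    "enquiry": "Do you host .NET sites?",
    "submit": "Send",
    "email": "jane@example.org",
    "name": "Jane Doe",
    "_showURL": "",
}

if __name__ == "__main__":
    print("probe fields flagged:", find_injected_fields(PROBE))
    print("probe signature:", looks_like_probe(PROBE))
    print("unsafe headers:\n" + build_headers_unsafe(PROBE))
    print("safe headers:\n" + build_headers_safe(LEGIT))
```

The unsafe builder emits the attacker's `bcc:` line as a real header, which is all an open relay through the form needs; the safe builder refuses the submission outright and, for clean input, never lets the form decide where the mail goes. Logging the rejected fields gives the same evidence the poster was seeing in the mailbox, but before any message is sent.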
ikon_sg
One of the customers' sites had been hacked; the fellow simply (don't know how) managed to "crack" the FTP password and upload an index.html file to the directory!

Next, the virus scanner detected the fellow (should be the same guy) using SQL injection in ASP in another directory; it was also deleted.

This guy is trying all ways.

I am using MailEnable, not sure how I can ban IPs that generate many errors... No catch-all is enabled on the mail server.

not sure why this guy want to do this...
claudioszykman
MailEnable has many features to help in this case.

You should use it on the SMTP connector: right-click and select Properties.

On some of the tabs (SMTP, Relay, etc.) you should find Ban IP Addresses; then you can set the threshold to 5 or 10 (it means after 5 or 10 wrong commands it will ban the IP). After that you can set up a scheduled task with a .bat file to overwrite the SMTP deny list (located in one of the MailEnable folders) with an empty file.

Personally I don't think they "cracked" the FTP password.

I do think that your customer has a vulnerable application such as phpBB, or an upload page totally open to "strangers", or a simple include_once or external request.

For instance:

If you have an ASP page calling an external image or code such as http://www.mydomain.com/inlcude.asp?img=ht.../www.amazon.com

A hacker can change the GET URI (the final parameters in this URL) and then put an FSO application in your web space; then he can not only change or copy any of the files but also upload a virus, try to run some EXE programs, etc.

You may consider looking at this post of mine:

http://forums.servermatrix.com/viewtopic.php?t=16653

At the end of it you can see some ASP.NET and folder permissions security tips.

Folder permissions are the MOST IMPORTANT THING to be done on a Windows server...

Good luck

Claudio
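The include page Claudio describes takes a URL in its `img` parameter and fetches whatever it points at, so an attacker only has to point it at a script of his own. The check below is an added example, not code from the thread: it validates such a parameter against an allowlist of hosts before anything is fetched, covering the tricks that defeat a naive "does it start with http://www.amazon.com" test (credentials before an `@`, look-alike hostnames, other schemes, odd ports, path traversal). The allowlist itself (`www.amazon.com`, `images.example.com`) is an assumption, and the ASP page would apply the same rules to `Request("img")` before passing the URL to its fetch; the fetched bytes should then only ever be passed through as content, never included or executed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the include page is permitted to fetch from.
ALLOWED_HOSTS = {"www.amazon.com", "images.example.com"}


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, host) if url may be fetched, else (False, reason)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    # Only plain web fetches; file:, ftp:, scheme-relative and bare paths are out.
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"

    # "http://www.amazon.com@evil.example/" parses the allowed name as a username.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"

    # Exact match on the parsed hostname, not a prefix test on the raw string,
    # so "www.amazon.com.evil.example" does not pass.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host not on allowlist: {host or '(none)'}"

    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, f"port not allowed: {port}"

    if "/../" in parts.path or parts.path.endswith("/.."):
        return False, "path traversal in path"

    return True, host


# Constructed sample inputs: one legitimate image URL and the kinds of values
# an attacker would try in the img= parameter.
SAMPLES = [
    "http://www.amazon.com/img/a.jpg",
    "HTTPS://WWW.AMAZON.COM/img/a.jpg",
    "http://evil.example/fso.asp",
    "http://www.amazon.com@evil.example/fso.asp",
    "http://www.amazon.com.evil.example/a.jpg",
    "file:///C:/Inetpub/wwwroot/default.asp",
    "//www.amazon.com/a.jpg",
    "http://www.amazon.com:8080/a.jpg",
    "http://www.amazon.com/../../a.jpg",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, detail = check_fetch_url(sample)
        print(("ALLOW " if ok else "REJECT"), sample, "->", detail)
```

Rejecting on any failed check and logging the offending value is deliberate: a parameter that fails this test is either a broken link or a probe, and either way nothing should be fetched into the web space.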
ikon_sg
Thanks claudioszykman.

Yeah, I checked and configured the ban IPs settings etc. to be tighter after browsing up and down the MailEnable site.

You're right about the vulnerable application. Our programmer found an old upload script in ASP at one of the customer's 3-year-old sites; it was a very old ASP-writing format through which an SQL injection script can easily be uploaded.

It is being replaced. Think it'll take a while before we look through all the ASP scripts.

But I still cannot figure out how he/she managed to use the FTP. The login password/username is simple, yes, but not simple enough to do it in a matter of 10 attempts. The FTP is set to ban IPs with more than 10 login retries.
claudioszykman
Hi

If you are sure that they also used FTP access, it can be one simple reason:

Someone infected your customer's home computer (using some spyware; you know Prevx is an excellent anti-spyware home software), and then they could access some file with his instructions and password, or they copied his FTP .ini file that stores the passwords of the most used hosts.

Once I had a compromised Windows server and all the web sites' index pages were changed, so we asked our data center for a fresh reload and started everything again...

So your situation is not the most critical it could be.

Best Regards and good luck ; )

Claudio
ikon_sg
Gee, I didn't think of that; it was that simple, yet I missed it.

Yeah, there's a high chance that could've happened, as a check of the mail logs shows numerous infected viruses at the domain's mailboxes daily!

And I also think the client's computers are not properly installed with the latest (or even basic) antivirus protection software, based on the way they ask for support each time. They have little knowledge of IT or online-related matters...

Thanks!

Anyway, what we did was monitor closely and check the logs daily, hoping to avoid such cases in future... Think that's the only way then...
claudioszykman
Hi

Unfortunately I need to tell you that it seems to have been discovered as a new spam hack...

http://forums.webhostautomation.com/viewto...pic.php?t=13536

I hope it helps.

Regards

Claudio
ikon_sg
Thanks!

The messages keep coming in; think we'll have to bear with it first before finding a solution.