Hi,

We buy server space through a company called magichost, which ultimately is connected to The Planet.

Whilst both companies benefit from our money, neither at this point in time is prepared to help resolve a problem which exists on their servers only. Whilst I understand and appreciate that they are not the low-life scum spamming via these accounts, they have most generously refused to do anything or make any suggestions other than to suspend the accounts so we cannot see what is going on and attempt to fix this issue.

Surely someone has come across this problem before and there is a solution or something to look for in the scripts mentioned below that are said to be sending the spam.

They made a website backup which we cannot download even though we have made numerous attempts, and now they are saying effectively that even if we can download the backup and fix the problem they won't restore the accounts anyway!!!!

What sort of a solution is that, take the client's money, then when stuff happens close everything down and refuse to do anything to help.

Anyone that can give me any ideas on how to fix this would be most welcome to reply.

Below are some excerpts taken from emails from their so-called Admin Team over the last few days



Regarding your 2nd account that gets suspended, I have checked the source:

I have found the below files which seem to have sent the spam emails. Please confirm with your client. As per the logs it seems to be exploited from the IP "83.229.91.32".

---------------------
[root@host aff]# ll Uniz.php
-rw-r--r-- 1 wwwausi wwwausi 9812 Jun 16 05:51 Uniz.php
[root@host aff]#
[root@host aff]# ll 407.php
-rw-r--r-- 1 wwwausi wwwausi 5122 Jun 16 05:51 407.php
[root@host aff]#
-----------------

Logs:-
-------
83.229.91.32 - - [03/Dec/2008:11:57:56 -0600] "GET /aff/407.php HTTP/1.1" 200 2971 "-" "Mozilla/5.0 (Windows; U; Windows NT 5$
83.229.91.32 - - [03/Dec/2008:11:57:58 -0600] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1;$
83.229.91.32 - - [03/Dec/2008:11:57:58 -0600] "GET /aff/407.php HTTP/1.1" 200 2971 "-" "Mozilla/5.0 (Windows; U; Windows NT 5$
83.229.91.32 - - [03/Dec/2008:12:09:31 -0600] "POST /aff/407.php HTTP/1.1" 200 18582 "http://ausinks.com/aff/407.php" "Mozill$
83.229.91.32 - - [03/Dec/2008:12:11:35 -0600] "POST /aff/407.php HTTP/1.1" 200 43743 "http://ausinks.com/aff/407.php" "Mozill$
------------------


I have checked and found that there are 2 php files "407.php" and "Uniz.php" in wwwgems account which were used in sending the spam emails. Below logs indicate that the IP "65.49.2.93" has exploited this. Please confirm with your client.


------------------------

65.49.2.93 - - [04/Dec/2008:10:05:25 -0600] "POST /407.php HTTP/1.0" 200 31867 "http://gemsnjewels.com.au/407.php" "Opera/9.6$
65.49.2.93 - - [04/Dec/2008:10:06:02 -0600] "POST /407.php HTTP/1.0" 200 31549 "http://gemsnjewels.com.au/407.php" "Opera/9.6$
65.49.2.93 - - [04/Dec/2008:10:06:46 -0600] "POST /407.php HTTP/1.0" 200 31574 "http://gemsnjewels.com.au/407.php" "Opera/9.6$
---------

I am checking another account. I will also contact ThePlanet for the issue as far as contacting them directly (I think you can)..anyways I will update you shortly.


We get this response from ThePlanet regarding if you can contact them directly. Please check:

Dear Customer,
Unfortunately we cannot work with your customer. However if you'd like to post their reply in the ticket for us to review you may do that.

As you should know, and as we have said clearly, when these two sites get spam complaints, their sites will not be unsuspended, as the datacenter will not allow it either. To put their sites back online will cause the server to shut down and the IP to get blacklisted, which will affect all accounts on your server.

We will be giving you more time to backup your files but we will not be able to set those two accounts back online. We have put those backup files in your root directory, which allows you to download them to your own computer for investigation, but despite your investigation we will still not be able to turn those two sites back on.

Please confirm.

Gee that was some help, wasn't it????
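
An added example, not part of the original post or the host's emails: a Python triage of access-log lines like the ones quoted above. It lists PHP scripts whose POST requests all carry the script's own URL as Referer and come from very few client addresses, as candidates to compare against the files originally uploaded. The sample lines, addresses and `shop.example` are constructed, the `max_clients` threshold is an assumption, and a legitimate low-traffic form can match too.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined log format. The user-agent is often cut off in pasted
# excerpts (trailing "$"), so nothing after the referer is required.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)")?'
)

def triage(lines, max_clients=2):
    """Return {path: stats} for PHP scripts that received only
    self-referred POSTs from at most max_clients addresses."""
    stats = defaultdict(lambda: {"posts": 0, "self_ref": 0,
                                 "bytes": 0, "clients": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        path = urlsplit(m["path"]).path  # drop any query string
        if m["method"] != "POST" or not path.lower().endswith(".php"):
            continue
        s = stats[path]
        s["posts"] += 1
        s["clients"].add(m["ip"])
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        # A web form that posts back to itself sends its own URL as Referer.
        if urlsplit(m["referer"] or "").path == path:
            s["self_ref"] += 1
    return {p: s for p, s in stats.items()
            if s["self_ref"] == s["posts"] and len(s["clients"]) <= max_clients}

# Constructed sample lines modelled on the excerpts above (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [03/Dec/2008:11:57:56 -0600] "GET /aff/407.php HTTP/1.1" 200 2971 "-" "Mozilla/5.0 (Windows; U$',
    '203.0.113.7 - - [03/Dec/2008:11:57:58 -0600] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U$',
    '203.0.113.7 - - [03/Dec/2008:12:09:31 -0600] "POST /aff/407.php HTTP/1.1" 200 18582 "http://shop.example/aff/407.php" "Mozill$',
    '203.0.113.7 - - [03/Dec/2008:12:11:35 -0600] "POST /aff/407.php HTTP/1.1" 200 43743 "http://shop.example/aff/407.php" "Mozill$',
    '198.51.100.4 - - [03/Dec/2008:12:20:00 -0600] "POST /cart/checkout.php HTTP/1.1" 302 512 "http://shop.example/cart/view.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, s in triage(SAMPLE).items():
        print(path, s["posts"], "POSTs,", s["bytes"], "bytes returned,",
              "clients:", ", ".join(sorted(s["clients"])))
```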