Darkmail issue

Posted by kselva, 12-23-2009, 02:49 AM
Hi All, in my VPS (Linux cPanel) I have enabled SMTP_BLOCK in csf to stop darkmail. But still spam mails are sent using darkmail; the csf alert is as follows:

Executable: /usr/bin/perl
Command Line (often faked in exploits): ygiwxbt.pl
Network connections by the process (if any):
tcp: 127.0.0.1:37648 -> 127.0.0.1:25
tcp: 127.0.0.1:37650 -> 127.0.0.1:25
tcp: 127.0.0.1:37652 -> 127.0.0.1:25
tcp: 127.0.0.1:37654 -> 127.0.0.1:25
tcp: 127.0.0.1:37656 -> 127.0.0.1:25
tcp: 127.0.0.1:37658 -> 127.0.0.1:25
tcp: 127.0.0.1:37660 -> 127.0.0.1:25
tcp: 127.0.0.1:37662 -> 127.0.0.1:25
tcp: 127.0.0.1:37664 -> 127.0.0.1:25
tcp: 127.0.0.1:37666 -> 127.0.0.1:25
tcp: 127.0.0.1:37668 -> 127.0.0.1:25

There are a lot of spam mails sent using darkmail. How can I stop this? Thanks in advance...

Posted by Steven, 12-23-2009, 03:02 AM
Normally this is being uploaded via FTP. Check your FTP logs for it. The affected accounts will need their passwords reset to something secure. This might be of interest to you however: http://configserver.com/cp/cxs.html
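The reply above says to check the FTP logs for the upload and reset the passwords of the accounts involved. As an added example (not code from any poster in this thread), the script below scans an FTP transfer log in xferlog format (the format written by wu-ftpd, ProFTPD and Pure-FTPd) for completed inbound transfers of script-like files and groups them by FTP account, so the compromised account can be identified. The log lines embedded in it are constructed for the example; the file names ygiwxbt.pl and dm.cgi are the ones mentioned in this thread, and the list of "script" extensions is an assumption you should adjust for your server.

```python
"""Find script uploads in an xferlog-format FTP transfer log and group them by
FTP account. Added example for this thread; the sample log below is constructed.
"""
import re
from collections import defaultdict

# xferlog fields are space separated; the timestamp takes the first five tokens.
# Caveat: file names containing spaces are not handled (servers normally
# substitute underscores in xferlog, so this rarely matters in practice).
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<xfer_time>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<action>\S) (?P<direction>[iod]) (?P<mode>[arg]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<auth_uid>\S+) "
    r"(?P<status>[ci])$"
)

# Assumed list of extensions typical of dropped mailer/backdoor scripts.
SCRIPT_EXTS = (".pl", ".cgi", ".php", ".sh", ".py")


def parse_xferlog_line(line):
    """Return a dict of fields for one xferlog line, or None if it does not match."""
    m = XFERLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_uploads(lines, exts=SCRIPT_EXTS):
    """Yield parsed records for completed inbound transfers of script-like files."""
    for line in lines:
        rec = parse_xferlog_line(line)
        if rec is None:
            continue
        # direction 'i' = incoming (upload); status 'c' = transfer completed
        if rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["path"].lower().endswith(exts):
            yield rec


def uploads_by_user(lines, exts=SCRIPT_EXTS):
    """Group suspicious uploads by FTP account: {user: [(remote_host, path), ...]}."""
    result = defaultdict(list)
    for rec in suspicious_uploads(lines, exts):
        result[rec["user"]].append((rec["host"], rec["path"]))
    return dict(result)


# Constructed sample log: one ordinary image upload, one download, an incomplete
# transfer, and two script drops from a single account over one remote host.
SAMPLE_XFERLOG = """\
Wed Dec 23 01:58:02 2009 1 198.51.100.7 20481 /home/alice/public_html/logo.png b _ i r alice ftp 0 * c
Wed Dec 23 02:10:11 2009 1 203.0.113.5 41200 /home/bob/public_html/ygiwxbt.pl a _ i r bob ftp 0 * c
Wed Dec 23 02:10:15 2009 1 203.0.113.5 3920 /home/bob/public_html/cgi-bin/dm.cgi a _ i r bob ftp 0 * c
Wed Dec 23 02:31:40 2009 2 198.51.100.7 512 /home/alice/public_html/index.html a _ o r alice ftp 0 * c
Wed Dec 23 02:40:00 2009 1 203.0.113.5 100 /home/bob/public_html/x.pl a _ i r bob ftp 0 * i
"""

if __name__ == "__main__":
    # Against a real server, replace the sample with open("/var/log/xferlog").
    for user, items in sorted(uploads_by_user(SAMPLE_XFERLOG.splitlines()).items()):
        print(f"{user}: {len(items)} script upload(s)")
        for host, path in items:
            print(f"  {host} -> {path}")
```

On the constructed sample this reports only the account "bob", with two completed script uploads from the same remote address; the incomplete transfer and the image upload are ignored. The account named in the output is the one whose password needs to be reset, and the remote host is a candidate for blocking in csf.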

Posted by Kailash12, 12-24-2009, 03:01 AM
CXS should help to prevent such scripts from being executed on the server. However, it is a paid version. Kailash

Posted by prashant1979, 12-24-2009, 03:18 AM
CXS fails to deliver at one point, and it is that it quarantines the page itself which gets infected instead of preventing the infection. This causes issues as many customers don't have a backup of the files, and their websites go down since it is mostly the home page of the website that gets quarantined. There should be some solution which prevents the pages from being infected at all. Also, the Darkmail issue is not due to Gumblar, and hence CXS will not help here.

Posted by Steven, 12-26-2009, 12:50 AM
CXS prevents darkmailer.

Posted by prashant1979, 12-26-2009, 01:28 AM
Can you explain how Darkmailer gets injected into the server and how it works?

Posted by Steven, 12-26-2009, 01:30 AM
It gets uploaded via FTP, and executed and is used to send spam.

Posted by prashant1979, 12-26-2009, 01:34 AM
In that case, CXS should be useful. However, I was pointing to the other issue with CXS which is that it quarantines or deletes the existing page which gets infected instead of preventing the injection. In case of darkmailer, I believe a new file with the name dm.cgi gets uploaded on the server and hence even if it is removed, it does not do any harm to the existing website. Hence, there should be another way to block darkmailer instead of relying on CXS.

Posted by Steven, 12-26-2009, 02:02 AM
From their site: It prevents it before it can be executed.

Posted by prashant1979, 12-26-2009, 03:57 AM
I beg to differ with this. It prevents it before it can be executed as it quarantines or destroys the file once it is infected. I am not talking only about the darkmail script, but about any file infected with Gumblar. You can also check the post in http://www.webhostingtalk.com/showthread.php?t=903045. What I mean to say is: find another way to prevent darkmail instead of relying on CXS. I hope you get my point.
