Jump to content


  • Posts

  • Joined

  • Last visited

Everything posted by annie

  1. I'll open a ticket if the problem persists, and I can rule out route problems.
  2. There is a way to figure out if the problem is DNS or routing: Make a note of the IP address of your server. Let's say your mailserver address fails because the address is bad (ie DNS problems), immediately switch out the address for the IP number and then try again. If it works then, and you switch back to the address and it doesn't work, then either it's second to second intermittent, or you just proved that it's a dns problem, not a routing problem. Oh, and same thing with traceroute. Start two traceroutes from the same location at the same time. One with the address, one with the IP number. If the one with the IP number works, guess what, it's not the routing that's the problem.
  3. At home my mailserver address doesn't respond right now. I also tried it here and it failed: http://network-tools.com/ (Timed out) Before I got to http://www.zoneedit.com/ , even the first one worked. And it also worked at home. So this is intermittent.
  4. Looks like intermittent DNS problems. NS1.totalchoicehosting.com NS2.totalchoicehosting.com On two occasions today, DNS has failed. Last one a few minutes ago. Anything going on?
  5. Thanks for letting us know. I have since seen websites compromised that seemed to have been due to this exploit. In that case, it was a webhost in the UK. I haven't heard back, so don't know for sure. But all the compromised sites were on the same IP number, so the chance was excellent it was the cpanel hack.
  6. Webspammers have started hacking websites in order to serve up spam and do other things related to spamming. Download the php files with ftp or cpanel, in order to check what's in them. Browsing to them via a browser won't let you view the code. Some of those files are obfuscated, but it's possible to deobfuscate them. Quite often they point to another site via includes.
  7. There's a problem with all versions of cpanel, and a fix out. I hope you guys have applied it? Hostgator was compromised because of it. Not pretty!
  8. Since I wrote the posts here, I've found more compromised sites. And I believe some of those were due to php scripts with flaws in them. I've seen how badly they've been trying to break into my site, so I believe that's an issue these days. In my case, I've got a few blog posts with phpbb in the title, and hackers have found those in a search engine and tried highlight hacks and other hacks to get in. There's no phpBB installation on my site, so they're not getting in. I also found a hack tool on one site that allowed anyone who had found it to upload files. Truly scary.
  9. When you get it to work, be sure to disallow search engine robots from accessing the directory where the uploaded files are, or you'll be inundated with spammy pages quickly! There is a script made for file uploads that you could use. Just search for it. Also, the more scripts you have, the more holes you put in your site, and the more risk there is of a hacker gaining control over your site.
  10. Disable catch all e-mail. You can do that in cpanel. When you do that, the bounces will be rejected by the mailserver on your TCH server.
  11. I heard one customer of a webhost who's had particularly many victims of this had gotten an e-mail from his hosting company saying they were under attack. That a hacker was sniffing their FTP passwords. FTP passwords are not encrypted, so they can be sniffed. Might be time to move to secure FTP? Can you guys speculate what the bad guys did in order to manage to sniff the FTP passwords? I assume they would have had to compromise a box on the webhost's net? Especially since they hacked sites on different IP numbers. It wasn't just the one box. So, if we're thinking a switched network, they'd have to sniff somewhere near the perimeter?
  12. I've been tracking webspammers for a while, and I've discovered some spammers hacking other people's websites in order to serve up their spammy websites. They often stash a file named read.php in some directory off the root. But I've also seen other php files used. Usually the files are not supposed to be there rather than altered files. The spammers will then spam guestbooks etc with the URL's to those spammy files. I'm not saying that's happened here or even will happen here. But with this development (and most of this seems to have started in August this year), we as site owners need to be a lot more vigilant. And webhosts also should be more vigilant.
  13. I wonder if there's another forum software that allows for premoderation? Premoderation is the only reason to stick with Invision...
  14. I was wondering, since you guys are so good at what you're doing, if you know how to track referrer spam on a virtual webhost server? From the perspective of support/technical personell, I mean? Scenario: I complained to another webhost that I was referrer spammed from their box. They initially tried to find the script responsible, but gave up and null-routed the IP to my server instead. That got me plenty hot under the collar, since I'm a spam fighter, and they're essentially giving the spammer carte blanche to continue spamming - forever! So since those guys apparently don't know what they're doing, I thought I'd open up the field and ask you guys, since you appear to be very capable, and run a very tight ship. You know, they asked me indignantly: "Do you keep logs of every outbound connection from your server?" EDIT: How would you monitor outbound connections, that came from any port, but connected to port 80 on a remote system?
  15. Toddcurry: You're a victim of poor planning. Catchall e-mail stopped being viable a few years ago. I know it was convenient. I used it too, years ago. And I still see people signing my blog with typical catchall e-mail addresses. And I shake my head every time...
  16. I'm considering moving the MX records from my TCH webhost space to my own mailserver. A server I've built from the ground, and know the ins and outs of. Full control is nice. I'm just wondering if there are any side effects I haven't thought about? I've got control over the domain myself, but if TCH's nameservers are authoritative, maybe they need to map the MX records in their server, instead of me doing something at the registrar? Any scenarios where something might go wrong are appreciated. And for the record, the TCH servers are solid, I'm just so darn proud of my own mailservers and exactly the way they handle mail...
  17. I run a few mailservers, so I'm familiar with faked sender spamruns. My experience has been that Leo Kuvayev has been behind most of them. But I thought of something. With domains on a webhost such as TCH, and catch-all turned off, you won't know if there's a spamrun misusing your domain. Maybe there should be SOME kind of functionality in cpanel that made it possible to find that out? Say if there was a tally of the number of bounces or some mail statistics? Some domain owners are afraid the spamruns will reflect badly on them. I've experienced guestbook spam joe jobs, so I know the recipients of spam can sometimes go proactive. I got messages in my guestbook I didn't understand until one poster explained it to me. Then I put up a notice on my site about it, and the proactive types went elsewhere to protest. So, is there any way we can find out about the spamruns without enabling catc-all (and it should stay firmly OFF, in my opinion).
  18. After having used it for a while, I believe TCH has a filter that disallows bounces if you do more than one bounce at a time. So I either have to do one bounce at a login, or use another SMTP server.
  19. Normally I'd agree with you about bouncing messages. But when dealing with CANSPAM compliants who got my address due to a friend having a virus and subscribing me to loads of bulk e-mail lists, it's probably the best way. So I'm pretty miffed that most of the mails can't be bounced. I NEED TO BOUNCE THEM! So what is this administrative prohibition anyway?
  20. Looks like maybe it's got to do with WHO I'm bouncing mail to? Maybe some of the spam is to nonexisting domains? Either way, I need to get the message across to some CAN SPAM pseudo compliant lists, so hopefully this will work.
  21. Weird. Now it worked without me doing any changes.
  22. I need to use smtp server at TCH, but I get this error message: Could not send - the SMTP server replied: Administrative prohibition (SMTP server error 550) What must I do to make it work? This is a POP3 account, and I'm using an old version of Mailwasher.
  23. The only thing present in my root .htaccess is some wiki rewrite rules.
  24. It can't have anything to do with indexes off. Some users have all their accesses blocked. Some coming in without referrers, some without referrers and user agents, are blocked. One must have been a bot. I saw loads of accesses within a minute or two. Multiple to the same files. Always loading images and css files. Now and then there would be a 403, in between 200 and 304. It looks almost as a small scale DDOS attack? Wait, it's from a school. It could also have been a school class using multiple computers via the same NAT router. When I search for 403, it looks like a lot, but I can see a lot of accesses came through as well, after I searched for the IP number. There's a bot (no referrer or user agent) that was blocked as well. Looks like throttling, because it's downloading a mile a minute from my forum. No images loaded.
  25. I've got lots of 403's in my logs that I can't account for. I don't know how and why they're blocked. As far as I know, I didn't block them. So, who did? And yes, I double checked my .htaccess files.
  • Create New...