25 replies to this topic

[Stan]

Did anyone get a mail from patriot@emergency-planet.com?

[Kermit]

I didn't get one.
Is it something bad?

[Stan]

We are currently investigating an attack on our server. We got complaints of several people that have never heard of us or our site and from our ISP.

Failure to resolve this issue from our side will result in a shutdown of Emergency-planet by our ISP. Results of the investigation will be forwarded to American authorities.



More details will be released soon. At this time we can guarantee no email addresses where stolen as we only got used to send out bulk spam.

[gunswat]

oh noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

[Stan]

Update:

I informed the provider of the possible reason this happened. I am still checking the system to close every psosible way they came in. At this time i was able to stop delivery of 700000 emails by cutting the connection.

As soon we exactly know what has happened, full details will be posted

[Kermit]

Good luck!

[Stan]

Update: Wrong reason, issue still persistent

After removing 700k emails in queue and checking back 10minute later i found out 32k new emails where added to the queue

New registrations will be shutdown until resolved since I took the mailserver down

[RedHawk504]

Go get em stan!

[DMC]

Book 'm stanno

[Stan]

Another update: Issue still persists, eta of a fix is now unknown

[ausavin26]

Yep, my emails aren't going

[Stan]

As long i don't know where the slightly terroristic mails come from no mails will go through

[Dakota]

Is it going through the IPB or an external source? You may want to do a quick sweep of the FTP for unknown files that have been added to the server and obviously password changes to your cPanel.

[griffy]

ive had this happen to me before i had to close my account it was so bad but i believe that stan will get this issue addressed and please dont be afraid to take this to the american government they will track down the guy

[ausavin26]

Or please don't be afraid to contact Sparta...we don't need some government...

[Voodoo_Operator]

Or please don't be afraid to contact Sparta...we don't need some government...

Let's not kick people down bottomless wells just yet, mmmkay?

[ausavin26]

Why not

[Dakota]

ive had this happen to me before i had to close my account it was so bad but i believe that stan will get this issue addressed and please dont be afraid to take this to the american government they will track down the guy

They aren't as proactive as you might think when it comes to spam, it gets put on a very long to do list by FBI's cyber security division to be handled when they get to it. Only the really big stuff gets any attention these days.

[Stan]

Dakota it's not coming from IPB, the mails are send out from the user www-data. This makes www-data@srv1.ictwereld which is quite strange because this user has not even right to login.

My guess is they uploaded a file and got that file to auto-run the second issue is...i can't fine that file anywhere.

However, a few hours after I disabled the main site and removed two websites from the server the queue began fill slower then first and then it stopped, now the thing I am currently wondering about it....whas it that? Or did the attack just end?

But i got a mail tonight...

Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present
in the rkhunter.dat file.
Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not
present in the rkhunter.dat file.
Warning: Suspicious file types found in /dev:
		 /dev/shm/7gbhujb54g8z9hu43jre8: data

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

[met police999]

Wtf? This is mental btw I haven't had any emails