One of the common problems lately is SPAM being sent through a compromised account on the server. In this blog post we briefly cover how to find the source of SPAM on a server and what measures to take.
The root of the problem is script vulnerabilities, especially on shared hosting servers, no matter how many server-level security measures are in place. Vulnerabilities in WordPress-based software, and SPAM sent through the accounts of users who have not applied the fixing update, have caused quite annoying problems: the server's IP addresses end up on blacklists.
Advancing technology gives today's attackers new opportunities. Currently, the most common thing bots do after taking over an account through a script vulnerability is open PHP socket connections and send SPAM directly from their own code, without using the mail service installed on the server, and from every IP address attached to the server. Each such connection is a plain TCP connection from the PHP process to port 25 of the remote mail server, so the attacker can keep sending SPAM from every IP they can discover on the captured hosting account until those IPs are blacklisted.
System administrators who are unaware of this method usually go straight to the mail service logs to find which account is sending SPAM, but they find no records, because the SPAM never passes through the mail service installed on the server. The best way to detect it on Linux servers is the netstat command (ss from iproute2 gives the same information on newer distributions where net-tools is not installed).
Most Commonly Used Netstat Parameters
-n: Shows numeric addresses and ports instead of resolving hostnames (no reverse DNS lookups), so results come back faster
-t: Lists TCP connections only (Unix domain sockets are not shown)
-u: Lists UDP connections only (Unix domain sockets are not shown)
-p: Shows the PID and program name owning each listed connection (run as root, otherwise the column shows "-" for other users' processes)
The command we need is netstat -ntup. In the output of netstat -ntup | grep :25, the program name next to the PID should be exim (on a cPanel server). If we see php instead of exim, we are very likely facing a problem. Note that grep :25 also matches inbound mail arriving on the server's own port 25 in the Local Address column; the outbound SPAM connections we are looking for are the ones whose Foreign Address ends in :25.
To find the directory the process with that PID is running from:
lsof -p PIDNUMBER
lsof -p PIDNUMBER | grep cwd
This way we reach the working directory of the PHP process using port 25 (ls -l /proc/PIDNUMBER/cwd and /proc/PIDNUMBER/exe give the same information if lsof is not installed). The files dropped by the attacker who exploited the script vulnerability are usually visible right in that directory.
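The check above, automated as an added example (this is not a script from the original post): it reads netstat -ntup output, flags every connection to a foreign port 25 that is not owned by the MTA, and then reads the process's executable and working directory from /proc, the same data lsof -p PID | grep cwd shows. The sample netstat output is constructed (documentation IP ranges; 3984/php plays the intruder), and the allowed program names assume a cPanel-style server where exim is the only legitimate SMTP client; the column layout assumed is that of net-tools netstat, not ss.

```shell
#!/bin/sh
# Added example, not from the original post: automate "netstat -ntup | grep :25".
# Flags connections to a REMOTE port 25 owned by anything other than the MTA,
# then shows the process's exe and cwd from /proc (what "lsof -p PID | grep cwd" gives).

# Program names allowed to talk to port 25. Assumption: cPanel-style server, exim is the MTA.
ALLOWED_MTA='exim|exim4'

# Constructed sample of net-tools "netstat -ntup" output (not a real capture).
# 3984/php is the intruder; 2290/exim is inbound mail on our own port 25.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 203.0.113.10:43210      198.51.100.7:25         ESTABLISHED 2311/exim
tcp        0      0 203.0.113.11:51022      192.0.2.45:25           SYN_SENT    3984/php
tcp        0      0 203.0.113.12:51023      192.0.2.46:25           ESTABLISHED 3984/php
tcp        0      0 203.0.113.10:25         198.51.100.30:40211     ESTABLISHED 2290/exim
tcp        0      0 203.0.113.10:22         198.51.100.20:55512     ESTABLISHED 1102/sshd: root
udp        0      0 203.0.113.10:53        198.51.100.1:53         ESTABLISHED 1001/named
EOF
}

# Reads netstat -ntup output on stdin; prints "PID PROGRAM LOCAL_IP" for each TCP
# connection whose FOREIGN port is 25 and whose program is not the MTA. Only the
# foreign column is checked, so inbound mail on local port 25 is not reported.
flag_smtp_clients() {
    awk -v allowed="$ALLOWED_MTA" '
        $1 == "tcp" && $5 ~ /:25$/ {
            split($7, p, "/")                  # "PID/Program name" column
            if (p[2] == "") p[2] = "unknown(run-as-root)"   # netstat prints "-" without root
            if (p[2] !~ ("^(" allowed ")$")) {
                local = $4
                sub(/:[0-9]+$/, "", local)     # strip the local port, keep the IP
                print p[1], p[2], local
            }
        }' | sort -u
}

# Where is that process running from? Same data as lsof -p PID, read from /proc.
# Needs root to read another user's process.
describe_pid() {
    pid=$1
    printf 'pid=%s exe=%s cwd=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
}

# Live scan on a real server:  sh smtp_scan.sh --scan   (run as root so -p shows every process)
if [ "${1:-}" = "--scan" ]; then
    netstat -ntup 2>/dev/null | flag_smtp_clients | while read -r pid prog ip; do
        echo "suspicious SMTP client: $prog (pid $pid) sending from $ip"
        describe_pid "$pid"
    done
fi
```

Run against the constructed sample, flag_smtp_clients reports only the two php connections (3984 from 203.0.113.11 and 203.0.113.12); the exim lines, including the inbound one on local port 25, are skipped. A process that opens sockets from several of the server's IPs shows up once per IP, which is exactly the "all attached IPs" pattern described above.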
To block TCP tunneling over SSH (so that a compromised account with shell access cannot forward SMTP traffic through the SSH server):
AllowTcpForwarding no
Add this line to the SSH daemon configuration file (/etc/ssh/sshd_config) and restart the SSH service.
One of the best solutions we can share: in our own hosting network we use SMTP RELAY servers for outgoing mail. On the main switch we add a rule that blocks access to port 25 from all server IP addresses, except toward the RELAY server defined on the local network. This way mail never leaves the network other than through the SMTP RELAY servers, and a PHP socket opened directly to a remote mail server's port 25 cannot connect at all.
Existing Netinternet customers can enable similar ACL rules themselves from the IP Management section of their customer panel. When ACL-SMTP is active, port 25 of the servers is closed to the internet while remaining open on the local network.
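A host-level equivalent of the switch rule above, as an added example that is not Netinternet's switch or panel configuration: an nftables ruleset that lets outbound port 25 reach only the relay and accepts inbound port 25 only from the local network. The relay address 10.0.0.25 and the local network 10.0.0.0/24 are assumptions.

```nftables
# Added example, not the original post's switch ACL. Assumed addresses:
# 10.0.0.25 is the SMTP relay, 10.0.0.0/24 is the local network.
table inet smtp_acl {
    chain output {
        type filter hook output priority 0; policy accept;
        # Outbound SMTP may only go to the relay; anything else aimed at
        # port 25 (e.g. a PHP socket to a remote MX) is logged and dropped.
        ip daddr 10.0.0.25 tcp dport 25 accept
        tcp dport 25 log prefix "smtp-egress-blocked: " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Inbound SMTP only from the local network (ACL-SMTP equivalent).
        ip saddr 10.0.0.0/24 tcp dport 25 accept
        tcp dport 25 drop
    }
}
```

Load it with nft -f and the logged drops become a second detector: each "smtp-egress-blocked" line in the kernel log carries the source IP and port of the blocked attempt, which netstat -ntup maps straight back to the PID and program.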
Comments
Thanks, a nice share.
Hello, you said that if we enable ACL-SMTP on the relevant IP, the port is closed to the internet. Does this closure affect normal mail exchange? Thanks.