
» Surpass Web Hosting Forums » Choosing Surpass » Signed Up? » Just received 3 e-mails with viruses from surpass

Old June 7th, 2005, 12:41 PM   #1 (permalink)
Registered User
Fresh Surpasser
 
Joined in Nov 2004
19 posts
Gave thanks: 0
Thanked 0 times
Just received 3 e-mails with viruses from surpass

I'm assuming that they are not from surpass administrators, but if they are not, I have a major security hole in my website, as the headers show the email originating from a surpass server. I received the following:

Subject: Account Alert
Body: We attached some important information regarding your account.
Headers:
Quote:
Return-path: <mikeamo@sh56.surpasshosting.com>
Envelope-to: mike@mikeamos.net
Delivery-date: Tue, 07 Jun 2005 08:56:27 -0400
Received: from mikeamo by sh56.surpasshosting.com with local-bsmtp (Exim 4.43)
id 1Dfdd3-0008MX-Pv
for mike@mikeamos.net; Tue, 07 Jun 2005 08:56:27 -0400
Received: from pool-141-157-8-207.balt.east.verizon.net ([141.157.8.207] helo=mikeamos.net)
by sh56.surpasshosting.com with esmtp (Exim 4.43)
id 1Dfdd1-0008MN-Kr
for mike@mikeamos.net; Tue, 07 Jun 2005 08:56:25 -0400
From: service@mikeamos.net
To: mike@mikeamos.net
Subject: Account Alert
Date: Mon, 6 Jun 2005 20:57:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_F48262C6.0C2BD853"
X-Priority: 3
X-MSMail-Priority: Normal
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
sh56.surpasshosting.com
X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
DATE_IN_PAST_06_12,MISSING_MIMEOLE,NO_REAL_NAME,PRIORITY_NO_NAME,
RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.3
Message-Id: <E1Dfdd3-0008MX-Pv@sh56.surpasshosting.com>
Status: R
Contained an attachment called: account-details.zip containing a batch file.


Subject: *WARNING* Your e-mail account will be closed.
Body: We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
Headers:
Quote:
Return-path: <mikeamo@sh56.surpasshosting.com>
Envelope-to: mike@mikeamos.net
Delivery-date: Tue, 07 Jun 2005 09:15:46 -0400
Received: from mikeamo by sh56.surpasshosting.com with local-bsmtp (Exim 4.43)
id 1Dfdvl-0000To-UK
for mike@mikeamos.net; Tue, 07 Jun 2005 09:15:46 -0400
Received: from pool-141-157-8-207.balt.east.verizon.net ([141.157.8.207] helo=mikeamos.net)
by sh56.surpasshosting.com with esmtp (Exim 4.43)
id 1Dfdvi-0000Tk-Qu
for mike@mikeamos.net; Tue, 07 Jun 2005 09:15:45 -0400
From: admin@mikeamos.net
To: mike@mikeamos.net
Subject: *WARNING* Your Email Account Will Be Closed
Date: Mon, 6 Jun 2005 21:16:23 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_46A2068E.B21DA3F6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
sh56.surpasshosting.com
X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
DATE_IN_PAST_06_12,MISSING_MIMEOLE,NO_REAL_NAME,PRIORITY_NO_NAME,
RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.3
Message-Id: <E1Dfdvl-0000To-UK@sh56.surpasshosting.com>
Status: R
Contained an attachment "info-text.zip" containing a batch file.

I got two more sent with the same style. When I first saw that a virus was attached, I expected to see something else in the headers, but it appears as if I sent it to myself, or someone got into my account and sent it to me. I understand that this probably wasn't the administration who sent this to me, but I am seeking better ways of protecting my site from any intruders, or any explanation as to how this may have occurred!

Thanks!
mikeamos is offline  
Old June 7th, 2005, 12:47 PM   #2 (permalink)
H
after g, before i
Resident.
 
H's Avatar
 
Joined in Jul 2004
Lives in N,BC,CA
8,058 posts
Gave thanks: 48
Thanked 129 times
What scripts are you running on your site? Have you checked various folders for any unrecognized files or even folders you don't remember putting there?

I'm pretty sure e-mail from Surpass would be going through the main Surpass Hosting server. Also, note the e-mail addresses in the "From:" part. They're "service" and "admin" at your domain. I think that gives a pretty good clue someone else is sending these e-mails.

Also remember that it could potentially be another account on your server sending the e-mails.
H is offline  
Old June 7th, 2005, 12:50 PM   #3 (permalink)
Registered User
Fresh Surpasser
 
Joined in Nov 2004
19 posts
Gave thanks: 0
Thanked 0 times
Quote:
Originally Posted by Haugland
What scripts are you running on your site? Have you checked various folders for any unrecognized files or even folders you don't remember putting there?

I'm pretty sure e-mail from Surpass would be going through the main Surpass Hosting server. Also, note the e-mail addresses in the "From:" part. They're "service" and "admin" at your domain. I think that gives a pretty good clue someone else is sending these e-mails.

Also remember that it could potentially be another account on your server sending the e-mails.

All the folders look the same.. I am the only one with an e-mail address on my account.. I'm assuming someone got my password somehow..
mikeamos is offline  
Old June 7th, 2005, 1:20 PM   #4 (permalink)
H
after g, before i
Resident.
 
H's Avatar
 
Joined in Jul 2004
Lives in N,BC,CA
8,058 posts
Gave thanks: 48
Thanked 129 times
If you're running any PHP scripts like phpNuke, phpBB, etc., something like that, they could have found an exploit to send e-mails from your server, or perhaps buried a script somewhere to do it.

You might want to e-mail support or abuse about it and have them check it out. You can do that at http://desk.surpasshosting.com/
H is offline  
Old June 7th, 2005, 4:26 PM   #5 (permalink)
Registered User
Comfy Contributor
 
Joined in Mar 2004
Lives in Herts, UK
Hosted on Webdev & SH108
111 posts
Gave thanks: 0
Thanked 0 times
Quote:
Received: from pool-141-157-8-207.balt.east.verizon.net ([141.157.8.207] helo=mikeamos.net)
Doesn't look like it's coming from surpass to me, unless there is some kind of forwarding at the other end? (or I'm being stupid, something could have blanked in my mind for all I know... heh)
__________________
http://www.blamethepixel.com
Webdev (formerly Serenity)

Last edited by zogger; June 7th, 2005 at 4:27 PM.
zogger is offline  
Old June 7th, 2005, 4:37 PM   #6 (permalink)
H
after g, before i
Resident.
 
H's Avatar
 
Joined in Jul 2004
Lives in N,BC,CA
8,058 posts
Gave thanks: 48
Thanked 129 times
Actually, that makes sense Zogger. I just checked some headers in my e-mail and it's very similar. I received an e-mail from buddhapuss.

Quote:
Received: from hauglan by pipe.surpasshosting.com with local-bsmtp (Exim 4.43) id 1DZ9Gk-0004Vd-Uz for mike@haugland.ca; Fri, 20 May 2005 11:18:38 -0400
Received: from [66.194.153.1] (helo=fairytale.illecebra.org) by pipe.surpasshosting.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.43) id 1DZ9Gk-0004VZ-Qu for mike@haugland.ca; Fri, 20 May 2005 11:18:34 -0400
Received: from pool-**-***-***-***.nwrk.east.verizon.net ([**.***.***.***] helo=[192.168.1.101]) by fairytale.illecebra.org with esmtpa (Exim 4.44) id 1DZ9Gf-0008HN-9t for mike@haugland.ca; Fri, 20 May 2005 11:18:29 -0400
Please note I removed Buddhapuss's IP.
H is offline  
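The header reading zogger and H apply above (the lowest Received: line is the hop closest to the sender, and a Verizon dial-up pool claiming helo=mikeamos.net is not a Surpass server) can be automated. The script below is an added example, not code from the thread or from Surpass: it unfolds a raw header block, walks the Received: chain from final delivery back to the originating hop, and reports the things a defender checks when a message looks like it came from the victim's own domain. The sample header block is the first set of headers quoted in the thread, with the continuation lines re-folded and the '@' signs the forum stripped put back; the domain mikeamos.net, the trusted relay list and the function names are assumptions supplied for illustration.

```python
import re

# Constructed sample: the first header block quoted in the thread, with the
# continuation lines re-folded (leading whitespace) and the '@' signs that the
# forum software stripped put back.  Body and MIME parts omitted.
SAMPLE_HEADERS = """\
Return-path: <mikeamo@sh56.surpasshosting.com>
Envelope-to: mike@mikeamos.net
Delivery-date: Tue, 07 Jun 2005 08:56:27 -0400
Received: from mikeamo by sh56.surpasshosting.com with local-bsmtp (Exim 4.43)
    id 1Dfdd3-0008MX-Pv
    for mike@mikeamos.net; Tue, 07 Jun 2005 08:56:27 -0400
Received: from pool-141-157-8-207.balt.east.verizon.net ([141.157.8.207] helo=mikeamos.net)
    by sh56.surpasshosting.com with esmtp (Exim 4.43)
    id 1Dfdd1-0008MN-Kr
    for mike@mikeamos.net; Tue, 07 Jun 2005 08:56:25 -0400
From: service@mikeamos.net
To: mike@mikeamos.net
Subject: Account Alert
Date: Mon, 6 Jun 2005 20:57:04 -0700
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
    DATE_IN_PAST_06_12,MISSING_MIMEOLE,NO_REAL_NAME,PRIORITY_NO_NAME,
    RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.3

"""

# One Received: header as Exim writes it:
#   from <reverse DNS> ([<ip>] helo=<name claimed in HELO>) by <relay> ...
# The parenthesised part is absent for local (non-SMTP) submissions.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\(\[(?P<ip>[0-9.]+)\](?:\s+helo=(?P<helo>[^\s)]+))?\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# SpamAssassin rules meaning the sending IP sits in a dial-up / dynamic pool list.
DIALUP_RULES = {"RCVD_IN_NJABL_DUL", "RCVD_IN_SORBS_DUL"}


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                  # blank line ends the headers
        if line[0] in " \t" and headers:           # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_chain(headers):
    """Parsed Received: hops ordered from the originating hop to final delivery.

    Each relay prepends its own line, so the first Received: in the block is
    the last hop and the last one is the hop closest to the sender."""
    hops = []
    for name, value in headers:
        if name.lower() == "received":
            m = RECEIVED_RE.search(value)
            if m:
                hops.append(m.groupdict())        # unmatched groups come back as None
    hops.reverse()
    return hops


def spam_tests(headers):
    """Set of SpamAssassin rule names from X-Spam-Status, if present."""
    for name, value in headers:
        if name.lower() == "x-spam-status":
            m = re.search(r"tests=(.+?)(?:\s+autolearn=|$)", value)
            if m:
                return {t.strip() for t in m.group(1).split(",") if t.strip()}
    return set()


def analyse(raw, own_domain, trusted_relays):
    """Report where the message entered our relays and which signs of forgery it shows."""
    headers = unfold_headers(raw)
    hops = received_chain(headers)
    tests = spam_tests(headers)
    trusted = {r.lower() for r in trusted_relays}
    own = own_domain.lower()
    findings = []

    # The hop that handed the message to the first of our own relays.
    entry = next((h for h in hops if h["by"].lower() in trusted), None)
    if entry and entry["ip"] and entry["name"].lower() not in trusted:
        findings.append(f"entered {entry['by']} over SMTP from external host "
                        f"{entry['name']} [{entry['ip']}]")
    # A foreign host announcing itself in HELO as our own domain.
    if entry and entry["helo"] and entry["helo"].lower().endswith(own) \
            and not entry["name"].lower().endswith(own):
        findings.append(f"HELO claims {entry['helo']} but reverse DNS is {entry['name']}")
    # DNSBL evidence that the sending IP is a consumer dial-up/DSL pool.
    dul = tests & DIALUP_RULES
    if dul:
        findings.append("sending IP listed in dial-up DNSBLs: " + ", ".join(sorted(dul)))
    # ALL_TRUSTED next to an external entry hop means the scanner's idea of
    # trusted networks is worth reviewing.
    if "ALL_TRUSTED" in tests and findings:
        findings.append("ALL_TRUSTED fired although the message has an external origin")
    return {"origin": hops[0] if hops else None, "entry": entry, "findings": findings}


if __name__ == "__main__":
    # mikeamos.net and the relay name are taken from the thread; treating the
    # relay as the only trusted host is an assumption for this example.
    report = analyse(SAMPLE_HEADERS, "mikeamos.net", {"sh56.surpasshosting.com"})
    for hop in received_chain(unfold_headers(SAMPLE_HEADERS)):
        print(f"{hop['name']:45} -> {hop['by']}  ip={hop['ip']} helo={hop['helo']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the sample, the origin hop resolves to pool-141-157-8-207.balt.east.verizon.net with helo=mikeamos.net, and all four findings fire: the message entered sh56.surpasshosting.com from an external host, the HELO name does not match the connecting host, both dial-up DNSBL rules hit, and ALL_TRUSTED was still set. The Return-path and the first Received: line only look local because Exim's local-bsmtp delivery to the mailbox is the final hop, which is exactly why reading the chain bottom-up matters.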
Old June 7th, 2005, 4:41 PM   #7 (permalink)
Registered User
Fresh Surpasser
 
Joined in Nov 2004
19 posts
Gave thanks: 0
Thanked 0 times
OK, so it's an external source? That makes me feel much more comfortable.
mikeamos is offline  
Old June 16th, 2005, 12:19 AM   #8 (permalink)
Registered User
Fresh Surpasser
 
Joined in Oct 2004
5 posts
Gave thanks: 0
Thanked 0 times
You've been hacked just like me. Fooled into opening a zip? You've installed a trojan that is downloading all your hard drive info to the perpetrator. Your virus scanner will not see it because it is custom made to target only Surpass email accounts and not a part of general virus attacks. Demand that Surpass supply you with a utility to remove the virus that has been installed on your computer and, for God's sake, unplug your computer from the internet until you're clean.
patmos is offline  
Old June 16th, 2005, 1:55 AM   #9 (permalink)
Surpass Abuse Admin
Super #1
 
removed's Avatar
 
Joined in Mar 2005
Lives in Houston, TX
Hosted on NONE
7,794 posts
Gave thanks: 10
Thanked 277 times
Quote:
Originally Posted by patmos
You've been hacked just like me. Fooled into opening a zip? You've installed a trojan that is downloading all your hard drive info to the perpetrator. Your virus scanner will not see it because it is custom made to target only Surpass email accounts and not a part of general virus attacks. Demand that Surpass supply you with a utility to remove the virus that has been installed on your computer and, for God's sake, unplug your computer from the internet until you're clean.
You should really, really ASK before posting something like this and scaring people.

Chances are it's just this. I've seen hundreds of these over the last month:
http://securityresponse.symantec.com...ober.o@mm.html
__________________
Unofficial IRC Channel: #surpass EFNet
Unofficial = No official support. Support requests can be submitted to our helpdesk.
removed is offline  