Yesterday morning I started the day with a check of email —0– 1100 messages… ?? Yes 1100. Most of them were filtered into a folder I set up for delivery failures some time back. (about 950), (about 100 to junk mail and then 50 to the inbox). I started investigating because my usual morning haul is 150 or so with 2/3′s being filtered into a spam folder, the rest being routine messages from scripts on servers I monitor, daily correspondence, mailing list digests/etc….
It appears that most were delivery failures and they apparently had originally been sent from a script in this domain (cgi-bin/cgiemail) I hadn’t remembered installing that script, so I immediately suspected somehow my account had been compromised. I looked into it and found the suspect script. Trying a test run of it through my browser and then about 9-11 AM (Eastern Time) yesterday (May 26th) I disabled it by taking away all read/write/execute privilages. I noticed from my logs that the hits against it stopped several hours later. I’ve still been getting tons of delivery failures (now up to 4000) and now I had a mystery of why the script was there. On investigation I found that all my accounts through my webhost provider had this script. None of the others seemed to be bothered (yet) though. On even further investigation, it appears that my webhost provider installed this script on new scripts at some time in the past. (No longer). I don’t make use of it, and neither do any of my other sites with perhaps 1 exception.
That was certainly annoying, a nuisance and disturbing. So last night I inquired in the forums of my service provider, giving details and asking if anyone else had seen similar behaviour, etc.
Now comes the part that has made me just a bit ill. At 5PM today (May 27th) I receive a rather terse message from my webhost provider. The subject is along the lines of “averyjparker.com TOS warning” (there was a tracking number too). (Terms of service warning.) Basically they say that THEY have disabled a script on my site that has been compromised by spammers and I need to find some other script to use. What irks me is this is a TOS WARNING!! Over a script that my service provider installed apparently by default on all their accounts for a period of time. I’ve suggested that they post an advisory for all account holders to look into replacing the script in question or simply removing it if it’s not used.
It’s also a bit amusing to me that they finally disabled the offending script 36 hours after I discovered and disabled the fool thing MYSELF. I’ve logged in several times since then to doublecheck the permissions/test the script and verify that it was still inactive. AND it was… According to my logs the attempts to use the script stopped around 2-3 hours after it started giving them 403 errors.
To tie this into another point I’ve made in some of the updates I’ve had here on the page. The ip addresses of machines pulling this page are literally ALL over the net. Most seem to be PRIVATE BROADBAND users. Once again we’re seeing more evidence of trojaned/virus infected machines being used as tools in sending junk mail. In fact it wouldn’t surprise me if, in part, the script on this site has been targeted/exploited because I’ve drawn this connection before.
Now, to sum up…. I have received a Terms Of Service Warning, because spammers have used trojaned/viral infected systems that are NOT mine to execute a script on my webserver which I did not install, but which my service provider installed by default probably when I set up my account.
Related PostsRelated Posts
- Google trying to warn about dangerous pages SunbeltBlog is talking about a new sign that Google is stepping up to try to protect users against potentially malicious sites. They have a screenshot, which I was able to verify, that gives a warning before allowing a user to proceed to a page that "Warning - the site you......
- Get paid for the mistakes you make.... It seems that some companies are fortunate enough to be able to make money even from their faults. The Monterey Herald details an account of a woman who was informed by Choicepoint that crooks had accessed some of her personal information. This was apparently due to a lapse in security......
- The basics Well to start out, this might should be crosslinked in the computer security section, but I'm putting it in commentary primarily to catch those who might not typically look at computer security. First, why should you care about keeping your computer secure? I've heard people ask something like this. Usually......
- Digital TV Aerial Installers - Get Your Aerial Installed Are you like the many other people who are looking for digital TV aerial installers who can deliver quick high quality service? If you need an aerial installed in either your home or business it's important that the company you choose not only provide a competitive price but also......
- Sea World Marina, San Diego, CA Phone: 619.226.3915 Average Water Depth: 9 feet is the average at this marina, but it is always a good idea to check ahead before you arrive. Marine Standby Channel: The marina monitors Channel 16, but you can always reach them by phone if you have difficulty getting through. Is......
- Diet Food Delivery Review DietFoodDelivery.org is a comprehensive guide informing you of the latest available diet food delivery services as well as an in depth look of each service they have listed. Each service has its own section with detailed information such as sample menus, special offers, testimonials, and a summary. You can compare......
- Web Hosting
- Share This Plugin not Working in Some Themes
- Google Analytics Feature Tease
- Sorry for the vanishing act