Disk space notification - e-mails

Genesis

Administrator
Staff member
Sent via PM

cpanel name: jamiem
Website: svflash.com

toysareforboys said:
I got a low disk space notification today:

"The account with the username 'jamiem' (svflash.com), is running out of disk space.

Please remove some files from this account, or ask the administrator to increase your disk quota.

This account has used 87.12% (871.24/1000.00 MB) of its allocated disk space.

!! Do not respond to this message. Your reply will go nowhere. !!"

I checked our website, it's under 100mb in size? When I logged into cpanel it said "mail" was using 800mb, but we don't even use e-mail on our svflash.com domain??

Have a look, see if you can figure out what's up :(

-Jamie M.
 

un4saken

Administrator
This is your current mail folder: 819 MB.

Code:
root [/]# du -h /home/jamiem/mail/cur
819M	/home/jamiem/mail/cur
root [/]# _


Your account is sending out emails every 3 seconds. This is the example content of your emails:

------ This is a copy of the message, including all the headers. ------

Return-path: <jamiem@hero.gigadnsserver.com>
Received: from jamiem by hero.gigadnsserver.com with local (Exim 4.82)
(envelope-from <jamiem@hero.gigadnsserver.com>)
id 1XhypS-002qw3-Fo
for candyle-----@yahoo.com; Sat, 25 Oct 2014 11:44:15 +0100
To: candyle-----@yahoo.com
Subject: Ship Notification
From: "FedEx Priority Overnight" <support@svflash.com>
X-Mailer: EasyDMfree
Reply-To: "FedEx Priority Overnight" <support@svflash.com>


You may want to play with your site configuration. Sending emails every 3 seconds is not normal. Your account will be automatically suspended if it continues like this.
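Added example, not part of the original thread: the `Received:` line in the copy above says `with local`, which is how Exim records a message handed to it by a process on the server rather than over SMTP. The sketch below reads that token, compares the envelope and visible sender domains, and measures the sending interval; the header template, queue id, recipient and the authenticated-SMTP clause are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header template modelled on the message quoted in the thread;
# the queue id, recipient and the AUTHED clause are made up for illustration.
TEMPLATE = (
    "Return-path: <jamiem@hero.gigadnsserver.com>\n"
    "Received: {recv} (Exim 4.82)\n"
    " id 1AAAAA-000001-AA for someone@example.com; {date}\n"
    'From: "FedEx Priority Overnight" <support@svflash.com>\n'
    "X-Mailer: EasyDMfree\n\nbody\n"
)
LOCAL = "from jamiem by hero.gigadnsserver.com with local"
AUTHED = "from [203.0.113.7] (helo=laptop) by hero.gigadnsserver.com with esmtpsa"

RECEIVED_RE = re.compile(r"from (\S+).*? by (\S+) with (\S+)")

def submission_path(protocol):
    """Map Exim's 'with <protocol>' token to how the message entered the queue."""
    if protocol == "local":
        return "local process on the server (script, cron job, sendmail binary)"
    if protocol in ("esmtpa", "esmtpsa"):
        return "authenticated SMTP (mailbox credentials were used)"
    return "unauthenticated SMTP"

def analyse(raw):
    msg = message_from_string(raw)
    received = " ".join(msg.get("Received", "").split())  # unfold the header
    m = RECEIVED_RE.search(received)
    protocol = m.group(3) if m else "unknown"
    envelope = parseaddr(msg.get("Return-path", ""))[1].rpartition("@")[2]
    visible = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return {
        "submitter": m.group(1) if m else None,
        "protocol": protocol,
        "path": submission_path(protocol),
        "from_differs_from_envelope": envelope != visible,
        "mailer": msg.get("X-Mailer"),
        "time": parsedate_to_datetime(received.rsplit(";", 1)[-1].strip()),
    }

def mean_interval_seconds(raws):
    """Average gap between consecutive messages, by Received timestamp."""
    times = sorted(analyse(r)["time"] for r in raws)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps) if gaps else None

if __name__ == "__main__":
    burst = [TEMPLATE.format(recv=LOCAL, date=f"Sat, 25 Oct 2014 11:44:{s} +0100")
             for s in (15, 18, 21)]
    print(analyse(burst[0])["path"], mean_interval_seconds(burst))
```

A `local` result points the investigation at files under the account's web root; an `esmtpa`/`esmtpsa` result points at a mailbox password instead.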
 

Genesis

Administrator
Staff member
@un4. As far as I can see, Jamie isn't using his Webmail account for his Website. Someone else is. Which means it has been hacked. I don't have shell access. Is it possible for you to empty the "cur" folder, and also disable his Webmail account so that the hacker can't use it any longer? Check the relays. There have been more than 1000 e-mails sent through his account over a very short period.
 

toysareforboys

New member
un4saken said:
This is your current mail folder: 819 MB.

Code:
root [/]# du -h /home/jamiem/mail/cur
819M	/home/jamiem/mail/cur
root [/]# _


Your account is sending out emails every 3 seconds. This is the example content of your emails:

------ This is a copy of the message, including all the headers. ------

Return-path: <jamiem@hero.gigadnsserver.com>
Received: from jamiem by hero.gigadnsserver.com with local (Exim 4.82)
(envelope-from <jamiem@hero.gigadnsserver.com>)
id 1XhypS-002qw3-Fo
for candyle-----@yahoo.com; Sat, 25 Oct 2014 11:44:15 +0100
To: candyle-----@yahoo.com
Subject: Ship Notification
From: "FedEx Priority Overnight" <support@svflash.com>
X-Mailer: EasyDMfree
Reply-To: "FedEx Priority Overnight" <support@svflash.com>


You may want to play with your site configuration. Sending emails every 3 seconds is not normal. Your account will be automatically suspended if it continues like this.

We don't use any e-mail (webmail or otherwise) on the svflash.com domain?! I tried to use my FTP program (bitkenix) to delete the cur folder, but it looks like it's going file by file, says 4 months, 3 years, 8 months and 11 days remaining :( If possible, could you delete it from your end?

If possible could you also disable any and all e-mail to/from svflash.com?

-Jamie M.
 

un4saken

Administrator
I deleted all current emails, but your website script keeps sending them, so your quota will fill up again shortly. I suggest you find that loophole in your script and fix it, or your account will be automatically suspended when you are over your quota.

FedEx



Dear Customer,

Your parcel has arrived at October 30. Courier was unable to deliver the parcel to you.
To receive your parcel, print this label and go to the nearest office.



Get Shipment Label
 

Genesis

Administrator
Staff member
@Jamie. I checked Drupal security advisories and it looks as though Drupal released an emergency advisory for Drupal 7 together with a patch for the script on 15 October. If this patch had not been applied within hours of releasing it, it is likely that your site has been irreparably breached. It may be better for you to build the site from scratch or from a backup dated before 15 October.

Check the Drupal FAQs at the link below:
https://www.drupal.org/node/2357241

As well as this emergency announcement of 29 October:
https://www.drupal.org/PSA-2014-003

Drupal Security Team said:
The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:

While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

Here is a link to the page for how to subscribe to the security advisories mailing list:
https://www.drupal.org/security