cPanel & ylmf-pc

The curiosity of the attacker that will not let it go.

Having managed to play the game with the duck fox and dog or whatever it is across the river to ensure a user who didn’t keep his stuff up to date wrestles back control of his CONTROL PANEL (we are not just talking p0wn3d code here – we are talking users, emails, FTP, all poor lamb).

We were quick to blame the Dropbox disclosure – and maybe that is involved, however – what we are seeing is bruting of email accounts, then password resets, tracks covered, in, user locked out, resets are pointless and so on.

I digress.

This morning they are trying to wrestle their way back in again – and I am watching it unfold.

How.

Well a bunch of ways – but the one that is sticking out like the proverbial ‘poo in a swimming pool’ is the use of a common mail agent from multiple locations – a lot of them being in China (although obviously no indication of source).

The mail agent is one I have seen enough times before – ylmf-pc – and it's failing authentication right, left and centre.

You would think that a tool as common as this would use a randomised string or the rDNS of its source? But no. This makes our life (for now) easier.

So – these are cPanel hosts they are hounding for some reason. Aide mémoire – you stopped it like this last time:

  • SSH in and create /etc/heloblocks. Edit that file and add, one per line, the HELO names you want to block – so for us we have ylmf-pc
  • Log into cPanel WHM and head over to Exim Configuration Manager, and click the Advanced Editor tab.
  • Ctrl+F to find custom_begin_smtp_helo, as the Exim config has a bunch of pre-done containers for this kind of joy… and then enter the following:

drop
condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
log_message = HELO/EHLO – HELO on heloblocks Blocklist
message = HELO on heloblocks Blocklist
accept

  • Click the tick next to the box, and scroll down to the bottom of the frame and click SAVE (which also restarts Exim with your new settings).
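As an added example (not part of the original post), the shell below mirrors what the Exim ACL above does, so you can sanity-check a heloblocks file offline and then count how often the block fires from the mainlog. The blocklist path, the `helo_blocked`/`count_blocklist_hits`/`top_blocked_ip` functions and the sample log lines are all constructed for this example; the whole-line `grep -Fx` match is an approximation of Exim's lsearch lookup, and the log lines only resemble a HELO ACL rejection carrying the log_message from the post.

```shell
#!/bin/sh
# Added example: offline check of a HELO blocklist (approximating the Exim
# lsearch lookup in the post) plus a tally of rejections from Exim log lines.
# The file path, function names and sample log lines are constructed.

# Use a scratch copy rather than the real /etc/heloblocks (needs root).
HELOBLOCKS="${HELOBLOCKS:-/tmp/heloblocks.example}"

# Write a sample blocklist: one HELO name per line, as the post describes.
write_blocklist() {
    printf '%s\n' 'ylmf-pc' 'localhost.localdomain' > "$HELOBLOCKS"
}

# helo_blocked NAME -> exit 0 if NAME is an exact whole-line match in the
# blocklist, 1 otherwise. -F: fixed string, -x: whole line, -q: quiet.
helo_blocked() {
    grep -Fxq -- "$1" "$HELOBLOCKS"
}

# Constructed Exim mainlog lines resembling HELO ACL drops that carry the
# log_message from the post, plus one normal accepted message. IPs are from
# documentation ranges.
SAMPLE_LOG='2014-10-20 09:12:01 H=(ylmf-pc) [203.0.113.5] rejected HELO or EHLO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
2014-10-20 09:12:07 H=(ylmf-pc) [198.51.100.9] rejected HELO or EHLO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
2014-10-20 09:12:09 1XfQ2a-0001bC-7y <= sender@example.net H=mail.example.net [192.0.2.10] P=esmtp S=2048
2014-10-20 09:12:15 H=(ylmf-pc) [203.0.113.5] rejected HELO or EHLO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist'

# count_blocklist_hits -> number of log lines carrying the blocklist log_message
count_blocklist_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'HELO on heloblocks Blocklist'
}

# top_blocked_ip -> the source IP with the most blocklist rejections
top_blocked_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep 'HELO on heloblocks Blocklist' \
      | sed -n 's/.*\[\([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

write_blocklist
helo_blocked ylmf-pc && echo "ylmf-pc: blocked"
helo_blocked ylmf-pc2 || echo "ylmf-pc2: not blocked (exact match only)"
echo "blocklist hits: $(count_blocklist_hits)"
echo "busiest blocked source: $(top_blocked_ip)"
```

The exact-match check is the point worth noticing: a HELO of `ylmf-pc2` sails past a list containing only `ylmf-pc`, so if the agent string drifts you need a new line in the file, not a rewrite of the ACL. The per-IP tally over the real mainlog is what tells you whether the block is still earning its keep.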

While they persist in using the same agent this is one less thing to piss me off today. *sigh*

*This overview was taken from an article found here.

2 Responses to “cPanel & ylmf-pc”

  • Equally another option you may wish to pursue is firewall based – depending on your access and flexibility:

    iptables -A INPUT -p tcp --dport 25 -m string --string ylmf-pc --algo bm -j DROP

    However, this only tackles email coming in from port 25. Anything on encrypted ports you are going to struggle with here. But nonetheless – iptables.

  • This appears to be CUTWAIL & PUSHDO related – and still as relative now as it was then. Old bots don’t seem to die.

    https://en.wikipedia.org/wiki/Cutwail_botnet
