Interesting spam issue (need help)

Discussion in 'HOWTO-Related Questions' started by almere, Dec 24, 2017.

  1. almere

    almere Member HowtoForge Supporter

    Hi All.

    There is a quite interesting issue happening right now on some of our servers. Spam is being sent, there are no logs in /var/log/mail.*, and it's not being sent from PHP.

    The server was installed with perfect server how-to.

    To be able to find anything, I used tcpdump. And this is what I found:

    Code:
    ............
    11:20:41.116845 IP hosting.eurohoster.org.smtp > myserver.example.com.53511: Flags [.], seq 1:2897, ack 120, win 114, options [nop,nop,TS val 921013505 ecr 2395700626], length 2896: SMTP: HTTP/1.1 200 OK
    [email protected]...]XJ.Xce...../X@".......rq......
    6.....}.HTTP/1.1 200 OK
    
    ..<...5z..
    ...Xce..z#HD.jx@>..BF.r....l/m......2..R..C....mF..w;z..O.B.f..F._....4.........i..Constantmark <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail Xx <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    some_mail <[email protected]>
    etc... around 50 recipients

    So as you can see, the login e-mail address is also not visible.

    Why is it not being logged in Postfix?
    Any thoughts on how to catch the spammer?

    Thanks!
     
    Last edited: Dec 24, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    One possibility is that there is a standalone script or program which has its own SMTP library, so it does not need Postfix for sending. This can be a web script, so I won't say that PHP is not a possible source.

    - Check with netstat whether there are any unusual ports open.
    - Check if there is unusually high activity from a 'web[ID]' user with e.g. top, and then check the access.log of this site for unusual POST requests.
    - Check the running processes with 'ps aux'; anything unusual there?
    - Scan the server for malware, e.g. with ISPProtect (there is a free trial for ISPProtect: https://ispprotect.com/), and for rootkits with rkhunter or lynis.
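The netstat / ps / lsof checks above, put together as an added example (this is not code from the thread or from ISPConfig): it maps every outbound SMTP connection (remote port 25, 465 or 587) in `ss -tnp` output back to the local process, then pulls the details ps and lsof give for that PID. The `SAMPLE_SS` text is constructed to stand in for real `ss -tnp` output so the parsing can be checked offline; its host names, IPs and PIDs are made up.

```shell
#!/bin/sh
# Added example (not from the thread): map outbound SMTP connections to the
# local processes that opened them, then triage each process. Input is the
# output of `ss -tnp`; SAMPLE_SS is a constructed stand-in for it (made-up IPs,
# PIDs and process names) so the script runs offline.

SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 203.0.113.10:53511 198.51.100.7:25 users:(("perl",pid=4242,fd=3))
ESTAB 0 0 203.0.113.10:41000 198.51.100.9:443 users:(("apache2",pid=1200,fd=12))
ESTAB 0 0 203.0.113.10:53512 198.51.100.8:587 users:(("php",pid=4243,fd=5))
ESTAB 0 0 203.0.113.10:25 192.0.2.5:40001 users:(("smtpd",pid=900,fd=6))'

# smtp_peers: read `ss -tnp` output on stdin, print "peer pid command" for each
# established connection whose REMOTE port is a mail submission port.
# Inbound deliveries to our own port 25 (local port 25, random remote port)
# are deliberately not matched: that is Postfix's smtpd, not a spammer.
smtp_peers() {
    awk '
    $1 == "ESTAB" {
        peer = $5
        n = split(peer, a, ":")          # last field is the port, also for "[::1]:25"
        port = a[n]
        if (port == 25 || port == 465 || port == 587) {
            split($6, p, "\"")           # users:(("perl",pid=4242,fd=3)) -> p[2] = perl
            comm = p[2]
            match($6, /pid=[0-9]+/)
            pid = substr($6, RSTART + 4, RLENGTH - 4)
            print peer, pid, comm
        }
    }'
}

# triage_pid PID: if the process is still alive, show who runs it, when it
# started, its working directory and executable, and the files/sockets it holds
# open (lsof needs root to inspect other users' processes). A sender that exits
# between connections is reported as gone; that is a hint to keep `ss -tnp`
# or tcpdump running in a loop instead of sampling once.
triage_pid() {
    pid=$1
    if [ -d "/proc/$pid" ]; then
        ps -o user=,lstart=,args= -p "$pid"
        ls -l "/proc/$pid/cwd" "/proc/$pid/exe" 2>/dev/null
        lsof -p "$pid" 2>/dev/null | awk '$4 == "cwd" || $4 == "txt" || $5 ~ /^IPv[46]$/'
    else
        echo "pid $pid: process already gone"
    fi
}

# Run with --live on a real host; without the flag the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    ss -tnp | smtp_peers
else
    printf '%s\n' "$SAMPLE_SS" | smtp_peers
fi | while read -r peer pid comm; do
    echo "== $comm (pid $pid) -> $peer"
    triage_pid "$pid"
done
```

Run it as root with `--live` so `ss` can see every user's sockets. On older systems without `ss`, `netstat -tnp` gives the same information but with a different column layout (PID/Program name as the last field), so the awk field numbers would need adjusting. The apache2 connection to port 443 and the inbound smtpd session in the sample are there on purpose: both are normal and must not be flagged.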
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    And lsof is a handy tool as well; use it to find out more about the process that you caught with tcpdump.
     
  4. almere

    almere Member HowtoForge Supporter

    @till thanks for your response. This problem was solved on another server by resetting the passwords for all e-mail accounts. Now I have (I think) the same problem on another server, but here I have many more mail accounts, so resetting passwords is not an option.

    Did some research on the Apache access log, nothing strange (like normal, WP bruteforce, comments, etc.). No weird things in top, ps and netstat either....

    Got an ISPProtect license, but it's not a good idea to scan 800 GB of files. Any other thoughts?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    When the sending was done through a hacked mail account, then you should see the mails in the mail.log and you should see them in the mail queue (command postqueue -p). Please check the mail queue to see if there are some unsent spam mails there.

    We have clients that scan several terabytes of web files regularly, so I don't see any problems with that storage size. It will take a few hours to scan them of course.

    Besides that, you can try to find out more about the sending processes with the ps command and lsof.

    If you need help via remote login, try to contact Florian from ISPConfig business support. He is a specialist for mail systems. But I'm not sure if he is working on Christmas Day. http://www.ispconfig.org/get-support/?type=ispconfig
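The "hacked mail account" check from the post above, worked out as an added example (not code from the thread or from ISPConfig): the first function counts queued recipients per envelope sender in `postqueue -p` output, the second counts SMTP AUTH sessions and distinct client IPs per `sasl_username` in the Postfix log. One account sending to many recipients from several unrelated IPs is the pattern a stolen password produces, which narrows a password reset down to that account instead of all of them. Both samples below are constructed; the addresses, queue IDs and IPs are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find a compromised mail account from
# the Postfix queue and log. SAMPLE_QUEUE and SAMPLE_LOG are constructed
# stand-ins for `postqueue -p` and /var/log/mail.log (made-up data).

SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E*    4523 Sun Dec 24 11:20:41  bob@example.com
                                         victim1@example.net
                                         victim2@example.net
                                         victim3@example.org

5F6A7B8C9D     2111 Sun Dec 24 11:21:03  bob@example.com
     (connect to mail.example.net[192.0.2.25]:25: Connection refused)
                                         victim4@example.net
                                         victim5@example.org

7C8D9E0F1A     1020 Sun Dec 24 11:22:15  alice@example.com
                                         friend@example.net

-- 8 Kbytes in 3 Requests.'

SAMPLE_LOG='Dec 24 11:20:41 myserver postfix/smtpd[4101]: 3A1B2C3D4E: client=unknown[198.51.100.5], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 24 11:20:52 myserver postfix/smtpd[4102]: 4B2C3D4E5F: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 24 11:21:03 myserver postfix/smtpd[4103]: 5F6A7B8C9D: client=unknown[198.51.100.5], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 24 11:21:40 myserver postfix/smtpd[4104]: 6A7B8C9D0E: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.com
Dec 24 11:22:15 myserver postfix/smtpd[4105]: 7C8D9E0F1A: client=alice-laptop.example.com[192.0.2.40], sasl_method=PLAIN, sasl_username=alice@example.com
Dec 24 11:22:30 myserver postfix/smtpd[4106]: 8D9E0F1A2B: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 24 11:23:01 myserver postfix/smtpd[4107]: 9E0F1A2B3C: client=mx.example.net[198.51.100.20]'

# queue_recipients_by_sender: read `postqueue -p` on stdin, print
# "recipients sender", most recipients first. A queue-id line carries the
# sender as its last field; the indented lines under it are recipients, except
# the "(reason)" lines Postfix adds for deferred mail, which are skipped.
queue_recipients_by_sender() {
    awk '
    /^[0-9A-Za-z]+[*!]? / { sender = $NF; next }
    /^[ \t]/ && $1 ~ /@/ && $1 !~ /^\(/ && sender != "" { count[sender]++ }
    END { for (s in count) print count[s], s }
    ' | sort -rn
}

# sasl_logins_by_user: read Postfix smtpd log lines on stdin, print
# "sessions distinct_ips sasl_username", busiest first. Lines without
# sasl_username (unauthenticated inbound mail) are ignored.
sasl_logins_by_user() {
    awk '
    /sasl_username=/ {
        u = $0; sub(/.*sasl_username=/, "", u); sub(/[ ,].*/, "", u)
        rest = substr($0, index($0, "client=") + 7)     # "unknown[198.51.100.5], sasl_method=..."
        ip = substr(rest, index(rest, "[") + 1)
        ip = substr(ip, 1, index(ip, "]") - 1)
        sessions[u]++
        if (!((u, ip) in seen)) { seen[u, ip] = 1; ipcount[u]++ }
    }
    END { for (u in sessions) print sessions[u], ipcount[u], u }
    ' | sort -rn
}

echo "== queued recipients per envelope sender"
printf '%s\n' "$SAMPLE_QUEUE" | queue_recipients_by_sender
echo "== SMTP AUTH sessions / distinct client IPs per account"
printf '%s\n' "$SAMPLE_LOG" | sasl_logins_by_user
```

On a live server the calls are `postqueue -p | queue_recipients_by_sender` and `grep sasl_username /var/log/mail.log | sasl_logins_by_user`. If the queue and the log both stay empty while tcpdump still shows outbound SMTP, the mail is not passing through Postfix at all, which points back to a process with its own SMTP client rather than a stolen mailbox password.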
     
