Good evening everyone, I'm having trouble tracking down some weird spam happening on my server. The one thing I'd like someone to tell me is how to identify an outgoing email when it's described as [email protected]ere. All of the emails, actually thousands of them, are using this name, when of course there is no account named after that. The system is identifying it as some alias, I guess. Any help is very welcome.
This means that the email is sent by a web script in site 41. Run: ls -la /var/www | grep web41 to see the domain name. If there are messages in the mail queue, then you can view them with postcat; if the message is sent by PHP, then you should find the name of the sending PHP script in the mail header.
Hey Till, thanks for the quick response. I had that thought myself, so I disabled that website 2 hours ago. The problem is that they're still coming through; I had to "postsuper -d ALL" 8000 emails after disabling it. Any other hints you can offer? I'll run a maldet on that website to check for scripts meanwhile.
Ok, talking to you helped clear my head. Take a look at the maldet results, just for feedback.

malware detect scan report for ---------.--:
SCAN ID: 112813-0847.11775
TIME: Nov 28 08:48:46 -0600
PATH: /var/www/--------.--/web/
TOTAL FILES: 3903
TOTAL HITS: 4
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.344 : /var/www/-------.--/web/modules/mod_ya/mod_ya.php => /usr/local/maldetect/quarantine/mod_ya.php.25415
{HEX}php.mailer.unclassed.494 : /var/www/-------.--/web/modules/mod_ya/themes4.php => /usr/local/maldetect/quarantine/themes4.php.23131
{HEX}php.mailer.unclassed.494 : /var/www/-------.--/web/modules/mod_ya/temp/plugin.php => /usr/local/maldetect/quarantine/plugin.php.12372
{HEX}php.cmdshell.unclassed.344 : /var/www/-------.--/web/administrator/img.php => /usr/local/maldetect/quarantine/img.php.1665
===============================================
Linux Malware Detect v1.4.2 < [email protected] >

Thanks a lot.
No, unfortunately the spam was so intense I didn't have a clear head about it. It was like a bombardment, about 15 mails per second. I know I shouldn't panic, but sometimes even the chill heads freak out.
Ok, this is getting juicy. No I haven't, but this is the response:

root@name_of_the_server:~# ps aux | grep 'web41'
root      5861  0.0  0.0   7548   836 pts/0    S+   10:02   0:00 grep web41
web41    25144  0.1  0.4  38416  4956 ?        S    Nov27   2:45 /usr/bin/crond

How can I check the crontab for this user? "crontab -u web41 -e"? Seems pretty empty. Just default commented (#) stuff.
Check /var/spool/cron/crontabs/web41 and the /etc/cron.* files. BEFORE that, try: lsof -p 25144 to check what files this script accesses. Might be that it only seems to be a cron. Script in camouflage ;D
Nothing good there, they don't even exist, but hey... the spams are back and I have the postcat. Here it goes:

root@name_of_the_server:/etc# postcat -q 15944EEA33
*** ENVELOPE RECORDS active/15944EEA33 ***
message_size: 10006 197 1 0 10006
content_filter: amavis:[127.0.0.1]:10024
message_arrival_time: Thu Nov 28 10:10:43 2013
create_time: Thu Nov 28 10:10:43 2013
named_attribute: rewrite_context=local
sender_fullname:
sender: [email protected]ere
*** MESSAGE CONTENTS active/15944EEA33 ***
Received: by primarysomain.somewhere (Postfix, from userid 5035)
    id 15944EEA33; Thu, 28 Nov 2013 10:10:43 -0600 (CST)
From: [email protected]
To: [email protected]
Subject: =?UTF-8?B?V2lmZW9udGhlc2lkZSBoYXMgY3JlYXRlZCBhIG5ldyBhbGJ1bSBmb3IgLg==?=
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_000E_01CBFA24.ACDEF290"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Message-Id: <[email protected]>
Date: Thu, 28 Nov 2013 10:10:43 -0600 (CST)

This is a multi-part message in MIME format.

------=_NextPart_000_000E_01CBFA24.ACDEF290
Content-Type: multipart/alternative; boundary="----=_NextPart_001_000F_01CBFA24.ACDEF290"

------=_NextPart_001_000F_01CBFA24.ACDEF290
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

Hi . Wifeontheside has created a new album. http://www.janet-victoria.us Support team.

------=_NextPart_001_000F_01CBFA24.ACDEF290
Content-Type: text/html; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Dkoi8-r" http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.19019">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#c8e0d8>
<DIV><FONT size=3D2 face=3DArial>Hi .</FONT></DIV>
<DIV><FONT size=3D2 face=3DArial>Wifeontheside has created a new =
album.</FONT></DIV>
<DIV><FONT size=3D2 face=3DArial><A href=3D"http://rerasezspb.janet-victoria.us"><IMG =
border=3D0=20
hspace=3D0 alt=3D"" align=3Dbaseline=20
src=3D"cid:97FA28ED52C24C1C95A68F9B593BB3CB@pk"></A></FONT></DIV>
<DIV><FONT size=3D2 face=3DArial></FONT> </DIV>
<DIV><FONT size=3D2 face=3DArial><A =
href=3D"http://rerasezspb.janet-victoria.us">Click=20
Here.</A></FONT></DIV>
<DIV><FONT size=3D2 face=3DArial></FONT> </DIV>
<DIV><FONT size=3D2 face=3DArial>Support team.</FONT></DIV>
<DIV><FONT size=3D2 face=3DArial></FONT> </DIV>
<img width=1 src=3D"http://www.traffspider.us/[email protected]&mid=3D21979">
<center>
<br> <br> <br> <br> <br> <br> <br> <br> <br>
<table border=0 cellpadding=10 cellspaccing=10><tr>
<td> <a href=3D"http://[email protected]"> Report SPAM </a> </td>
<td> <a href=3D"http://rerasezspb.janet-victoria.us/unsubscribe.html"> UNSUBSCRIBE (if you do not want to receive any meesages from other users) </a></center> </td>
</tr>
</BODY></HTML>

------=_NextPart_001_000F_01CBFA24.ACDEF290--

------=_NextPart_000_000E_01CBFA24.ACDEF290
Content-Type: image/jpeg; name="wifeontheside02.jpg"
Content-Transfer-Encoding: base64
Content-ID: <97FA28ED52C24C1C95A68F9B593BB3CB@pk>

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a
HBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIy
MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAA/AP4DASIA
AhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQA
(--- some junk like above lines---)

------=_NextPart_000_000E_01CBFA24.ACDEF290--
*** HEADER EXTRACTED active/15944EEA33 ***
original_recipient: [email protected]
recipient: [email protected]
*** MESSAGE FILE END active/15944EEA33 ***
root@name_of_the_server:/etc#

That's it.
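The postcat dump above contains exactly the fields Till's earlier reply points at: the envelope sender (web41@...), the "Postfix, from userid NNNN" stamp in the first Received: header, and, when php.ini has mail.add_x_header = On, an X-PHP-Originating-Script header naming the script that called mail(). The following script is an added example for this thread, not code from the thread, ISPConfig or Postfix; it parses a postcat -q dump, decodes the Subject, maps the uid to a system user through passwd-style lines and lists why the message looks like web-script spam. The sample postcat output and passwd excerpt are constructed and modeled on the dump above (queue id and uid kept, domains replaced by placeholders); the ISPConfig-style home path and the X-PHP-Originating-Script line are assumptions.

```python
"""Triage of a Postfix queue file as dumped by `postcat -q <QUEUE_ID>`.

Added example for this thread (not from the thread, ISPConfig or Postfix).
Extracts the envelope sender, the local uid Postfix records in the first
Received: header when mail is injected through the sendmail binary, the
decoded Subject and the X-PHP-Originating-Script header (present only if
php.ini has mail.add_x_header = On), and maps the uid to a system user.
"""
import email
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed postcat -q output modeled on the thread; domains are placeholders.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS active/15944EEA33 ***
message_size: 10006 197 1 0 10006
content_filter: amavis:[127.0.0.1]:10024
message_arrival_time: Thu Nov 28 10:10:43 2013
sender_fullname:
sender: web41@primarydomain.example
*** MESSAGE CONTENTS active/15944EEA33 ***
Received: by primarydomain.example (Postfix, from userid 5035)
 id 15944EEA33; Thu, 28 Nov 2013 10:10:43 -0600 (CST)
From: support@spammer.example
To: victim@recipient.example
Subject: =?UTF-8?B?V2lmZW9udGhlc2lkZSBoYXMgY3JlYXRlZCBhIG5ldyBhbGJ1bSBmb3IgLg==?=
X-PHP-Originating-Script: 5035:themes4.php
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"

Hi . Wifeontheside has created a new album.
*** HEADER EXTRACTED active/15944EEA33 ***
original_recipient: victim@recipient.example
recipient: victim@recipient.example
*** MESSAGE FILE END active/15944EEA33 ***
"""

# Constructed /etc/passwd excerpt; the home path assumes an ISPConfig-style layout.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:106:112::/var/spool/postfix:/bin/false
web41:x:5035:5032::/var/www/clients/client1/web41:/bin/false
"""

MARK_RE = re.compile(r"^\*\*\* (ENVELOPE RECORDS|MESSAGE CONTENTS|HEADER EXTRACTED"
                     r"|MESSAGE FILE END) (\S+) \*\*\*$", re.MULTILINE)
RECEIVED_UID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")
WEB_USER_RE = re.compile(r"^web\d+$")  # ISPConfig site users are named webNN


def split_postcat(text):
    """Return (queue_id, envelope-record dict, raw RFC 822 message) from postcat output."""
    marks = list(MARK_RE.finditer(text))
    if not marks:
        raise ValueError("not postcat -q output")
    queue_id = marks[0].group(2).rsplit("/", 1)[-1]  # "active/15944EEA33" -> "15944EEA33"
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        sections[m.group(1)] = text[m.end():end].strip("\n")
    envelope = {}
    for line in sections.get("ENVELOPE RECORDS", "").splitlines():
        key, _, value = line.partition(":")
        envelope[key.strip()] = value.strip()
    return queue_id, envelope, sections.get("MESSAGE CONTENTS", "")


def parse_passwd(text):
    """Map numeric uid -> {name, home, shell} from passwd-formatted lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
            users[int(uid)] = {"name": name, "home": home, "shell": shell}
    return users


def triage(postcat_text, passwd_text, web_root="/var/www"):
    """Identify who injected the queued message and why it looks like web-script spam."""
    queue_id, envelope, raw = split_postcat(postcat_text)
    msg = email.message_from_string(raw)
    m = RECEIVED_UID_RE.search(msg.get("Received", ""))
    uid = int(m.group(1)) if m else None
    account = parse_passwd(passwd_text).get(uid)
    envelope_sender = envelope.get("sender", "")
    header_from = parseaddr(msg.get("From", ""))[1]
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    php_script = msg.get("X-PHP-Originating-Script")

    reasons = []
    if account and account["home"].startswith(web_root):
        reasons.append(f"injected locally by uid {uid} ({account['name']}), a site user under {web_root}")
    if WEB_USER_RE.match(envelope_sender.partition("@")[0]):
        reasons.append(f"envelope sender {envelope_sender} is a system user name, not a mailbox")
    if php_script:
        reasons.append(f"PHP mail() call from script {php_script} (format uid:script)")
    if header_from and header_from.lower() != envelope_sender.lower():
        reasons.append(f"From: header {header_from} does not match envelope sender {envelope_sender}")
    return {"queue_id": queue_id, "envelope_sender": envelope_sender, "uid": uid,
            "user": account["name"] if account else None,
            "home": account["home"] if account else None, "header_from": header_from,
            "subject": subject, "php_script": php_script, "reasons": reasons}


if __name__ == "__main__":
    result = triage(SAMPLE_POSTCAT, SAMPLE_PASSWD)
    print(f"{result['queue_id']}: {result['envelope_sender']} (uid {result['uid']} = "
          f"{result['user']}, home {result['home']}) subject={result['subject']!r}")
    for reason in result["reasons"]:
        print(" -", reason)
```

On a live box the same triage works on the real dump (`postcat -q ID | python3 triage.py` with `sys.stdin.read()` and `open("/etc/passwd").read()` in place of the samples). The script name only appears if mail.add_x_header was on before the spam run; without it, the uid from the Received: header plus the site's document root is what narrows the search, which is what maldet then confirmed in this thread.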
I also did a "kill -9" on a perl that was running and an Apache restart. I suppose if the threat was eliminated by maldet, I would have to kill the running processes too, right? Checking the mailq to see if it's rising.
I'm using Debian 6.

PHP 5.3.3-7+squeeze17 with Suhosin-Patch (cli) (built: Aug 23 2013 15:06:16)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
Seems like:

PHP 5.3.3-7+squeeze17 with Suhosin-Patch (cgi-fcgi) (built: Aug 23 2013 15:06:07)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
Did you do the "lsof -p" command from my post on the first page on the running "crond" process of web41?
Seems like the issue was the compromised website, which is an old version of Joomla. The remedy was maldet + killing the perl script that was running (a reboot would do the job too, but I'm against it) + restarting Apache. I don't see any more spam mails queueing up. I consider the problem solved, but I'm still keeping an eye on it. Thanks a lot for helping, Till and Croydon.
Ok, but is the crond still in "ps aux", or have you killed it? The number after "lsof -p" is the process id, so you might have to adjust it to the id of the running web41 process.
You're right; fortunately when I "ps aux | grep 'web41'" it doesn't return cron anymore... thank God. Thanks for reminding me.
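Croydon's "script in camouflage" point (and the lsof -p reminder) is about the gap between what a process calls itself and what the kernel knows about it: ps prints argv, which a perl script can rewrite to /usr/bin/crond, while /proc/PID/exe, /proc/PID/cwd and the "txt" line of lsof -p still show the interpreter and the directory it runs from. The following is an added example for this thread, not code from the thread, ISPConfig or lsof; it reads those /proc entries for every process of a site user and flags the mismatches a disguised script shows. The process records used in the self-test are constructed, the web-writable path list and cron binary locations are assumptions, and the check runs on Linux only.

```python
"""Check whether a process that calls itself "crond" really is cron (Linux /proc).

Added example for this thread, not code from the thread, ISPConfig or lsof.
Compares what a process claims (argv[0], comm) with what the kernel records
(real executable, working directory) and flags the usual signs of a renamed
script: argv[0] naming a binary it is not running, exe or cwd under a
web-writable path, or an executable deleted while still running.
"""
import os

# Paths a site's web user can normally write to; a daemon living here is suspect (assumption).
WRITABLE_PREFIXES = ("/var/www", "/tmp", "/var/tmp", "/dev/shm")
# Where a genuine cron daemon lives on Debian-style systems (assumption).
CRON_BINARIES = {"/usr/sbin/cron", "/usr/sbin/crond", "/usr/bin/crond"}


def describe_process(pid):
    """Collect comm, argv, real uid, exe and cwd of `pid` from /proc."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    uid = None
    with open(f"{base}/status") as f:
        for line in f:
            if line.startswith("Uid:"):
                uid = int(line.split()[1])  # first field after the label is the real uid
                break
    links = {}
    for name in ("exe", "cwd"):
        try:
            links[name] = os.readlink(f"{base}/{name}")
        except OSError:  # kernel thread, already exited, or not permitted
            links[name] = None
    return {"pid": int(pid), "comm": comm, "argv": argv, "uid": uid,
            "exe": links["exe"], "cwd": links["cwd"]}


def pids_for_uid(uid):
    """All pids currently running with the given real uid."""
    found = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                if describe_process(entry)["uid"] == uid:
                    found.append(int(entry))
            except OSError:
                continue  # process vanished between listdir and read
    return found


def suspicious_reasons(info):
    """Return the reasons a process record (as from describe_process) looks disguised."""
    reasons = []
    exe = info.get("exe") or ""
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[:-len(" (deleted)")] if deleted else exe
    argv0 = info["argv"][0] if info.get("argv") else ""
    claimed = os.path.basename(argv0.lstrip("-"))  # login shells prefix argv[0] with "-"
    if deleted:
        reasons.append(f"executable {exe_path} was deleted from disk while still running")
    # A perl script that set $0 shows argv[0]=/usr/bin/crond but exe=/usr/bin/perl.
    # (Versioned interpreters such as python3 vs python3.11 also trip this; review by hand.)
    if claimed and exe_path and claimed != os.path.basename(exe_path):
        reasons.append(f"argv[0] {argv0!r} does not match real executable {exe_path!r}")
    if info.get("comm") in ("cron", "crond") and exe_path and exe_path not in CRON_BINARIES:
        reasons.append(f"named like cron but actually runs {exe_path}")
    for label in ("exe", "cwd"):
        path = info.get(label) or ""
        if path.startswith(WRITABLE_PREFIXES):
            reasons.append(f"{label} {path} is under a web-writable path")
    return reasons


if __name__ == "__main__":
    import pwd
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "web41"  # site user from the thread
    for pid in pids_for_uid(pwd.getpwnam(user).pw_uid):
        info = describe_process(pid)
        flags = suspicious_reasons(info)
        print(f"{pid} {info['comm']} {' '.join(info['argv'])} -> {'SUSPICIOUS' if flags else 'ok'}")
        for reason in flags:
            print("   ", reason)
```

Run as root (`python3 check_procs.py web41`), since /proc/PID/exe and cwd of another user's processes are only readable with the right privileges; for a single pid, `describe_process(25144)` gives the same facts lsof -p shows in its txt and cwd lines, which is what the reply above asked for.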