  1. #1
    Join Date
    Jun 2001
    Location
    Montreal, Canada
    Posts
    16

    SPAM being sent through my server!

    Hi,

    I've discovered someone is sending SPAM through my server. maillog reveals a lot of outgoing messages like:

    Mar 15 10:27:35 grsites sendmail[1684]: i2FFRZ3U001684: from=<apache@grsites.com>, size=15826, class=0, nrcpts=100, msgid=<200403150927.i2F9Rvl8019135@grsites.com>, proto=ESMTP,$SMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
    Mar 15 10:27:35 grsites sendmail[1684]: i2FFRZ3U001684: to=<kappucheeno@aol.com>, delay=00:00:00, mailer=esmtp, pri=3015826, stat=queued


    etc... How do they manage to do that? Sendmail is set to require authentication for SMTP, and the access file in /etc/mail is not set to allow RELAYING for anyone other than localhost. The only users on the box are 2 family members; did their accounts get hacked? How do I determine which user the email is sent through?

    Any help would be greatly appreciated!

    Gabriel

  2. #2
    Hard to tell without more information. Do you have formmail scripts ?
    ••• Like us on Facebook to qualify for discounts! •••
    ••• http://www.sprintserve.net •••
    ••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
    ••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••

  3. #3
    Join Date
    Jun 2001
    Location
    Montreal, Canada
    Posts
    16
    Yes, I have ezformml.cgi. That's a good point.

    I just checked and one instance of it has a CGI field in the web page to specify part of the message content. They may have used that. I will disable it for now...

    Thanks! :-)
    Gabriel Ross
    webmaster@grsites.com

  4. #4
    Join Date
    Jun 2001
    Location
    Montreal, Canada
    Posts
    16

    Oops

    Looks like formmail scripts weren't the problem. This morning the spam was coming through; I tried chmod'ing the scripts to 000 and it didn't stop the deluge, nor did shutting off the http daemon altogether, so it's happening through sendmail itself. Stopping the sendmail daemon is my only option for now.

    Like I said, it's set up for password authentication, and I tried changing all users' passwords but to no avail.

    The only email that needs to be sent from the server comes from perl scripts, and I could do without the ability to relay email from outside the server itself. How do I set this up? I've got MailScanner installed.

    Thanks for any help...

    Gabriel Ross
    webmaster@grsites.com

  5. #5
    Join Date
    Jun 2001
    Location
    Montreal, Canada
    Posts
    16
    OK, I shut off SMTP authentication and disallowed relaying from anywhere. But this seems to be the header from one of the spams:

    Return-Path: <apache@grsites.com>
    Received: from grsites.com (localhost.domain [127.0.0.1])
    by grsites.com (8.12.10/8.12.10) with ESMTP id i2SNSHlT022248;
    Sun, 28 Mar 2004 18:34:05 -0500
    Received: (from apache@localhost)
    by grsites.com (8.12.10/8.12.10/Submit) id i2SJKjWM019072;
    Sun, 28 Mar 2004 14:20:45 -0500
    Date: Sun, 28 Mar 2004 14:20:45 -0500
    Message-Id: <200403281920.i2SJKjWM019072@grsites.com>
    To: admin@grsites.com
    To: emily285@www.grsites.com
    From: Marketmaven857%40kiwinet@2Ecom
    Subject: Dont miss this trade . VqehC cw9Mhg ZEE1Q 3Hs
    Content-Type: multipart/mixed;
    boundary=uYTeb9AmZ9VnM3X52mtBU5gXL5AOya
    Status:


    Looks like it's coming from localhost.

    ???

    Gabriel Ross

  6. #6
    delete this

  7. #7
    Judging by the headers it's coming from your webserver (apache@localhost), which would indicate it is probably coming from a Perl/PHP script of some sort. As for tracing it, first try top and see if you can see anything that looks suspicious (although this won't show PHP scripts if they aren't run as CGIs), then I guess try the /server-status bit built into Apache to see what is being accessed, and if that still fails, start checking your web logs to try and find it.
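As an added example (not code from anyone in this thread), here is the log correlation post #7 describes, done in Python rather than by eye. One point worth stating first: the `relay=localhost.domain [127.0.0.1]`, `proto=ESMTP` in the maillog lines from post #1 and the inner `Received: (from apache@localhost) by grsites.com (8.12.10/8.12.10/Submit)` header in post #5 do not point at a network client. Sendmail 8.12 runs the command-line `sendmail` as a separate submission program that hands each message to the daemon over the loopback interface, so this is exactly what a CGI or PHP script invoking `/usr/sbin/sendmail` as the `apache` user looks like in the logs. The script parses constructed maillog lines in the format of post #1 and constructed Apache combined-log lines (the client IPs, the year 2004 for the year-less syslog timestamps and the 1-second window are assumptions), keeps the submissions whose sender is the web-server account, and counts which URLs were requested at the same moment; the URL whose hits track the submissions is the script to pull.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format of the sendmail 8.12 maillog lines in post #1:
# two 100-recipient submissions by the web-server user, then a normal one-recipient
# message from a real account.
MAILLOG = """\
Mar 15 10:27:35 grsites sendmail[1684]: i2FFRZ3U001684: from=<apache@grsites.com>, size=15826, class=0, nrcpts=100, msgid=<200403150927.i2F9Rvl8019135@grsites.com>, proto=ESMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
Mar 15 10:27:36 grsites sendmail[1690]: i2FFRa3U001690: from=<apache@grsites.com>, size=15826, class=0, nrcpts=100, msgid=<200403150927.i2F9Rvl9019135@grsites.com>, proto=ESMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
Mar 15 10:31:02 grsites sendmail[1702]: i2FFV23U001702: from=<emily@grsites.com>, size=812, class=0, nrcpts=1, msgid=<200403151031.i2FFV23U001702@grsites.com>, proto=ESMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
"""

# Constructed Apache combined-format lines covering the same minutes.
ACCESS_LOG = """\
203.0.113.7 - - [15/Mar/2004:10:27:35 -0500] "POST /cgi-bin/ezformml.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [15/Mar/2004:10:27:33 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2004:10:27:36 -0500] "POST /cgi-bin/ezformml.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [15/Mar/2004:10:31:02 -0500] "GET /mail/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_YEAR = 2004  # syslog lines carry no year; assumed from the dates in the thread

MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r"from=<(?P<sender>[^>]*)>, .*?nrcpts=(?P<nrcpts>\d+)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_maillog(text):
    """One dict per 'from=' line: submission time, queue id, envelope sender, recipient count."""
    out = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        out.append({"ts": ts, "qid": m["qid"], "sender": m["sender"], "nrcpts": int(m["nrcpts"])})
    return out

def parse_access_log(text):
    """One dict per request line; the zone is dropped because both logs are local wall-clock time."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        out.append({"ts": ts, "ip": m["ip"], "method": m["method"], "path": m["path"]})
    return out

def web_user_submissions(mail_records, web_user="apache"):
    """Messages submitted by the web-server account itself (the apache@ sender in the thread)."""
    return [r for r in mail_records if r["sender"].split("@")[0] == web_user]

def suspect_scripts(submissions, hits, window_seconds=1):
    """Count the URLs requested within `window_seconds` of each web-user submission.
    A URL whose count rises with the submissions is the script that is sending."""
    window = timedelta(seconds=window_seconds)
    hits_by_path = Counter()
    for sub in submissions:
        for hit in hits:
            if abs(hit["ts"] - sub["ts"]) <= window:
                hits_by_path[hit["path"]] += 1
    return hits_by_path

if __name__ == "__main__":
    subs = web_user_submissions(parse_maillog(MAILLOG))
    print(f"{len(subs)} submissions by the web user, {sum(s['nrcpts'] for s in subs)} recipients")
    for path, n in suspect_scripts(subs, parse_access_log(ACCESS_LOG)).most_common():
        print(f"{n:4d}  {path}")
```

Against the real box, replace the two constants with the contents of /var/log/maillog and the access log (per-vhost logs if there are several). If the count points at a PHP page rather than a CGI, /server-status narrows it to a process and the queue id in the maillog matches the id in the message's Received: header, so individual spam samples can be tied back to a request the same way.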

  8. #8
    Join Date
    Jan 2004
    Location
    Washington, DC
    Posts
    450
    Chances are apache is running as its own user. Just deny the apache user from being able to send mail.
    Christian Dawson, Executive Director and Co-Founder, i2Coalition
    The i2Coalition is comprised of small to medium cloud providers, data centers, registrars, registries and other foundational Internet enterprises. Join today!
    Follow us on Twitter @i2coalition or checkout our forum!

  9. #9
    That works but doesn't solve the root of the problem, and you effectively stop the whole server from having any PHP scripts (if not using phpsuexec) that can send emails, now and in the future.

    Why don't you try installing phpsuexec? Since there are very few sites on the server (2 email accounts only, you said), do a thorough audit of all scripts that are accessible via the web.

    It could also be that you have been compromised.

  10. #10

    Having the same problem

    I got a similar problem on my hosting machine. Tons of emails were sent out from my own domain, so my host had to suspend my account. I have changed my password and also advised my host to disable the formmail.pl script, but yesterday it came back again. Now all my domains are suspended again.

    I am waiting for a solution from my host, and in the meantime I am preparing to move my domains to a new hosting machine to see whether it was caused by the machine setup or not. Man, what a headache caused by those crazy bastards.
    www.handreach.net -- taking care of your web site

  11. #11
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Could be happening from mail() being used on a spam script of some sort. You can test this by adding:

    disable_functions = mail

    to your php.ini and restarting apache. Keep in mind this will break all php mailing.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  12. #12
    Join Date
    Dec 2000
    Posts
    954
    thelinuxguy --- is adding this directive to php.ini the same as "Prevent the user 'nobody' from sending out mail to remote addresses" inside WHM -> Tweak Settings?


    BTW: if I check "Prevent the user 'nobody' from sending out mail to remote addresses" in WHM and have a few users I trust, how do I chown their dir to let them use a PHP mail script?
    And do I have to chown "username" the script that sends e-mail, or their entire directory?


    Thanks a lot

  13. #13

    Found the problem

    I discovered that it was caused by a CGI script that was hijacked by a cracker. I copied it from O'Reilly Perl books, but it seems that it is already obsolete to hackers.

  14. #14
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,517
    You should probably disable the bundled formmail scripts. Then adjust your sendmail in order to detect php nobody spammers, there are various scripts around which will do this.
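Post #8 (stop the web-server user submitting mail at all) and post #14 (a sendmail wrapper that records which "nobody"/apache script is sending) can be served by one program. The following is an added example written for this page, not one of the "various scripts around" the poster refers to. It stands in for the sendmail binary, appends one line per submission with the calling uid, working directory, command-line flags and the CGI/PHP environment Apache exports (SCRIPT_FILENAME, REQUEST_URI, REMOTE_ADDR and so on, which name the script and the client that triggered it), refuses submissions by users on a local deny list, and otherwise execs the real binary. The paths, the renamed binary and the deny list are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Logging and policy wrapper standing in for the sendmail binary on a web host.
Added example; assumes the real binary was moved to /usr/sbin/sendmail.real (or
that php.ini's sendmail_path points at this wrapper) and that LOG_FILE is writable
by every account allowed to send."""
import os
import pwd
import sys
import time

REAL_SENDMAIL = "/usr/sbin/sendmail.real"   # assumed: the renamed real binary
LOG_FILE = "/var/log/sendmail-wrapper.log"  # assumed log location
DENIED_USERS = {"apache", "nobody"}         # post #8: the web-server account may not submit

# Variables Apache hands to CGI programs and mod_php; whichever are present identify
# the script and the remote client behind a submission.
SCRIPT_HINTS = ("SCRIPT_FILENAME", "SCRIPT_NAME", "REQUEST_URI", "REMOTE_ADDR", "HTTP_HOST")

def resolve_user(uid):
    """Map a uid to a login name, falling back to the number for unknown uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def caller_record(uid, cwd, argv, env, now=None):
    """Describe who invoked sendmail, from where, with which flags, and for web
    scripts which script and client were involved.  Unrelated environment is dropped."""
    fields = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%S", time.localtime(now)),
        "uid": uid,
        "user": resolve_user(uid),
        "cwd": cwd,
        "argv": " ".join(argv[1:]),
    }
    for key in SCRIPT_HINTS:
        if key in env:
            fields[key] = env[key]
    return fields

def format_record(fields):
    """One key=value line per submission; values containing spaces are quoted."""
    return " ".join(f"{k}={v!r}" if " " in str(v) else f"{k}={v}" for k, v in fields.items())

def should_deny(user, denied=DENIED_USERS):
    """Local policy: refuse command-line submissions by these accounts outright."""
    return user in denied

def main():
    fields = caller_record(os.getuid(), os.getcwd(), sys.argv, os.environ)
    with open(LOG_FILE, "a") as log:
        log.write(format_record(fields) + "\n")
    if should_deny(fields["user"]):
        sys.stderr.write(f"sendmail: submissions by {fields['user']} are refused by local policy\n")
        sys.exit(77)  # EX_NOPERM, the exit status sendmail itself uses for a permission refusal
    os.execv(REAL_SENDMAIL, [REAL_SENDMAIL] + sys.argv[1:])

if __name__ == "__main__":
    main()
```

Two caveats. A script interpreter cannot carry a setuid/setgid bit, but the exec of the real binary keeps its own setgid smmsp, so submission still works for permitted users. And the wrapper only sees command-line submissions (PHP's mail() and any Perl script that pipes to /usr/sbin/sendmail); a script that opens its own SMTP connection to 127.0.0.1:25 bypasses it, which is what the access-file and authentication settings on the daemon are for.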

  15. #15
    As I said, I didn't use formmail, and I heard of the problems with formmail before. I wrote my own one based on the example in the O'Reilly book. I have to disable this code right now, but in case I want to use a form to send email, what's the best solution?
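The question above goes unanswered in the thread, so here is an added example (not from any poster) of the weakness Gabriel noticed in post #3, a form field that ends up in the message headers, beside the shape of a safe form-to-mail handler. The old formmail pattern pastes form fields into the header block and pipes the text to `sendmail -t`, which takes its recipients from the To:, Cc: and Bcc: headers; a field containing a newline therefore lets the sender append a `Bcc:` line and use the script as a relay, which is how a web form ends up producing the 100-recipient submissions in post #1. The hardened version keeps the recipient in server-side configuration, rejects CR/LF in anything that reaches a header, validates the reply address, confines free text to the body, and passes the recipient on the command line instead of using -t. The addresses, sendmail path and attack form are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.parser import HeaderParser

# Server-side configuration, never read from the form (assumed values for the example).
FIXED_RECIPIENT = "webmaster@grsites.com"
ENVELOPE_SENDER = "webform@grsites.com"
SENDMAIL = "/usr/sbin/sendmail"
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed submissions: a relay attempt hiding a Bcc: line in the e-mail field, and a normal one.
ATTACK_FORM = {"recipient": "admin@grsites.com",
               "email": "mallory@example.com\nBcc: v1@example.net, v2@example.org",
               "subject": "hello", "message": "buy now"}
CLEAN_FORM = {"recipient": "admin@grsites.com", "email": "alice@example.com",
              "subject": "question", "message": "hi\nthere"}

class FormError(ValueError):
    """Raised when a submitted field cannot safely be placed in a mail header."""

def build_message_vulnerable(form):
    """The formmail-style pattern: fields pasted into the header block, output piped
    to `sendmail -t`.  A newline in any field ends the header the script meant to
    write and starts one the sender chose."""
    return ("To: {recipient}\n"
            "From: {email}\n"
            "Subject: {subject}\n"
            "\n"
            "{message}\n").format(**form)

def recipients_as_sendmail_t_sees(raw):
    """Emulate `sendmail -t`: every address in To:, Cc: and Bcc: becomes a recipient."""
    headers = HeaderParser().parsestr(raw, headersonly=True)
    addrs = []
    for name in ("to", "cc", "bcc"):
        for value in headers.get_all(name, []):
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs

def clean_header_field(value, max_len=200):
    """Refuse anything that could terminate a header line or smuggle in a new one."""
    if any(c in value for c in "\r\n\x00"):
        raise FormError("control character in header field")
    value = value.strip()
    if len(value) > max_len:
        raise FormError("header field too long")
    return value

def build_message_hardened(form):
    """Recipient fixed in config; user text reaches Reply-To and Subject only after
    checking; the free-text message goes in the body where it cannot add headers."""
    reply_to = clean_header_field(form.get("email", ""))
    if not ADDR_RE.match(reply_to):
        raise FormError("reply address is not a plain mailbox")
    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT
    msg["From"] = ENVELOPE_SENDER
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[web form] " + clean_header_field(form.get("subject", ""))
    msg.set_content(form.get("message", ""))
    return msg

def sendmail_argv(msg):
    """Hand the recipient to sendmail on the command line rather than with -t, so a
    header that somehow slipped through could still not add recipients."""
    return [SENDMAIL, "-oi", "-f", ENVELOPE_SENDER, str(msg["To"])]

if __name__ == "__main__":
    print("vulnerable script would deliver to:", recipients_as_sendmail_t_sees(build_message_vulnerable(ATTACK_FORM)))
    try:
        build_message_hardened(ATTACK_FORM)
    except FormError as e:
        print("hardened script rejected the same form:", e)
    print("hardened command line:", " ".join(sendmail_argv(build_message_hardened(CLEAN_FORM))))
```

The same rule applies to any other field the Perl version interpolates into the header block (a "realname", a "cc" list, a custom subject): either it is fixed server-side, or it is checked for CR/LF and length before use, and the recipient list is never something the browser gets to choose.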
