-
03-15-2004, 11:58 AM #1 Newbie
- Join Date
- Jun 2001
- Location
- Montreal, Canada
- Posts
- 16
SPAM being sent through my server!
Hi,
I've discovered someone is sending SPAM through my server. maillog reveals a lot of outgoing messages like:
Mar 15 10:27:35 grsites sendmail[1684]: i2FFRZ3U001684: from=<apache@grsites.com>, size=15826, class=0, nrcpts=100, msgid=<200403150927.i2F9Rvl8019135@grsites.com>, proto=ESMTP,$SMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
Mar 15 10:27:35 grsites sendmail[1684]: i2FFRZ3U001684: to=<kappucheeno@aol.com>, delay=00:00:00, mailer=esmtp, pri=3015826, stat=queued
etc... How do they manage to do that? Sendmail is set to require authentication for SMTP, and the access file in /etc/mail is not set to allow RELAYING for anyone other than localhost. The only users on the box are 2 family members; did their accounts get hacked? How do I determine which user the email is sent through?
Any help would be greatly appreciated!
Gabriel
-
03-15-2004, 12:37 PM #2 Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
Hard to tell without more information. Do you have formmail scripts?
-
03-15-2004, 01:01 PM #3 Newbie
- Join Date
- Jun 2001
- Location
- Montreal, Canada
- Posts
- 16
Yes, I have ezformml.cgi. That's a good point.
I just checked and one instance of it has a CGI field in the web page to specify part of the message content. They may have used that. I will disable it for now...
Thanks! :-)
Gabriel Ross
webmaster@grsites.com
-
03-28-2004, 06:29 PM #4 Newbie
- Join Date
- Jun 2001
- Location
- Montreal, Canada
- Posts
- 16
Oops
Looks like formmail scripts weren't the problem. This morning the spam was coming through; I tried chmod'ing the scripts to 000 and it didn't stop the deluge, nor did shutting off the http daemon altogether, so it's happening through sendmail itself. Stopping the sendmail daemon is my only option for now.
Like I said, it's set up for password authentication, and I tried changing all users' passwords but to no avail.
The only email that needs to be sent from the server comes from perl scripts, and I could do without the ability to relay email from outside the server itself. How do I set this up? I've got MailScanner installed.
Thanks for any help...
Gabriel Ross
webmaster@grsites.com
-
03-28-2004, 07:48 PM #5 Newbie
- Join Date
- Jun 2001
- Location
- Montreal, Canada
- Posts
- 16
OK, I shut off SMTP authentication and disallowed relaying from anywhere. But this seems to be the header from one of the spams:
Return-Path: <apache@grsites.com>
Received: from grsites.com (localhost.domain [127.0.0.1])
by grsites.com (8.12.10/8.12.10) with ESMTP id i2SNSHlT022248;
Sun, 28 Mar 2004 18:34:05 -0500
Received: (from apache@localhost)
by grsites.com (8.12.10/8.12.10/Submit) id i2SJKjWM019072;
Sun, 28 Mar 2004 14:20:45 -0500
Date: Sun, 28 Mar 2004 14:20:45 -0500
Message-Id: <200403281920.i2SJKjWM019072@grsites.com>
To: admin@grsites.com
To: emily285@www.grsites.com
From: Marketmaven857%40kiwinet@2Ecom
Subject: Dont miss this trade . VqehC cw9Mhg ZEE1Q 3Hs
Content-Type: multipart/mixed;
boundary=uYTeb9AmZ9VnM3X52mtBU5gXL5AOya
Status:
Looks like it's coming from localhost.
???
Gabriel Ross
-
03-28-2004, 08:17 PM #6 WHT Addict
- Join Date
- Nov 2002
- Posts
- 163
delete this
-
03-28-2004, 08:25 PM #7 Junior Guru Wannabe
- Join Date
- Feb 2004
- Posts
- 82
Judging by the headers, it's coming from your webserver (apache@localhost), which would indicate it is probably coming from a perl/PHP script of some sort. As for tracing it, first try top and see if you can see anything that looks suspicious (although this won't show PHP scripts if they aren't run as CGIs), then I guess try the /server-status bit built into apache to see what is being accessed, and if that still fails, start checking your web logs to try and find it.
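To do the web-log check this reply suggests systematically, here is an added example (not from the thread) that takes the sendmail maillog entries for messages submitted by the apache user and counts which Apache access-log requests were logged in the seconds just before each one. The log lines, hostnames and IP addresses are constructed samples, and the syslog year is an assumption since syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not from the thread): sendmail accepts two
# messages from the apache user; the access log shows what ran just before.
MAILLOG = """\
Mar 15 10:27:33 grsites sendmail[1684]: i2FFRZ3U001684: from=<apache@grsites.com>, size=15826, class=0, nrcpts=100, msgid=<a@grsites.com>, proto=ESMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
Mar 15 10:27:35 grsites sendmail[1684]: i2FFRZ3U001684: to=<victim@example.com>, delay=00:00:00, mailer=esmtp, pri=3015826, stat=queued
Mar 15 10:41:02 grsites sendmail[1702]: i2FFf2aa001702: from=<apache@grsites.com>, size=15800, class=0, nrcpts=100, msgid=<b@grsites.com>, proto=ESMTP, daemon=MTA, relay=localhost.domain [127.0.0.1]
"""
ACCESS_LOG = """\
203.0.113.7 - - [15/Mar/2004:10:27:31 -0500] "POST /cgi-bin/ezformml.cgi HTTP/1.0" 200 512
198.51.100.4 - - [15/Mar/2004:10:30:00 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [15/Mar/2004:10:41:00 -0500] "POST /cgi-bin/ezformml.cgi HTTP/1.0" 200 512
"""

# "from=<apache@" lines mark mail handed to sendmail by the web server user
MAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\S+): from=<apache@")
# Apache common/combined log: client, [timestamp zone] "METHOD path ..."
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [^\]]*\] "(\w+) (\S+)')

def _mail_ts(text, year=2004):
    # syslog timestamps carry no year; the year is an assumption passed in
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def _access_ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S")

def find_suspect_requests(maillog, access_log, window=10):
    """Count (client, method, path) requests logged within `window` seconds
    before each message sendmail accepted from the apache user."""
    sends = [(_mail_ts(m.group(1)), m.group(2))
             for m in map(MAIL_RE.match, maillog.splitlines()) if m]
    hits = [(_access_ts(m.group(2)), m.group(1), m.group(3), m.group(4))
            for m in map(ACCESS_RE.match, access_log.splitlines()) if m]
    suspects = Counter()
    for sent_at, queue_id in sends:
        for seen_at, client, method, path in hits:
            if 0 <= (sent_at - seen_at).total_seconds() <= window:
                suspects[(client, method, path)] += 1
    return suspects

if __name__ == "__main__":
    for (client, method, path), n in find_suspect_requests(MAILLOG, ACCESS_LOG).most_common():
        print(f"{n:3d}  {client}  {method} {path}")
```

Both logs are assumed to be in the same local time; if the box has several virtual hosts, add the vhost field to the regex and the key so the offending script is narrowed to one site.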
-
03-28-2004, 11:05 PM #8 Web Hosting Evangelist
- Join Date
- Jan 2004
- Location
- Washington, DC
- Posts
- 450
Chances are apache is running as its own user. Just deny the apache user from being able to send mail.
Christian Dawson, Executive Director and Co-Founder, i2Coalition
-
03-29-2004, 07:05 AM #9 Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
That works but doesn't solve the root of the problem, and you effectively stop the whole server from having any php scripts (if not using phpsuexec) which can send emails, now and in the future.
Why don't you try installing phpsuexec? Since there are very few sites on the server (2 email accounts only, you said), do a thorough audit of all scripts that are accessible via the web.
It could also be that you have been compromised.
-
05-05-2004, 05:30 PM #10 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 61
having the same problem
I got a similar problem on my hosting machine. Tons of email were sent out from my own domain, so my host had to suspend my account. I have changed my password, and also advised my host to disable the formmail.pl script, but yesterday it came back again. Now, all my domains are suspended again.
I am waiting for the solution from my host, and in the meantime, I am preparing to move my domains to a new hosting machine to see whether it was caused by the machine setup or not. Man, what a headache caused by those crazy bastards.
www.handreach.net -- taking care of your web site
-
05-05-2004, 07:20 PM #11 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Could be happening from mail() being used on a spam script of some sort. You can test this by adding:
disable_functions = mail
to your php.ini and restarting apache. Keep in mind this will break all php mailing.
Steven Ciaburri
-
05-06-2004, 11:15 AM #12 Web Hosting Master
- Join Date
- Dec 2000
- Posts
- 954
thelinuxguy --- is adding this directive to php.ini the same as "Prevent the user 'nobody' from sending out mail to remote addresses" inside WHM -> Tweak Settings?
BTW: if I check the "Prevent the user 'nobody' from sending out mail to remote addresses" in WHM and have a few users I trust, how do I chown their dir to let them use a php mail script?
And do I have to chown "username" their script which sends e-mail, or their entire directory?
Thanks a lot
-
05-06-2004, 06:07 PM #13 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 61
Found the problem
I discovered that it was caused by a CGI script that was hijacked by a cracker. I copied it from O'Reilly Perl books, but it seems that it is already obsolete to hackers.
-
05-06-2004, 08:15 PM #14 Russ
- Join Date
- Mar 2002
- Location
- Philadelphia, PA
- Posts
- 2,517
You should probably disable the bundled formmail scripts. Then adjust your sendmail in order to detect php nobody spammers; there are various scripts around which will do this.
-
05-07-2004, 03:16 PM #15 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 61
As I said, I didn't use formmail, and I heard of the problems with formmail before. I wrote my own one based on the example in the O'Reilly book. I have to disable this code right now, but in case I want to use a form to send email, what's the best solution?
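The form mailers in this thread were abused because the HTTP client could influence who the mail went to and what went into the headers (post #3 mentions a CGI field that set part of the message). As an added example, not from the thread or from any book, here is the shape of a form mailer that removes those controls: the recipient comes from a server-side table keyed by form name, header fields are rejected if they contain CR/LF, the reply address is validated, and the body is size-capped. The recipient map, sender address and limits are assumed values.

```python
import re
from email.message import EmailMessage

# Assumed site-side configuration: the form name chosen by the page maps to
# a recipient fixed on the server, so the submitter can never pick one.
RECIPIENTS = {"contact": "admin@example.com"}   # constructed value
HEADER_BREAK_RE = re.compile(r"[\r\n\x00]")     # a CR/LF would start a new header line
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_SUBJECT = 100
MAX_BODY = 4000

def build_form_message(form, sender="webform@example.com"):
    """Build the mail for a web form submission, or raise ValueError.
    `form` is the dict of submitted fields; nothing in it reaches a header unchecked."""
    to = RECIPIENTS.get(form.get("form", ""))
    if to is None:
        raise ValueError("unknown form name")        # never honour a client-supplied recipient
    subject = form.get("subject", "")[:MAX_SUBJECT]
    reply_to = form.get("email", "")
    for value in (subject, reply_to):
        if HEADER_BREAK_RE.search(value):
            raise ValueError("line break in header field")   # classic Bcc: injection attempt
    if reply_to and not ADDR_RE.match(reply_to):
        raise ValueError("bad reply address")
    body = form.get("message", "")
    if len(body) > MAX_BODY:
        raise ValueError("message too long")
    msg = EmailMessage()
    msg["From"] = sender            # fixed envelope identity, not the visitor's address
    msg["To"] = to
    msg["Subject"] = "[web form] " + subject
    if reply_to:
        msg["Reply-To"] = reply_to  # visitor address goes here, where it cannot add recipients
    msg.set_content(body)           # body is MIME-encoded text, never parsed as headers
    return msg

def is_rejected(form):
    """True if the submission fails the checks above (useful for logging/rate limiting)."""
    try:
        build_form_message(form)
        return False
    except ValueError:
        return True
```

Hand the returned message to sendmail (e.g. `subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=msg.as_bytes())`) and log every rejection with the client IP; a burst of rejections is the early signal the original poster was missing.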