ThePlanet has opened an abuse ticket on our account due to outgoing spam on our server. We have looked into it and could not find the source anywhere, and were therefore unable to suspend any accounts.
We therefore asked ThePlanet to investigate the issue using our only hour of administrative time.
Here was their response:
Originally Posted by ThePlanet ticket response
We have made extensive checks of the system and checked the results of the extended Exim logging, but have been unable to determine the source of the emails. There is a possibility the emails are being injected directly into the Exim queue, which would prevent them from being logged.
In the interests of finding out if any of the users on the system were generating these messages, we checked various aspects of the users and investigated one mailing script under one of the users that shows heavy use in the Apache logs. While the check cannot be regarded as comprehensive, it was lengthy and detailed with respect to issues we have seen in the past. We could not attribute any particular user to this problem.
An Abuse engineer and a Security engineer spent well over an hour working on this issue, however, we are only attributing the time spent towards your admin hour for the month of June for this server.
Further time may be spent on this issue by our personnel if you wish, but this would be at a cost of $75 per hour. Please advise if this is desirable, or if you would rather have your admins work on the issue. A rapid response by either party is highly desirable.
Is anyone familiar with a problem like this? I am not sure what to do, I can't really afford $75 for them to look into it for another hour.
Since this issue arose, I have blocked all emails from being sent from "nobody". I am not 100% sure if this will stop the spam for the time being.
You could first check if there is anything suspicious going on in the server. Continuously check for processes (ps auxwf or simply ps aux, or cat /proc/processIDs in case of hidden ones), and netstat -lpn for anything unwanted listening on any ports.
Do you have mailmon installed? This would let you know if a user is sending emails. Also, if PHP is compiled as CGI, then instead of scripts sending mails as nobody, it will send under the user's identity.
We had an issue like this before and it was a hacker who gained access through a phpBB forum which was continuously making POSTs. They created their own forum too. Couldn't find how that was done!
I absolutely agree with SmartTux. You should install e-mail monitoring software if you do not have any.
Blocking user 'nobody' is a nice thing. And though this may not help in the current situation, it will save you in future.
In addition to what SmartTux has posted, this could be an issue with vBulletin board as well.
We have one customer who did not patch the forum with the latest update, and was hacked by someone.
If you have Fantastico, make sure that you update it with the latest version of the free scripts.
If you know of customers who use forums, content management systems, portals, etc., write them an e-mail to be sure that the scripts are up to date.
Insecure scripts for sending e-mails (formmail, formmail clones, etc.) could be the source as well.
The spammer may spam remotely, taking advantage of an insecure contact form.
Another nice thing would be to configure Exim in a way that allows no more than a certain number of e-mails to be sent from a certain account. This can be done easily as e-mails per hour.
I am sorry, it wasn't phpBB. It was php_nuke.
I uninstalled the php_nuke which was causing the issue. The Apache domlogs for that account were showing continuous POSTs when the nuke site was running.
Also disabled all phpnukes on the server for some time to ensure the outbound spamming due to this really stops. Anyway, the NOC didn't complain after that.
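One way to pick out the "continuous POSTs to one script" pattern SmartTux describes in the Apache domlogs, as an added example that is not from any poster in this thread: it parses combined-format access log lines and lists the scripts that received an unusual number of POSTs, with the client IPs behind them. The log lines are constructed for the example and the threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2007:10:01:02 +0000] "POST /modules.php?name=Feedback HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jun/2007:10:01:03 +0000] "POST /modules.php?name=Feedback HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [14/Jun/2007:10:01:03 +0000] "POST /modules.php?name=Feedback HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jun/2007:10:01:04 +0000] "POST /modules.php?name=Feedback HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [14/Jun/2007:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
198.51.100.2 - - [14/Jun/2007:10:05:09 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/" "Mozilla/5.0"
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Group on the script path only; the query string (?name=...) varies too much.
    fields["path"] = fields["target"].split("?", 1)[0]
    return fields

def post_hotspots(lines, threshold):
    """Scripts that received at least `threshold` POSTs, busiest first.

    Returns a list of (path, post_count, sorted_client_ips) tuples.
    """
    counts = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        counts[rec["path"]] += 1
        ips[rec["path"]].add(rec["ip"])
    hot = [(p, n, sorted(ips[p])) for p, n in counts.items() if n >= threshold]
    return sorted(hot, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    # Threshold of 3 is an assumption; on a real domlog pick it from normal daily volume.
    for path, n, clients in post_hotspots(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{path}: {n} POSTs from {len(clients)} client(s) {clients}")
```

Point it at one account's domlog with `post_hotspots(open(path).readlines(), threshold)` and compare the flagged script against the account's legitimate forms before suspending anything.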
There's not much advice that can be given to you. If ThePlanet have checked the server and found nothing, you are best to either pay them to make sure it's completely gone or pay an outside source to trace and secure the server further.
We have made extensive checks of the system and checked the results of the extended Exim logging, but have been unable to determine the source of the emails.
With extended logging, nobody is somebody. So, if you're having a spam issue and you can't find the spammer with Exim's extended logging and you don't know what to do next, you should hire someone to check it.