Hi,
My server is running an updated CentOS 4.4. In the last few hours a lot of spam has been sent from my server to the world. I'm unable to locate the source.
Sendmail is defined to relay for localhost, and it seems that the source is local!
It seems that all the emails are sent from
apache@mydomain.com to
user@mydomain.com
Sendmail is configured to accept mail for local delivery for the domain mydomain.com.
Here is a trace of a spam session:
May 3 14:39:51 active sendmail[17696]: NOQUEUE: connect from mydomain.com [127.0.0.1]
May 3 14:39:51 active sendmail[17696]: AUTH: available mech=CRAM-MD5 DIGEST-MD5 PLAIN ANONYMOUS LOGIN, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: Milter: no active filter
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 220 mydomain.com ESMTP Sendmail 8.13.1/8.12.8; Thu, 3 May 2007 14:39:51 +0300
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: <-- EHLO mydomain.com
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-mydomain.com Hello mydomain.com [127.0.0.1], pleased to meet you
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-ENHANCEDSTATUSCODES
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-PIPELINING
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-8BITMIME
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-SIZE
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-DSN
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-ETRN
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-AUTH DIGEST-MD5 CRAM-MD5
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250-DELIVERBY
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250 HELP
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: <-- MAIL From:<apache@mydomain.com> SIZE=133 AUTH=apache@mydomain.com
May 3 14:39:51 active sendmail[17696]: ruleset=trust_auth, arg1=apache@mydomain.com, relay=mydomain.com [127.0.0.1], reject=550 5.7.1 <apache@mydomain.com>... not authenticated
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250 2.1.0 <apache@mydomain.com>... Sender ok
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: <-- RCPT To:<reports@mydomain.com>
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250 2.1.5 <reports@mydomain.com>... Recipient ok
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: <-- DATA
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 354 Enter mail, end with "." on a line by itself
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: from=<apache@mydomain.com>, size=410, class=0, nrcpts=1, msgid=<200705031139.l43BdpDW017695@mydomain.com>, proto=ESMTP, daemon=MTA, relay=mydomain.com [127.0.0.1]
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: --- 250 2.0.0 l43Bdpg2017696 Message accepted for delivery
May 3 14:39:51 active sendmail[17696]: l43Bdpg3017696: <-- QUIT
May 3 14:39:51 active sendmail[17696]: l43Bdpg3017696: --- 221 2.0.0 mydomain.com closing connection
It seems the spam message's BCC contains a lot of victim addresses that are not from mydomain.
Is someone connecting from outside and spoofing 127.0.0.1?
If it is a local process, how do I locate it?
I scanned /tmp and my web server root for suspicious files and didn't find anything!
Please advise.
Addady
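As an added illustration that is not part of the original post: a small parser for sendmail syslog lines of the kind shown in the trace, which flags submissions made over 127.0.0.1 as the web-server user and pulls the submitting process PID out of the Message-ID, so the administrator can match it against the web server's access log and process list at that timestamp. It assumes the web-server account names listed in WEB_USERS and Sendmail's default Message-ID format (`<time.QUEUEID@host>`, where the queue ID ends in the six-digit PID of the sendmail instance that created it); the sample log is constructed after the trace above.

```python
import re
from typing import Optional

# Constructed sample, modelled on the trace in the post (not a real log).
SAMPLE_LOG = """\
May 3 14:39:51 active sendmail[17696]: NOQUEUE: connect from mydomain.com [127.0.0.1]
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: <-- MAIL From:<apache@mydomain.com> SIZE=133 AUTH=apache@mydomain.com
May 3 14:39:51 active sendmail[17696]: l43Bdpg2017696: from=<apache@mydomain.com>, size=410, class=0, nrcpts=1, msgid=<200705031139.l43BdpDW017695@mydomain.com>, proto=ESMTP, daemon=MTA, relay=mydomain.com [127.0.0.1]
May 3 14:40:02 active sendmail[17710]: l43Be2AB017710: from=<alice@example.org>, size=900, class=0, nrcpts=1, msgid=<x@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
"""

# Assumed account names under which a web server (and its scripts) run.
WEB_USERS = {"apache", "www-data", "nobody"}

# Matches the per-message "from=" summary line that sendmail logs on DATA.
FROM_RE = re.compile(
    r"sendmail\[(?P<daemon_pid>\d+)\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,"
    r".*?nrcpts=(?P<nrcpts>\d+),.*?msgid=<(?P<msgid>[^>]+)>,.*?relay=(?P<relay>.*)$"
)


def submitting_pid(msgid: str) -> Optional[int]:
    """Return the PID embedded in a default-format Sendmail Message-ID.

    Assumption: Message-ID is <time.QUEUEID@host> and the queue ID ends in the
    six-digit PID of the sendmail that created it. For a local `sendmail -t`
    submission that is the client sendmail, whose parent is the calling script."""
    m = re.search(r"\.([A-Za-z0-9]+)@", msgid)
    if not m or not m.group(1)[-6:].isdigit():
        return None
    return int(m.group(1)[-6:])


def suspicious_submissions(log: str) -> list:
    """Flag messages accepted from 127.0.0.1 whose sender is a web-server user."""
    hits = []
    for line in log.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        local_user = m["sender"].split("@")[0]
        if "[127.0.0.1]" in m["relay"] and local_user in WEB_USERS:
            hits.append({"qid": m["qid"], "sender": m["sender"],
                         "nrcpts": int(m["nrcpts"]),
                         "submitter_pid": submitting_pid(m["msgid"])})
    return hits


if __name__ == "__main__":
    for hit in suspicious_submissions(SAMPLE_LOG):
        print(hit)
```

The submitter PID (17695 in the constructed sample) is gone by the time you read the log, so the useful correlation is the timestamp against the web server's access log, which shows which request was being served when that PID was spawned.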