Thread: Apache Sending Spam
08-29-2007, 11:18 AM, #1 (Newbie)
Apache Sending Spam
Yesterday my mail logs started showing many a spam email being sent from my server. There isn't anything mission critical running on it, so I took down qmail until I could find the vulnerability and fix it. But try as I might, I haven't found any conclusive vulnerability, so I thought to ask here where someone with more experience might spot something obvious that I've missed (I'm still somewhat new to this).
Anyway, the qmail logs show that the messages came from uid 48, apache. Log excerpt (sending of first spam mail):
Aug 28 11:10:51 host qmail-queue[8056]: mail: all addreses are uncheckable - need to skip scanning (by deny mode)
Aug 28 11:10:51 host qmail-queue[8056]: scan: the message(drweb.tmp.TNDOi2) sent by anonymous@HOSTNAME to SPAMADDRESS should be passed without checks, because contains uncheckable addresses
Aug 28 11:10:51 host qmail: 1188295851.742521 new msg 51970054
Aug 28 11:10:51 host qmail: 1188295851.742679 info msg 51970054: bytes 445 from <anonymous@HOSTNAME> qp 8057 uid 48
Aug 28 11:10:51 host qmail: 1188295851.752799 starting delivery 460: msg 51970054 to remote SPAMADDRESS
Aug 28 11:10:51 host qmail: 1188295851.752933 status: local 0/10 remote 1/20
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "CONNECT 205.158.62.146:25 HTTP/1.0" 405 235 "-" "-"
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "PUT http://205.158.62.146:25/ HTTP/1.0" 405 231 "-" "-"
210.17.191.242 - - [28/Aug/2007:14:34:43 +0100] "POST http://205.158.62.146:25/ HTTP/1.0" 200 2 "-" "-"
I'm not sure where to go from here. I'm concerned about the lack of logs by Apache. There's a nine-hour period without any entries; not unusual for my server given that it's not very active, but the time when the spam was sent falls in this period. I've checked for common security issues, but qmail is configured only to relay from localhost, and Apache isn't configured as an open proxy. Are there any other common issues I should check for? Is there any other information I should post here to help identify the problem?
I'm running Apache version 2.0.52, and qmail 1.03.
I'd be very grateful for any help or links to relevant HOWTOs.
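The two things worth checking in the excerpts above are whether queued mail was injected by the web server's uid (48 is apache here) and whether the CONNECT / absolute-URI requests were proxy probes that got a 200. This is an added example, not code from the thread; the log lines are constructed in the shape of the poster's excerpts, with documentation IPs and a placeholder domain:

```python
import re

# Constructed sample lines modelled on the thread's qmail excerpt (not the poster's real logs).
QMAIL_LOG = """\
Aug 28 11:10:51 host qmail: 1188295851.742521 new msg 51970054
Aug 28 11:10:51 host qmail: 1188295851.742679 info msg 51970054: bytes 445 from <anonymous@example.org> qp 8057 uid 48
Aug 28 11:12:03 host qmail: 1188295923.100000 info msg 51970055: bytes 1201 from <alice@example.org> qp 8102 uid 1001
"""
# Constructed Apache access-log lines: two proxy-style requests and one normal request.
APACHE_LOG = """\
192.0.2.10 - - [28/Aug/2007:14:34:43 +0100] "CONNECT 198.51.100.5:25 HTTP/1.0" 405 235 "-" "-"
192.0.2.10 - - [28/Aug/2007:14:34:43 +0100] "POST http://198.51.100.5:25/ HTTP/1.0" 200 2 "-" "-"
192.0.2.11 - - [28/Aug/2007:14:40:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# qmail-send "info msg" line: message id, size, envelope sender, queue pid, injecting uid.
QMAIL_INFO = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp \d+ uid (\d+)")
# Combined log format: client, timestamp, method, request target, status.
APACHE_REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def mail_from_uid(log, uid):
    """Return (msg id, sender) for every message qmail queued on behalf of the given uid."""
    hits = []
    for line in log.splitlines():
        m = QMAIL_INFO.search(line)
        if m and int(m.group(4)) == uid:
            hits.append((m.group(1), m.group(3)))
    return hits


def is_proxy_probe(method, target):
    """CONNECT, or an absolute URI as request target, means the client is treating us as a proxy."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://", "ftp://"))


def proxy_probes(log):
    """Return (client, method, target, status) for proxy-style requests.

    A 405 means Apache refused; a 200 deserves a closer look (it may just be the local
    root being served for '/', but confirm mod_proxy is not loaded and ProxyRequests is Off)."""
    out = []
    for line in log.splitlines():
        m = APACHE_REQ.match(line)
        if m and is_proxy_probe(m.group(3), m.group(4)):
            out.append((m.group(1), m.group(3), m.group(4), int(m.group(5))))
    return out
```

Run both functions over the real qmail and Apache logs; a correlation in time between a uid 48 injection and a web request to a particular script is what points at the script.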
09-01-2007, 10:07 PM, #2 (Newbie)
It would appear that someone's trying to hack you. The fact that your server is still online should be assurance that they've not succeeded.
09-01-2007, 10:55 PM, #3
09-01-2007, 11:09 PM, #4 (Newbie)
Idk, whatever I gain access to, I ruin, so forgive me for assuming that others don't.
09-02-2007, 12:05 AM, #5 (WHT Addict)
09-02-2007, 12:07 AM, #6 (WHT Addict)
09-02-2007, 11:06 AM, #7 (Newbie)
I hadn't realised that if you give a log file in a vhost entry in Apache, that takes priority over the main log file, so the relevant logs were stored elsewhere. Once I found this, I quickly saw that someone was exploiting a vulnerable script to include remote files. The script in question is removed now, but I'm not sure how much damage they managed to do. Most of the scripts they used were designed for sending spam. Since the script was taken down, no more spam has been sent (that is, every remote email listed in the mail logs since then is legitimate). Still, I'm concerned that someone may be using the server to other ill ends, through whatever access they may have managed to get through the scripts.
I've checked netstat, and all of the programs listening seem to be legitimate. rkhunter (fully updated) gave it a clean bill of health, apart from some outdated software. None of the running processes jump out at me as malicious either, but I'm not very experienced, so I've included the output of ps aux as requested:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1616 612 ? Ss Sep01 0:00 init [3]
root 5399 0.0 0.0 1520 544 ? Ss Sep01 0:00 syslogd -m 0
named 7687 0.0 0.3 37028 3544 ? Ssl Sep01 0:02 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
root 7700 0.0 0.1 3988 1060 ? Ss Sep01 0:00 /usr/sbin/sshd
root 7710 0.0 0.0 2068 828 ? Ss Sep01 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 7804 0.0 0.1 2140 1112 ? S Sep01 0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
mysql 7860 0.0 1.6 104652 17372 ? Sl Sep01 0:53 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
root 8129 0.0 0.0 3480 804 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir
root 8131 0.0 0.0 3380 940 ? S Sep01 0:00 /usr/sbin/courierlogger imapd
root 8146 0.0 0.0 3480 796 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/bin/couriertls -server -tcpd /usr/sbin/imaplogin /usr/lib/courier-imap/authlib/authpsa /usr/bin/imapd Maildir
root 8148 0.0 0.0 3248 780 ? S Sep01 0:00 /usr/sbin/courierlogger imapd-ssl
root 8158 0.0 0.0 3480 796 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir
root 8160 0.0 0.0 3248 780 ? S Sep01 0:00 /usr/sbin/courierlogger pop3d
root 8169 0.0 0.0 3480 796 ? S Sep01 0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/bin/couriertls -server -tcpd /usr/sbin/pop3login /usr/lib/courier-imap/authlib/authpsa /usr/bin/pop3d Maildir
root 8172 0.0 0.0 3248 780 ? S Sep01 0:00 /usr/sbin/courierlogger pop3d-ssl
qmails 8188 0.0 0.0 1496 448 ? S Sep01 0:01 qmail-send
qmaill 9217 0.0 0.0 1452 436 ? S Sep01 0:00 splogger qmail
root 9219 0.0 0.0 1480 344 ? S Sep01 0:00 qmail-lspawn ./Maildir/
qmailr 9220 0.0 0.0 1476 372 ? S Sep01 0:00 qmail-rspawn
qmailq 9222 0.0 0.0 1444 316 ? S Sep01 0:00 qmail-clean
root 9364 0.0 1.4 29948 15332 ? Ss Sep01 0:00 /usr/sbin/httpd
popuser 9482 0.0 2.1 24492 22284 ? Ss Sep01 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 1 --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock --siteconfigpath=/dev/null
popuser 9519 0.0 2.1 24436 22228 ? Ss Sep01 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 1 --pidfile=/var/run/spamd/spamd_light.pid --socketpath=/tmp/spamd_light.sock --siteconfigpath=/dev/null
popuser 9532 0.0 1.9 24492 20624 ? S Sep01 0:00 spamd child
popuser 9545 0.0 1.9 24436 20568 ? S Sep01 0:00 spamd child
root 9621 0.0 0.4 47452 4760 ? Ss Sep01 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 9625 0.0 1.9 52948 20904 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 9626 0.0 1.8 52768 19024 ? S Sep01 0:01 /usr/local/psa/admin/bin/httpsd
psaadm 9627 0.0 1.8 51968 19540 ? S Sep01 0:01 /usr/local/psa/admin/bin/httpsd
psaadm 9628 0.0 2.4 55344 25220 ? S Sep01 0:02 /usr/local/psa/admin/bin/httpsd
psaadm 9629 0.0 1.8 51724 19608 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 9742 0.0 1.9 52204 20440 ? S Sep01 0:01 /usr/local/psa/admin/bin/httpsd
drweb 9782 0.0 1.4 18560 15388 ? Ss Sep01 0:54 /opt/drweb/drwebd
root 9844 0.0 0.0 2456 916 ? Ss Sep01 0:00 crond
root 9855 0.0 0.0 4032 808 ? Ss Sep01 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -n 2
root 9856 0.0 0.0 4032 472 ? S Sep01 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -n 2
psaadm 7857 0.0 1.0 50140 11044 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 8065 0.0 1.7 51932 18348 ? S Sep01 0:00 /usr/local/psa/admin/bin/httpsd
apache 13807 0.1 2.1 40404 22284 ? S 08:05 0:43 /usr/sbin/httpd
apache 22017 0.1 2.1 41484 22984 ? S 08:31 0:44 /usr/sbin/httpd
apache 9776 0.1 2.1 41576 22868 ? S 09:10 0:40 /usr/sbin/httpd
apache 28149 0.1 2.2 41468 23628 ? S 09:16 0:35 /usr/sbin/httpd
apache 29804 0.1 2.0 39040 21140 ? S 14:23 0:09 /usr/sbin/httpd
Finally, tmp contained a file called 'r00t', which certainly seemed to be the product of some attempt to gain more access. Nothing else jumped out at me, but I doubt every malicious executable is going to be so obviously named.
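The two lessons in the post above are that a per-vhost CustomLog hides that host's traffic from the server-wide log, and that a remote-file-inclusion attempt is visible in the access log as a query parameter whose value is itself a URL. This added example (not the poster's code; the config fragment and log lines are constructed, with documentation IPs and a placeholder domain) resolves which access log each vhost actually writes to, then flags such requests:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed httpd.conf fragment: the first vhost's CustomLog overrides the global one.
HTTPD_CONF = """\
CustomLog /var/log/httpd/access_log combined
<VirtualHost *:80>
    ServerName www.example.org
    CustomLog /var/www/vhosts/example.org/statistics/logs/access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example.org
</VirtualHost>
"""
# Constructed access-log lines: an inclusion attempt (URL in a parameter) and a normal request.
ACCESS_LOG = """\
192.0.2.20 - - [28/Aug/2007:11:10:50 +0100] "GET /page.php?inc=http://198.51.100.9/mailer.txt? HTTP/1.0" 200 1432 "-" "-"
192.0.2.21 - - [28/Aug/2007:11:11:02 +0100] "GET /page.php?inc=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def vhost_access_logs(conf):
    """Map ServerName -> access log path; a vhost CustomLog wins, else the global CustomLog applies.
    Simplified: one CustomLog per scope, no Include directives (walk included files the same way)."""
    global_log, logs, in_vhost = None, {}, False
    for raw in conf.splitlines():
        parts = raw.split() or [""]
        if parts[0].startswith("<VirtualHost"):
            in_vhost, name, vlog = True, None, None
        elif parts[0] == "</VirtualHost>":
            logs[name] = vlog or global_log
            in_vhost = False
        elif parts[0] == "ServerName" and in_vhost:
            name = parts[1]
        elif parts[0] == "CustomLog" and in_vhost:
            vlog = parts[1]
        elif parts[0] == "CustomLog":
            global_log = parts[1]
    return logs


REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')


def rfi_attempts(log):
    """Return (client, parameter, url) for requests where a query parameter carries a remote URL.
    parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well."""
    hits = []
    for m in filter(None, map(REQ.match, log.splitlines())):
        for key, val in parse_qsl(urlsplit(m.group(2)).query):
            if val.lower().startswith(("http://", "https://", "ftp://")):
                hits.append((m.group(1), key, val))
    return hits
```

Feed every path returned by vhost_access_logs into rfi_attempts; the script names and the remote hosts in the hits tell you which files to review and which fetched payloads to look for on disk.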