  1. #1
    Join Date
    Jul 2006
    Location
    UA
    Posts
    43

    How to find the script which uses exim and apache to send spam?

    Hello,

    Not long ago somebody hacked one of our customer accounts through a vulnerability in the phpBB Album module and uploaded some scripts. Then it started to send Nigerian spam using exim and apache. These scripts were found and deleted, and the Album module was fully deleted too. But when I look at the processes now I see that exim and httpd still start very often, so the system resources are probably being overused by them.

    Code:
     13:34:32  up 56 min,  1 user,  load average: 2.95, 2.54, 3.50
    108 processes: 107 sleeping, 1 running, 0 zombie, 0 stopped
    CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
               total   35.2%    0.0%    3.9%   1.9%     1.9%   56.8%    0.0%
    Mem:  2056844k av, 1354880k used,  701964k free,       0k shrd,   95644k buff
           804320k active,             367144k inactive
    Swap: 1052248k av,       0k used, 1052248k free                 1004688k cached
    
      PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
    20426 apache    15   0 26520  25M 10620 S     9.8  1.2   0:01   0 httpd
    24364 apache    20   0 20376  19M 10416 S     3.9  0.9   0:00   0 httpd
    24371 root      23   0  3684 3684  2792 S     1.9  0.1   0:00   0 exim
    21986 apache    15   0 26708  26M 10812 S     0.9  1.2   0:01   0 httpd
    22873 apache    15   0 25440  24M 10744 S     0.9  1.2   0:01   0 httpd
    22885 apache    15   0 25012  24M 10520 S     0.9  1.2   0:00   0 httpd
    23983 apache    15   0 24320  23M 10460 D     0.9  1.1   0:00   0 httpd
    24370 root      20   0  1180 1180   908 R     0.9  0.0   0:00   0 top
    24373 root      18   0  3688 3688  2792 S     0.9  0.1   0:00   0 exim
    24375 root      22   0  3688 3688  2792 S     0.9  0.1   0:00   0 exim
        1 root      15   0   540  540   468 S     0.0  0.0   0:03   0 init
        2 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 keventd
        3 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kapmd
        4 root      34  19     0    0     0 SWN   0.0  0.0   0:00   0 ksoftirqd/0
        7 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 bdflush
        5 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kswapd
        6 root      15   0     0    0     0 SW    0.0  0.0   0:02   0 kscand
        8 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kupdated
        9 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 mdrecoveryd
       13 root      15   0     0    0     0 DW    0.0  0.0   0:06   0 kjournald
       68 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 khubd
      756 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
      853 root      25   0     0    0     0 SW    0.0  0.0   0:00   0 kjournald
     1296 root      15   0     0    0     0 SW    0.0  0.0   0:00   0 loop0
     2283 root      15   0   612  612   524 S     0.0  0.0   0:00   0 syslogd
     2287 root      24   0   508  508   436 S     0.0  0.0   0:00   0 klogd
     2306 root      15   0   452  452   380 S     0.0  0.0   0:00   0 mdadm
     2329 root      25   0   556  556   488 S     0.0  0.0   0:00   0 apmd
     2343 root      25   0  1208 1208  1060 S     0.0  0.0   0:00   0 mysqld_safe
     2376 mysql     15   0 22724  22M  2896 S     0.0  1.1   0:00   0 mysqld
     2379 mysql     15   0 22724  22M  2896 S     0.0  1.1   0:00   0 mysqld
    13909 root      20   0  1556 1556  1312 S     0.0  0.0   0:00   0 sshd

    Please help me find out what is using exim and apache so heavily, and how to make sure whether the spam has already stopped or not.

    Thanks a lot.

    Last edited by bear; 06-15-2008 at 06:31 PM.

  2. #2
    Join Date
    Jul 2006
    Location
    UA
    Posts
    43
    I would also like to add that we have CentOS with DirectAdmin installed.

  3. #3
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Did you enable extended logging into exim?
    David | www.cliffsupport.com
    Affordable Server Management Solutions sales AT cliffsupport DOT com
    CliffWebManager | Access WHM from iPhone and Android

  4. #4
    Join Date
    Oct 2007
    Posts
    106
    Seems that he has enabled it, David.

  5. #5
    Join Date
    Jul 2006
    Location
    UA
    Posts
    43
    Yes, but I can't find anything useful in the logs.

    There were a lot of files in /var/spool/exim/input (some thousands, I suppose).
    I did rm -rf, but I'm not sure how to tell exactly whether the spam has stopped or not now.

    What should I check?

    Thanks.
    Last edited by Garikus; 03-14-2008 at 07:54 AM.

  6. #6
    Join Date
    Jul 2006
    Location
    UA
    Posts
    43
    Oops. I noticed that my SMTP authentication doesn't work now. Messages can be sent with no SMTP auth. How do I fix this, please?

  7. #7
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,588
    Hello,
    If this is a cPanel server, go to WHM and set antirelayd to Enabled and Monitored via Service Configuration ---> Service Manager.

    Thanks,

  8. #8
    Using these steps I'll show you how to locate the top scripts on your server that send out email. You can then search the mail log for those scripts to determine if it looks like spam, and even check your Apache access logs in order to find how a spammer might be using your scripts to send out spam.

    Log in via SSH as the root user.
    Run this command to pull the most used mailing script's location from the Exim mail log:
    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    grep cwd /var/log/exim_mainlog

    Use the grep command; it will locate cwd in the Exim mail log. This stands for current working directory.

    grep -v /var/spool

    Use grep with the -v flag, which is an invert match, so we don't show any lines that start with /var/spool, as these are normal Exim deliveries not sent in from a script.

    awk -F"cwd=" '{print $2}' | awk '{print $1}'

    Use the awk command with the -F field separator set to cwd=, then just print out the 2nd column of data; finally pipe that to the awk command again, only printing out the 1st column, so that we only get back the script path.

    sort | uniq -c | sort -n

    Sort the script paths by their name, uniquely count them, then sort them again numerically from lowest to highest.

    You should get back something like this:

    15 /home/uname/public_html/about-us
    25 /home/uname/public_html
    7866 /home/uname/public_html/dir

    Here we can see that the /home/uname/public_html/dir directory by far has more deliveries coming in than the others.


    Now we can run the command to see what files and scripts are located in that directory:

    ls -lahtr /home/uname/public_html/dir

    In this case we got back:

    drwxr-xr-x 15 uname uname 3.0K Jan 20 10:25 ../
    -rw-r--r-- 1 uname uname 9.6K Jan 20 11:27 mail.php
    drwxr-xr-x 2 uname uname 2.0K Jan 20 11:27 ./

    So we can see there is a script called mail.php in this directory. Knowing the mail.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script, using the following command:

    grep "mail.php" /home/uname/access-logs/domain.com | awk '{print $1}' | sort -n | uniq -c | sort -n

    You should get back something similar to this:

    2 113.113.123.136
    2 143.163.143.15
    2 143.123.173.124
    7860 13.13.13.13

    So we can clearly see that the IP address 13.13.13.13 was responsible for using our mailer script in a malicious nature. If you did find a malicious IP address sending out a large volume of messages from a script on your server, you'll probably want to go ahead and block them at your server's firewall.
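As an added example that is not code from the thread or from any of the posters, the following POSIX shell script replays the two pipelines from the post above (the Exim cwd= count per calling directory, and the Apache per-client count for one script) on constructed log lines, so the procedure can be tried offline before running it against a real /var/log/exim_mainlog. The directory names, the user name "uname", the script name, the IP addresses (taken from the TEST-NET documentation ranges) and the threshold of 3 requests are all constructed assumptions; the only real detail relied on is the format of Exim's `cwd=... N args:` log line.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduces the two log-analysis
# pipelines from the post on constructed sample data so they run offline.
# Directory names, the user name "uname", the script name and the IP
# addresses (TEST-NET ranges) are all constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXIM_LOG="$WORK/exim_mainlog"
ACCESS_LOG="$WORK/access-log"

# Constructed Exim main-log lines. When the "arguments" log selector is on,
# Exim records the working directory (cwd=) of the process that invoked it,
# which is what gives away a PHP mailer's location. Queue runs show
# cwd=/var/spool/... and are normal Exim activity.
cat > "$EXIM_LOG" <<'EOF'
2008-03-14 07:50:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2008-03-14 07:50:02 cwd=/home/uname/public_html/about-us 4 args: /usr/sbin/sendmail -t -i
2008-03-14 07:50:03 cwd=/home/uname/public_html 4 args: /usr/sbin/sendmail -t -i
2008-03-14 07:50:04 cwd=/home/uname/public_html/dir 4 args: /usr/sbin/sendmail -t -i
2008-03-14 07:50:05 cwd=/home/uname/public_html/dir 4 args: /usr/sbin/sendmail -t -i
2008-03-14 07:50:06 cwd=/home/uname/public_html 4 args: /usr/sbin/sendmail -t -i
2008-03-14 07:50:07 cwd=/home/uname/public_html/dir 4 args: /usr/sbin/sendmail -t -i
2008-03-14 07:50:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2008-03-14 07:50:09 cwd=/home/uname/public_html/dir 4 args: /usr/sbin/sendmail -t -i
EOF

# Constructed Apache access-log lines (combined format) for the same site.
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [20/Jan/2008:11:27:01 +0000] "POST /dir/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Jan/2008:11:27:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2008:11:27:03 +0000] "POST /dir/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2008:11:27:04 +0000] "GET /dir/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2008:11:27:05 +0000] "POST /dir/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Jan/2008:11:27:06 +0000] "POST /dir/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2008:11:27:07 +0000] "POST /dir/mail.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# Step 1 of the post: deliveries per calling directory, Exim's own spool
# excluded, least busy first. Output lines are "<count> <directory>".
count_sending_dirs() {
    grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' \
        | awk '{print $1}' | sort | uniq -c | sort -n
}

# The directory with the most deliveries is the last line after sort -n.
busiest_sending_dir() {
    count_sending_dirs "$1" | tail -n 1 | awk '{print $2}'
}

# Step 3 of the post: requests per client IP for one script name in an
# Apache access log. Output lines are "<count> <ip>".
count_script_clients() {
    grep "$2" "$1" | awk '{print $1}' | sort -n | uniq -c | sort -n
}

busiest_client_ip() {
    count_script_clients "$1" "$2" | tail -n 1 | awk '{print $2}'
}

# Clients whose request count for the script is at or above a threshold.
# Assumption: the cut-off is chosen per site; 3 only suits the sample data.
heavy_script_clients() {
    count_script_clients "$1" "$2" | awk -v min="$3" '$1 >= min {print $2}'
}

echo "Deliveries per calling directory:"
count_sending_dirs "$EXIM_LOG"
echo "Busiest directory: $(busiest_sending_dir "$EXIM_LOG")"
echo "Requests per client for mail.php:"
count_script_clients "$ACCESS_LOG" mail.php
echo "Heaviest client: $(busiest_client_ip "$ACCESS_LOG" mail.php)"
echo "Clients at or above 3 requests: $(heavy_script_clients "$ACCESS_LOG" mail.php 3)"
```

On a real server, point `count_sending_dirs` at /var/log/exim_mainlog and `count_script_clients` at the domain's access log. The cwd= field only appears when Exim's log_selector includes +arguments (the extended logging post #3 asks about), so if the first grep returns nothing, enable that selector and wait for new deliveries rather than concluding the spam has stopped.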
