Solved

Spammers are using my server; how can I take down their operation?

Posted on 2014-09-09
Last Modified: 2014-10-14
I have an email server, but on the last 1st and 6th of September some spammer was sending spam from my server.

My problem is that I can't detect who is doing this; apparently they hijacked a website on my server and put a CGI or PHP script there, because the maillog shows this kind of entry:

Sep  6 16:44:20 sm3 sendmail[27961]: s86LTIdQ027961: from=<apache@my.server.com>, size=1653, class=0, nrcpts=1, msgid=<201409061259.s86CxFP8005548@my.server.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:48:20 sm3 sendmail[5809]: s86LTIdQ027961: to=<ascdfgh.sdewqq@aaa.com>, ctladdr=<apache@my.server.com> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [63.240.178.216], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.


There is no IP that I can block, because the IP is the localhost, so they are using the apache user to send.

I looked for the spammer in the access_log to check if there is a webpage that is sending the spam, but access_log doesn't show any suspicious activity.

Any idea you can share on how I can find the spammers' tools on my server?

Thank you
Question by:CloudHelpdeskOne
11 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40313086
Check for script in your cgi-bin directory and grep for sendmail.  You should be easily able to find the offending script.

If the script is allowed but not locked down, do so.

If the script was uploaded and shouldn't have been, then update all of your apps and check for rootkits, etc.
 
LVL 61

Expert Comment

by:gheist
ID: 40313371
You can see accesses in web logs; probably some contact form is accessed at the moment the spam message fires.
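The correlation gheist describes, as an added example that is not part of this thread (it assumes a sendmail/sm-msp-queue maillog and an Apache combined-format access_log; the sample lines are constructed from the log in the question). The caveat it handles: the sm-msp-queue line carries delay=08:45:05, so the web request that submitted the message happened hours before the 16:44 timestamp, which is why searching access_log around the sendmail time finds nothing.

```shell
#!/bin/sh
# Added example (not from this thread): estimate when apache-submitted
# messages entered the sendmail queue, then list POST/PUT requests in
# access_log for that minute. Assumes a sendmail/sm-msp-queue maillog and
# Apache combined log format; the sample lines below are constructed.
# Constructed maillog: the first line mirrors the one in the question.
MAILLOG='Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:44:21 sm3 sm-msp-queue[27960]: s86CxFP8005549: to=root, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30000, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027962 Message accepted for delivery)'
# Constructed access_log: only the second line should be reported.
ACCESSLOG='192.0.2.10 - - [06/Sep/2014:07:59:03 -0500] "GET /index.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2014:07:59:14 -0500] "POST /old/contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Sep/2014:16:44:20 -0500] "POST /old/contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# stdin: maillog. stdout: "Mon D HH:MM queueid" for each message the apache
# user handed to the queue, with the delay= field subtracted from the log
# timestamp (the queue line is written when the message leaves the queue,
# not when the web script submitted it). Month rollover is not handled.
submission_times() {
  awk '/sm-msp-queue\[/ && /ctladdr=apache/ {
    qid = $6; sub(/:$/, "", qid)
    split($3, t, ":"); secs = t[1]*3600 + t[2]*60 + t[3]
    for (i = 7; i <= NF; i++) if ($i ~ /^delay=/) { d = substr($i, 7); sub(/,$/, "", d) }
    days = 0; if (d ~ /\+/) { split(d, p, "+"); days = p[1]; d = p[2] }   # "D+HH:MM:SS" form
    split(d, x, ":"); secs -= days*86400 + x[1]*3600 + x[2]*60 + x[3]
    day = $2; while (secs < 0) { secs += 86400; day-- }
    printf "%s %d %02d:%02d %s\n", $1, day, int(secs/3600), int((secs%3600)/60), qid
  }'
}

# $1=Mon $2=day $3=HH:MM; stdin: access_log. stdout: POST/PUT hits in that minute.
web_hits_for() {
  pat=$(printf '\\[%02d/%s/[0-9]+:%s:' "$2" "$1" "$3")
  grep -E "$pat" | grep -E '"(POST|PUT) ' || true
}

# $1=maillog file, $2=access_log file: print each suspect submission with its web hits.
correlate() {
  submission_times < "$1" | while read -r mon day hm qid; do
    echo "== $qid entered the queue about $mon $day $hm; POST/PUT requests that minute:"
    web_hits_for "$mon" "$day" "$hm" < "$2"
  done
}

# Demo on the constructed data (real use: correlate /var/log/maillog /var/log/httpd/access_log).
printf '%s\n' "$MAILLOG" > /tmp/maillog.sample.$$
printf '%s\n' "$ACCESSLOG" > /tmp/access_log.sample.$$
correlate /tmp/maillog.sample.$$ /tmp/access_log.sample.$$
rm -f /tmp/maillog.sample.$$ /tmp/access_log.sample.$$
```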
 

Author Comment

by:CloudHelpdeskOne
ID: 40331553
Apparently the spammer didn't use a webform to send the email. The spammer injected his tools into the server. I found these files in the /tmp directory:

-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjxX*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjx*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdj*
-rwxrwxrwx 1 apache apache  21340 Sep  9 00:27 TU7E876x*
-rwxrwxrwx 1 apache apache  18432 Sep  9 00:27 TU7E876*
-rw-r--r-- 1 apache apache  28468 Sep  9 00:27 TU7E876x.pl
-rw-r--r-- 1 apache apache  24586 Sep  9 00:27 TU7E876.pl
-rwxrwxrwx 1 apache apache  22212 Sep  9 01:03 SLKuuT65*

I opened these files, but they look to be binary or encrypted. The .pl files have a date around the attack.

Any suggestion to find out how they could have injected these files into my server?
Or any suggestion to open these files in some way we can read them?

Since I deleted these files, no more spam has been sent from my server, and that explains why there were no entries in the web logs about sending spam.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40331596
I usually see this via PHP, but it can happen if "POST" is not restricted or denied in the webserver configuration.

How often and how many updates are needed on this server?
 
LVL 61

Expert Comment

by:gheist
ID: 40331618
Can you check those files with the "file" command?

 

Author Comment

by:CloudHelpdeskOne
ID: 40346745
Dear Jesper, I guess this server has gone a long time without updates; this server was hardened, so updates are hard to do.
Where can I restrict the POST method for PHP? In php.ini?
Regards
 

Author Comment

by:CloudHelpdeskOne
ID: 40346749
Dear gheist this is the result of the file command:

$ file JdhHdjUdjxX
JdhHdjUdjxX: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdjx
JdhHdjUdjx: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdj
JdhHdjUdj: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x
TU7E876x: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876
TU7E876: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x.pl
TU7E876x.pl: ASCII text, with very long lines, with CRLF line terminators
$ file TU7E876.pl
TU7E876.pl: ASCII text, with very long lines, with CRLF line terminators
$ file SLKuuT65
SLKuuT65: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40346751
Restrict POST and PUT in your apache configuration.
 
LVL 61

Expert Comment

by:gheist
ID: 40347266
You did not tell which Linux you are running. If you do, it is much easier to tell you how to find offending PHP forms....
 

Author Comment

by:CloudHelpdeskOne
ID: 40359839
This server is Fedora 6; this is the version:

Linux version 2.6.22.14-72.fc6 (brewbuilder@hs20-bc1-6.build.redhat.com) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)) #1 SMP Wed Nov 21 15:12:59 EST 2007

The cpu is Intel(R) Pentium(R) 4 CPU 2.40GHz
 
LVL 61

Accepted Solution

by:gheist
gheist earned 167 total points
ID: 40360023
Uff. It is way past EOL. Sorry to say, but you need a new server. It has like 100 security holes, all remotely exploitable. So now it is being plundered until you take it down.

CentOS5 is a close match to your Fedora, but I'd explore CentOS6 or Ubuntu 14.04 to keep it working longer.
If you are in a rented host, tell them about your problem; they will give you another one for a month for free or at 60% of the price so you can migrate off your old monstrosity.
