Solved

Spammers is using my server how can I take down their operation

Posted on 2014-09-09
11
201 Views
Last Modified: 2014-10-14
I have an email server, but the las 1rst and 6th of september some spammer is sending spam from my server.

My problem is that I can't detect how is doing this, apparently they hijacked a website in my server and put there a cgi or php script, cause the maillog show this kind or registry:

Sep  6 16:44:20 sm3 sendmail[27961]: s86LTIdQ027961: from=<apache@my.server.com>, size=1653, class=0, nrcpts=1, msgid=<201409061259.s86CxFP8005548@my.server.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:48:20 sm3 sendmail[5809]: s86LTIdQ027961: to=<ascdfgh.sdewqq@aaa.com>, ctladdr=<apache@my.server.com> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [63.240.178.216], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.


There are not ip that I can't block, because the ip is the localhost, so they are using apache user to send.

I look for the spammer in the access_log to check if there a webpage that is sending the spam, but access_log don't show any activity suspect.

Any idea that you can share to know how I can't find the spammers' tools in my server?

Thank you
0
Comment
Question by:CloudHelpdeskOne
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
11 Comments
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40313086
Check for script in your cgi-bin directory and grep for sendmail.  You should be easily able to find the offending script.

If the script is allowed but not locked down, do so.

If the script was uploaded and shouldn't have been, then update all of your apps and check for rootkits, etc.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40313371
You can see accesses in web logs, probably some contact form is accessed at the moment spam message fires
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40331553
Apparently the spammer didn't use a webform to send the email. The spammer injected to the server his tools. I found these files in /tmp directory:

-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjxX*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjx*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdj*
-rwxrwxrwx 1 apache apache  21340 Sep  9 00:27 TU7E876x*
-rwxrwxrwx 1 apache apache  18432 Sep  9 00:27 TU7E876*
-rw-r--r-- 1 apache apache  28468 Sep  9 00:27 TU7E876x.pl
-rw-r--r-- 1 apache apache  24586 Sep  9 00:27 TU7E876.pl
-rwxrwxrwx 1 apache apache  22212 Sep  9 01:03 SLKuuT65*

I opened these files, but looks to be binary or encrypted. The .pl file have a date around the attack.

Any suggestion to find out how could they injected to my server these file?
Or any suggestion to open this files in some way we can read them?

Since I delete these files, no more spam was sent from my server, and that's explain why in the weblogs were not any registries about sending spam
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 29

Expert Comment

by:Jan Springer
ID: 40331596
I usually see this via PHP but can happen if "POST" is not restricted or denied in the webserver configuration.

How often and how many updates are there needed on this server?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40331618
can you check those files with "file" command?
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40346745
Dear jesper I guess this server have a long time without updates, this server was hardening, so updates are hard to do.
Where can I restrict the post method to php? In php.ini?
Regards
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40346749
Dear gheist this is the result of the file command:

$ file JdhHdjUdjxX
JdhHdjUdjxX: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdjx
JdhHdjUdjx: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdj
JdhHdjUdj: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x
TU7E876x: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876
TU7E876: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x.pl
TU7E876x.pl: ASCII text, with very long lines, with CRLF line terminators
$ file TU7E876.pl
TU7E876.pl: ASCII text, with very long lines, with CRLF line terminators
$ file SLKuuT65
SLKuuT65: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40346751
Restrict POST and PUT in your apache configuration.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40347266
You did not tell which linux you are runing. If you do it is much easier to tell you how to find offending PHP forms....
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40359839
This server is Fedora 6, this is the versio:

Linux version 2.6.22.14-72.fc6 (brewbuilder@hs20-bc1-6.build.redhat.com) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)) #1 SMP Wed Nov 21 15:12:59 EST 2007

The cpu is Intel(R) Pentium(R) 4 CPU 2.40GHz
0
 
LVL 62

Accepted Solution

by:
gheist earned 167 total points
ID: 40360023
Uff. It is way past EOL. Soryy to say but you need a new server. It has like 100 security holes all remotely exploitable. So now it is being plundered until you take it down.

 CentOS5 is close match to your Fedora, but i'd explore CentOS6 or Ubuntu 14.04 to keep it working longer.
If you are in a rented host - tell them abut your problem, thay will give you other for a month for free of 60% of price so you can migrate off your old monstrosity.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question