Solved

Spammers is using my server how can I take down their operation

Posted on 2014-09-09
11
196 Views
Last Modified: 2014-10-14
I have an email server, but this last 1st and 6th of September some spammer was sending spam from my server.

My problem is that I can't detect how they are doing this. Apparently they hijacked a website on my server and put a CGI or PHP script there, because the maillog shows this kind of record:

Sep  6 16:44:20 sm3 sendmail[27961]: s86LTIdQ027961: from=<apache@my.server.com>, size=1653, class=0, nrcpts=1, msgid=<201409061259.s86CxFP8005548@my.server.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:48:20 sm3 sendmail[5809]: s86LTIdQ027961: to=<ascdfgh.sdewqq@aaa.com>, ctladdr=<apache@my.server.com> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [63.240.178.216], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.


There is no IP that I can block, because the IP is localhost, so they are using the apache user to send.

I looked for the spammer in the access_log to check if there is a web page that is sending the spam, but the access_log doesn't show any suspicious activity.

Any idea you can share on how I can find the spammers' tools on my server?

Thank you
0
Question by:CloudHelpdeskOne
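The maillog lines above record the delivery attempt, not the moment the script handed the message to sendmail: the sm-msp-queue line's delay=08:45:05 says the message was queued almost nine hours before 16:44:20, which is why nothing stands out in access_log at that time. This added example (not from the thread) computes the submission time for every message sent by the apache user, the timestamp to search for in access_log; the sample log is constructed from the line in the question, and the user name and the "delay=" format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): given sendmail maillog lines, work out when
# each message submitted by the web-server user was handed to the MSP queue, so the
# access_log can be searched at that instant rather than at the delivery time.
# Assumptions: sendmail's "delay=" is the time since submission (it may carry a
# "D+HH:MM:SS" day prefix); the ctladdr user defaults to "apache" as in the question.

# Constructed sample: the sm-msp-queue line from the question plus two made-up lines
# (one that crosses midnight, one sent by an ordinary user that must be ignored).
sample_maillog() {
cat <<'EOF'
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  7 01:10:00 sm3 sm-msp-queue[30001]: s870A0Zz030001: to=someone@example.net, ctladdr=apache (48/48), delay=1+02:15:00, xdelay=00:00:01, mailer=relay, pri=30000, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s870A0Zz030002 Message accepted for delivery)
Sep  7 09:00:00 sm3 sm-msp-queue[30500]: s878xxAb030500: to=bob@example.org, ctladdr=bob (500/500), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30000, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s878xxAb030501 Message accepted for delivery)
EOF
}

# usage: submission_times LOGFILE [USER]
# prints: <queue id> <month day> [(N day(s) earlier)] <HH:MM:SS of submission>
submission_times() {
    awk -v user="${2:-apache}" '
        /sm-msp-queue\[/ && $0 ~ ("ctladdr=" user " ") {
            qid = $6; sub(/:$/, "", qid)                     # "s86CxFP8005548:" -> id
            split($3, t, ":"); logsec = t[1]*3600 + t[2]*60 + t[3]
            # " delay=" (with the leading space) skips the later "xdelay=" field
            if (!match($0, / delay=([0-9]+\+)?[0-9]+:[0-9]+:[0-9]+/)) next
            d = substr($0, RSTART + 7, RLENGTH - 7); back = 0
            if (index(d, "+")) { split(d, p, "+"); back = p[1]; d = p[2] }
            split(d, dl, ":"); ssec = logsec - (dl[1]*3600 + dl[2]*60 + dl[3])
            while (ssec < 0) { ssec += 86400; back++ }      # submission was before midnight
            day = $1 " " $2
            if (back > 0) day = day " (" back " day(s) earlier)"
            printf "%s %s %02d:%02d:%02d\n", qid, day, ssec/3600, (ssec%3600)/60, ssec%60
        }' "$1"
}
```

For the line in the question this prints 07:59:15 on Sep 6, so that is the second to grep for in access_log (and in error_log) rather than 16:44.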
11 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40313086
Check for scripts in your cgi-bin directory and grep for sendmail.  You should easily be able to find the offending script.

If the script is allowed but not locked down, do so.

If the script was uploaded and shouldn't have been, then update all of your apps and check for rootkits, etc.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40313371
You can see accesses in web logs; probably some contact form is accessed at the moment the spam message fires.
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40331553
Apparently the spammer didn't use a web form to send the email. The spammer injected his tools into the server. I found these files in the /tmp directory:

-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjxX*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjx*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdj*
-rwxrwxrwx 1 apache apache  21340 Sep  9 00:27 TU7E876x*
-rwxrwxrwx 1 apache apache  18432 Sep  9 00:27 TU7E876*
-rw-r--r-- 1 apache apache  28468 Sep  9 00:27 TU7E876x.pl
-rw-r--r-- 1 apache apache  24586 Sep  9 00:27 TU7E876.pl
-rwxrwxrwx 1 apache apache  22212 Sep  9 01:03 SLKuuT65*

I opened these files, but they look to be binary or encrypted. The .pl files have a date around the attack.

Any suggestion to find out how they could have injected these files into my server?
Or any suggestion to open these files in some way that we can read them?

Since I deleted these files, no more spam has been sent from my server, and that explains why there were no records about sending spam in the web logs.
0
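Jan Springer's grep-for-sendmail advice and the /tmp listing above boil down to two checks that can be run on any web server. This is an added example, not code from either poster; it assumes the web tree is the directory passed as the first argument, that the web-server user is apache (uid 48 in the maillog) unless overridden, and that `file` and binutils `strings` are installed for the triage step.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for the situation described above,
# a web-server user sending mail without any matching access_log entry.
# Assumptions: the web tree and cgi-bin live under the directory passed as $1;
# the web-server user is "apache" (48/48 in the maillog) unless overridden.

# 1. Scripts under a web root that can send mail or run commands. Looks for
#    sendmail, PHP mail()/popen() and base64_decode() (the usual way dropped
#    mailer scripts hide their payload). Output: one path per line, sorted.
find_mail_scripts() {   # usage: find_mail_scripts /var/www
    grep -rlE 'sendmail|mail\(|popen\(|base64_decode\(' "$1" 2>/dev/null | sort
}

# 2. Files a compromised web process typically drops: regular files in a
#    world-writable directory such as /tmp, owned by the web-server user,
#    modified within the last N days, and either executable or .pl/.php.
#    This matches the stripped ELF binaries and .pl files the asker found.
find_dropped_files() {  # usage: find_dropped_files /tmp [user] [days]
    find "$1" -type f -user "${2:-apache}" -mtime -"${3:-30}" \
        \( -perm -100 -o -name '*.pl' -o -name '*.php' \) 2>/dev/null | sort
}

# 3. For each suspect, print the most useful facts without executing it:
#    type (as gheist suggested), owner and mtime, and any embedded strings
#    that look like URLs or SMTP commands. Requires file(1) and strings(1).
triage() {              # usage: triage FILE
    file "$1"
    ls -l "$1"
    strings "$1" | grep -iE 'https?://|smtp|helo|mail from' | head -n 20
}
```

Run find_mail_scripts on every DocumentRoot and cgi-bin, and find_dropped_files on /tmp, /var/tmp and /dev/shm; anything the output turns up should be preserved (copied elsewhere, hashed) before it is deleted, since the files themselves are the only evidence of how the server was entered.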

 
LVL 28

Expert Comment

by:Jan Springer
ID: 40331596
I usually see this via PHP, but it can happen if "POST" is not restricted or denied in the web server configuration.

How often and how many updates are needed on this server?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40331618
Can you check those files with the "file" command?
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40346745
Dear jesper, I guess this server has gone a long time without updates; this server was hardened, so updates are hard to do.
Where can I restrict the POST method for PHP? In php.ini?
Regards
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40346749
Dear gheist, this is the result of the file command:

$ file JdhHdjUdjxX
JdhHdjUdjxX: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdjx
JdhHdjUdjx: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdj
JdhHdjUdj: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x
TU7E876x: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876
TU7E876: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x.pl
TU7E876x.pl: ASCII text, with very long lines, with CRLF line terminators
$ file TU7E876.pl
TU7E876.pl: ASCII text, with very long lines, with CRLF line terminators
$ file SLKuuT65
SLKuuT65: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40346751
Restrict POST and PUT in your apache configuration.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40347266
You did not tell which Linux you are running. If you do, it is much easier to tell you how to find offending PHP forms.
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40359839
This server is Fedora 6; this is the version:

Linux version 2.6.22.14-72.fc6 (brewbuilder@hs20-bc1-6.build.redhat.com) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)) #1 SMP Wed Nov 21 15:12:59 EST 2007

The cpu is Intel(R) Pentium(R) 4 CPU 2.40GHz
0
 
LVL 62

Accepted Solution

by:gheist
gheist earned 167 total points
ID: 40360023
Uff. It is way past EOL. Sorry to say, but you need a new server. It has like 100 security holes, all remotely exploitable. So now it is being plundered until you take it down.

CentOS 5 is a close match to your Fedora, but I'd explore CentOS 6 or Ubuntu 14.04 to keep it working longer.
If you are on a rented host, tell them about your problem; they will give you another one for a month for free or at 60% of the price so you can migrate off your old monstrosity.
0
