Solved

Spammers are using my server, how can I take down their operation?

Posted on 2014-09-09
Last Modified: 2014-10-14
I have an email server, but on the 1st and 6th of September some spammer was sending spam from my server.

My problem is that I can't detect who is doing this; apparently they hijacked a website on my server and put a CGI or PHP script there, because the maillog shows this kind of record:

Sep  6 16:44:20 sm3 sendmail[27961]: s86LTIdQ027961: from=<apache@my.server.com>, size=1653, class=0, nrcpts=1, msgid=<201409061259.s86CxFP8005548@my.server.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:48:20 sm3 sendmail[5809]: s86LTIdQ027961: to=<ascdfgh.sdewqq@aaa.com>, ctladdr=<apache@my.server.com> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [63.240.178.216], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.


There is no IP that I can block, because the IP is localhost, so they are using the apache user to send.

I looked for the spammer in the access_log to check if there is a webpage that is sending the spam, but the access_log doesn't show any suspicious activity.

Any idea you can share on how I can find the spammers' tools on my server?

Thank you
Question by:CloudHelpdeskOne
11 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40313086
Check for script in your cgi-bin directory and grep for sendmail.  You should be easily able to find the offending script.

If the script is allowed but not locked down, do so.

If the script was uploaded and shouldn't have been, then update all of your apps and check for rootkits, etc.
 
LVL 61

Expert Comment

by:gheist
ID: 40313371
You can see accesses in the web logs; probably some contact form is accessed at the moment the spam message fires.
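The correlation gheist describes, as an added example that is not part of the thread: it reads the question's own maillog lines and two constructed access_log lines, and uses sendmail's delay= field to recover when the apache user first handed the message to the queue, because that submission can sit hours before the relay line that the question quotes. It assumes both logs use the same local time zone and that the maillog year is 2014.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the maillog lines are the two from the question;
# the access_log lines are made up for this example.
MAILLOG = """\
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:48:20 sm3 sendmail[5809]: s86LTIdQ027961: to=<ascdfgh.sdewqq@aaa.com>, ctladdr=<apache@my.server.com> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [63.240.178.216], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.
"""
ACCESS_LOG = """\
203.0.113.7 - - [06/Sep/2014:07:59:12 -0500] "POST /old-site/contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Sep/2014:16:44:19 -0500] "GET /index.html HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

MAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: \S+: to=<?([^,>]+)>?, "
                     r"ctladdr=<?apache\b.*?delay=(\d\d):(\d\d):(\d\d)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "(\w+) (\S+)')

def submission_times(maillog, year):
    """Earliest estimated queue-entry time per recipient for mail sent as 'apache'.
    delay= is the time since the message first entered the queue, so logged - delay
    is when the web process actually handed it to sendmail."""
    earliest = {}
    for line in maillog.splitlines():
        m = MAIL_RE.search(line)
        if not m:
            continue
        logged = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        h, mi, s = (int(x) for x in m.group(3, 4, 5))
        queued = logged - timedelta(hours=h, minutes=mi, seconds=s)
        rcpt = m.group(2)
        if rcpt not in earliest or queued < earliest[rcpt]:
            earliest[rcpt] = queued
    return earliest

def correlate(maillog, access_log, year, window_s=120):
    """(recipient, client_ip, method, path) for every request that landed within
    window_s seconds of a suspected submission; a POST hit is the usual culprit."""
    subs = submission_times(maillog, year)
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        req = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        for rcpt, queued in subs.items():
            if abs((req - queued).total_seconds()) <= window_s:
                hits.append((rcpt, m.group(1), m.group(3), m.group(4)))
    return hits
```

Run on real logs, widen window_s if the server is busy and look at which scripts receive the POSTs; a request that arrives close to the delay-adjusted time but not to the relay time is exactly the case the question's log shows.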
 

Author Comment

by:CloudHelpdeskOne
ID: 40331553
Apparently the spammer didn't use a webform to send the email. The spammer injected his tools into the server. I found these files in the /tmp directory:

-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjxX*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjx*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdj*
-rwxrwxrwx 1 apache apache  21340 Sep  9 00:27 TU7E876x*
-rwxrwxrwx 1 apache apache  18432 Sep  9 00:27 TU7E876*
-rw-r--r-- 1 apache apache  28468 Sep  9 00:27 TU7E876x.pl
-rw-r--r-- 1 apache apache  24586 Sep  9 00:27 TU7E876.pl
-rwxrwxrwx 1 apache apache  22212 Sep  9 01:03 SLKuuT65*

I opened these files, but they look to be binary or encrypted. The .pl files have a date around the attack.

Any suggestion to find out how they could have injected these files into my server?
Or any suggestion to open these files in some way we can read them?

Since I deleted these files, no more spam has been sent from my server, and that explains why there were no records in the web logs about sending spam.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40331596
I usually see this via PHP, but it can happen if "POST" is not restricted or denied in the webserver configuration.

How often and how many updates are there needed on this server?
 
LVL 61

Expert Comment

by:gheist
ID: 40331618
Can you check those files with the "file" command?

 

Author Comment

by:CloudHelpdeskOne
ID: 40346745
Dear Jesper, I guess this server has gone a long time without updates; this server was hardened, so updates are hard to do.
Where can I restrict the POST method for PHP? In php.ini?
Regards
 

Author Comment

by:CloudHelpdeskOne
ID: 40346749
Dear gheist, this is the result of the file command:

$ file JdhHdjUdjxX
JdhHdjUdjxX: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdjx
JdhHdjUdjx: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdj
JdhHdjUdj: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x
TU7E876x: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876
TU7E876: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x.pl
TU7E876x.pl: ASCII text, with very long lines, with CRLF line terminators
$ file TU7E876.pl
TU7E876.pl: ASCII text, with very long lines, with CRLF line terminators
$ file SLKuuT65
SLKuuT65: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40346751
Restrict POST and PUT in your apache configuration.
 
LVL 61

Expert Comment

by:gheist
ID: 40347266
You did not tell which Linux you are running. If you do, it is much easier to tell you how to find the offending PHP forms.
 

Author Comment

by:CloudHelpdeskOne
ID: 40359839
This server is Fedora 6; this is the version:

Linux version 2.6.22.14-72.fc6 (brewbuilder@hs20-bc1-6.build.redhat.com) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)) #1 SMP Wed Nov 21 15:12:59 EST 2007

The cpu is Intel(R) Pentium(R) 4 CPU 2.40GHz
 
LVL 61

Accepted Solution

by:gheist
gheist earned 167 total points
ID: 40360023
Uff. It is way past EOL. Sorry to say, but you need a new server. It has like 100 security holes, all remotely exploitable. So now it is being plundered until you take it down.

CentOS5 is a close match to your Fedora, but I'd explore CentOS6 or Ubuntu 14.04 to keep it working longer.
If you are in a rented host, tell them about your problem; they will give you another one for a month for free or at 60% of the price so you can migrate off your old monstrosity.
