Solved

Spammers is using my server how can I take down their operation

Posted on 2014-09-09
11
195 Views
Last Modified: 2014-10-14
I have an email server, but the las 1rst and 6th of september some spammer is sending spam from my server.

My problem is that I can't detect how is doing this, apparently they hijacked a website in my server and put there a cgi or php script, cause the maillog show this kind or registry:

Sep  6 16:44:20 sm3 sendmail[27961]: s86LTIdQ027961: from=<apache@my.server.com>, size=1653, class=0, nrcpts=1, msgid=<201409061259.s86CxFP8005548@my.server.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Sep  6 16:44:20 sm3 sm-msp-queue[27960]: s86CxFP8005548: to=ascdfgh.sdewqq@aaa.com, ctladdr=apache (48/48), delay=08:45:05, xdelay=00:00:00, mailer=relay, pri=121430, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s86LTIdQ027961 Message accepted for delivery)
Sep  6 16:48:20 sm3 sendmail[5809]: s86LTIdQ027961: to=<ascdfgh.sdewqq@aaa.com>, ctladdr=<apache@my.server.com> (48/48), delay=00:04:00, xdelay=00:04:00, mailer=esmtp, pri=121653, relay=aaa.com. [63.240.178.216], dsn=4.0.0, stat=Deferred: Connection timed out with aaa.com.


There are not ip that I can't block, because the ip is the localhost, so they are using apache user to send.

I look for the spammer in the access_log to check if there a webpage that is sending the spam, but access_log don't show any activity suspect.

Any idea that you can share to know how I can't find the spammers' tools in my server?

Thank you
0
Comment
Question by:CloudHelpdeskOne
  • 4
  • 4
  • 3
11 Comments
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40313086
Check for script in your cgi-bin directory and grep for sendmail.  You should be easily able to find the offending script.

If the script is allowed but not locked down, do so.

If the script was uploaded and shouldn't have been, then update all of your apps and check for rootkits, etc.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40313371
You can see accesses in web logs, probably some contact form is accessed at the moment spam message fires
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40331553
Apparently the spammer didn't use a webform to send the email. The spammer injected to the server his tools. I found these files in /tmp directory:

-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjxX*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdjx*
-rwxrwxrwx 1 apache apache  17524 Aug 30 11:38 JdhHdjUdj*
-rwxrwxrwx 1 apache apache  21340 Sep  9 00:27 TU7E876x*
-rwxrwxrwx 1 apache apache  18432 Sep  9 00:27 TU7E876*
-rw-r--r-- 1 apache apache  28468 Sep  9 00:27 TU7E876x.pl
-rw-r--r-- 1 apache apache  24586 Sep  9 00:27 TU7E876.pl
-rwxrwxrwx 1 apache apache  22212 Sep  9 01:03 SLKuuT65*

I opened these files, but looks to be binary or encrypted. The .pl file have a date around the attack.

Any suggestion to find out how could they injected to my server these file?
Or any suggestion to open this files in some way we can read them?

Since I delete these files, no more spam was sent from my server, and that's explain why in the weblogs were not any registries about sending spam
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 28

Expert Comment

by:Jan Springer
ID: 40331596
I usually see this via PHP but can happen if "POST" is not restricted or denied in the webserver configuration.

How often and how many updates are there needed on this server?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40331618
can you check those files with "file" command?
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40346745
Dear jesper I guess this server have a long time without updates, this server was hardening, so updates are hard to do.
Where can I restrict the post method to php? In php.ini?
Regards
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40346749
Dear gheist this is the result of the file command:

$ file JdhHdjUdjxX
JdhHdjUdjxX: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdjx
JdhHdjUdjx: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file JdhHdjUdj
JdhHdjUdj: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x
TU7E876x: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876
TU7E876: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
$ file TU7E876x.pl
TU7E876x.pl: ASCII text, with very long lines, with CRLF line terminators
$ file TU7E876.pl
TU7E876.pl: ASCII text, with very long lines, with CRLF line terminators
$ file SLKuuT65
SLKuuT65: ELF 64-bit LSB executable, AMD x86-64, version 1 (GNU/Linux), statically linked, stripped
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 333 total points
ID: 40346751
Restrict POST and PUT in your apache configuration.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40347266
You did not tell which linux you are runing. If you do it is much easier to tell you how to find offending PHP forms....
0
 

Author Comment

by:CloudHelpdeskOne
ID: 40359839
This server is Fedora 6, this is the versio:

Linux version 2.6.22.14-72.fc6 (brewbuilder@hs20-bc1-6.build.redhat.com) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-13)) #1 SMP Wed Nov 21 15:12:59 EST 2007

The cpu is Intel(R) Pentium(R) 4 CPU 2.40GHz
0
 
LVL 62

Accepted Solution

by:
gheist earned 167 total points
ID: 40360023
Uff. It is way past EOL. Soryy to say but you need a new server. It has like 100 security holes all remotely exploitable. So now it is being plundered until you take it down.

 CentOS5 is close match to your Fedora, but i'd explore CentOS6 or Ubuntu 14.04 to keep it working longer.
If you are in a rented host - tell them abut your problem, thay will give you other for a month for free of 60% of price so you can migrate off your old monstrosity.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question