Major email abuse... Need help tracking it down.

jim.thornton

Verified User
Joined
Jan 1, 2008
Messages
334
My sister has an account on my server. I have made her DA password really complex (randomly generated) -- including upper case, lower case, numbers and special characters.

I have set up DA to not use the MX records on the server because I have set up a Zimbra server that we use for email.

At the beginning of October I received an email saying that 5626 emails were sent out. I immediately changed her password for the DA account, including webmail. I changed the maximum emails to 500 per day.

Now I'm still getting emails. Just got one today saying she sent 500 emails.

I know that it is not possible for her to have sent them herself because she is the one that called me to give me the heads up that she received this email from my server first.

Here are the stats from her DA account:
Code:
Date 	Apache 	Email 	Ftp 	Pop 	Imap 	DirectAdmin 	Other 	Total 	Email Deliveries (Sent)
2012 10 08	759.4 MB	5.81 MB	0 B	0 B	0 B	0 B	0 B	765.3 MB	5361 (5361)
2012 10 09	21.1 MB	98.5 KB	0 B	0 B	0 B	371 KB	0 B	21.5 MB	98 (98)
2012 10 10	50.4 MB	14.0 KB	0 B	0 B	0 B	0.568 MB	0 B	51.0 MB	12 (12)
2012 10 11	26.2 MB	5.48 KB	0 B	0 B	0 B	0 B	0 B	26.2 MB	5 (5)
2012 10 12	17.5 MB	190 KB	0 B	0 B	0 B	211 KB	0 B	17.9 MB	181 (181)
2012 10 13	18.1 MB	379 KB	0 B	0 B	0 B	0 B	0 B	18.5 MB	362 (362)
2012 10 14	24.2 MB	5.55 KB	0 B	0 B	0 B	375 KB	0 B	24.6 MB	5 (5)
2012 10 15	24.4 MB	5.48 KB	0 B	0 B	0 B	0 B	0 B	24.4 MB	5 (5)
2012 10 16	32.5 MB	110 KB	0 B	0 B	0 B	0 B	0 B	32.6 MB	94 (94)
2012 10 17	60.3 MB	498 KB	0 B	0 B	0 B	0 B	0 B	60.7 MB	456 (456)
2012 10 18	58.6 MB	420 KB	0 B	0 B	0 B	0 B	0 B	59.0 MB	376 (376)
total	1.07 GB	7.50 MB	0 B	0 B	0 B	1.50 MB	0 B	1.08 GB	6955 (6955)
Could someone please help me figure out how these emails are getting sent out? I don't know where else to look.
 
/var/log/exim/mainlog

You can see who is being emailed from that account.

U= is the username sending the email.

You can also look at /var/log/maillog or /var/log/mail.info and see who is logging in via pop3/imap.
 
Okay, I have reviewed the logs but I'm not sure of the benefit in knowing "who" the emails were sent to. I know that it was spam and I know which account it is coming from. I'm not sure where it is coming from or how the abuser is gaining access to the account with such a complex password that has recently been changed.

Is there a way to find out if someone has installed a script onto my server?
 
That's why you have to go through the logs to see which IP it is coming from. The logs will tell you everything.
 
What software is used to build her site? Perhaps there's an exploit, and her site has been hacked.

Jeff
 
Joomla, it is an older version. I'm in the process of upgrading it but it is not ready yet.

There is a comments component installed. I'm thinking this is the problem. There are a lot of spam comments in this comments component, so maybe these comments are sending out emails??
 
The older version of any CMS may be the reason for what you are describing. Better to upgrade first and check that no one is sitting back maintaining a backdoor, and after all that, watch whether the spamming is still going out of your box or not.
 
Joomla, it is an older version. I'm in the process of upgrading it but it is not ready yet.

There is a comments component installed. I'm thinking this is the problem. There are a lot of spam comments in this comments component, so maybe these comments are sending out emails??

I guess you are using Joomla 1.5 with some installed extensions. Make sure you run the latest version of 1.5 (upgrading to 2.5 would be better but more complex). And don't forget to update your extensions, because that has probably been the reason for sending spam (not Joomla itself but an installed extension, I guess). Also take a look at http://docs.joomla.org/Vulnerable_Extensions_List, which might be useful for you :)
 
Okay, I have reviewed the logs but I'm not sure of the benefit in knowing "who" the emails were sent to. I know that it was spam and I know which account it is coming from. I'm not sure where it is coming from or how the abuser is gaining access to the account with such a complex password that has recently been changed.

Is there a way to find out if someone has installed a script onto my server?


Open /etc/exim.conf, either over SSH or in the file editor in DirectAdmin, and find the line:

Code:
log_selector = \

add this after that line:

Code:
  +arguments \

Save and restart exim. From now on all arguments will be logged; they include the path to the script if an email is sent by a script. This will help you to find malicious scripts on your server.

Then you might need to use eximstats to find top senders, top locations, top destinations and other info.
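As an added illustration of the two pieces of advice in this thread (count "<=" arrivals per U= user in mainlog, and read the "cwd=... args:" lines that +arguments adds to find the submitting directory), here is a small log summariser. It is example code, not anything from the thread, DirectAdmin or exim; the log lines are constructed, and the "cwd=DIR N args: ..." layout is the form I recall exim using, so check it against your own mainlog.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim/mainlog lines (not real data).
# The "cwd=... args:" lines are what exim writes once "+arguments" is in log_selector.
SAMPLE_MAINLOG = """\
2012-10-18 09:01:02 cwd=/home/sis/domains/example.com/public_html/components/com_comments 4 args: /usr/sbin/sendmail -t -i -fwww@example.com
2012-10-18 09:01:02 1TOcQm-0003Fa-1x <= www@example.com U=sis P=local S=2310
2012-10-18 09:01:03 1TOcQm-0003Fa-1x => victim@mail.test R=lookuphost T=remote_smtp
2012-10-18 09:01:05 cwd=/home/sis/domains/example.com/public_html/components/com_comments 4 args: /usr/sbin/sendmail -t -i -fwww@example.com
2012-10-18 09:01:05 1TOcQn-0003Fb-2y <= www@example.com U=sis P=local S=2290
2012-10-18 09:02:11 1TOcQo-0003Fc-3z <= jim@example.org U=jim P=local S=1120
2012-10-18 09:05:40 cwd=/home/sis/domains/example.com/public_html/components/com_comments 4 args: /usr/sbin/sendmail -t -i -fwww@example.com
2012-10-18 09:05:40 1TOcQp-0003Fd-4a <= www@example.com U=sis P=local S=2301
"""

# Message arrival from a local process: date, time, message id, "<=", sender, U=user.
# Requiring U= skips remote SMTP arrivals (which carry H=host instead).
ARRIVAL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \S+ <= (\S+) U=(\S+)")
# Line written by the +arguments log selector: working directory and argv of the submitter.
CWD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ cwd=(\S+) \d+ args: (.*)$")


def summarize(mainlog):
    """Return (per_user, per_cwd): arrivals per (day, user) and submissions per directory."""
    per_user, per_cwd = Counter(), Counter()
    for line in mainlog.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            day, _sender, user = m.groups()
            per_user[(day, user)] += 1
            continue
        m = CWD_RE.match(line)
        if m:
            _day, cwd, _args = m.groups()
            per_cwd[cwd] += 1
    return per_user, per_cwd


def over_limit(per_user, limit):
    """(day, user) pairs whose local submissions exceed the per-day limit, e.g. the 500 set in DA."""
    return sorted(key for key, n in per_user.items() if n > limit)


if __name__ == "__main__":
    users, dirs = summarize(open("/var/log/exim/mainlog").read())
    for key in over_limit(users, 500):
        print("over limit:", key, users[key])
    for cwd, n in dirs.most_common(5):
        print(n, cwd)  # directories most often submitting mail: where to look for a script
```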
 