fsockopen spam

Yolte

Hello,

I found a file in a WordPress site (base64 decoded). When I decode this file, I see that the spammer is using some email addresses and passwords (which are not related to my server) and using fsockopen to send spam mail with my server's IP address.

So,

- Some infected website with this file
- Using some email addresses and passwords for authentication
- The spammer connects to my server with this PHP file and uses my main IP address
- He is using my server like a relay or proxy pass.


I can see these connections with tcpdump:

Code:
16:20:43.189411 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:43.272616 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0
16:20:43.272709 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 31
16:20:43.441488 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 54
16:20:43.631498 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:43.631614 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 23
16:20:43.849555 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 54
16:20:44.043821 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 34
16:20:44.216208 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 44
16:20:44.320743 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 6
16:20:44.492226 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 39
16:20:44.511391 IP X.X.X.X1.34543 > 65.55.37.104.smtp: tcp 0
16:20:44.628693 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 1208
16:20:44.666593 IP X.X.X.X1.40587 > 67.231.152.47.smtp: tcp 0
16:20:44.817925 IP X.X.X.X1.40587 > 67.231.152.47.smtp: tcp 0
16:20:45.241665 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 6
16:20:45.408418 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0
16:20:45.412143 IP X.X.X.X1.60466 > 65.175.128.136.smtp: tcp 0

First I thought of disabling some PHP functions like fsockopen, but there are lots of different ways to make a connection.

Do you have any suggestion to stop this?

If you want to see file: http://pastebin.ca/3162557

P.S.: I know I can find these files and delete them, but I want to block this method to prevent further problems.

Thanks
 
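The capture above is the kind of evidence worth turning into a quick summary before hunting the script. The following is an added example, not code from the thread: it summarises outbound SMTP flows from tcpdump output (same line shape as above, sample lines constructed with documentation-range addresses) per destination and lists the local source ports behind a given destination, so the process can be looked up while it is running. The function names and the sample data are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise outbound SMTP flows from a
# tcpdump capture so the noisiest destinations and the local source ports
# behind them stand out. Input lines are in the same shape as the capture
# above; the sample below is constructed, with documentation-range addresses.

TCPDUMP_SAMPLE='16:20:43.189411 IP 198.51.100.7.34543 > 192.0.2.10.smtp: tcp 0
16:20:43.272616 IP 198.51.100.7.60466 > 192.0.2.20.smtp: tcp 0
16:20:43.272709 IP 198.51.100.7.60466 > 192.0.2.20.smtp: tcp 31
16:20:43.631614 IP 198.51.100.7.34543 > 192.0.2.10.smtp: tcp 23
16:20:44.216208 IP 198.51.100.7.34543 > 192.0.2.10.smtp: tcp 44
16:20:44.628693 IP 198.51.100.7.60466 > 192.0.2.20.smtp: tcp 1208
16:20:44.666593 IP 198.51.100.7.40587 > 192.0.2.30.smtp: tcp 0
16:20:45.100000 IP 198.51.100.7.41000 > 192.0.2.20.smtp: tcp 0
16:20:45.300000 IP 198.51.100.7.51234 > 192.0.2.80.http: tcp 0'

# Read tcpdump lines on stdin; print "<dst_ip> <connections> <payload_bytes>"
# per SMTP destination, largest payload first. Each distinct local source
# port counts as one connection; non-SMTP lines are ignored.
summarize_smtp_flows() {
    awk '
        $2 == "IP" && $5 ~ /\.smtp:$/ {
            dst = $5; sub(/\.smtp:$/, "", dst)
            conn[$3] = dst          # local ip.port -> destination
            bytes[dst] += $7        # tcp payload length from "tcp N"
        }
        END {
            for (s in conn) count[conn[s]]++
            for (d in bytes) printf "%s %d %d\n", d, count[d], bytes[d]
        }' | sort -k3,3nr
}

# Print the local source ports that talked to a given destination, so the
# owning process can be found with "ss -tnp" or "lsof -i :PORT" while it runs.
local_ports_for() {
    awk -v want="$1" '
        $2 == "IP" && $5 == (want ".smtp:") {
            n = split($3, a, "."); print a[n]
        }' | sort -un
}

printf '%s\n' "$TCPDUMP_SAMPLE" | summarize_smtp_flows
printf '%s\n' "$TCPDUMP_SAMPLE" | local_ports_for 192.0.2.20
```

On a live box the input would come from something like `tcpdump -nn -l tcp dst port 25`; the source port is the link to the process, and from the process you get the uid and the script path, which is what the later replies restrict on.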
The best way is to install CSF/LFD and limit outgoing ports to the ones really needed.
This way only scripts working via the default ports will work.

I also thought there were ways to monitor outgoing traffic of users.

Next to that, install Maldetect; it will detect base64 encrypted files in your users' home directories and warn you about them. You can even have them removed automatically.

I don't know of a way to really block these kinds of attempts, so I will follow this thread to see if others have some smart ideas about fighting this kind of abuse.
 
Outgoing port 25 should be blocked for everyone except "mail" and "root".

To test, log in via SSH as any non-root user, like "admin", and try:
Code:
telnet directadmin.com 25
or any external server, to ensure they're blocked (but connecting to port 80, for example, should work).
I believe CSF does have this ability, but not sure if it's enabled by default.

I guess one could also block outbound port 587, as login attacks could be done against a remote box to try and figure out a password... and if known, use it... so might as well add 587 to that "mail"-only list too.

I had to hunt around, but found the settings here:
https://forum.directadmin.com/showthread.php?t=51923&p=267072#post267072

John
 
I limited dst port 25 for some UIDs on the server with an iptables rule.

And it seems to have fixed my problem.

Thank you all.
 
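The two replies above describe the same control from both sides: John's "mail and root only" policy with a telnet test from a non-root login, and the per-uid iptables rule that fixed the problem. As an added example (not code from the thread or from DirectAdmin/CSF), here is one way to express that policy with iptables' owner match: the listed uids pass, everyone else is rate-limited into the log and rejected. The chain name SMTP_OUT, the log prefix and the use of nc instead of telnet for the check are this example's choices; the rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that let only
# the listed uids open outbound SMTP connections and log-and-reject everyone
# else. Rules are printed for review rather than executed; pipe them into
# sh once reviewed. The chain name SMTP_OUT and the log prefix are chosen here.

# Emit the rule set for allowed users (space separated) and ports (comma separated).
# Each user must exist on the box, or iptables will refuse the --uid-owner rule.
smtp_block_rules() {
    users="$1"
    ports="$2"
    echo "iptables -N SMTP_OUT 2>/dev/null || iptables -F SMTP_OUT"
    for u in $users; do
        # owner match applies to locally generated packets only, which is
        # exactly this case: a PHP script running under a web or user uid
        echo "iptables -A SMTP_OUT -m owner --uid-owner $u -j RETURN"
    done
    # everything else: a rate-limited log line (so lfd or a log watcher can
    # see which uid keeps trying) and a clean reset instead of a hang
    echo "iptables -A SMTP_OUT -m limit --limit 6/min -j LOG --log-prefix \"SMTP_OUT_BLOCKED: \""
    echo "iptables -A SMTP_OUT -j REJECT --reject-with tcp-reset"
    # insert at the top of OUTPUT so an existing accept-all rule cannot shadow it
    echo "iptables -I OUTPUT 1 -p tcp -m multiport --dports $ports -j SMTP_OUT"
}

# Connectivity check to run as a non-root user after applying the rules, in the
# spirit of the telnet test above; uses nc (netcat) with a 3 s timeout.
# Prints "open" or "blocked".
check_outbound() {
    if nc -z -w 3 "$1" "$2" 2>/dev/null; then echo open; else echo blocked; fi
}

smtp_block_rules "root mail" "25,465,587"
```

Run `check_outbound some.external.host 25` as a normal user and again as root after applying the rules: the first should print "blocked" and the second "open", while port 80 stays open for both. The LOG target is what turns a silent block into a detection: the kernel log line carries the uid and destination of each rejected attempt.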
Hello,

In csf it is:

SMTP_BLOCK = "0"

which is disabled by default.

And CSF suggests blocking 25, 465 and 587, which are listed in

SMTP_PORTS = "25,465,587"
 
Just to make things a bit more clear:
SMTP_BLOCK = "0"
is the default setting which disables this.

So it should be set to:
SMTP_BLOCK = "1"
for it to work.

If you don't use any webmail or other web scripts you can disable local mail too:
set SMTP_ALLOWLOCAL = "1" to SMTP_ALLOWLOCAL = "0".
But as said, don't disable this if you use webmail, otherwise it won't function anymore. :)
 
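Since the default value is the one that leaves the hole open, a small audit of csf.conf is a useful habit. The following is an added example (not code from the thread or from CSF): it reads SMTP_BLOCK, SMTP_PORTS and SMTP_ALLOWLOCAL from a csf.conf-style file using the KEY = "value" line format shown above, and reports whether the restriction is actually in force. The function names and the constructed sample fragment are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): read the outbound-SMTP settings from a
# csf.conf and say whether the restriction is actually in force. Assumes the
# KEY = "value" line format csf.conf uses, as quoted in the thread.

# Print the value of KEY from a csf.conf-style file (last definition wins).
csf_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Exit 0 when outbound SMTP is restricted, 1 when any uid may still connect.
csf_smtp_audit() {
    conf="$1"
    block=$(csf_setting "$conf" SMTP_BLOCK)
    ports=$(csf_setting "$conf" SMTP_PORTS)
    allowlocal=$(csf_setting "$conf" SMTP_ALLOWLOCAL)
    if [ "$block" = "1" ]; then
        echo "ok: SMTP_BLOCK=1, ports ${ports:-unset} restricted to csf's permitted users"
        if [ "$allowlocal" = "1" ]; then
            echo "note: SMTP_ALLOWLOCAL=1, local (webmail) SMTP still allowed"
        fi
        return 0
    fi
    echo "weak: SMTP_BLOCK=${block:-unset}; any uid can connect out to ${ports:-unset}"
    echo "fix: set SMTP_BLOCK = \"1\" in csf.conf, then csf -r"
    return 1
}

# Constructed csf.conf fragment with the default (disabled) setting.
demo=$(mktemp)
cat > "$demo" <<'EOF'
SMTP_BLOCK = "0"
SMTP_PORTS = "25,465,587"
SMTP_ALLOWLOCAL = "1"
EOF
csf_smtp_audit "$demo" || true
rm -f "$demo"
```

Point it at the real file with `csf_smtp_audit /etc/csf/csf.conf`; the non-zero exit status makes it easy to fold into a periodic check.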