How can I check spam mail from apache

sansak

Verified User
Joined
Jun 23, 2007
Messages
51
Today I saw that apache.bytes in /etc/virtual/usage has many entries for sending email, like the following:

7344=type=email&[email protected]&method=outgoing&id=1NuUXL-0004rw-PC
8090=type=email&[email protected]&method=outgoing&id=1NuUZa-00064B-Hi
8032=type=email&[email protected]&method=outgoing&id=1NuUah-0006UC-3x
8036=type=email&[email protected]&method=outgoing&id=1NuUar-0006ZR-LH
5824=type=email&[email protected]&method=outgoing&id=1NuUY1-0005M3-1i
4312=type=email&[email protected]&method=outgoing&id=1NuUwe-0000ZV-B2
7346=type=email&[email protected]&method=outgoing&id=1NuUXh-00056i-4q
8034=type=email&[email protected]&method=outgoing&id=1NuUb1-0006dW-CG
4628=type=email&[email protected]&method=outgoing&id=1NuUwY-0000X9-Hz

How can I check where it comes from?
In the Exim mainlog there are still emails being sent from apache. Please help.
 
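As an added example, not code from the thread, here is a shell script that summarises a usage file like the one in the post above and ties its message ids to the Exim mainlog. It assumes the line format shown, `<bytes>=type=email&email=<address>&method=outgoing&id=<exim id>`, with the sender under an `email` key (the obfuscated post does not confirm the key name), and that the mainlog uses Exim's standard layout, with the message id as the third field and `U=<user>` on locally submitted messages. The sample usage and mainlog lines are constructed.

```shell
#!/bin/bash
# Added example: summarise a DirectAdmin-style /etc/virtual/usage/<user>.bytes
# file and correlate it with the Exim mainlog. Not code from the forum thread.
# Assumed usage-line format:
#   <bytes>=type=email&email=<address>&method=outgoing&id=<exim message id>

# Per-sender count and total bytes of outgoing mail, busiest sender first.
# Output: "<count> <bytes> <address>"
count_senders() {
  awk '
    {
      bytes = $0; sub(/=.*/, "", bytes)      # leading "<bytes>=" counter
      line = $0;  sub(/^[0-9]+=/, "", line)  # the query-string part
      split("", kv)
      n = split(line, parts, "&")
      for (i = 1; i <= n; i++) {
        eq = index(parts[i], "=")
        if (eq > 0) kv[substr(parts[i], 1, eq - 1)] = substr(parts[i], eq + 1)
      }
      if (kv["type"] == "email" && kv["method"] == "outgoing" && kv["email"] != "") {
        count[kv["email"]]++
        size[kv["email"]] += bytes
      }
    }
    END { for (a in count) printf "%d %d %s\n", count[a], size[a], a }
  ' "${1:-/dev/stdin}" | sort -k1,1nr -k3,3
}

# Mainlog lines for messages submitted locally by a system user ($2, default
# apache). Exim logs such submissions as "... <= <sender> U=<user> P=local ...".
local_submissions() {
  grep -F " U=${2:-apache} " "$1"
}

# Mainlog lines whose message id (field 3 in Exim's mainlog) appears as an
# "id=" value in the usage file ($1 usage file, $2 mainlog).
ids_in_mainlog() {
  awk '
    FILENAME == ARGV[1] {
      if (match($0, /&id=[^&]*/)) ids[substr($0, RSTART + 4, RLENGTH - 4)] = 1
      next
    }
    ($3 in ids)
  ' "$1" "$2"
}

# Constructed sample input (addresses and ids are made up).
sample_usage() {
cat <<'EOF'
7344=type=email&email=bob@example.com&method=outgoing&id=1NuUXL-0004rw-PC
8090=type=email&email=bob@example.com&method=outgoing&id=1NuUZa-00064B-Hi
4312=type=email&email=alice@example.net&method=outgoing&id=1NuUwe-0000ZV-B2
EOF
}

sample_mainlog() {
cat <<'EOF'
2010-03-29 10:12:34 1NuUXL-0004rw-PC <= bob@example.com U=apache P=local S=7344
2010-03-29 10:12:34 1NuUXL-0004rw-PC => alice@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2010-03-29 10:12:35 1NuUXL-0004rw-PC Completed
2010-03-29 10:13:01 1NuUZa-00064B-Hi <= bob@example.com U=apache P=local S=8090
2010-03-29 10:20:00 1NuV0a-00011A-Aa <= root@host.example U=root P=local S=512
EOF
}

demo() {
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  sample_usage > "$tmp/apache.bytes"; sample_mainlog > "$tmp/mainlog"
  echo "== outgoing mail per sender =="; count_senders "$tmp/apache.bytes"
  echo "== local submissions by apache =="; local_submissions "$tmp/mainlog" apache
  echo "== mainlog lines for the ids in the usage file =="; ids_in_mainlog "$tmp/apache.bytes" "$tmp/mainlog"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with `bash usage_triage.sh --demo` to see it on the constructed sample; on a real box, `count_senders /etc/virtual/usage/apache.bytes` and `local_submissions /var/log/exim/mainlog apache` (the mainlog path is the DirectAdmin default) show which sender address the apache user is pushing out, and `ids_in_mainlog` pulls the delivery records for exactly those messages so you can see where they went.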
Interested in this investigation as well.

I'll suggest for now that you look for Perl scripts

Code:
find /home/ -type f -name '*.pl'

and open the mail that apache creates to check if there is a link to one of your customers' websites (usually not, they usually point you to another website/server, but a check isn't expensive ^^)

Those are my 2 cents, hope they can help you a bit
 

I've disabled CGI for every user, but I'll search for .pl files again.
 
Check for users that have 777 permissions on some directory.

If CGI is disabled, they can upload the file but maybe they cannot execute it and can't send the spam; but of course, a detailed investigation is required.
 
First understand this. If mail is being sent out as the user apache then mod_php is being used and it is a php script executing the process.

The hacker probably used a php script vulnerability to upload a script like this http://phpshell.sourceforge.net/

This will then allow him to run any commands he wants, but of course still as the user apache.

He has probably uploaded a perl script designed to send out spam. He then starts the script. While the script is now running in memory he then deletes it. He can also delete the php shell script. He has now deleted all the files that he used to send the spam.

The perl script can even be a mail server which will leave no trace of the mail transaction in the exim log or any log.

What you are looking for are vulnerable php scripts. There are many areas to look at. You need a server admin to investigate this for you if you are currently having a problem and do not have time to take several days or weeks to learn everything.

However you can use the nobody user check at webhostgear http://www.webhostgear.com/353.html and you can use avast to scan for vulnerable scripts.
 
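The checks suggested across the thread (Perl scripts under /home, world-writable directories, processes running as apache, and a script that keeps running after its file was deleted) collected into one triage script. This is an added example, not code from any poster; it assumes the web server runs as the user `apache`, that customer sites live under /home and that /proc is available. Every path is a parameter so the functions can be pointed at a test tree.

```shell
#!/bin/bash
# Added example: triage helpers for "spam is being sent as the apache user".
# Not code from the forum thread. Assumptions: web server user "apache",
# sites under /home, a Linux /proc. All of these are parameters.

# Running processes whose executable was deleted after launch (the
# "start the script, then rm it" trick described in the thread):
# /proc/<pid>/exe then resolves to "<path> (deleted)".
# Output: "<pid> <exe target>"
deleted_exe_pids() {
  local procdir="${1:-/proc}" exe target
  for exe in "$procdir"/[0-9]*/exe; do
    [ -e "$exe" ] || [ -L "$exe" ] || continue
    target=$(readlink "$exe" 2>/dev/null) || continue   # unreadable: other user's process
    case "$target" in
      *" (deleted)") printf '%s %s\n' "$(basename "$(dirname "$exe")")" "$target" ;;
    esac
  done
}

# Directories any user can write to (the "777 permission" check): a
# world-writable, web-served directory is where an uploaded PHP shell lands.
world_writable_dirs() {
  find "${1:-/home}" -type d -perm -0002 2>/dev/null | sort
}

# Perl scripts under the web tree. Note the quoted glob: a bare "-name .pl"
# matches only a file literally called ".pl".
perl_scripts() {
  find "${1:-/home}" -type f -name '*.pl' 2>/dev/null | sort
}

# Everything currently running as the web user, with start time and command line.
apache_processes() {
  local user="${1:-apache}"
  ps -u "$user" -o pid=,lstart=,args= 2>/dev/null || echo "(no processes running as $user)"
}

run_triage() {
  local root="${1:-/home}" user="${2:-apache}" procdir="${3:-/proc}"
  echo "== processes running as $user ==";               apache_processes "$user"
  echo "== running processes whose binary was deleted =="; deleted_exe_pids "$procdir"
  echo "== world-writable directories under $root ==";   world_writable_dirs "$root"
  echo "== perl scripts under $root ==";                  perl_scripts "$root"
}

# Run as: bash triage.sh /home apache /proc
[ $# -gt 0 ] && run_triage "$@"
```

A process listed by `deleted_exe_pids` can still be inspected before you kill it: `/proc/<pid>/cwd` tells you which account's directory it was started from, and `/proc/<pid>/exe` can be copied out for a look at the script even though the file on disk is gone.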