Mass spam being sent from my server

blaszlo (Verified User, joined Jun 9, 2008)
Hello all,

I am having a major issue where thousands of spam messages have been sent from my server using the [email protected] account and I cannot figure out how it is being done or how to stop it. To stop the bleeding I have blocked outbound port 25, but obviously this is not a permanent solution. Below is a header of one of the spam messages (emails changed to protect the innocent)...

Code:
------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from apache by hostname.myhost.com with local (Exim 4.67)
	(envelope-from <[email protected]>)
	id 1RQunU-0004sn-4l
	for [email protected]; Thu, 17 Nov 2011 00:46:04 -0500
Date: Thu, 17 Nov 2011 00:46:04 -0500
To: [email protected]
From: keystone limited <[email protected]>
Reply-To: [email protected]
Subject: ****JOB OFFER****
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="iso-8859-1"

Again, I have no idea how to stop this sort of thing. I am assuming there is some sort of injection happening somewhere on one of my sites, but how can I find it? Next, is there any way for me to tell Exim to not allow outbound mail for the user apache? Many thanks!
 
You should check the exim log /var/log/exim/mainlog to see what account it's coming from.
 
Here is a copy of that log...

Code:
2011-11-13 11:43:57 1RPd9x-0001DO-6m <= [email protected] U=apache P=local S=1553 [email protected] T="Statment Montly" from <[email protected]> for [email protected]
2011-11-13 11:43:57 1RPd9x-0001DQ-EY <= [email protected] U=apache P=local S=700 T="[user ip : 180.254.97.201]" from <[email protected]> for [email protected]
2011-11-13 11:43:57 1RPd9x-0001DT-KG <= [email protected] U=apache P=local S=1476 T="Letter & Email List  [user ip : 180.254.97.201]" from <[email protected]> for [email protected]
2011-11-13 11:43:58 1RPd9x-0001DO-6m => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1603 H=mx2.hotmail.com [65.55.37.104] C="250  <[email protected]> Queued mail for $
2011-11-13 11:43:58 1RPd9x-0001DO-6m Completed

Looks like they are all coming from the apache user, and the "[email protected]" is a user on my box. Again, can I block apache from sending emails?
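To make the kind of check described above repeatable, here is a small added script (not from this thread or from DirectAdmin) that tallies the "<=" (message accepted) lines of an Exim mainlog by the U= Unix user and lists the envelope senders a given user has used. The log lines it runs on are constructed samples modelled on the ones above, with example.com addresses and a documentation-range IP; the function names are my own.

```shell
#!/bin/sh
# Added example: triage an Exim mainlog by injecting Unix user.
# Only "<=" lines (message accepted by Exim) carry the U= field, so the
# "=>" delivery lines and "Completed" lines are ignored.

# Constructed sample log (fake addresses, fake IP), used when no real log is given.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2011-11-13 11:43:57 1RPd9x-0001DO-6m <= user@example.com U=apache P=local S=1553 T="Statment Montly" from <user@example.com> for victim1@example.net
2011-11-13 11:43:57 1RPd9x-0001DQ-EY <= user@example.com U=apache P=local S=700 T="[user ip : 198.51.100.7]" from <user@example.com> for victim2@example.net
2011-11-13 11:44:01 1RPdA1-0001DZ-Ab <= bob@example.com U=bob P=local S=900 T="Invoice" from <bob@example.com> for client@example.org
2011-11-13 11:43:58 1RPd9x-0001DO-6m => victim1@example.net F=<user@example.com> R=lookuphost T=remote_smtp S=1603 H=mx.example.net [198.51.100.25] C="250 Queued mail for delivery"
2011-11-13 11:43:58 1RPd9x-0001DO-6m Completed
EOF

# count_by_user LOGFILE: prints "count user" pairs, busiest user first.
count_by_user() {
    grep ' <= ' "$1" | sed -n 's/.* U=\([^ ]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# messages_for_user LOGFILE USER: number of messages USER injected (0 if none).
messages_for_user() {
    count_by_user "$1" | awk -v u="$2" '$2 == u {print $1; f=1} END {if (!f) print 0}'
}

# top_sender LOGFILE: the Unix user that injected the most messages.
top_sender() {
    count_by_user "$1" | head -n 1 | awk '{print $2}'
}

# envelope_senders LOGFILE USER: distinct envelope-from addresses USER has used;
# for the web-server user this points at which hosted account's domain is involved.
envelope_senders() {
    grep ' <= ' "$1" | grep " U=$2 " | sed -n 's/.* from <\([^>]*\)>.*/\1/p' | sort -u
}

# Stand-alone run: summarise the sample log (pass a real path as $1 instead).
LOGFILE="${1:-$SAMPLE_LOG}"
count_by_user "$LOGFILE"
echo "apache envelope senders:"
envelope_senders "$LOGFILE" apache
```

Run it against the real file with `sh triage.sh /var/log/exim/mainlog`; a web-server account at the top of the list with one or two envelope senders narrows the search to that account's public_html.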
 
Apache by itself does not send emails; it's a PHP script which is running under apache's name. So why don't you use mod_ruid2 or suPHP? In that case your PHP scripts would be executed under the real username.
 
It looks like the scripts are running from a single username and sending out in apache, as I stated above. Would suPHP prevent this type of issue, or simply make it easier to diagnose?
 
Of course, suPHP will make it easier to diagnose and manage things including permissions and issues like you have. Search the forums if you want more details about its installation and usage, or see the official documentation.
 
OK, I have just installed suPHP included in custombuild, we will see how it goes. I will post back if there are any issues or if this continues. Now it looks like I have some heavy file/directory permission modifications to make :)
 
That's not that heavy:

Code:
# reset the standard DirectAdmin permissions on user home directories
cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes
# directories 711, regular files 644 under every public_html
find /home/*/domains/*/public_html -type d -print0 | xargs -0 chmod 711
find /home/*/domains/*/public_html -type f -print0 | xargs -0 chmod 644
# CGI and Perl scripts need the execute bit back
find /home/*/domains/*/public_html -type f -name '*.cgi*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pl*' -exec chmod 755 {} \;
find /home/*/domains/*/public_html -type f -name '*.pm*' -exec chmod 755 {} \;
# make each user own their own public_html, as suPHP requires
cd /usr/local/directadmin/data/users && for i in `ls`; do { chown -R $i:$i /home/$i/domains/*/public_html;}; done;
 