Need a help to find a spammer

zEitEr (Super Moderator, www.poralix.com)
Hello,

Since yesterday we've been receiving abuse reports. They say:

...skipped...
your Server with the IP: 195.xxx.xxx.xxx has attacked one of our server on the service:
"postfix" on Time: Mon, 28 Mar 2011 10:23:27 +0200
The IP was automatically blocked for more than 10 minutes. To block an IP, it needs
3 failed Logins, one match for "invalid user" or a 5xx-Error-Code (eg. Blacklist)!
...skipped...

I suppose that's a matter of "invalid user". It would not trouble me if I did not see an increasing number of bounces, much bigger than usual. The bounces are coming to our server with fake recipient addresses, like:

CarolynOstenberg@server_IP_PTR_name
TianaMacadamia@server_IP_PTR_name
JayRox@server_IP_PTR_name
LuciaSamberg@server_IP_PTR_name
ToddSilvestri@server_IP_PTR_name

server_IP_PTR_name is the PTR name of our server's IP, which is not the same as the hostname.

That's really annoying. I've checked the exim logs, and it seems no related email was sent out of the server through sendmail/exim. I suppose a spammer, if he/she sits on our server, is using sockets to connect to a victim server.

Please share your ideas on how to find him/her and stop it.


Regards,
Alex.
 
This might be a stupid idea, but have you tried checking netstat for connections to that server (ip/host/port) to check if it is your server sending?

It could also be that someone uses a fake email from your server as reply-to or sender address, but without using your mailserver?

In your mail queue, have you any outgoing mail to that server?

Regards
 
That's a good idea. I've been watching tcpdump output for hours, nothing interesting. And no reports were received. So I should wait and see if it happens again.

Yes, it's possible that someone is pretending to be us, sending our domain in the HELO statement. I asked for some more evidence from the abuse sender.

Nothing outgoing in the queue, and nothing in the logs.
 
If it is a user using PHP to send email, you should see (if they send you the headers of those emails) the X-PHP statement that links you to the URL sending the email...

But until they send you a "proof" with headers, you are not able to understand how it is happening.

Another way would be to decrease the value of the limit (/etc/virtual/limit) and increase it for single users when needed, in the format /etc/virtual/limit_$username, so you can check if there is unusual outgoing traffic.

Atm, no other ideas :) sorry

Regards
 
Hmm, I've found a strange PERL process; it's running in memory, but the file related to the process does not exist. It seems I've found the spammer.
 
I wonder, is it possible to get the script content just before I kill it?

The script seems to be a Dark Mailer. The default names of the scripts are forbidden by FTP rules, thus it looks like gtfxgye.cgi.
 
Honestly, I don't know.

I think you should check it from /proc/pid, but honestly I don't remember which file would contain that info.

Have you found any information in various logs about that process? Yes, probably CGI, but I would suspect a PHP CMS with bad permissions.

Regards
 
All I could learn from the /proc/<PID>/ directory, I did. To be honest, that's how I found the script and the user.

p.s. netstat helped.
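Recovering the script from /proc before killing the process, as discussed in the posts above: an added example, not code posted in the thread. It lists processes whose exe or an open descriptor points at an unlinked ("(deleted)") path and copies the still-open content out; PID 4242, the sample tree and the file contents are constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists processes whose executable or
# an open file was unlinked after start (/proc shows them as "(deleted)"), and
# copies the still-open content out before the process is killed.

# One line per deleted handle of every process under ROOT: PID|KIND|TARGET
find_deleted_handles() {
    root=${1:-/proc}
    for pid_dir in "$root"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        pid=${pid_dir##*/}
        exe=$(readlink "$pid_dir/exe" 2>/dev/null) || exe=
        case "$exe" in *" (deleted)") printf '%s|exe|%s\n' "$pid" "$exe" ;; esac
        for fd in "$pid_dir"/fd/*; do
            [ -L "$fd" ] || continue                     # unreadable or none
            target=$(readlink "$fd" 2>/dev/null) || continue
            case "$target" in
                *" (deleted)") printf '%s|fd:%s|%s\n' "$pid" "${fd##*/}" "$target" ;;
            esac
        done
    done
}

# /proc/PID/fd/N opens the inode even after its path was unlinked, so the
# deleted script can still be read while the process lives. Copy it to DEST.
save_handle() {
    root=$1; pid=$2; fd=$3; dest=$4
    cat "$root/$pid/fd/$fd" > "$dest"
}

# Constructed stand-in for /proc (offline demo): a perl process whose script
# was unlinked. A real file named "... (deleted)" plays the role of the
# kernel's magic link, so save_handle works on it too. Prints the tree's path.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/4242/fd" "$d/home/public_html"
    printf 'perl\0gtfxgye.cgi\0' > "$d/4242/cmdline"
    ln -s /usr/bin/perl "$d/4242/exe"
    ln -s "$d/home/public_html" "$d/4242/cwd"
    printf '#!/usr/bin/perl\n# constructed mailer stand-in\n' \
        > "$d/home/public_html/gtfxgye.cgi (deleted)"
    ln -s "$d/home/public_html/gtfxgye.cgi (deleted)" "$d/4242/fd/3"
    echo "$d"
}

# Scan the live system when run as: sh deleted_procs.sh scan
[ "${1-}" = scan ] && find_deleted_handles /proc
```

On a real system run it as root, since /proc/PID/fd of other users' processes is not readable otherwise.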
 
> Hmm, I've found a strange PERL process; it's running in memory, but the file related to the process does not exist. It seems I've found the spammer.
Many hackers, after they start a process, kill the file.

Jeff
 
We use a regular expression in ProFTPD which forbids uploading files with particular names. But in this case a hacker uploaded files with names consisting of random chars. Seems to me we should tune the regexp. Or is there any other way to go?

As far as I know (from FTP logs) the script was uploaded by a bot, so would it help to avoid such things if we switched to FTPS instead of FTP?
 