Problem with exim and spammer

luiis (New member, joined May 8, 2012, 11 messages)
Hi!
I have a problem with my exim and some spammer. As you can see in this log: http://www.skiforum.it/mainlog all mail is sent by the default user ([email protected]) in my directadmin. I don't understand who is responsible; I've installed the "DirectAdminSpamBlocker4.1" but it doesn't work for me. Is it possible to block the remote_smtp sent by this user?
The password isn't spoofed, because I changed it 5 times in 3 hours and the problem still persists.
Can someone help me? :(
 
Can you see the email headers to check if it is a PHP script? (I think it is probably a PHP script on that user.)

Regards
 
According to this message:
"The skiforum account has just finished sending 50000 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/skiforum.bytes file, it was found that the highest sender was [email protected], at 49993 emails.

The top authenticated user was skiforum, at 49993 emails.
This accounts for 99% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.


The most common path that the messages were sent from is /tmp, at 33919 emails (67%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

This warning was generated because the 50000 email threshold was hit."

/tmp is a system path, so it isn't a problem of a script but of SMTP, right?
 
Well, a customer of mine had the same issue: a CMS set to use SMTP and a webmail form that was set to use SMTP. They hacked that, so all mail was authenticated but actually was spam.

That's why I said to check the headers; in the headers you should have the .php file that is sending mails, and you can remove/check/block that.

Regards
 
Here are some headers:

Code:
1SS5UU-0005Ot-2k-H
skiforum 1004 1006
<[email protected]>
1336564534 0
-ident skiforum
-received_protocol local
-body_linecount 491
-max_received_linelength 88
-auth_id skiforum
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

198P Received: from skiforum by terry.euservers.net with local (Exim 4.73)
(envelope-from <[email protected]>)
id 1SS5UU-0005Ot-2k
for [email protected]; Wed, 09 May 2012 13:55:34 +0200
053F From: Marisa Lasley <[email protected]>
025T To: [email protected]
049 Subject: Marisa Lasley SENT YOU A FRIEND REQUEST
018 MIME-Version: 1.0
080 Content-Type: multipart/related;
boundary="=_fc8fda86981d0a77616c0a81b7f98534"
052I Message-Id: <[email protected]>
040S Sender: <[email protected]>
038 Date: Wed, 09 May 2012 13:55:34 +0200

1SS5SM-0004Ju-Fa-H
skiforum 1004 1006
<[email protected]>
1336564402 0
-ident skiforum
-received_protocol local
-body_linecount 491
-max_received_linelength 86
-auth_id skiforum
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

196P Received: from skiforum by terry.euservers.net with local (Exim 4.73)
(envelope-from <[email protected]>)
id 1SS5SM-0004Ju-Fa
for [email protected]; Wed, 09 May 2012 13:53:22 +0200
053F From: Marisa Lasley <[email protected]>
023T To: [email protected]
049 Subject: Marisa Lasley SENT YOU A FRIEND REQUEST
018 MIME-Version: 1.0
080 Content-Type: multipart/related;
boundary="=_fc8fda86981d0a77616c0a81b7f98534"
052I Message-Id: <[email protected]>
040S Sender: <[email protected]>
038 Date: Wed, 09 May 2012 13:53:22 +0200


And today all mails are the same (check it here: http://www.skiforum.it/mainlog )
So you think I'm rootkitted?
 
I have:
- PHP 5.2.17
- dovecot 2.0.16
- Exim 4.73
- DirectAdmin 1.40.0
- Apache 2.2.21

Regards and thanks for the help ;)
 
First, I strongly recommend updating to PHP 5.3.x.

But if you can't because of customers' websites, enable the mail-header-patch in options.conf and recompile PHP.

This will add an X-PHP line in email sent by PHP scripts.

If this is already enabled, that's a problem, because the header you pasted doesn't have that line, and so I should think it is somehow hacked somewhere else.

Regards
 
Yes, it is enabled, because another (real) message has this header:

Code:
183P Received: from apache by terry.euservers.net with local (Exim 4.73)
(envelope-from <[email protected]>)
id 1SS37V-0003hk-49
for [email protected]; Wed, 09 May 2012 11:23:41 +0200
022T To: [email protected]
061 Subject: Action Required to Activate Membership for Skiforum
067 X-PHP-Script: www.skiforum.it/forum/register.php for 91.201.64.223
038F From: "Skiforum" <[email protected]>
031 Auto-Submitted: auto-generated
032* Return-Path: [email protected]
058I Message-ID: <[email protected]>
018 MIME-Version: 1.0
047 Content-Type: text/plain; charset="ISO-8859-1"
032 Content-Transfer-Encoding: 8bit
014 X-Priority: 3
033 X-Mailer: vBulletin Mail via PHP
038 Date: Wed, 09 May 2012 11:23:41 +0200

So that's bad news, I need to check the whole server :(
 
Code:
root 1605 0.0 0.0 44824 4512 ? S 15:35 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.optonline.net 167.206.4.77 2 1SS6rb-00048n-PU
mail 1607 0.0 0.0 45068 2300 ? S 15:35 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.optonline.net 167.206.4.77 2 1SS6rb-00048n-PU

And what about these commands? Why does exim use the user mail and root to send mail? Maybe somebody is using the server as a relay?
 
AFAIK exim should run as mail, so that's strange.

Also, is optonline.net your domain or an MX related to your business?

You are using SpamBlocker 4.1, right?

For now, at least you should block that user from sending mail by setting the limit per user to 1 (just for that user, using the file /etc/virtual/limit_skiforum).

Regards
 
Yes, I use spamblocker 4.1, and this domain has nothing to do with this server or business :) Ok, perfect, I will block it for now, but the user needs to send some mails with PHP; is it possible to block only SMTP mails and not PHP mails?
 
Mmmh, not sure honestly, that limit should be a "total" limit.

The strange part is that changing the email doesn't solve the issue, so I think it's either the server being rooted or a wrong spamblocker configuration.

ATM I've no more ideas; maybe jlasman (who is the creator of spamblocker) has other good answers.

Regards
 
Code:
root 1605 0.0 0.0 44824 4512 ? S 15:35 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.optonline.net 167.206.4.77 2 1SS6rb-00048n-PU
mail 1607 0.0 0.0 45068 2300 ? S 15:35 0:00 /usr/sbin/exim -MCS -MCP -MC remote_smtp mx1.optonline.net 167.206.4.77 2 1SS6rb-00048n-PU

And what about these commands? Why does exim use the user mail and root to send mail? Maybe somebody is using the server as a relay?


Hello,

What do you see if you run

Code:
exigrep 1SS6rb-00048n-PU /var/log/exim/mainlog

Make sure you run exigrep against a valid exim log (you might need to use a rotated one).

You might need to remove 127.0.0.1 from

Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

and restart exim.


Additionally you might want to Google as there are some similar topics, like this one http://www.directadmin.com/forum/archive/index.php/t-30116.html
 
Hi to all,
first, thanks for the help!
Second: I don't have 127.0.0.1 in the exim.conf, only the pophost part.
And in the pophost file I have 2 IPs; is that normal? Or does it need to be blank if I didn't edit anything and neither of them is a server IP?
 
This is the relative line on my production server:

Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

What does yours look like?

Except for 127.0.0.1 you shouldn't have other IPs, I suppose.

Regards
 