Sending Spam to AOL

SeLLeRoNe (Super Moderator; joined Oct 9, 2004; 6,516 messages; location: A Coruña, Spain)
Hi,

AOL is contacting me because my server is sending a lot of spam email to their users, and I've found one of those reported here:

Code:
1ONk80-00055I-Pn-H
apache 1004 1004
<[email protected]>
1276423760 0
-ident apache
-received_protocol local
-body_linecount 48
-max_received_linelength 131
-auth_id apache
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX
1
[email protected]

198P Received: from apache by Psycho.CrazyNetwork.it with local (Exim 4.72)
        (envelope-from <[email protected]>)
        id 1ONk80-00055I-Pn
        for [email protected]; Sun, 13 Jun 2010 12:09:20 +0200
038  Date: Sun, 13 Jun 2010 12:09:20 +0200
055I Message-Id: <[email protected]>
023T To: [email protected]
066  Subject: *IMPORTANT* Halifax Bank -Your Online Access Suspended !
054F From: Halifax Online Banking <[email protected]>
011R Reply-To:
018  MIME-Version: 1.0
024  Content-Type: text/html
032  Content-Transfer-Encoding: 8bit

The sending user is apache, so probably some users, or maybe just one, have been hacked...

The question is, how should I check which user it is and how should I investigate this?

Thanks for the help from everyone, much appreciated as always.

Regards
 
Hi Jeff,

thanks for your reply, I already looked there but didn't get any useful info... at least, I think.

Here is part of the log... there are many more lines like these:

Code:
2010-06-13 10:54:08 1ONixE-00068V-Lm <= [email protected] U=apache P=local S=2360 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <[email protected]> for [email protected]
2010-06-13 10:54:08 1ONixE-00068T-LQ <= [email protected] U=apache P=local S=2329 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <[email protected]> for [email protected]
2010-06-13 10:54:08 1ONixE-00068a-NC <= [email protected] U=apache P=local S=2317 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <[email protected]> for [email protected]
2010-06-13 10:54:08 1ONixE-00068Y-Mc <= [email protected] U=apache P=local S=2338 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <[email protected]> for [email protected]

Any guidelines?

Thanks again
 
OK, I did it with exigrep, I hope I did it right:

Code:
2010-06-13 10:49:47 1ONit1-000058-Mh <= [email protected] U=apache P=local S=2317 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <[email protected]> for [email protected]
2010-06-13 10:49:48 1ONit1-000058-Mh => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2382 H=mx-c1.talktalk.net [62.24.202.3] C="250 ok:  Message 65901242 accepted"
2010-06-13 10:49:48 1ONit1-000058-Mh Completed

2010-06-13 10:49:46 1ONit0-0008Uz-Pd <= [email protected] U=apache P=local S=2317 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <[email protected]> for [email protected]
2010-06-13 10:49:48 1ONit0-0008Uz-Pd => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=2382 H=mx3.hotmail.com [65.54.188.72] C="250  <[email protected]> Queued mail for delivery"
2010-06-13 10:49:48 1ONit0-0008Uz-Pd Completed

In those emails it seems I'm spamming Hotmail now :/
 
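The exigrep output above answers the first question by hand: each message id has a "<=" arrival line carrying U= (the Unix user that handed the mail to Exim), P= (the protocol it arrived by) and T= (the subject), followed by "=>" delivery lines. The script below is an added example, not from the thread or from DirectAdmin, that does the same grouping over a whole mainlog and labels each origin as "local:<user>" (a local process such as a PHP mail() call), "auth:<login>" (SMTP AUTH, which Exim logs as A=authenticator:login) or "smtp:<host>" (unauthenticated remote SMTP). The sample lines are constructed in the shape of the ones posted; hosts, addresses and IPs are made up.

```python
"""Triage an Exim mainlog to see where outbound mail enters the server.

Added example, not from the thread. SAMPLE_LOG is constructed in the shape
of the lines posted (Exim 4.x mainlog); names, hosts and IPs are made up.
"""
import re
from collections import Counter, defaultdict

# "<=" = message arrived, "=>" = delivered, "Completed" closes the message id.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
DELIVERY_RE = re.compile(r'^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+) ')
# Exim tags look like U=apache or T="subject with spaces"; quoted values are
# matched first so a subject is never split on its own spaces.
TAG_RE = re.compile(r'(?P<k>[A-Z]+)=(?:"(?P<q>[^"]*)"|(?P<v>\S+))')


def parse_arrival(line):
    """Return a dict for a '<=' line (id, sender, and the U=/P=/H=/A=/T= tags)."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    msg = {'ts': m.group('ts'), 'id': m.group('id'), 'sender': m.group('sender')}
    for t in TAG_RE.finditer(m.group('rest')):
        msg[t.group('k')] = t.group('q') if t.group('q') is not None else t.group('v')
    return msg


def classify(msg):
    """Name the entry point; this decides what to investigate next."""
    if msg.get('P') == 'local':
        # Handed to /usr/sbin/sendmail by a local process: U= is the Unix user
        # that ran it. U=apache means a web script (PHP mail()), not a mailbox.
        return 'local:' + msg.get('U', '?')
    if 'A' in msg:
        # SMTP AUTH succeeded; Exim logs A=<authenticator>:<login>. A spam burst
        # here points at a compromised mailbox password, not a web script.
        return 'auth:' + msg['A'].split(':', 1)[-1]
    # Unauthenticated SMTP from a remote host: inbound mail or bounces.
    return 'smtp:' + msg.get('H', '?')


def triage(lines, burst=3):
    """Summarise arrivals by origin and flag repeated subjects from one origin."""
    arrivals, delivered = {}, defaultdict(list)
    for line in lines:
        a = parse_arrival(line)
        if a:
            arrivals[a['id']] = a
            continue
        d = DELIVERY_RE.match(line)
        if d:
            delivered[d.group('id')].append(d.group('rcpt'))
    origins = Counter(classify(a) for a in arrivals.values())
    subjects = Counter((classify(a), a.get('T', '')) for a in arrivals.values())
    suspects = [(origin, subj, n) for (origin, subj), n in subjects.items() if n >= burst]
    return {'origins': dict(origins), 'suspects': suspects, 'delivered': dict(delivered)}


# Constructed sample: three web-script spams, one authenticated submission,
# one inbound bounce and one cron mail.
SAMPLE_LOG = """\
2010-06-13 10:49:46 1ONit0-0008Uz-Pd <= apache@psycho.example.it U=apache P=local S=2317 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <apache@psycho.example.it> for victim1@example.net
2010-06-13 10:49:47 1ONit1-000058-Mh <= apache@psycho.example.it U=apache P=local S=2317 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <apache@psycho.example.it> for victim2@example.net
2010-06-13 10:49:48 1ONit0-0008Uz-Pd => victim1@example.net F=<apache@psycho.example.it> R=lookuphost T=remote_smtp S=2382 H=mx.example.net [192.0.2.10] C="250 ok"
2010-06-13 10:49:48 1ONit0-0008Uz-Pd Completed
2010-06-13 10:49:49 1ONit2-00005A-Qx <= apache@psycho.example.it U=apache P=local S=2317 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !" from <apache@psycho.example.it> for victim3@example.net
2010-06-13 11:02:10 1ONiu9-00007B-Zz <= andrea@example.it H=(client) [198.51.100.7] P=esmtpa A=login:andrea@example.it S=7012 T="-75% discounts notifier" from <andrea@example.it> for target@example.org
2010-06-13 11:05:00 1ONiuC-00007C-Aa <= <> H=mx.example.edu [203.0.113.5] P=esmtps X=TLSv1:AES256-SHA:256 S=1244 T="Re: bounce" from <> for apache@psycho.example.it
2010-06-13 11:10:00 1ONiuD-00007D-Bb <= root@psycho.example.it U=root P=local S=500 T="Cron <root@psycho> run-parts" from <root@psycho.example.it> for root@psycho.example.it
"""

if __name__ == '__main__':
    report = triage(SAMPLE_LOG.splitlines())
    for origin, n in sorted(report['origins'].items(), key=lambda kv: -kv[1]):
        print(f'{n:5d}  {origin}')
    for origin, subj, n in report['suspects']:
        print(f'BURST {n}x from {origin}: {subj!r}')
```

Run it against the real file with triage(open('/var/log/exim/mainlog').read().splitlines()); a burst under "local:apache" is the web-script case this thread is about, and a burst under "auth:<login>" is a stolen mailbox password, which no PHP patch will reveal.
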
Of course not, that is the server hostname... that's why I don't know how to find out which user is sending those emails, probably some website hacked through some bug in a CMS or something like that.

Any idea how to find out who is responsible?
 
Looks like you are running PHP as a module. You should install the PHP mail header patch, which will tell you which script is sending the email.
 
OK, I think that is the mail header patch in custombuild, right?

Which module do I have to rebuild after setting the mail patch to yes? Is just PHP enough?

Thanks
 
I've reinstalled PHP and secure_php via custombuild

but the log looks the same:

Code:
+++ 1OO5rb-00089E-JD has not completed +++
2010-06-14 11:21:51 1OO5rb-00089E-JD <= <> H=clarity.mcc.ac.uk [130.88.200.144] P=esmtps X=TLSv1:AES256-SHA:256 S=1244 [email protected] T="Re: \"*IMPORTANT* Halifax Bank -Your Online Access Suspended !\"" from <> for [email protected]
2010-06-14 11:21:51 1OO5rb-00089E-JD ** [email protected] F=<> R=virtual_aliases:
2010-06-14 11:21:51 1OO5rb-00089E-JD Frozen (delivery error message)
 
Check the /server-status page for strange POST requests.
Also, maybe there are perl scripts running (ps aux | grep perl).
 
Code:
>ps aux | grep perl
root     29681  0.0  0.0   3140   796 pts/1    S+   15:34   0:00 grep perl

I've no /server-status page anywhere, how can I find it and what useful information should it give?

cgi-bin is disabled for all users, so I don't think they should be able to run perl scripts from their accounts, am I wrong?
 
nano -w /etc/httpd/conf/extra/httpd-info.conf
You need to change
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from .example.com
</Location>
to
<Location /server-status>
SetHandler server-status
Order deny,allow
Allow from all
</Location>
and
#ExtendedStatus On
to
ExtendedStatus On

Then reload or restart httpd. Then you can view it at http://your-hostname/server-status
Then watch it, and if you see some strange POSTs, maybe there is a leak.
* NOTE: Set it back to off if you don't need it anymore, or add your hostname/IP to the Allow from and add 'Deny from all'.

You can also try
netstat -nat | grep :21
lsof -ni tcp:21
 
Very nice, thanks!

Code:
>netstat -nat | grep :21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 194.177.98.220:21       194.177.98.220:37131    TIME_WAIT

>lsof -ni tcp:21
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
proftpd 3395  ftp    0u  IPv4   7305       TCP *:ftp (LISTEN)


http://psycho.crazynetwork.it/server-status
Code:
Srv	PID	Acc	M	CPU 	SS	Req	Conn	Child	Slot	Client	VHost	Request
0-0	19124	0/1/1	_ 	0.16	0	429	0.0	0.01	0.01 	207.46.13.144	www.polisportivaciampino.it	GET /index.php?option=com_easygb&Itemid=28 HTTP/1.1
1-0	19125	1/1/1	K 	0.08	0	185	0.1	0.00	0.00 	88.149.242.126	webmail.dndonline.it	GET /?_task=mail&_action=keep-alive&_t=1276525767553&_remote=1&
3-0	19127	0/0/0	W 	0.00	0	0	0.0	0.00	0.00 	89.97.218.88	www.psycho.crazynetwork.it	GET /server-status HTTP/1.1

The last one is me, the middle one seems to be webmail, so Roundcube... so it needs a login...

Could the first one be the one giving the problem and sending the mails?
 
Well, the first result looks like a Joomla site. It could be the problem.
The FTP connections look normal.

If you still have these issues then it must be some leak in a site. I guess the Joomla site(s).
 
Well, I already thought it was a problem in a website, but I don't know how to find out which site and which page is sending email, and I would like to find a way to get a better result from the investigation. Is there no way?
 
You have to look for mail that was sent after the patch was added.

If you get spam complaints for spam sent after the patch, then you will see the PHP script in the headers. You may also find mail in the spool that will also contain the script. But you have to look for mail that was sent after the patch was added.
 
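The spool file in the first post shows what "mail in the spool" looks like: an Exim -H file holds the envelope (message id, the "login uid gid" line, sender, -options, recipients), a blank line, and then the headers, each prefixed with a byte count and a one-letter flag (P for Received, F for From, T for To, * for a deleted header). The script below is an added example, not from the thread or from DirectAdmin, that parses that layout and pulls out the tagging header once the patch is active. Assumptions: the mail header patch writes "X-PHP-Script: host/path/script.php for client-ip", and PHP's own mail.add_x_header option (PHP 5.3+) writes "X-PHP-Originating-Script: uid:script.php"; both are handled. The sample -H file is constructed from the one posted, with the addresses changed and an X-PHP-Script line added.

```python
"""Pull the originating PHP script out of an Exim spool header (-H) file.

Added example, not from the thread. Assumed header formats:
  X-PHP-Script: <vhost>/<path>/<script> for <client ip>   (mail header patch)
  X-PHP-Originating-Script: <uid>:<script>                 (PHP mail.add_x_header)
SAMPLE_H is constructed; hosts and addresses are made up.
"""
import os
import re

# Header lines in a -H file look like "054F From: ..." (byte count, flag, text).
HDR_RE = re.compile(r'^(\d+)(.) (.*)$')


def parse_envelope(head):
    """First lines of a -H file: message id, then 'login uid gid', then sender."""
    lines = head.splitlines()
    return {
        'id': lines[0].rsplit('-H', 1)[0] if lines else None,
        'user': lines[1].split()[0] if len(lines) > 1 else None,
        'options': [l for l in lines if l.startswith('-')],
    }


def parse_spool_headers(text):
    """Return (headers, envelope). Continuation lines are folded onto their
    header; headers flagged '*' were deleted by Exim and are skipped."""
    head, _, body = text.partition('\n\n')
    headers, skip = [], False
    for line in body.splitlines():
        m = HDR_RE.match(line)
        if m:
            skip = m.group(2) == '*'
            if skip:
                continue
            name, _, value = m.group(3).partition(':')
            headers.append([name.strip(), value.strip()])
        elif line[:1] in (' ', '\t') and headers and not skip:
            headers[-1][1] += ' ' + line.strip()
    return [tuple(h) for h in headers], parse_envelope(head)


def find_origin(text):
    """Which PHP script injected the message, if a tagging header is present."""
    headers, env = parse_spool_headers(text)
    result = {'id': env['id'], 'user': env['user'],
              'script': None, 'remote_ip': None, 'tag': None}
    for name, value in headers:
        lname = name.lower()
        if lname == 'x-php-script':
            script, _, ip = value.partition(' for ')
            result.update(script=script.strip(), remote_ip=ip.strip() or None, tag=name)
            break
        if lname == 'x-php-originating-script':
            _, _, script = value.partition(':')
            result.update(script=script.strip(), tag=name)
            break
    return result


def scan_spool(spool_input_dir):
    """Walk Exim's spool input directory and report every queued -H file."""
    found = []
    for dirpath, _, filenames in os.walk(spool_input_dir):
        for f in filenames:
            if f.endswith('-H'):
                path = os.path.join(dirpath, f)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    found.append(find_origin(fh.read()))
    return found


# Constructed -H file; byte counts are those of the lines as written here.
SAMPLE_H = (
    "1ONk80-00055I-Pn-H\n"
    "apache 1004 1004\n"
    "<apache@psycho.example.it>\n"
    "1276423760 0\n"
    "-ident apache\n"
    "-received_protocol local\n"
    "-auth_id apache\n"
    "-local\n"
    "XX\n"
    "1\n"
    "victim@example.net\n"
    "\n"
    "188P Received: from apache by psycho.example.it with local (Exim 4.72)\n"
    "\t(envelope-from <apache@psycho.example.it>)\n"
    "\tid 1ONk80-00055I-Pn\n"
    "\tfor victim@example.net; Sun, 13 Jun 2010 12:09:20 +0200\n"
    "038  Date: Sun, 13 Jun 2010 12:09:20 +0200\n"
    "023T To: victim@example.net\n"
    "066  Subject: *IMPORTANT* Halifax Bank -Your Online Access Suspended !\n"
    "049F From: Halifax Online Banking <alert@example.com>\n"
    "076  X-PHP-Script: www.example-site.it/images/stories/mailer.php for 203.0.113.9\n"
    "018  MIME-Version: 1.0\n"
)

if __name__ == '__main__':
    print(find_origin(SAMPLE_H))
```

On a live box, scan_spool('/var/spool/exim/input') (path assumed; check exim -bP spool_directory) lists what is still queued; frozen bounces such as the one quoted earlier have an empty sender and no tagging header, so the script field stays None for them.
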
So maybe I've installed that patch in a bad way...

Code:
2010-06-13 12:27:15 Received from [email protected] U=apache P=local S=2360 T="*IMPORTANT* Halifax Bank -Your Online Access Suspended !"
2010-06-13 17:17:42 [email protected] R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host

because here I don't see any information about the header of the script that is sending the email. Was the way I wrote to install this patch right?

Thanks for your patience
 
OK, sorry, I didn't get it, but after the email has been sent I don't have the ID I see in the log in the spool directory.

By the way, I've found a bad script in a user directory, a PHP page for sending email, uploaded using the 777 permissions of the directory.

I've just received an email from myself with spam; I was checking the headers and it seems that my own server sent it, so should it be that the password of that email has been hacked?

This is the log:

Code:
>exigrep 89.129.223.147 mainlog
2010-06-15 17:00:53 1OOXdE-0003us-Tm <= [email protected] H=([89.129.223.147]) [89.129.223.147] P=esmtp S=7012 T="Sent to andrea.iannucci. -75% discounts notifier. has Leo For in" from <[email protected]> for [email protected]
2010-06-15 17:01:01 1OOXdE-0003us-Tm => andrea.iannucci <[email protected]> F=<[email protected]> R=spamcheck_director T=spamcheck S=7346
2010-06-15 17:01:01 1OOXdE-0003us-Tm Completed

I've caught the IP from the header, and to me it seems that he did correct auth for that email, is that correct or am I missing something?

Thanks again, as always
 
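The resolution above, a PHP mailer dropped into a world-writable (777) directory, is the usual shape of this problem, and it can be hunted for directly without waiting for the next spam complaint. The script below is an added example, not from the thread or from DirectAdmin: it lists directories under a web root that any local user (including apache) can write to, greps PHP files for the calls a mailer or web shell needs (mail, eval, base64_decode and friends), and ranks hits inside world-writable directories first. The demo tree it builds in a temporary directory is constructed; the paths and file contents are made up.

```python
"""Hunt for world-writable directories and PHP mailer/web-shell scripts.

Added example, not from the thread. demo() builds a constructed tree in a
temporary directory so the functions can be exercised offline.
"""
import os
import re
import shutil
import stat
import tempfile

# Calls a mailer or obfuscated shell needs; a hit is a lead, not proof.
SUSPECT_RE = re.compile(rb'\b(mail|eval|base64_decode|gzinflate|str_rot13)\s*\(')
PHP_EXT = ('.php', '.php5', '.phtml', '.inc')


def world_writable_dirs(root):
    """Directories under root whose mode has the other-write bit set (e.g. 777)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            try:
                mode = os.lstat(p).st_mode
            except OSError:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def suspicious_php(root, max_bytes=2_000_000):
    """PHP files whose source calls mail()/eval()/decoders: (relpath, calls)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            if not f.lower().endswith(PHP_EXT):
                continue
            p = os.path.join(dirpath, f)
            try:
                if os.lstat(p).st_size > max_bytes:
                    continue
                with open(p, 'rb') as fh:
                    src = fh.read()
            except OSError:
                continue
            calls = sorted({m.group(1).decode() for m in SUSPECT_RE.finditer(src)})
            if calls:
                hits.append((os.path.relpath(p, root), calls))
    return sorted(hits)


def rank(root):
    """Scripts that sit inside a world-writable directory come first: those are
    the ones a CMS exploit or a stolen FTP login could have dropped."""
    ww = world_writable_dirs(root)

    def in_ww(relpath):
        return any(relpath.startswith(d + os.sep) for d in ww)

    return sorted(suspicious_php(root), key=lambda h: (not in_ww(h[0]), h[0]))


def demo():
    """Build a constructed site tree, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix='spamhunt-')
    try:
        files = {
            'index.php': b'<?php echo "hello"; ?>',
            'components/contact.php': b'<?php mail($to, $subject, $body); ?>',
            'images/stories/mailer.php':
                b'<?php eval(base64_decode($_POST["c"])); '
                b'mail($_POST["t"], $_POST["s"], $_POST["b"]); ?>',
        }
        for rel, body in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, 'wb') as fh:
                fh.write(body)
        # The upload directory a CMS left at 777, as in the thread.
        os.chmod(os.path.join(root, 'images', 'stories'), 0o777)
        return {'world_writable': world_writable_dirs(root), 'ranked': rank(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, v)
```

On a real server run world_writable_dirs('/home') and rank('/home') (DirectAdmin keeps sites under /home/<user>/domains, path assumed); the first call is the same check as find /home -type d -perm -o+w, and a legitimate contact form will show up with just "mail" while an uploaded mailer usually also carries eval or base64_decode.
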