Spam Investigation

SeLLeRoNe

Hi guys,

Today I've a new issue with spam from one of my customers' websites...

Here is the header I have from the spam report:

Code:
--------------000407040209090904000108
Content-Type: message/rfc822;
 name="ForwardedMessage.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="ForwardedMessage.eml"

Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from fep30.mail.dk (fep30.mail.dk [80.160.76.194])
	by abuse.mail.dk (Postfix) with ESMTP id 9DC58564CD
	for <[email protected]>; Sun,  4 Jul 2010 19:20:13 +0200 (CEST)
Received: from fep28 ([80.160.76.232]) by fep30.mail.dk
          (InterMail vM.7.09.02.02 201-2219-117-103-20090326) with ESMTP
          id <20100704172013.UJWC2012.fep30.mail.dk@fep28>
          for <[email protected]>; Sun, 4 Jul 2010 19:20:13 +0200
X-TDC-Received-From-IP: 81.174.67.21
Received: from [81.174.67.21] ([81.174.67.21:50602] helo=www.ladispolicalcio.it)
	by fep28 (envelope-from <[email protected]>)
	(ecelerity 2.2.2.43 r(32041/32180M)) with ESMTP
	id CC/96-20605-DC2C03C4; Sun, 04 Jul 2010 19:20:13 +0200
Received: (qmail 78175 invoked by uid 33); 04 Jul 2010 17:20:10 +0000
Date: 04 Jul 2010 17:20:10 +0000 
Message-ID: <[email protected]>
Subject: HI FRIEND! MEDS SEX PILLS!
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
From: <[email protected]>
To: [email protected]
X-Priority: 3
Content-Transfer-Encoding: quoted-printable

I've the php-header patch, but in this header I don't see any reference to the source page of those spam emails.

Of course I can find out the user and the domain, but I don't understand how to find out the source page or how they are sending those emails.

I hope someone can give me some suggestions to solve this new problem I've got.

Thanks as always to everyone

Best regards
 
How do you know it was from the web site and not from SMTP?

If it's from a php script on the web site and you are running php as a module then you should see in the header:

Received: from apache by

So I believe either you are not running php as a module, in which case the php mail header patch is irrelevant, or the spam was sent using somebody's regular email account.

Is fep28 one of your users?
 
Message-ID: <[email protected]>
and
Received: from [81.174.67.21] ([81.174.67.21:50602] helo=www.ladispolicalcio.it)
made me think about the website and not the SMTP server.

PHP is installed as CLI, and on another server I see the X-PHP line in the header when it is sent by Apache... so, probably you are right, it's an SMTP account sending...

fep28 doesn't exist on the server side as a user, nor on the client side as an email account.

I suppose it's the original sender that uses the ladispolicalcio.it SMTP to send spam, so...

I've blocked the whole website and so far I've not received any other communication about spam abuse... this is another thing that makes me think about mail via the Apache user and a PHP script (cgi-bin is disabled).

Have you any idea how I should check whether it is via SMTP or via Apache, using some further investigation method?

Thanks for your reply and have a nice day
 
The whole thing doesn't make sense to me because I see no references to exim, and if exim did not handle the mail then that means it's not a DirectAdmin server and it makes me wonder why we are discussing it.
 
It's not a VPS, but I don't think that changes anything :)

www-data:x:33:33:www-data:/var/www:/bin/sh

Yes, it is Apache, but I don't get why the php-header patch is not working. I know floyd said that it's because PHP is in CLI mode, but on another server with the same configuration I've received the X-PHP line in the mail header that identifies the URL the email was sent from.

Do you suggest re-installing PHP as CGI? Will that change the users' websites in any way?

Thanks again
 
I know floyd said that it's because PHP is in CLI mode

The patch does work for cli mode. It may work for cgi mode as well, I don't know.

I just do not see where this came from a mail server using exim. I do not see an exim style message id.

Have you checked netstat to see if there is anything connecting to outside servers on port 25? Perhaps there is another mail server running sending the spam. There could be a php or perl script running as apache that is a mail server.
 
@SeLLeRoNe:

Before we go further, which of these IP#s is on your server?
81.174.67.21
80.160.76.232

81.174.67.21 responds as 220 Burn.CrazyNetwork.it ESMTP Exim 4.72

80.160.76.232 responds as 220 Welcome to fpo.mail.dk!

Reading up from the bottom, it's coming from Burn.CrazyNetwork.it. Running qmail, so Floyd's question is important.

Is that you? If so, are you running an exim server on that machine? Or a qmail server? If a qmail server, what has this to do with us?

Please give us more information about your mailserver, etc.

If neither IP# is you, then let us know your mailserver's IP number(s).

Jeff
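Reading the Received: chain from the bottom up, as Jeff describes, can be scripted. The following is an added example (not code from the thread or from DirectAdmin) that unfolds the headers of the spam report above, lists the hops oldest-first, and flags the bottom line as a local qmail injection by uid 33, which is www-data according to the /etc/passwd line posted above.

```python
import re

# Constructed sample: the Received: chain of the forwarded spam above (addresses redacted as on the page)
SAMPLE_HEADERS = """\
Received: from fep30.mail.dk (fep30.mail.dk [80.160.76.194])
\tby abuse.mail.dk (Postfix) with ESMTP id 9DC58564CD
\tfor <[email protected]>; Sun,  4 Jul 2010 19:20:13 +0200 (CEST)
Received: from fep28 ([80.160.76.232]) by fep30.mail.dk
          (InterMail vM.7.09.02.02 201-2219-117-103-20090326) with ESMTP
          id <20100704172013.UJWC2012.fep30.mail.dk@fep28>
          for <[email protected]>; Sun, 4 Jul 2010 19:20:13 +0200
Received: from [81.174.67.21] ([81.174.67.21:50602] helo=www.ladispolicalcio.it)
\tby fep28 (envelope-from <[email protected]>)
\t(ecelerity 2.2.2.43 r(32041/32180M)) with ESMTP
\tid CC/96-20605-DC2C03C4; Sun, 04 Jul 2010 19:20:13 +0200
Received: (qmail 78175 invoked by uid 33); 04 Jul 2010 17:20:10 +0000
"""
UID_RE = re.compile(r"invoked by uid (\d+)")
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"helo=([^\s)]+)")

def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields

def received_chain(raw):
    """Hops oldest-first: each relay prepends its Received: line, so the bottom one handled the mail first."""
    received = [f[9:].strip() for f in unfold(raw) if f.startswith("Received:")]
    hops = []
    for value in reversed(received):
        uid, m = UID_RE.search(value), HOP_RE.search(value)
        if uid:  # local injection; uid 33 is www-data per the /etc/passwd line above
            hops.append({"kind": "local", "uid": int(uid.group(1))})
        elif not m:  # unknown format: keep it visible instead of dropping it
            hops.append({"kind": "unparsed", "raw": value})
        else:
            info = m.group("info") or ""
            ip = IP_RE.search(info) or IP_RE.search(m.group("from"))
            helo = HELO_RE.search(info)
            hops.append({"kind": "smtp", "by": m.group("by"), "from_ip": ip.group(1) if ip else None,
                         "helo": helo.group(1) if helo else m.group("from")})
    return hops
```

The first SMTP hop after the local injection is the one the receiving side (fep28) recorded from 81.174.67.21, so that is the host to investigate; every hop above it was added by mail.dk's own relays.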
 
Hi jlasman, thanks as always for your interest in my problem.

My IP is 81.174.67.21 and the hostname is Burn.CrazyNetwork.it.

It's a DA server with Exim; I never installed qmail, so probably someone somewhere installed that with a Perl script or something like that, as floyd said.

The mailserver IP is that one, the main server IP.

Here info about exim:

Code:
[23:26:49] [email protected] [/]
>exim -bV
Exim version 4.72 #1 built 04-Jun-2010 11:10:28
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.5.20: (September 20, 2006)
Support for: crypteq iconv() Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 4
OpenSSL compile-time version: OpenSSL 0.9.8g 19 Oct 2007
OpenSSL runtime version: OpenSSL 0.9.8g 19 Oct 2007
Configuration file is /etc/exim.conf

I'm using your SB exim conf, just to give more info.

Some other tests:

Code:
[23:26:51] [email protected] [/]
>ps aux | grep qmail
root     13203  0.0  0.0   2072   624 pts/1    D+   23:27   0:00 grep qmail

Code:
[23:28:12] [email protected] [/]
>/usr/local/nobody_check/nobody_check
Nobody Check 1.0.3 Old Version Please Update
Running on DirectAdmin
Copyright (c) 2006 Wave Point Media Inc
Made available by www.webhostgear.com
Options: kill bad proc=1 logging lvl=1
Initializing Scan on lun lug  5 23:28:13 CEST 2010 ...

httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean
httpd is httpd ...clean

Done Scanning
Clean Processes: 16
Your server is all clean and safe - keep up the good work!

netstat seems not to be listening (or to have any connection) on port 257; btw, why 257?
Code:
[23:29:05] [email protected] [/]
>netstat -ant | grep :257

User ladispoli (that seems to be the host sending those emails) seems to have no crontab running.

If you need to see more command-line output, just let me know.

Thanks guys, I always appreciate your help.

Edit: qmail seems not to be installed... at least not in a normal mode.
Code:
[23:30:13] [email protected] [/]
>qmail
bash: qmail: command not found
 
Further info about PHP, maybe important for your analysis:

Code:
[23:31:51] [email protected] [/]
>php -v
PHP 5.2.13 with Suhosin-Patch 0.9.7 (cli) (built: Jul  1 2010 14:59:14)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
    with eAccelerator v0.9.6, Copyright (c) 2004-2010 eAccelerator, by eAccelerator
    with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
    with Suhosin v0.9.18, Copyright (c) 2002-2006, by Hardened-PHP Project
    with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies

Edit: the qmail command seems not to be on the server; maybe it has a different name, if it is really there.
Code:
[23:35:50] [email protected] [~]
>find / -name qmail
 
It could easily be a script that is faking a qmail id. If the script is finished sending the spam then you will not find it in netstat. However, what you should be looking for is not qmail.

You want:

Code:
netstat -np | grep 25 | grep -v exim

And then look for any processes connecting on port 25 to foreign IP addresses that are not exim.
 
Code:
[23:44:36] [email protected] [/]
>netstat -np | grep 25 | grep -v exim
tcp        0      0 194.177.98.234:80       151.50.178.198:50625    FIN_WAIT2   -
tcp        0      0 81.174.66.183:22        123.252.133.204:60741   TIME_WAIT   -
tcp        0      0 194.177.98.234:80       87.228.220.30:51125     TIME_WAIT   -
tcp        0      0 194.177.98.234:110      87.7.252.16:1611        TIME_WAIT   -
tcp        0      0 194.177.98.234:110      79.9.248.43:52575       TIME_WAIT   -
tcp        0      0 81.174.66.183:22        123.252.133.204:36017   TIME_WAIT   -
tcp        0  25526 194.177.98.234:80       189.138.207.178:1956    FIN_WAIT1   15619/httpd
tcp        0      0 81.174.66.183:22        123.252.133.204:44719   ESTABLISHED 15685/sshd: unknown
tcp        0      0 194.177.98.234:80       66.249.71.228:34925     TIME_WAIT   -
tcp        0      0 194.177.98.234:80       123.125.66.103:57442    TIME_WAIT   -
tcp        0     52 81.174.67.21:22         87.7.252.16:1662        ESTABLISHED 15649/sshd: sellero
tcp        0      0 194.177.98.234:80       93.145.43.221:52825     TIME_WAIT   -
unix  3      [ ]         STREAM     CONNECTED     47108442 15625/pop3-login
unix  3      [ ]         STREAM     CONNECTED     47108439 15625/pop3-login
unix  3      [ ]         STREAM     CONNECTED     47108252 8624/dovecot-auth   /var/run/dovecot/login/default
unix  3      [ ]         STREAM     CONNECTED     47108251 15605/pop3-login
unix  2      [ ]         DGRAM                    46646256 8621/dovecot
unix  3      [ ]         STREAM     CONNECTED     46601525 8624/dovecot-auth   /var/run/dovecot/login/default
unix  2      [ ]         STREAM     CONNECTED     46380725 7876/spamd child
unix  3      [ ]         STREAM     CONNECTED     46287825 8621/dovecot
unix  3      [ ]         STREAM     CONNECTED     46258317 8624/dovecot-auth   /var/run/dovecot/login/default
unix  3      [ ]         STREAM     CONNECTED     46258316 25878/imap-login
unix  3      [ ]         STREAM     CONNECTED     46258310 25878/imap-login
unix  3      [ ]         STREAM     CONNECTED     46258309 8621/dovecot
unix  2      [ ]         DGRAM                    25939764 7979/ntpd

Maybe I'm wrong, but are those strange or not?

Code:
tcp        0      0 81.174.66.183:22        123.252.133.204:60741   TIME_WAIT   -
tcp        0      0 81.174.66.183:22        123.252.133.204:36017   TIME_WAIT   -
tcp        0      0 81.174.66.183:22        123.252.133.204:44719   ESTABLISHED 15685/sshd: unknown

All are my IPs, but I've never used or connected to the 81.174.66.183 one...
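`grep 25` matches the digits 25 anywhere in the line, which is why the output above is full of Send-Q byte counts, PIDs and ports such as 50625 rather than SMTP connections. The following added example (not from the thread) applies Floyd's check by parsing the foreign-address port field instead; the sample input copies lines from the output above and adds two constructed lines with a real port-25 peer, one owned by exim and one by an httpd process.

```python
import re

# Constructed sample: lines copied from the netstat -np output above (each contains
# the digits "25" somewhere, so plain `grep 25` printed them) plus two hypothetical
# lines with a real foreign port 25, one from exim and one from an httpd process.
SAMPLE_NETSTAT = """\
tcp        0      0 194.177.98.234:80       151.50.178.198:50625    FIN_WAIT2   -
tcp        0  25526 194.177.98.234:80       189.138.207.178:1956    FIN_WAIT1   15619/httpd
tcp        0      0 81.174.66.183:22        123.252.133.204:44719   ESTABLISHED 15685/sshd: unknown
tcp        0      0 81.174.67.21:48822      198.51.100.25:25        ESTABLISHED 4242/exim
tcp        0      0 81.174.67.21:48901      203.0.113.9:25          ESTABLISHED 15619/httpd
unix  3      [ ]         STREAM     CONNECTED     47108442 15625/pop3-login
"""

# netstat -np tcp columns: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
TCP_RE = re.compile(r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
                    r"\s+(?P<state>\S+)\s+(?P<prog>.*)$")

def split_endpoint(endpoint):
    """'203.0.113.9:25' -> ('203.0.113.9', 25); also works for IPv6 such as '::1:25'."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def outbound_smtp(netstat_output, mta="exim", port=25):
    """Connections whose *foreign* port is `port` and whose owner is not the MTA.

    Unlike `grep 25`, this ignores Send-Q byte counts, PIDs and local ports that
    merely contain the digits. Sockets netstat cannot attribute ('-') get pid None."""
    hits = []
    for line in netstat_output.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue                      # unix sockets, headers, blank lines
        _, rport = split_endpoint(m.group("remote"))
        if rport != port:
            continue
        prog = m.group("prog").strip()
        if prog == "-":
            pid, name = None, "(unattributed)"
        else:
            pid_s, _, name = prog.partition("/")
            pid = int(pid_s)
        if name.split(":")[0] == mta:
            continue                      # the MTA is expected to talk to port 25
        hits.append({"pid": pid, "program": name, "remote": m.group("remote"),
                     "state": m.group("state")})
    return hits
```

On a live box feed it the real output (`netstat -np | python3 this_script.py` style, or `subprocess.run(["netstat", "-np"], capture_output=True, text=True).stdout`); a web server process or an unattributed socket talking to a foreign port 25 is the thing worth chasing, and a one-off script that has already exited will not show up at all, exactly as Floyd notes.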
 
To clarify a few points

qmail can be on the server but not identifiable as qmail, since it can be named anything and still identify itself as qmail when run.

Since neither a script nor qmail needs to run as a daemon to send mail, it's possible you'll never see it attached to any port, nor will you see it in a process list.

Neither a script nor qmail needs to bind to port 25 to send email.

You may need to search all of userspace for executable files. If it's a script, it doesn't even have to be executable; php scripts can be called by php, and perl scripts can be called by perl.

Where to look? I'd start with looking at sites and users created on your server just prior to the spam starting.

Jeff
 
Thanks for your detailed explanation. I've solved it by deleting the customer's website that was mentioned in the email, and it seems that spam is no longer being sent.

I've disabled CGI, so I think Perl scripts can't be used and executed, so probably it was a PHP page... but... if it was a PHP page, then the php-header patch would have been able to "tell me" the correct sending URL, am I wrong?

Btw, as always, thanks for your help guys
 
I've solved it by deleting the customer's website that was mentioned in the email, and it seems that spam is no longer being sent.
Isn't that a bit drastic though.... I mean, I would take it offline (i.e. suspend it so nothing can be accessed by hackers/them), tell him/her what has happened, then give them time to explain if they knew what was going on; if they didn't, offer them assistance, otherwise, if they did know, cut the site altogether? Or am I being too nice to my customers? lol
... but... if it was a PHP page, then the php-header patch would have been able to "tell me" the correct sending URL, am I wrong?
Maybe a PHP class was used to send over SMTP? Seeing as it used qmail, I think it bypasses all PHP relevance.... I could be wrong though.
 
Hehe, sorry, I didn't explain well. Of course I've talked with the customer, explained the situation and what was going on; he said "delete it, I'm doing a new website, don't worry"... so I moved all the files into /root to have a copy for investigation and restored his account with a clean public_html folder :) I'm not so drastic, that would be a shame ^^

So you think there was an executable file that was qmail and was called from a class using an SMTP socket? Because it seems it was not using the SMTP port (of course maybe he was binding a non-standard port)... well... I'll check the files soon ^^

Thanks
 