LinuxQuestions.org
Linux - Security
Old 10-08-2013, 01:20 PM   #1
kingkashif
Member
 
How to investigate this spammer using our server?


Hello guys,

We see that a specific type of email is being sent through our server. We would like to find out how this is possible.
We are using Plesk Panel 11.5.x.

How is this user able to send emails using this forged account?
Any idea?

Code:
X-No-Relay: not in my network
(the X-No-Relay line above appears 50 times in a row in the original header)
Received: from User (unknown [178.33.85.142])
	by hosting.DOMAIN.com (Postfix) with ESMTPA id 6898C203037;
	Tue,  8 Oct 2013 17:37:22 +0200 (SAST)
From: "PayPal"<srvcs@ppapall.co.uk>
Subject: Important: We noticed unusual activity in your PayPal account (Ref #PP-001-546-712-069)
Date: Tue, 8 Oct 2013 08:37:15 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0022_01C2A9A6.46ABF990"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Thanks in advance.
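The Received: line in the header above is the key evidence, and parsing it is the first step. The following is an added example, not code from the thread: it reads the quoted header block (the repeated X-No-Relay lines trimmed to two) and reports the injecting client's IP and whether that client authenticated. Postfix writes "with ESMTPA" (an RFC 3848 keyword) only when the client passed SMTP AUTH, so that keyword alone answers the "forged account" question: the From: address is free text, and any authenticated mailbox can put anything in it. The regex assumes Postfix's Received: layout; other MTAs differ.

```python
"""Classify how a message entered the server from its Received: trace.

Added example (not from the thread). Parses the header block quoted in the
post and reports whether the injecting client authenticated. 'with ESMTPA'
is the RFC 3848 marker Postfix adds when the sender passed SMTP AUTH.
"""
import re
from email import message_from_string

# Header block taken from the post; the 50 identical X-No-Relay lines are
# reduced to two since only their presence matters here.
SAMPLE_HEADERS = (
    "X-No-Relay: not in my network\n"
    "X-No-Relay: not in my network\n"
    "Received: from User (unknown [178.33.85.142])\n"
    "\tby hosting.DOMAIN.com (Postfix) with ESMTPA id 6898C203037;\n"
    "\tTue,  8 Oct 2013 17:37:22 +0200 (SAST)\n"
    'From: "PayPal"<srvcs@ppapall.co.uk>\n'
    "Subject: Important: We noticed unusual activity in your PayPal account\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
)

# Postfix layout: from HELO (rdns [ip]) by host (Postfix) with PROTO id ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z]+)"
)

# RFC 3848 "with" keywords whose trailing A means SMTP AUTH succeeded.
AUTHENTICATED_PROTOS = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}


def parse_received(value):
    """Return the fields of one Received: header, or None if unparseable."""
    flat = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    hop["authenticated"] = hop["proto"] in AUTHENTICATED_PROTOS
    return hop


def analyze(raw_headers):
    """Summarise how the message got into the MTA that added the top hop."""
    msg = message_from_string(raw_headers)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    if not hops:
        return {"verdict": "no parseable Received header"}
    entry = hops[0]  # topmost Received: is the most recent hop, i.e. our own server
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    if entry["authenticated"]:
        verdict = "submitted with SMTP AUTH: a mailbox password is compromised"
    else:
        verdict = "accepted without AUTH: check for open relay or trusted-network abuse"
    return {
        "client_ip": entry["ip"],
        "client_rdns": entry["rdns"],
        "helo": entry["helo"],
        "receiving_host": entry["by"],
        "protocol": entry["proto"],
        "authenticated": entry["authenticated"],
        "from_domain": from_domain,
        "no_relay_markers": len(msg.get_all("X-No-Relay", [])),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_HEADERS).items():
        print(f"{key:>18}: {val}")
```

The queue id in the Received: line (6898C203037 here) is the same id Postfix logs in /var/log/maillog, so it is the pivot from the message to the log line that names the SASL account used.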
 
Old 10-08-2013, 01:22 PM   #2
frieza
Senior Member
 
I would start with a whois search for the IP address
(arin.net/ui).
I did it for you just to be nice:
http://whois.arin.net/rest/net/NET-178-0-0-0-1/pft
 
Old 10-08-2013, 01:31 PM   #3
kingkashif
Member
 
Thanks Frieza, you are a kind human being indeed.

What now? What's the next step?
 
Old 10-08-2013, 01:35 PM   #4
frieza
Senior Member
 
I would look at any and all logs related to mail servers (in /var/log), and put a block on that IP address (or, if necessary, on that IP address block entirely, if nobody from Amsterdam is expected to use your server). I'm not sure of the specifics, since it's been a long, long time since I configured a mail server, and I'm not sure if it was the same one you are using, which, by the way, would be useful information for you to post.
 
Old 10-08-2013, 01:51 PM   #5
colucix
Moderator
 
Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 10-08-2013, 02:03 PM   #6
kingkashif
Member
 
Actually, I will block the IP, but what if the spammer comes from another IP?

I wanted to know how he uses our server to send out these emails, so that we could counter it.
Any clue how this is possible?
 
Old 10-08-2013, 04:10 PM   #7
frieza
Senior Member
 
Quote:
Originally Posted by kingkashif View Post
Actually, I will block the IP, but what if the spammer comes from another IP?

I wanted to know how he uses our server to send out these emails, so that we could counter it.
Any clue how this is possible?
You might have to block out the entire IP block, though there's nothing to prevent him from spoofing an IP.
 
Old 10-08-2013, 04:28 PM   #8
eSelix
Senior Member
 
Quote:
Originally Posted by kingkashif View Post
Actually, I will block the IP, but what if the spammer comes from another IP?
Blocking by IP, and whole ranges of them, is the only reliable method in my opinion. You can help yourself with services like SORBS, SpamCop and Spamhaus.

Quote:
I wanted to know how he uses our server to send out these emails?
How do you know it used your mail server? It can be allowed, for example by allowing mail to be sent from outside the network on port 25, or somebody can discover the authorization data of one of your trusted users, or it can be a trojan on one of your users' computers.
 
Old 10-08-2013, 05:08 PM   #9
kingkashif
Member
 
Quote:
Originally Posted by eSelix View Post
How do you know it used your mail server? It can be allowed, for example by allowing mail to be sent from outside the network on port 25, or somebody can discover the authorization data of one of your trusted users, or it can be a trojan on one of your users' computers.
I know they used our mail server because the emails were in the mail queue of our server.

I don't suspect a trojan on our server. But you mean that if they discover the authorization data of one of our trusted users, then they can use our mail server to send out these spam emails using a fake email address such as srvce@ppaypall.com?
 
Old 10-08-2013, 06:50 PM   #10
Habitual
Senior Member
 
More often than not on (some) Panel products, it is a user's credentials that are compromised.

I'd check the logs for rapid and varied connections from diverse IPs for your clients by their login name or loginID.
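One way to do that log check, as an added example that is not part of the post: the block below feeds constructed Postfix smtpd log lines (the standard "client=" line, which carries sasl_username when SMTP AUTH succeeded) through a per-account tally and flags accounts seen from many distinct addresses or with a burst of submissions in a short span. The log lines, hostnames and thresholds are assumptions; the year is assumed because syslog timestamps omit it, and the thresholds need tuning for a real user base (roaming users legitimately change IP).

```python
"""Spot compromised mailbox logins in Postfix smtpd logs.

Added example (not from the thread). Tallies SASL logins per account from
constructed log lines and flags accounts with many client IPs or bursts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real traffic. Assumed year: 2013.
SAMPLE_LOG = """\
Oct  8 17:30:01 hosting postfix/smtpd[2101]: 1A2B3C4D5E: client=unknown[178.33.85.142], sasl_method=LOGIN, sasl_username=sales@example.com
Oct  8 17:30:07 hosting postfix/smtpd[2102]: 2B3C4D5E6F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=sales@example.com
Oct  8 17:30:12 hosting postfix/smtpd[2103]: 3C4D5E6F70: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=sales@example.com
Oct  8 17:31:40 hosting postfix/smtpd[2104]: 4D5E6F7081: client=unknown[192.0.2.200], sasl_method=LOGIN, sasl_username=sales@example.com
Oct  8 17:37:22 hosting postfix/smtpd[2105]: 6898C203037: client=unknown[178.33.85.142], sasl_method=LOGIN, sasl_username=sales@example.com
Oct  8 09:02:10 hosting postfix/smtpd[1990]: 5E6F708192: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=anna@example.com
Oct  8 13:45:33 hosting postfix/smtpd[2050]: 6F70819203: client=office.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=anna@example.com
Oct  8 17:36:58 hosting postfix/smtpd[2100]: 7081920314: client=mx.partner.example[198.51.100.9]
"""

# Postfix smtpd "client=" line; the sasl_* fields are present only for
# authenticated submissions.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=(?P<rdns>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?"
)


def parse_line(line, year=2013):
    """Return one authenticated submission, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or not m.group("user"):
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "ip": m.group("ip"), "qid": m.group("qid")}


def tally(lines):
    """Group authenticated submissions by SASL username."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_user[rec["user"]].append(rec)
    return per_user


def flag_suspicious(per_user, max_ips=2, window_minutes=10, max_in_window=3):
    """Flag accounts seen from more than max_ips addresses, or with more than
    max_in_window submissions inside any window_minutes span."""
    findings = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["ts"])
        ips = {r["ip"] for r in recs}
        burst = 0
        for i, first in enumerate(recs):  # largest cluster starting at each record
            j = i
            while j < len(recs) and (recs[j]["ts"] - first["ts"]).total_seconds() <= window_minutes * 60:
                j += 1
            burst = max(burst, j - i)
        reasons = []
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} distinct client IPs")
        if burst > max_in_window:
            reasons.append(f"{burst} logins within {window_minutes} min")
        if reasons:
            findings[user] = {"ips": sorted(ips), "reasons": reasons,
                              "queue_ids": [r["qid"] for r in recs]}
    return findings


if __name__ == "__main__":
    for user, info in flag_suspicious(tally(SAMPLE_LOG.splitlines())).items():
        print(user, "->", "; ".join(info["reasons"]), info["ips"])
```

The queue ids collected per account are what tie a log line back to a specific queued message (the Received: header carries the same id), so once an account is flagged you can pull the exact messages it submitted before resetting its password.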
 
Old 10-09-2013, 01:29 AM   #11
unSpawn
Moderator
 
Quote:
Originally Posted by Habitual View Post
More often than not on (some) Panel products, it is a user's credentials that are compromised.
...and if it's not that, one should assess server configuration as a whole and particularly inspect the server for any software running in the web stack (CMSes, web logs, themes, helpers, plugins, extensions, etc.) that is unnecessary, wrongly configured, badly coded, no longer maintained, not updated or outright vulnerable. Check software package contents by comparing hashes with those from a downloaded version from a trusted source, and for a quick check for PHP shells and other "malware" see Linux Malware Detect (LMD).
 
Old 10-09-2013, 07:00 AM   #12
Habitual
Senior Member
 
Quote:
Originally Posted by unSpawn View Post
...and if it's not that, one should assess server configuration as a whole and particularly inspect the server for any software running in the web stack (CMSes, web logs, themes, helpers, plugins, extensions, etc.) that is unnecessary, wrongly configured, badly coded, no longer maintained, not updated or outright vulnerable. Check software package contents by comparing hashes with those from a downloaded version from a trusted source, and for a quick check for PHP shells and other "malware" see Linux Malware Detect (LMD).
Do I get partial credit for a partial answer?
And it may be PP 11.5 now, but it could have been abused if there was a previous version and it was upgraded to 11.5.
Check the logs slowly and carefully.

Plesk Mass Password Reset Script
 
Old 10-10-2013, 09:02 AM   #13
sundialsvcs
Guru
 
For these very reasons, I stopped using Plesk (and all of its brethren) years ago.

"Convenient" though they are, these systems hand far too much power to "a web page." To do what they do, they introduce all sorts of kernel modules that have consistently been found to have "holes." There are just too many places to hide an exploit.

Last edited by sundialsvcs; 10-10-2013 at 09:04 AM.
 
Old 10-10-2013, 09:31 AM   #14
dive
Senior Member
 
I would find out why your mail daemon is allowing open relaying and stop it. It's pointless trying to block IP addresses if it's open because many more will come along.

I don't know too much about Plesk, but I would assume that the mail service is provided by Sendmail or the like.
 
Old 10-10-2013, 10:06 AM   #15
Stuferus
Member
 
Quote:
Originally Posted by dive View Post
I don't know too much about Plesk, but I would assume that the mail service is provided by Sendmail or the like.
Plesk is Postfix or, since version 9, qmail. I think Sendmail and Exim are not supported, but anyone can and may prove me wrong.
 
  

