LinuxQuestions.org
Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1 | nepcw | 11-18-2008, 02:14 PM
Server being used to relay spam (Plesk + Qmail), how do I stop it?


I have a Root server with 1and1. They use Plesk as the control panel so that is what I have been using.
I got a notice from them that our server has been sending spam and they are getting complaints.

The server uses Qmail with spamassassin

In the Plesk control panel I have set (From day 1) for mail relay to be on, but require SMTP authentication.

When I look in the mail queue for the server I see the same sender (not a domain on my server) sending mass emails to a group of 100+ users.

I went through and looked at everything I could to see if I had something setup that was not correct and I just do not see it.

I ran a telnet to the server and attempted to send from a domain not in the RCPT list and it failed.

What logs can I look at or how can I determine if they are sending directly from the server or if I have a site on there that has been compromised?

Thank you for all your help!
 
#2 | nepcw (original poster) | 11-18-2008, 03:48 PM
I checked the secure log and see a lot of lines like the following; some are legit and a lot are not.

Nov 18 15:25:31 u15262964 xinetd[3826]: START: smtp pid=3435 from=202.75.56.43

I checked and this is an AU IP. Some are from Africa, Amsterdam, China, etc.



These are obviously the spammers, but are they connecting from the outside world to my server to send?
 
#3 | rjlee | 11-18-2008, 04:02 PM
First, check your SMTP authentication. I'm not clear on the details of SMTP-AUTH, but Wikipedia suggests that it can use password authentication; this could be a simple matter of someone brute-forcing your password. The first thing I'd do is change your password and see if the problem stops.

If the server has been compromised, then the chances are that it's a known rootkit that's being used to send spam; you should probably try running chkrootkit to test for this. http://www.chkrootkit.org/.

Can you get hold of a sample spam message? This may tell you if they are using your mail system or not (qmail headers) and may even yield something about the upstream message sender, such as an IP address or the mail agent that they are using.

Qmail logs to /var/log/qmail/ (at least, it does on my server, but I'm running quite an old configuration). There are various files in subdirectories, each named current, that hold the main logs for each module. You probably want to look at /var/log/qmail/smtpd/current.

The other thing you really should do is tell your server provider. Most providers are very happy to help track down problems when servers may have been compromised, but they will usually want to re-image your server to be sure, so make sure that you have a backup of anything important on the server.
 
#4 | rjlee | 11-18-2008, 04:05 PM
Quote (nepcw, #2):
I checked the secure log and see a lot of lines like the following; some are legit and a lot are not.

Nov 18 15:25:31 u15262964 xinetd[3826]: START: smtp pid=3435 from=202.75.56.43

I checked and this is an AU IP. Some are from Africa, Amsterdam, China, etc.

These are obviously the spammers, but are they connecting from the outside world to my server to send?
xinetd is controlled from /etc/xinetd.conf. Generally, it will be configured to spawn a dæmon when an incoming connection arrives on a particular port, so the chances are that this is an incoming connection from the outside world that's forcing its way past your SMTP-AUTH.
 
#5 | nepcw (original poster) | 11-18-2008, 04:08 PM
Quote (rjlee, #3):
First, check your SMTP authentication. I'm not clear on the details of SMTP-AUTH, but Wikipedia suggests that it can use password authentication; this could be a simple matter of someone brute-forcing your password. The first thing I'd do is change your password and see if the problem stops.
[...]
I have SMTP Auth turned on and when I run all my tests it shows the server is not an open relay. I will try to get ahold of a sample spam message so we can take a look at it.
I checked the qmail logs and all they are really telling me is that person@notmydomain.com is attempting to send to person@atnotmydoman.com.
It doesn't really state if it had been delivered, and when I check the queue through Plesk I see them sitting there. So I clear them out, then in a few more days they are there again, waiting to be delivered.
I will post up any log you need to see.
I added a boatload of IPs to my host.deny for ssh because I saw there was someone running a dictionary attack on the server as well.

I have spent the last few hours trying to dig deeper into this and it seems I just come up with more questions, lol
 
#6 | nepcw (original poster) | 11-18-2008, 04:16 PM
I also ran chkrootkit and the only thing I see that came back infected was:

Checking `bindshell'... INFECTED (PORTS: 465)


Which, from what I read, might be OK (false negative).
 
#7 | rjlee | 11-18-2008, 04:24 PM
Quote (nepcw, #5):
I have SMTP Auth turned on and when I run all my tests it shows the server is not an open relay. I will try to get ahold of a sample spam message so we can take a look at it.
Do you know what version of qmail-smtpd-auth you are using? According to the changelog (http://members.elysium.pl/brush/qmail-smtpd-auth/) there was a fix in version 0.26 that could let an attacker get relay access (not sure under what conditions).

Again, SMTP-AUTH isn't worth anything if your password is guessed, so changing your password really might be worth trying.
 
#8 | nepcw (original poster) | 11-18-2008, 04:26 PM
Quote (rjlee, #7):
Do you know what version of qmail-smtpd-auth you are using? According to the changelog (http://members.elysium.pl/brush/qmail-smtpd-auth/) there was a fix in version 0.26 that could let an attacker get relay access (not sure under what conditions).

Again, SMTP-AUTH isn't worth anything if your password is guessed, so changing your password really might be worth trying.
I did change my password as soon as I got the email from 1and1 telling me about the spam. I have about 25 domains on the server right now, so in theory any one of the accounts set up with mail could have had their passwords guessed and they are using that account, right? How would I find out what account it is?

How do I check the version of qmail-smtpd-auth?

 
#9 | billymayday | 11-18-2008, 04:28 PM
It's more likely the password of one of the users that is able to relay. You need to work out which user is being authenticated for spamming purposes.
 
#10 | nepcw (original poster) | 11-18-2008, 04:31 PM
Quote (billymayday, #9):
It's more likely the password of one of the users that is able to relay. You need to work out which user is being authenticated for spamming purposes.
How do I go about finding that out? I tried looking in all the logs I have and nothing seems to tell me what AUTH ACCT is sending the spam.
 
#11 | billymayday | 11-18-2008, 04:34 PM
Don't your maillogs tell you anything useful? Who's the sender of mail? Is there an authentication showing up at the same time? What distro are you using?
 
#12 | rjlee | 11-18-2008, 04:35 PM
Quote (nepcw, #10):
How do I go about finding that out? I tried looking in all the logs I have and nothing seems to tell me what AUTH ACCT is sending the spam.
You should be able to find this out from the headers of one of the spam messages after qmail has added its headers.

You may also be able to find the version of smtp-auth from your distribution's package manager.
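
Posts #3 and #12 both point at the spam sample's own headers as the place to see whether the mail went through this server and where it came from. The Python below is an added example, not code from the thread, from qmail or from Plesk: it walks a message's Received: headers from the top (the last hop) to the bottom (the earliest hop the message carries), pulls out the IP and the relaying host recorded by each hop, and picks out the one hop our own MTA wrote, because that is the only one whose client IP can be trusted (everything below it was supplied by the client and can be forged). The sample message is constructed; the hostname ourserver.example and the "with ESMTPA" wording of the authenticated hop are assumptions for illustration, since the exact text depends on the MTA and SMTP-AUTH patch in use.

```python
import re
from typing import List, Optional

# Constructed sample message, not a real capture.  The hop written by our
# own MTA (the "with ESMTPA" line) and the hostname ourserver.example are
# assumptions; qmail's "(qmail NNN invoked from network)" line is shown in
# its usual shape but the pid and timestamps are made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTP id abc123; Tue, 18 Nov 2008 13:36:01 -0500
Received: from ourserver.example (ourserver.example [203.0.113.5])
\tby mx.example.net with ESMTP; Tue, 18 Nov 2008 13:35:58 -0500
Received: (qmail 31212 invoked from network); 18 Nov 2008 18:35:48 -0000
Received: from unknown (HELO User) (202.75.56.43)
\tby ourserver.example with ESMTPA; 18 Nov 2008 18:35:48 -0000
From: alert@abbey.com
To: zinch@publiconline.co.uk
Subject: constructed sample

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <client clause> by <host> <protocol clause>" is the common RFC 5321 shape.
FROM_BY = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)(?P<rest>.*)$")


def header_values(raw: str, name: str) -> List[str]:
    """Unfolded values of every header called `name`, in header order."""
    head = raw.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", head)  # join continuation lines
    prefix = name.lower() + ":"
    return [" ".join(line.split(":", 1)[1].split())
            for line in unfolded.splitlines()
            if line.lower().startswith(prefix)]


def parse_received(raw: str) -> List[dict]:
    """One dict per Received: header; index 0 is the last hop, the end is the earliest."""
    hops = []
    for value in header_values(raw, "Received"):
        hop = {"from": None, "by": None, "ip": None, "authenticated": False, "raw": value}
        m = FROM_BY.match(value)
        if m:
            hop["from"] = m.group("from")
            hop["by"] = m.group("by").rstrip(";,")
            ip = IPV4.search(m.group("from"))
            hop["ip"] = ip.group(1) if ip else None
            rest = m.group("rest").lower()
            # Many MTAs mark an authenticated submission as ESMTPA or spell out
            # "authenticated" in the protocol clause (assumption, MTA-dependent).
            hop["authenticated"] = "esmtpa" in rest or "authenticated" in rest
        hops.append(hop)
    return hops


def client_ip_seen_by(hops: List[dict], our_host: str) -> Optional[str]:
    """IP of the client that handed the message to our_host.

    Only the hop our own MTA wrote is trustworthy: hops above it were added by
    servers downstream of us, hops below it came from the client and may be forged.
    """
    for hop in hops:
        if hop["by"] and hop["by"].lower() == our_host.lower():
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: by={hop['by']} ip={hop['ip']} auth={hop['authenticated']}")
    print("client that submitted to us:", client_ip_seen_by(hops, "ourserver.example"))
```

Whether the authenticated username appears in that hop depends on the SMTP-AUTH patch; if it does not, the client IP from that line is still the key to correlate with the xinetd START entries in /var/log/secure and with the smtpd log for the same minute.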
 
#13 | nepcw (original poster) | 11-18-2008, 04:36 PM
The distro is FDC 4
The mail logs show me the sender and the recipients email address but never shows me an account it was sent with.

Nov 18 13:35:48 u15262964 qmail-remote-handlers[31212]: from=alert@abbey.com
Nov 18 13:35:48 u15262964 qmail-remote-handlers[31212]: to=zinch@publiconline.co.uk

The secure log shows me smtp access and from what IP address like above but nothing that shows me what account they are using to send, if in fact it is one of my customers email accounts they are using.
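
The two log fragments in this thread (the xinetd START lines from the secure log in #2 and the from=/to= pairs from the mail log just above) can be summarized together to answer the question being asked here: who is connecting, and which envelope sender is pushing out mail for a domain the box does not host. The Python below is an added example, not code from the thread, from Plesk or from qmail. The log lines are constructed from the formats shown in the posts (the IPs, pids and addresses are illustrative), and HOSTED_DOMAINS is an assumed list of the domains the server serves.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the fragments posted in this thread.
# Not a real capture: IPs, pids and addresses are illustrative.
SECURE_LOG = """\
Nov 18 15:25:31 u15262964 xinetd[3826]: START: smtp pid=3435 from=202.75.56.43
Nov 18 15:25:33 u15262964 xinetd[3826]: START: smtp pid=3437 from=202.75.56.43
Nov 18 15:25:40 u15262964 xinetd[3826]: START: smtp pid=3440 from=192.0.2.10
Nov 18 15:26:02 u15262964 xinetd[3826]: START: smtp pid=3451 from=202.75.56.43
Nov 18 15:26:05 u15262964 xinetd[3826]: START: pop3 pid=3452 from=192.0.2.10
"""

MAIL_LOG = """\
Nov 18 13:35:48 u15262964 qmail-remote-handlers[31212]: from=alert@abbey.com
Nov 18 13:35:48 u15262964 qmail-remote-handlers[31212]: to=zinch@publiconline.co.uk
Nov 18 13:35:49 u15262964 qmail-remote-handlers[31213]: from=alert@abbey.com
Nov 18 13:35:49 u15262964 qmail-remote-handlers[31213]: to=someone@example.net
Nov 18 13:36:10 u15262964 qmail-remote-handlers[31220]: from=bob@hosted-customer.com
Nov 18 13:36:10 u15262964 qmail-remote-handlers[31220]: to=friend@example.org
"""

# Assumption: the mail domains actually hosted on this server (in Plesk, the
# list of domains with mail enabled).
HOSTED_DOMAINS = {"hosted-customer.com"}

XINETD_RE = re.compile(
    r"xinetd\[\d+\]: START: (?P<svc>\S+) pid=(?P<pid>\d+) from=(?P<ip>[\d.]+)")
HANDLER_RE = re.compile(
    r"qmail-remote-handlers\[(?P<pid>\d+)\]: (?P<key>from|to)=(?P<addr>\S+)")


def smtp_connections_by_ip(secure_log: str) -> Counter:
    """Count xinetd-spawned smtp sessions per remote IP (other services ignored)."""
    counts = Counter()
    for line in secure_log.splitlines():
        m = XINETD_RE.search(line)
        if m and m.group("svc") == "smtp":
            counts[m.group("ip")] += 1
    return counts


def outbound_messages(mail_log: str) -> dict:
    """Group from=/to= lines by handler pid: {pid: {"from": sender, "to": [rcpts]}}."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in mail_log.splitlines():
        m = HANDLER_RE.search(line)
        if not m:
            continue
        entry = msgs[m.group("pid")]
        if m.group("key") == "from":
            entry["from"] = m.group("addr")
        else:
            entry["to"].append(m.group("addr"))
    return dict(msgs)


def suspicious_senders(mail_log: str, hosted: set) -> Counter:
    """Recipient counts per envelope sender whose domain is not hosted here.

    Mail relayed through a stolen account usually carries an unrelated sender
    domain, which is exactly the "not a domain on my server" pattern.
    """
    counts = Counter()
    for entry in outbound_messages(mail_log).values():
        sender = entry["from"]
        if sender and sender.rsplit("@", 1)[-1].lower() not in hosted:
            counts[sender] += len(entry["to"]) or 1
    return counts


if __name__ == "__main__":
    for ip, n in smtp_connections_by_ip(SECURE_LOG).most_common(5):
        print(f"{n:4d} smtp sessions from {ip}")
    for sender, n in suspicious_senders(MAIL_LOG, HOSTED_DOMAINS).most_common(5):
        print(f"{n:4d} recipients for non-hosted sender {sender}")
```

To run it on the real box, feed the contents of /var/log/secure and the mail log into the same two functions. The session count only says who connected most; the handler log records envelope addresses, not the login, so pinning the account still means matching the busiest IP against the smtpd log rjlee mentioned for the same minutes.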
 
#14 | nepcw (original poster) | 11-18-2008, 04:39 PM
Quote (rjlee, #12):
You should be able to find this out from the headers of one of the spam messages after qmail has added it's headers.

You may also be able to find the version of smtp-auth from your distribution's package manager.
One of the issues I'm running into is that the spam is being sent to people not on our domain, so I have no way of getting those headers, unless there is another way from the server level to obtain them.

My customers do get spam from the outside world as most do, we run spamassassin, APF, and a few other security sets to keep that down.
 
#15 | billymayday | 11-18-2008, 04:39 PM
Do you mean Fedora Core 4?
 
  


All times are GMT -5.