[SOLVED] Server has been spamming, can't figure out where
I did look for vulnerabilities within J1.5 but I didn't see anything.
Here is the one I found (hence my question): http://website-security.info/resolve...pam-mail-relay It also has a link to the original Joomla bug tracker that shows how to generate the SPAM by posting comments: http://joomlacode.org/gf/project/joo..._item_id=24289. There seems to be a patch available (claims that this has been resolved and posted in the SVN repository). However, if you are running versions 1.5.22 and earlier it is entirely possible that you are dealing with a known vulnerability.
Noway2: Okay... I have upgraded the websites in question to 1.5.26. Hopefully this fixes the issue. Nov 5 was the last spam attack. However, the pattern has been on odd days, so today should be the real test.
Unspawn: The "file" command is not working. I'm running CentOS 6.3. I typed "file" at the CLI to see what would happen and it is returning a bad command error. I have tried using the last command that you gave me:
Code:
cat find.log | while read ITEM; do file "${ITEM}" 2>&1; done > tee ./file.log
But it is not working, returning: -bash: syntax error near unexpected token `./file.log'
FYI: I did not obfuscate those log files at all. Those curious ?'s are in the file. I don't know why either.
Last edited by jim.thornton; 11-07-2012 at 09:21 AM.
Quote:
Originally Posted by jim.thornton
-bash: syntax error near unexpected token `./file.log'
Sorry, made a mistake, leave out the "tee":
Code:
cat find.log | while read ITEM; do file "${ITEM}" 2>&1; done > ./file.log
Quote:
Originally Posted by jim.thornton
FYI: I did not obfuscate those log files at all. Those curious ?'s are in the file. I don't know why either.
Hmm. Interesting. In any case the processes weren't associated with user-owned open files or existing network connections so I'll give it a lower priority for now.
So here's what's left:
1. Run the find / file commands as explained above,
Done. However, the file was filled with 4.6M of:
Code:
-bash: file: command not found
-bash: file: command not found
-bash: file: command not found
2. Do scan regular temporary directories like /tmp and /var/tmp and other directories where the web server (/var/www?) and Proftpd (/var/ftp?) can write to with clamscan or maldet.
I scanned just the home directories because the websites are all located there. I will run the other directories and include the results.
maldet on /tmp:
Code:
/tmp
root@s1: pts/0: 935 files 4.0Mb -> maldet -a .
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(28925): {scan} signatures loaded: 10064 (8195 MD5 / 1869 HEX)
maldet(28925): {scan} building file list for ., this might take awhile...
maldet(28925): {scan} file list completed, found 912 files...
maldet(28925): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(28925): {scan} scan of . (912 files) in progress...
maldet(28925): {scan} scan completed on .: files 912, malware hits 0, cleaned hits 0
maldet(28925): {scan} scan report saved, to view run: maldet --report 110712-1037.28925
maldet on /var/tmp... Looks like they are the same directory (same files) but there isn't a symbolic link pointing /var/tmp to /tmp:
Code:
maldet -a /var/tmp
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <proj@r-fx.org>
(C) 2011, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(30751): {scan} signatures loaded: 10064 (8195 MD5 / 1869 HEX)
maldet(30751): {scan} building file list for /var/tmp, this might take awhile...
maldet(30751): {scan} file list completed, found 912 files...
maldet(30751): {scan} found ClamAV clamscan binary, using as scanner engine...
maldet(30751): {scan} scan of /var/tmp (912 files) in progress...
maldet(30751): {scan} scan completed on /var/tmp: files 912, malware hits 0, cleaned hits 0
maldet(30751): {scan} scan report saved, to view run: maldet --report 110712-1044.30751
/var/proftpd: no directory
/var/www: not writeable by apache because I am running suphp.
4. Please give me an indication of the size of /var/log/httpd excluding the "bytes" files as I'm thinking of doing the log analysis myself.
Done: I have created a directory listing of /var/log/httpd and /var/log/httpd/domains excluding the bytes files as requested. I figured it was better showing you everything rather than me sending you insufficient information.
Ran: tar cjf httpd_logs.tar.bz2 $(find /var/log/httpd -type f -not -iname \*bytes\*)
Download: You can go to the same server/location as last time with the same credentials. The file name is - httpd_logs.tar.bz2
Ran the find command as described above, with cat feeding the file utility.
Download: Same -- Filename is - file.log.bz2
The logs' (thanks) oldest entry is October 8th. The logs contain no trace of shell commands. Good. The logs do contain a few com_mailto lines with a "link=aHR0cDov.*" string, as Noway2 pointed out in post #16, but the decoded URIs are all related to the vhosts themselves. Good.
Quote:
Originally Posted by jim.thornton
So, do you still think that my server was compromised or
I never said your server was compromised.
Quote:
Originally Posted by jim.thornton
that it was more likely the Joomla vulnerability?
Given what I said in my first reply about web stack piggybacking and your account of what vulnerable software you ran, the latter would be more likely. But so far reporting / logging hasn't been comprehensive enough to either confirm or deny that, and I'm not given to speculating.
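The com_mailto check described above (decode each base64 "link=" value and confirm the target is one of the box's own vhosts) can be scripted. The following is an added example in Python, not code from the thread; the vhost names and log lines are constructed, and the query layout (option=com_mailto&link=<base64 URL>) is the Joomla 1.5 one the thread quotes.

```python
import base64, re
from urllib.parse import parse_qs, urlsplit

# Vhosts this box serves (constructed names, not the thread's real sites).
LOCAL_VHOSTS = {"www.example-one.com", "example-one.com", "www.example-two.com"}

# Apache combined log: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_link(value):
    """Decode com_mailto's base64 'link'. parse_qs already percent-decoded it and turned
    base64 '+' into ' ', so put the '+' back; also restore any stripped '=' padding."""
    raw = value.replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError: bad alphabet or padding
        return None

def mailto_relay_hits(log_text):
    """Return [(client_ip, decoded_url)] for com_mailto requests whose link is not one of
    our own vhosts (or cannot be decoded): the mail-relay abuse candidates."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["target"]).query)
        if qs.get("option", [""])[0] != "com_mailto" or "link" not in qs:
            continue
        url = decode_link(qs["link"][0])
        host = (urlsplit(url).hostname or "").lower() if url else ""
        if host not in LOCAL_VHOSTS:
            hits.append((m["ip"], url or "<undecodable link>"))
    return hits

def _line(ip, url, encode_padding=False):
    """Build one constructed combined-log line carrying a base64-encoded com_mailto link."""
    b64 = base64.b64encode(url.encode()).decode()
    if encode_padding:
        b64 = b64.replace("=", "%3D")   # some clients percent-encode the padding
    return (f'{ip} - - [05/Nov/2012:03:14:02 -0500] "GET /index.php?option=com_mailto'
            f'&tmpl=component&link={b64} HTTP/1.1" 200 2310 "-" "Mozilla/5.0"')

# Constructed sample: two legitimate on-site shares and one off-site link.
SAMPLE_LOG = "\n".join([
    _line("198.51.100.4", "http://www.example-one.com/index.php?option=com_content&id=7"),
    _line("203.0.113.9", "http://cheap-pills.invalid/buy?ref=123", encode_padding=True),
    _line("203.0.113.9", "http://www.example-two.com/about"),
])
```

Run it over /var/log/httpd/domains/*.log and group the hits by client IP; a single source generating many off-site links is the pattern to look for.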
I know you never said it was compromised. I was referring to my subject line.
Fixed that.
Quote:
Originally Posted by jim.thornton
What should I do next?
- You still could check the plugins (refer to email).
- The file.log.bz2 was not usable: it contained only error messages. I've mixed up two ways of doing things. Please run either:
Code:
find /somepath -type f -printf "file \"%p\"\n"|/bin/bash|tee /tmp/file.log
bzip2 /tmp/file.log
or:
Code:
find /somepath -type f > /tmp/find.log
cat /tmp/find.log | while read ITEM; do file "${ITEM}" 2>&1; done > /tmp/file.log
bzip2 /tmp/file.log
- I'm thinking if it would be worth something to look at other or older logs. When was this machine upgraded to CentOS-6.3? Do you keep off site backups?
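Once file.log exists, the review is mostly about spotting content that does not belong where it sits. This is an added example in Python, not code from the thread: it reads `file` output in the "path: description" format the commands above produce and flags the entries worth a manual look. The sample lines and the writable-directory names are constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the "<path>: <description>" format `file` writes to file.log.
SAMPLE_FILE_LOG = """\
/home/site1/public_html/images/stories/logo.png: PNG image data, 300 x 120, 8-bit/color RGBA, non-interlaced
/home/site1/public_html/images/stories/photo.jpg: PHP script, ASCII text
/home/site1/public_html/index.php: PHP script, ASCII text
/home/site1/public_html/tmp/cache.txt: ASCII text
/tmp/.x/bnc: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked
/tmp/run.sh: Bourne-Again shell script, ASCII text executable
/var/tmp/sess_3f9a: data
"""

TEMP_DIRS = ("/tmp", "/var/tmp")               # system temp dirs the thread asks to scan
WRITABLE_PARTS = {"tmp", "cache", "images"}     # subdirs a Joomla site lets the web user write to
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
EXEC_RE = re.compile(r"\b(ELF|script|executable)\b")   # native binaries and interpreter scripts
IMAGE_RE = re.compile(r"^(PNG|JPEG|GIF) image data")

def parse_file_log(text):
    """Yield (path, description); splits on the first ': ' (a path containing ': ' would mis-split)."""
    for line in text.splitlines():
        path, sep, desc = line.partition(": ")
        if sep:
            yield path, desc.strip()

def triage_file_log(text):
    """Return [(path, description, reason)] for entries worth a manual look."""
    hits = []
    for path, desc in parse_file_log(text):
        p = PurePosixPath(path)
        under_temp = any(path == d or path.startswith(d + "/") for d in TEMP_DIRS)
        writable = under_temp or bool(WRITABLE_PARTS & set(p.parts[1:-1]))
        if p.suffix.lower() in IMAGE_EXTS and not IMAGE_RE.match(desc):
            hits.append((path, desc, "image extension but non-image content"))
        elif writable and EXEC_RE.search(desc):
            hits.append((path, desc, "executable or script in a writable directory"))
        elif under_temp and any(part.startswith(".") for part in p.parts[1:-1]):
            hits.append((path, desc, "file under a hidden directory in a temp path"))
    return hits
```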
The machine wasn't "upgraded" to CentOS 6.3 -- it was a completely new box, so I don't have any older logs. My 5.3 server was running; I got the 6.3 server set up, backed up the individual websites and restored them on the new machine.
As for the log file: I did it again and it definitely worked this time. Same location and credentials, but the filename is file.log.bz2
Quote:
Originally Posted by jim.thornton
The machine wasn't "upgraded" to CentOS 6.3 -- It was a completely new box, so I don't have any older logs.
Ah, OK.
Quote:
Originally Posted by jim.thornton
As for the log file: I did it again and it definitely worked this time.
Thanks.
How is verifying components / plugins going?
And could I request a tarball with messages, secure and exim logs? Better look for clues there if there's nothing else.