EC2 instance relaying spam through sendmail, can't figure out how to stop it
I must mention that email hosting protocols are very foreign to me, so please bear with me if I don't really know what I'm talking about.
I am running an Amazon Web Services EC2 instance as a dedicated web server, among other services. I received an email about spam coming from my server, so I checked my mail log. Sure enough, I am getting what appears to be SMTP relays from my server's "Private DNS" using my server's www account name with spoofed addresses from my domains that are pointed to this server. I turned off the sendmail service and I'm still getting relay requests, which are denied. See the current log messages below.
I'd really like to turn sendmail back on for the websites to be able to send email, but don't want this relaying to continue. What should I do to stop this? Can you help me understand what's going on here?
I've changed the IPs, domains and emails below.
Quote:
**MAIL LOG**
Feb 5 20:45:28 ip-(private IP) sendmail[9251]: t15KjSdo009251: Authentication-Warning: ip-(private IP).ec2.internal: www set sender to ******@my-domain.com using -f
Feb 5 20:45:28 ip-(private IP) sendmail[9251]: t15KjSdo009251: from=******@my-domain.com, size=516, class=0, nrcpts=1, msgid=<201502052045.t15KjSdo009251@ip-(private IP).ec2.internal>, relay=www@localhost
Feb 5 20:45:28 ip-(private IP) sendmail[9251]: t15KjSdo009251: to=****@hotmail.com, ctladdr=******@my-domain.com (501/503), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30516, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
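Added example, not from the original post: a small POSIX shell script that runs the two checks a responder would want against log lines like the ones above. The `Authentication-Warning: ... www set sender to ... using -f` line is sendmail's warning that a local process running as the web server's user invoked /usr/sbin/sendmail with `-f` to choose the envelope sender, and `relay=www@localhost` in the `from=` line says the message was injected locally through the sendmail binary rather than received over port 25. The sample log lines are constructed for this example; the hostname `ip-10-0-0-5`, the queue IDs and the addresses are placeholders standing in for the redacted values.

```shell
#!/bin/sh
# Added example: triage helpers for a sendmail maillog. Each function takes
# the path of a log file and prints counts, most frequent first.

# Constructed sample log, modelled on the lines in the post. The hostname
# ip-10-0-0-5, the queue IDs and the addresses are placeholders.
SAMPLE_LOG="${TMPDIR:-/tmp}/maillog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb  5 20:45:28 ip-10-0-0-5 sendmail[9251]: t15KjSdo009251: Authentication-Warning: ip-10-0-0-5.ec2.internal: www set sender to alice@my-domain.com using -f
Feb  5 20:45:28 ip-10-0-0-5 sendmail[9251]: t15KjSdo009251: from=alice@my-domain.com, size=516, class=0, nrcpts=1, msgid=<201502052045.t15KjSdo009251@ip-10-0-0-5.ec2.internal>, relay=www@localhost
Feb  5 20:45:29 ip-10-0-0-5 sendmail[9260]: t15KjTdo009260: Authentication-Warning: ip-10-0-0-5.ec2.internal: www set sender to alice@my-domain.com using -f
Feb  5 20:45:29 ip-10-0-0-5 sendmail[9260]: t15KjTdo009260: from=alice@my-domain.com, size=540, class=0, nrcpts=1, msgid=<201502052045.t15KjTdo009260@ip-10-0-0-5.ec2.internal>, relay=www@localhost
Feb  5 20:45:30 ip-10-0-0-5 sendmail[9271]: t15KjUdo009271: Authentication-Warning: ip-10-0-0-5.ec2.internal: www set sender to bob@other-domain.com using -f
Feb  5 20:45:30 ip-10-0-0-5 sendmail[9271]: t15KjUdo009271: from=bob@other-domain.com, size=498, class=0, nrcpts=1, msgid=<201502052045.t15KjUdo009271@ip-10-0-0-5.ec2.internal>, relay=www@localhost
Feb  5 20:46:01 ip-10-0-0-5 sendmail[9300]: t15Kk1do009300: from=root, size=200, class=0, nrcpts=1, msgid=<201502052046.t15Kk1do009300@ip-10-0-0-5.ec2.internal>, relay=root@localhost
EOF

# spoofed_senders LOGFILE
# Prints "<count> <unix user> <sender>" for every (user, sender) pair that
# set the envelope sender with "sendmail -f". A web user (www, apache) here
# means a script on the box, not a remote SMTP client, is originating mail.
spoofed_senders() {
    grep 'Authentication-Warning:.* set sender to .* using -f' "$1" \
    | sed -E 's/.*Authentication-Warning: [^ ]+ ([^ ]+) set sender to ([^ ]+) using -f.*/\1 \2/' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2, $3}'
}

# local_injections LOGFILE
# Prints "<count> <unix user>" for messages whose from= line carries
# relay=<user>@localhost, i.e. submitted locally via /usr/sbin/sendmail.
# Port 25 being closed at the security group does not affect these.
local_injections() {
    grep -oE 'relay=[A-Za-z0-9_.-]+@localhost' "$1" \
    | sed 's/^relay=//; s/@localhost$//' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

echo "sender set with -f, by unix user and address:"
spoofed_senders "$SAMPLE_LOG"
echo "messages injected locally, by unix user:"
local_injections "$SAMPLE_LOG"
```

Run it against the real file with `spoofed_senders /var/log/maillog`. If the top line names the web server's user, the next step is the web root and the PHP running there, not the sendmail configuration: a spammer who can execute code as `www` can call `/usr/sbin/sendmail` directly no matter what sendmail's relay rules say.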
For us to help you, it is always best to indicate what 'flavor' your EC2 instance is ( Centos, Ubuntu etc ) the verson number, and the contents of the config files for sendmail and whatever else you use for mail.
What are your webservers built on ? Apache ? and what do you use them for ?
What are the 'other services' you are using ?
The more RELEVANT info you can give, the better.
No guarantee of a reply, but your chances are better this way.
[root ~]# cat /etc/*-release
NAME="Amazon Linux AMI"
VERSION="2014.09"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2014.09"
PRETTY_NAME="Amazon Linux AMI 2014.09"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2014.09:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2014.09
The websites are CMS-based sites, and the outgoing mail logs for all published sites have no leaks. All CMS versions are up to date.
My other service is an HTTP based custom application that only communicates with one other server and ssh shell of course. I checked SSH logins, there's no logging in by any user but me.
Only ports 22 and 80 are open to all IPs on the AWS security group. (so I'm not sure how they're getting past no open port 25)
Running Services
Quote:
]# service --status-all
acpid is stopped
atd (pid 1251) is running...
auditd (pid 1061) is running...
cfn-hup is stopped
Stopped
cgred is stopped
Checking for service cloud-init:
Checking for service cloud-init:
Checking for service cloud-init:
Checking for service cloud-init:
conmand is stopped
crond dead but subsys locked
htcacheclean is stopped
httpd (pid 1234) is running...
ip6tables: Firewall is not running.
iptables: Firewall is not running.
irqbalance is stopped
lvmetad is stopped
mdmonitor is stopped
messagebus (pid 1095) is running...
mysqld (pid 4543) is running...
netconsole module not loaded
Configured devices:
lo eth0
Currently active devices:
lo eth0
ntpd (pid 1201) is running...
Process accounting is disabled.
quota_nld is stopped
racoon is stopped
rdisc is stopped
rngd is stopped
rsyslogd (pid 1074) is running...
saslauthd is stopped
sendmail is stopped
sm-client is stopped
spamd is stopped
openssh-daemon (pid 1182) is running...
vsftpd is stopped
Webmin (pid 1294) is running
yum-updatesd (pid 1289) is running...
Looked at the mail files under /var/spool/mail and both root and www accounts have large mail files. And the mail queues fill fast when I enable sendmail.
There is an EIP attached and all the domains are pointed to this, correct.
CMS wordpress and drupal websites. I did just find a bunch of odd files and users in one of my drupal installations that gave write permissions on the directory to the www. I took that site down and the queue seemed to stop growing. This might be it. I'll monitor the problem and report back if it continues.
How does giving write permission to the www user allow someone to add files?
I could just attach an SES account to all the sites, but this will create more headaches. I'd rather just stop this intrusion.
So the rogue files in my drupal installation are not the problem, maybe the point of entry, but removing them did not stop the attack. What should I be looking for?