I have noticed, that spammers using my server to send out spams.
I checked all but have no Idea how they do it.
This is part of my log.
What can I do?



vej milter-greylist: lAJDaDge006257: skipping greylist because address 127.0.0.1 is whitelisted, (from=<apache@povej.net>, rcpt=<pnc@mchsi.com>, addr=localhost.localdomain[127.0.0.1])
Nov 19 14:45:30 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgc006257
Nov 19 14:45:30 povej sendmail[6257]: lAJDaDge006257: from=<apache@povej.net>, size=2065, class=0, nrcpts=1, msgid=<200711181920.lAIJKao6004104@povej.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 19 14:45:30 povej sendmail[6257]: lAJDaDge006257: Milter add: header: X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (povej.net [127.0.0.1]); Mon, 19 Nov 2007 14:45:30 +0100 (CET)
Nov 19 14:45:30 povej sendmail[6257]: lAJDaDge006257: to=<pnc@mchsi.com>, delay=00:00:00, mailer=esmtp, pri=32065, stat=queued
Nov 19 14:45:30 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgU006257
Nov 19 14:45:31 povej sm-msp-queue[6222]: lAIJKao6004104: to=pnc@mchsi.com, ctladdr=apache (48/48), delay=18:24:55, xdelay=00:00:01, mailer=relay, pri=301850, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lAJDaDge006257 Message accepted for delivery)
Nov 19 14:45:31 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgY006257
Nov 19 14:45:31 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDga006257
Nov 19 14:45:31 povej milter-greylist: lAJDaDgg006257: skipping greylist because address 127.0.0.1 is whitelisted, (from=<apache@povej.net>, rcpt=<wich3@msn.com>, addr=localhost.localdomain[127.0.0.1])
Nov 19 14:45:31 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgW006257
Nov 19 14:45:31 povej sendmail[6257]: lAJDaDgg006257: from=<apache@povej.net>, size=2065, class=0, nrcpts=1, msgid=<200711182047.lAIKl6xJ026692@povej.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 19 14:45:31 povej sendmail[6257]: lAJDaDgg006257: Milter add: header: X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (povej.net [127.0.0.1]); Mon, 19 Nov 2007 14:45:31 +0100 (CET)
Nov 19 14:45:31 povej sendmail[6257]: lAJDaDgg006257: to=<wich3@msn.com>, delay=00:00:00, mailer=esmtp, pri=32065, stat=queued

First thing you should do is disconnect it from the internet. Please do that NOW, by unplugging the network cable(s).

Shut down your server.

Then you should put that disk aside for forensic analysis later (only mount it as read only and noexec)

Reinstall from scratch, to a new disk. Make sure you have applied all security updates.

Make sure you are not running any unnecessary services. Make sure passwords are strong.
Make sure ssh is secured with key-based authentication only.
Read up on security - many books, and lots on the web.
Rebuild everything, very carefully.

Try and find out what your mistake was, and do not repeat it.
You'll get more specific help to specific questions in the Security forum.

There's a slight difference between a server being (ab)used for spamming and a breach of security. I think the OP first should check if the SMTP service is configured to be a FFA relay where it shouldn't. Check your SMTP daemons docs for relay settings and search for "spam relay check". You'll find a gazillion sites that can help you check like http://www.abuse.net/relay.html.

server is open for relay, but require authentication, so only users can send emails.

And after I block my mailnull user, spam decrease for 95%,
bu there are still mails in queue

I found that there was hidden file like BOGUS.amavis and something in folder /var/mail
This was some script, after I delete it spams stops to get in to mqueue.

I hope that's it.

How to test if anything is ok?

edit the file

/etc/mail/access

add the trusted networks which allowed to use your server to send mails.

example:

192.168. RELAY

spam REJECT

That is not ok, because i cannot send mail from webmail, from some computer.

You should check your webmail software for updates, because most likely this is what spammers used to send spam. If you look at your logs you'll see that sender is apache@povej.net (I guess povej.net is your domain).

I try that too, stops apache, but spams still going out.

Stop apache and run:
to see if there is a script running as apache user and delete it.
Then take a look at the scripts you're running in your webserver (webail or any other php, perl scripts) and see if there are any known vulnerabilites and how to patch them.
Taking a look at the apache logs will help you also to identify the offending script.

this is what i get
root 8905 5150 0 10:46 pts/1 00:00:00 grep apache

but like i mention before, after I delete file Bogus......
in mail folder spams stops.

In apache logs there is nothing about it.

Perhaps deleting that file stopped spam for now, but you should look deeper to see how they put that file there, to prevent this from happening again.

I have an idea about that, I think with some user and with squirrelmail.
I canceled that user.

If you're finding new files being created on your machine, it seems highly likely you've been compromised and may not have any control over it anymore.

First, unplug it from the network. Please, for all of us, pull the network cable.

Second, work your way through the CERT checklist to help you get a handle on what has happened.

I have checked now all the time server, and there is no spam anymore.
I have also raised security level.
and will investigate further what is happend.

I also check if any mail is going out from my server and there is none, only the real one.


TNX for help