LinuxQuestions.org
Old 11-19-2007, 08:14 AM   #1
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Spammers using my server


I have noticed that spammers are using my server to send out spam.
I checked everything but have no idea how they do it.
This is part of my log.
What can I do?



Code:
vej milter-greylist: lAJDaDge006257: skipping greylist because address 127.0.0.1 is whitelisted, (from=<apache@povej.net>, rcpt=<pnc@mchsi.com>, addr=localhost.localdomain[127.0.0.1])
Nov 19 14:45:30 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgc006257
Nov 19 14:45:30 povej sendmail[6257]: lAJDaDge006257: from=<apache@povej.net>, size=2065, class=0, nrcpts=1, msgid=<200711181920.lAIJKao6004104@povej.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 19 14:45:30 povej sendmail[6257]: lAJDaDge006257: Milter add: header: X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (povej.net [127.0.0.1]); Mon, 19 Nov 2007 14:45:30 +0100 (CET)
Nov 19 14:45:30 povej sendmail[6257]: lAJDaDge006257: to=<pnc@mchsi.com>, delay=00:00:00, mailer=esmtp, pri=32065, stat=queued
Nov 19 14:45:30 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgU006257
Nov 19 14:45:31 povej sm-msp-queue[6222]: lAIJKao6004104: to=pnc@mchsi.com, ctladdr=apache (48/48), delay=18:24:55, xdelay=00:00:01, mailer=relay, pri=301850, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lAJDaDge006257 Message accepted for delivery)
Nov 19 14:45:31 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgY006257
Nov 19 14:45:31 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDga006257
Nov 19 14:45:31 povej milter-greylist: lAJDaDgg006257: skipping greylist because address 127.0.0.1 is whitelisted, (from=<apache@povej.net>, rcpt=<wich3@msn.com>, addr=localhost.localdomain[127.0.0.1])
Nov 19 14:45:31 povej MailScanner[6265]: SpamAssassin cache hit for message lAJDaDgW006257
Nov 19 14:45:31 povej sendmail[6257]: lAJDaDgg006257: from=<apache@povej.net>, size=2065, class=0, nrcpts=1, msgid=<200711182047.lAIKl6xJ026692@povej.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 19 14:45:31 povej sendmail[6257]: lAJDaDgg006257: Milter add: header: X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (povej.net [127.0.0.1]); Mon, 19 Nov 2007 14:45:31 +0100 (CET)
Nov 19 14:45:31 povej sendmail[6257]: lAJDaDgg006257: to=<wich3@msn.com>, delay=00:00:00, mailer=esmtp, pri=32065, stat=queued
 
Old 11-19-2007, 11:03 AM   #2
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Testing"
Posts: 6,116

First thing you should do is disconnect it from the internet. Please do that NOW, by unplugging the network cable(s).

Shut down your server.

Then you should put that disk aside for forensic analysis later (only mount it as read only and noexec)

Reinstall from scratch, to a new disk. Make sure you have applied all security updates.

Make sure you are not running any unnecessary services. Make sure passwords are strong.
Make sure ssh is secured with key-based authentication only.
Read up on security - many books, and lots on the web.
Rebuild everything, very carefully.

Try and find out what your mistake was, and do not repeat it.
You'll get more specific help to specific questions in the Security forum.
 
Old 11-19-2007, 12:05 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

There's a slight difference between a server being (ab)used for spamming and a breach of security. I think the OP first should check if the SMTP service is configured to be a FFA relay where it shouldn't. Check your SMTP daemons docs for relay settings and search for "spam relay check". You'll find a gazillion sites that can help you check like http://www.abuse.net/relay.html.
 
Old 11-20-2007, 01:14 AM   #4
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
The server is open for relay but requires authentication, so only users can send emails.

And after I blocked my mailnull user, spam decreased by 95%,
but there are still mails in the queue.

Last edited by Blisk; 11-20-2007 at 01:30 AM.
 
Old 11-20-2007, 02:46 AM   #5
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
I found that there was a hidden file like BOGUS.amavis and something else in the folder /var/mail.
This was some script; after I deleted it, spam stopped getting into mqueue.

I hope that's it.

How do I test whether everything is OK?
 
Old 11-20-2007, 02:58 AM   #6
jaseka
LQ Newbie
 
Registered: Oct 2007
Posts: 15

Edit the file

/etc/mail/access

and add the trusted networks which are allowed to use your server to send mails.

Example:

Code:
192.168. RELAY
spam REJECT
 
Old 11-20-2007, 03:02 AM   #7
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
That is not OK, because I cannot send mail from webmail from some computers.
 
Old 11-20-2007, 03:25 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,739

You should check your webmail software for updates, because most likely this is what spammers used to send spam. If you look at your logs you'll see that sender is apache@povej.net (I guess povej.net is your domain).
 
Old 11-20-2007, 03:28 AM   #9
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
I tried that too and stopped apache, but spam is still going out.
 
Old 11-20-2007, 03:38 AM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,739

Stop apache and run:
Code:
ps -ef|grep apache
to see if there is a script running as apache user and delete it.
Then take a look at the scripts you're running in your webserver (webmail or any other php or perl scripts) and see if there are any known vulnerabilities and how to patch them.
Taking a look at the apache logs will help you also to identify the offending script.
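As an added example (not code from the thread), here is a small POSIX shell helper that does what the advice above amounts to on the mail side: tally the ctladdr= field that sendmail's sm-msp-queue lines carry for locally injected mail, so you can see which local account (apache, mailnull, a real user) is feeding the queue. The sample log lines are constructed in the thread's format; the recipient addresses and the user "alice" are made up.

```shell
#!/bin/sh
# Added example: find which local account is submitting mail to the queue.
# sm-msp-queue/sendmail log lines carry "ctladdr=<user> (uid/gid)" for mail
# injected locally, so tallying that field points at the account (here:
# apache) that a web script or a stray file under /var/mail is using.

# Read maillog lines on stdin, print "<count> <user>" lines, busiest first.
summarize_submitters() {
    awk '
        match($0, /ctladdr=[^ ,]+/) {
            user = substr($0, RSTART + 8, RLENGTH - 8)   # strip "ctladdr="
            count[user]++
        }
        END { for (u in count) printf "%d %s\n", count[u], u }
    ' | sort -rn
}

# Convenience: just the name of the busiest submitting account.
top_submitter() {
    summarize_submitters | head -n 1 | awk '{ print $2 }'
}

# Constructed sample in the format seen in the thread (not real log data).
SAMPLE_LOG='Nov 19 14:45:31 povej sm-msp-queue[6222]: lAIJKao6004104: to=user1@example.com, ctladdr=apache (48/48), delay=18:24:55, xdelay=00:00:01, mailer=relay, pri=301850, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lAJDaDge006257 Message accepted for delivery)
Nov 19 14:45:32 povej sm-msp-queue[6222]: lAIKl6xJ026692: to=user2@example.com, ctladdr=apache (48/48), delay=17:58:26, xdelay=00:00:01, mailer=relay, pri=301850, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lAJDaDgg006257 Message accepted for delivery)
Nov 19 14:46:05 povej sm-msp-queue[6222]: lAJDk5Ab006300: to=friend@example.com, ctladdr=alice (500/500), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30100, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (lAJDk5Ac006301 Message accepted for delivery)'

# On a live box: summarize_submitters < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | summarize_submitters
```

A system account such as apache or mailnull at the top of that list, with no human behind it, is the account whose scripts and files to inspect next.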
 
Old 11-20-2007, 04:16 AM   #11
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
This is what I get:
Code:
root 8905 5150 0 10:46 pts/1 00:00:00 grep apache

But like I mentioned before, after I deleted the file Bogus......
in the mail folder, spam stopped.

In the apache logs there is nothing about it.
 
Old 11-20-2007, 05:15 AM   #12
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,739

Quote:
but like i mention before, after I delete file Bogus......
in mail folder spams stops.
Perhaps deleting that file stopped spam for now, but you should look deeper to see how they put that file there, to prevent this from happening again.
 
Old 11-20-2007, 05:32 AM   #13
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
I have an idea about that, I think with some user and with squirrelmail.
I canceled that user.
 
Old 11-20-2007, 07:34 AM   #14
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

If you're finding new files being created on your machine, it seems highly likely you've been compromised and may not have any control over it anymore.

First, unplug it from the network. Please, for all of us, pull the network cable.

Second, work your way through the CERT checklist to help you get a handle on what has happened.
 
Old 11-20-2007, 07:51 AM   #15
Blisk
LQ Newbie
 
Registered: Aug 2004
Posts: 18

Original Poster
I have been checking the server all the time now, and there is no spam anymore.
I have also raised the security level,
and will investigate further what happened.

I also checked whether any mail is going out from my server, and there is none, only the real mail.


TNX for help
 
  


All times are GMT -5. The time now is 04:30 PM.
