HowtoForge Forums > ISPConfig 2 > General

  #1  
Old 10th April 2007, 10:56
Pasco

SPAM-Mail, www-data, per user php mail

Hi 2gether

I have noticed big traffic on my server network interface, so I examined the connections. There was an extraordinary load of mails. So I shut down the SMTP service and checked Postfix's mail queue. There were over 500 mails in the queue...actually this was very strange, because for domain e-mail I use an external mailserver, not the ISPConfig mailserver. I need the ISPConfig mailserver only for delivering mails out of the users' pages, like from contact forms etc. (mostly via PHP mail on the users' webpages).

I discovered that the 500 mails in the queue were all SPAM mails. They should be sent over the virtual network interface configured during the install procedure in the perfect how-to for Debian 3 for SSL... How was it possible to inject these SPAM e-mails into my ISPConfig SMTP server? It shouldn't be an open-relay mail server in the standard configuration, but somebody could use it as one?! Recently I installed a webpage on "drupal 5.1" with a contact form. I guess it was sent via a security hole on that page. But it shouldn't be possible, should it? ISPConfig Server should block that? Otherwise I'm always exposed to the risk of the webpages of my users? Perhaps I should solve that with more restrictive rules.. ? :-)

I checked also /var/mail/ and there is a very big file for "www-data", it's about 250 MB. I guess this is the mailbox for user "www-data". I don't know who or what should be in there, in that mailbox for user "www-data"...I guess returned e-mails or something like that?

How can I a) access the "www-data" mailbox (what password?) and delete these e-mails?

And b) WHY is there that much data in it? As far as I can see, "www-data" is my Apache user, which is used every time a user of a user's page sends an e-mail via e.g. a web form like contact or similar. Can I change this? Is it possible that each user has to authenticate, or that I can see which of my users/customers has sent out certain mails or which website was (mis)used for that (instead of "www-data")? Does "suexec" also work for that? I guess it's only for CGI...actually I haven't checked "suexec" in my ISPConfig config.

How can I bring ISPConfig Server to send out mails from a domain that is hosted on that server, but whose e-mails are processed by another, external e-mail server in my DMZ? Can I just choose Mailserver: External Mailserver under "options" of my ISP Web settings? Otherwise mails via a customer's contact form are not sent out, because DNS reports the same external IP for my web and mail server (it's in the same LAN/DMZ), so ISPConfig Server tries to send it locally. But there is no such e-mail user on the ISPConfig Server, because I want to send those e-mails to my mailserver which handles the e-mails for those domains...

Thanks so much for any help in advance,
p@sco

Last edited by Pasco; 10th April 2007 at 11:01.
  #2  
Old 10th April 2007, 18:16
Pasco

By the way: it's very strange that the mails have been sent out from my virtual network interface, isn't it? Now I "discovered" also "man" in my /var/mail directory. I don't have a user/mailbox called "man". Is this a trace from a hacker?

My "external-mail-server" problem is related to my DNS entries, I guess. I use the webserver also as primary DNS server. So the MX record points to the external IP. Port 25 is forwarded to my mailserver, ports 53 and 80 to my web-/DNS-/ISPConfig server.

Now the mails don't leave the ISPConfig Server; it tries to send them locally. I tried to take "use external mailserver". Does perhaps an entry in the hosts file solve the problem? Or do I need to configure an alias in Postfix?
  #3  
Old 11th April 2007, 09:45
till

Your problem might be caused by a form script, e.g. one written in PHP, that does not check all parameters correctly and so allows spam mail injection. Even some older versions of common CMS systems have these problems.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #4  
Old 11th April 2007, 09:55
Pasco

Thx. Yes, I have three different CMSs installed. So it might be a security hole in one of them. But why are mails sent out on the virtual network interface?

And how can I prevent my server from getting misused? Right now there are only my pages hosted on my server, but what if I have a lot of users and I don't know exactly what kind of form scripts they have on their sites?

Is there a possibility to prevent this?

And can you give me a hint please on how I can access "www-data"'s, root's and other mailboxes? I don't even know the password for "www-data"...
  #5  
Old 11th April 2007, 10:18
till

As far as I know, there is no 100% solution to prevent misuse of mail forms. If you run PHP under different users with e.g. suPHP, you will at least be able to see which website has the vulnerable script. One other option might be to configure your Postfix so that outgoing emails are scanned by a SpamAssassin instance, but this may lead to undelivered mails if a false positive is rejected.

You can access the mailboxes of the users by switching with su to the user and then use a commandline program like elm to read the mails. But in most cases it might be enough to just delete the complete mailbox file.
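As an added example (not code from the thread, ISPConfig or any CMS mentioned), a PHP contact-form handler that refuses the unchecked parameters Till describes: any CR/LF in a header field is rejected, the recipient is fixed, and every mail is logged so a burst of messages can be traced to the script. The field names, the recipient address and the log line are assumptions.

```php
<?php
// Added example, not code from the thread: a contact-form mailer that refuses
// the unchecked parameters Till describes. Field names, recipient and log line are assumptions.

// A CR or LF inside a header value starts a new header line (the spam-relay trick); reject it.
function clean_header_value(string $value, int $maxlen = 200): ?string
{
    if (strlen($value) > $maxlen || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return trim($value);
}

// The visitor's address must be one plain address, nothing more.
function clean_sender(string $email): ?string
{
    $email = clean_header_value($email, 254);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

function send_contact_mail(array $post): bool
{
    $to      = 'contact@example.com';          // fixed recipient, never taken from the form
    $from    = clean_sender($post['email'] ?? '');
    $subject = clean_header_value($post['subject'] ?? '');
    $body    = $post['message'] ?? '';
    if ($from === null || $subject === null || $subject === '' || trim($body) === '') {
        return false;                           // drop the request instead of mailing
    }
    // Headers are built here, not from input; the visitor's address only lands in Reply-To.
    $headers = "From: Website Contact <contact@example.com>\r\n"
             . "Reply-To: {$from}\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    // One log line per mail ties a burst of messages back to this script.
    error_log(sprintf('contact form %s: mail for %s', $_SERVER['SCRIPT_NAME'] ?? 'cli', $from));
    return mail($to, $subject, $body, $headers);
}

// Self-check with constructed inputs (sends nothing).
function self_check(): bool
{
    return clean_sender('bob@example.org') === 'bob@example.org'
        && clean_sender("bob@example.org\r\nBcc: x@example.net") === null
        && clean_header_value("Hello\nBcc: x@example.net") === null;
}
```

Running PHP per site user (suPHP, as Till suggests) then makes the log line and the mail queue show which vhost the messages come from.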
  #6  
Old 11th April 2007, 14:39
Pasco

OK. I'll install suPHP in that case. I just want to prevent my server/IP from being listed on SPAM blacklists and people from sending out unsolicited mail.

Thx for the hint on accessing the mailboxes. Can I just delete the mailbox file, and Postfix will create a new one if mail is delivered to that user again? Anyhow, is there a way to access the mailbox of www-data via IMAP? And what is the password then for user "www-data"? I don't know if I had configured that?!

Is it possible that somebody has created a new mailbox user on my system without my knowledge? There seems to be the mailbox user "man" on my box, whom I don't know...
  #7  
Old 11th April 2007, 15:57
falko

Quote:
Originally Posted by Pasco
Can I just delete the mailbox file, and Postfix will create a new one if mail is delivered to that user again?
There's an easier way to delete mails in an mbox file:
Code:
cat /dev/null > /path/to/mbox
Quote:
Originally Posted by Pasco
Anyhow, is there a way to access the mailbox of www-data via IMAP? And what is the password then for user "www-data"? I don't know if I had configured that?!
You'd have to give www-data a password first (normally that user has no password):
Code:
passwd www-data
But this might be a security risk. It's better to create an alias for www-data in /etc/aliases so that the mails go to another account. Don't forget to run
Code:
newaliases
afterwards and restart Postfix.
__________________
Falko
  #8  
Old 11th April 2007, 16:30
Pasco

cool. thx for your help.

Quote:
(normally that user has no password)
That means nobody can log in with this user, right?

I deleted all the crap in the www-data mailbox now. Thx. And I found the contact form that was misused and took it off the public web content. It was a self-made CMS system (not by me)...pfff.. Let's see if the SPAM stops now, but I'm pretty sure.

Can you tell me why the unwanted mail was sent out on the virtual network interface that was configured for SSL?
  #9  
Old 12th April 2007, 16:22
falko

Quote:
Originally Posted by Pasco
That means nobody can log in with this user, right?
Right.

Quote:
Originally Posted by Pasco
Can you tell me why the unwanted mail was sent out on the virtual network interface that was configured for SSL?
Is it the same IP address as the one where the Apache vhost with the vulnerable web form is listening on?
  #10  
Old 13th April 2007, 19:06
Pasco

Quote:
Is it the same IP address as the one where the Apache vhost with the vulnerable web form is listening on?
No, none of the Apache vhosts uses the virtual IP address actually...