spam mails

Discussion in 'General' started by jboud, Nov 28, 2013.

  1. jboud

    jboud Member

    Good evening everyone,

    I'm having trouble tracking down some weird spam happening on my server. The one thing i'd like someone to tell me is, how to identify an outgoing email when it's described as [email protected]ere. All of the emails, actually thousends of them, are using this name, when of course there is no account named after that. The system is identifying it as some alias i guess.

    Any help is very welcomed.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This means that the email is send by a web script in site 41. Run:

    ls -la /var/www | grep web41

    to see the domain name. If there are messages in the mailqueue, then you an view them with postcat, if the message is sent by php, then you should find the name of the sending php script in the mail header.
  3. jboud

    jboud Member

    Hey Till, thanks for the quick response.

    I had that thought myself, so I dissabled that website 2 hours ago. The problem is that they're still comming through, I had to "postsuper -d ALL" 8000 emails after disabling it. Any other hints you can offer?

    I'll run a maldet on that website to check about scripts meanwhile.
  4. jboud

    jboud Member

    Ok, talking to you helped clearing my head. Take a look on the maldet resolts, just for feedback.

    malware detect scan report for ---------.--:
    SCAN ID: 112813-0847.11775
    TIME: Nov 28 08:48:46 -0600
    PATH: /var/www/--------.--/web/
    TOTAL FILES: 3903

    {HEX}php.cmdshell.unclassed.344 : /var/www/-------.--/web/modules/mod_ya/mod_ya.php => /usr/local/maldetect/quarantine/mod_ya.php.25415
    {HEX}php.mailer.unclassed.494 : /var/www/-------.--/web/modules/mod_ya/themes4.php => /usr/local/maldetect/quarantine/themes4.php.23131
    {HEX}php.mailer.unclassed.494 : /var/www/-------.--/web/modules/mod_ya/temp/plugin.php => /usr/local/maldetect/quarantine/plugin.php.12372
    {HEX}php.cmdshell.unclassed.344 : /var/www/-------.--/web/administrator/img.php => /usr/local/maldetect/quarantine/img.php.1665
    Linux Malware Detect v1.4.2 < [email protected] >

    Thanks a lot.
    Last edited: Nov 28, 2013
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    before deleting the mails, did you inspect one of them with postcat?
  6. jboud

    jboud Member

    No unfortunately spam was so intense I didn't have a clear head about it. It was like a bombardment, abour 15 mails per second. I know I shouldn't panic but sometimes even the chilheads freak out :D
  7. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Have you checked running processes?

    ps aux | grep 'web41'
  8. jboud

    jboud Member

    Ok, this is getting juicy. No I haven't but this is the response:

    [email protected]_of_the_server:~# ps aux | grep 'web41'
    root 5861 0.0 0.0 7548 836 pts/0 S+ 10:02 0:00 grep web41
    web41 25144 0.1 0.4 38416 4956 ? S Nov27 2:45 /usr/bin/crond

    How can i check the crontab for this user? "crontab -u web41 -e"? Seems pretty empty. Just default commented (#) stuff.
    Last edited: Nov 28, 2013
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    /etc/cron.* files

    BEFORE try
    lsof -p  25144
    to check what files this script accesses. Might be that it only seems to be a cron. Script in carmouflage ;D
  10. jboud

    jboud Member

    Nothing good there, they dont even exists but hey... the spams are back and I have the postcat :D

    Here it goes:

    [email protected]_of_the_server:/etc# postcat -q 15944EEA33
    *** ENVELOPE RECORDS active/15944EEA33 ***
    message_size: 10006 197 1 0 10006
    content_filter: amavis:[]:10024
    message_arrival_time: Thu Nov 28 10:10:43 2013
    create_time: Thu Nov 28 10:10:43 2013
    named_attribute: rewrite_context=local
    sender: [email protected]ere
    *** MESSAGE CONTENTS active/15944EEA33 ***
    Received: by primarysomain.somewhere (Postfix, from userid 5035)
    id 15944EEA33; Thu, 28 Nov 2013 10:10:43 -0600 (CST)
    From: [email protected]
    To: [email protected]
    Subject: =?UTF-8?B?V2lmZW9udGhlc2lkZSBoYXMgY3JlYXRlZCBhIG5ldyBhbGJ1bSBmb3IgLg==?=
    MIME-Version: 1.0
    Content-Type: multipart/related;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
    Message-Id: <[email protected]>
    Date: Thu, 28 Nov 2013 10:10:43 -0600 (CST)

    This is a multi-part message in MIME format.

    Content-Type: multipart/alternative;

    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable

    Hi .
    Wifeontheside has created a new album.

    Support team.

    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <META content=3D"text/html; charset=3Dkoi8-r" http-equiv=3DContent-Type>
    <META name=3DGENERATOR content=3D"MSHTML 8.00.6001.19019">
    <BODY bgColor=3D#c8e0d8>
    <DIV><FONT size=3D2 face=3DArial>Hi .</FONT></DIV>
    <DIV><FONT size=3D2 face=3DArial>Wifeontheside has created a new =
    <DIV><FONT size=3D2 face=3DArial><A href=3D""><IMG =
    hspace=3D0 alt=3D"" align=3Dbaseline=20
    src=3D"cid:[email protected]"></A></FONT></DIV>
    <DIV><FONT size=3D2 face=3DArial></FONT>&nbsp;</DIV>
    <DIV><FONT size=3D2 face=3DArial><A =
    <DIV><FONT size=3D2 face=3DArial></FONT>&nbsp;</DIV>
    <DIV><FONT size=3D2 face=3DArial>Support team.</FONT></DIV>
    <DIV><FONT size=3D2 face=3DArial></FONT>&nbsp;</DIV>
    <img width=1 src=3D"[email protected]&mid=3D21979">
    <table border=0 cellpadding=10 cellspaccing=10><tr>
    <td> <a href=3D"http://[email protected]"> Report SPAM </a> </td>
    <td> <a href=3D""> UNSUBSCRIBE (if you do not want to receive any meesages from other users) </a></center> </td>


    Content-Type: image/jpeg;
    Content-Transfer-Encoding: base64
    Content-ID: <[email protected]>


    (--- some junk like above lines---)


    *** HEADER EXTRACTED active/15944EEA33 ***
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE FILE END active/15944EEA33 ***
    [email protected]_of_the_server:/etc#

    That's it.
  11. jboud

    jboud Member

    I also did a "kill -9" on a perl that was running and an apache restart, I suppose if the threat was eliminated by maldet, I would have to kill the running processes too, right? Checking the mailq to see if it's rising.
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Which Linux distribution and version do oyu use? And please post the output of:

    php -v
  13. jboud

    jboud Member

    I'm using debian 6

    PHP 5.3.3-7+squeeze17 with Suhosin-Patch (cli) (built: Aug 23 2013 15:06:16)
    Copyright (c) 1997-2009 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
  14. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Just to check:
    /usr/lib/cgi-bin/php5 -v
    same version?
  15. jboud

    jboud Member

    Seems like:

    PHP 5.3.3-7+squeeze17 with Suhosin-Patch (cgi-fcgi) (built: Aug 23 2013 15:06:07)
    Copyright (c) 1997-2009 The PHP Group
    Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
  16. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Did you do the "lsof -p" command from my post on the first page on the running "crond" process of web41?
  17. jboud

    jboud Member

    Seems like the issue was the compromised website, which is an old version of joomla. The remedy was maldet + killing the perl script that was running (a reboot would do the job too, but i'm against it) + restarting the apache.

    I don't see anymore spam mails queueing up. I consider the problem solved but I'm still keeping an eye on it. Thanks a lot for helping, Till and Croydon. :D
  18. jboud

    jboud Member

    Yes, it's not giving me anything.
  19. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Ok, but the crond is still in "ps aux" or have you killed it?
    The number after "lsof -p" is the process id, so you might have to adjust it to the id of the running web41 process.
  20. jboud

    jboud Member

    You're right, fortunately when I "ps aux | grep 'web41'" it doesn't return cron anymore... thank God :D

    Thanks for reminding me :)

Share This Page