Server sending spam from disabled sites/backscatter

#1 Wed, 08/13/2014 - 18:31
ChromeNewbie

Hi

Firstly, I'm really sorry if this has been dealt with before; if it has, please point me in the right direction.

Basically, a few months ago a few sites on our server started getting scripts uploaded to them. Usually, these scripts have been removed within a maximum of 6 hours. Immediately after finding these scripts I check the Virtualmin Sys Info page, and occasionally the affected sites have been running the HOST command at ridiculous CPU usages. I haven't seen this happening recently.

But, last week I got a warning that the server was creating backscatter spam. I'm really not too familiar with this, but I made sure with several online tools that the server isn't an open relay. I'm really confused.

The main problem, though, is that several sites have suddenly started sending spam. I got a complaint about mail not being delivered and found the mail queue was 30,000 emails strong, all linked to the domains that have had previous issues. Most of the senders are not in the users table as having accounts. I managed to find a command that cleared the mail from the offending sites, but an attempt to flush the mail queue had no effect and the outgoing spam is building up.

I run maldet with hourly updates and a 6 hour scan cron. I also have Clam, which auto-updates and runs a scan once a day. I have also run chkrootkit.

I am really stuck here because I've just started a new job and am only trying to help out my ex-boss, but I'm getting a lot of flak for this and it is really stressing me out.

Any help would be greatly appreciated. Really

Thanks in advance

Dan

Wed, 08/13/2014 - 22:36
andreychek

Howdy,

It sounds like you're doing all the right things, but these spammers can be, well, sneaky.

My suspicion is that either they know about a hole in one of your websites, or that they're accessing an account on your server.

What you may want to try is to review the email headers for one of the messages in your outgoing mail queue. When doing that, any of the headers could be helpful, but in particular check out the "Received" headers. They can assist in showing where the email is coming from.

With that, you may then be able to link the time in the "Received" header with the activity on your website, or with users logged into your server. However, it should also point you towards which site/user is responsible.

Feel free to post the header information here if you'd like a hand dissecting what's in there.

-Eric

Fri, 08/15/2014 - 14:08
ChromeNewbie

Hi Eric

Thank you for your advice. Here are the headers of one of the offending emails

To: sadiay_9@hotmail.com, janiya9607@att.net, donna.cb@tiscali.co.uk, jesuspenajr@yahoo.com, steven_macbeth@mac.com, treejelly@hotmail.com, hotmale_dude81@yahoo.com, enk@farsinet.com, reddy@namdhariseeds.com, gotb3@cox.net, lovesky5603@yahoo.com, tnecniv84@aol.com, fam-corydonk@ofir.dk, rositalagos@hotmail.com, chances1109@yahoo.co.uk, jonpga@aol.com, aguesinexee@dslextreme.com, georgiaandjimmy@bellsouth.net, p.f.hall@btinternet.com, cabsmith21@yahoo.com, nkemegbe@yahoo.co.uk, elzarcoguti69@yahoo.com, jwallace@excaliburfunds.com, john_chaleve_nathan@yahoo.com
Subject: I want you to suck out all the juices you put in me with y....
X-PHP-Originating-Script: 1100:odfd.php

I can find and kill the scripts but I have a few questions:

1) How come maldet and Clam missed this (there are a few other files doing the same)?

2) How do I get postfix to not send unless there is an actual valid user sending (rather than the script making stuff up)?

3) The mail queue is stalled; how can I get it running again? I've tried flushing the queue but to no avail.

I'm sorry it took me so long to reply; I just started a new job and am helping out my old one.

I really do very much appreciate any and all help with this; people are getting very angry with me

Thanks

Dan

Fri, 08/15/2014 - 14:39
andreychek

Howdy,

How come maldet and Clam missed this (there are a few other files doing the same)

Those apps can find a lot of malware, but not all of it.

How do I get postfix to not send unless there is an actual valid user sending (rather than the script making stuff up)

I haven't tried these settings before, but you could try looking into the Postfix options "smtpd_reject_unlisted_sender" and "reject_unlisted_sender". You can read about those here:

http://www.postfix.org/postconf.5.html

The mail queue is stalled; how can I get it running again? I've tried flushing the queue but to no avail

Hmm, what do you mean by it being stalled? Are you seeing an error of some sort?

Here are the headers of one of the offending emails

That only appears to be a few of the headers, not all of them... though based on that you may want to look for the file "odfd.php" on your system, it appears that is what was used for sending those emails.

-Eric
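Putting Eric's header advice into a script: the following is an added POSIX shell example (not from the thread, and not Virtualmin's or Postfix's own code) that pulls the two origin clues out of a message's headers. The X-PHP-Originating-Script header is what PHP adds when mail.add_x_header is on in php.ini, in the UID:script form seen in Dan's headers, and "from userid N" is what Postfix records in the Received header for mail handed in through sendmail(1). Mail submitted that way never passes through smtpd, so smtpd sender restrictions do not see it; the UID in these headers is the handle that identifies the account. The sample headers are constructed, and the hostnames, the UID and the /home path are assumptions.

```shell
#!/bin/sh
# Added example: extract origin clues from a queued message's headers.
# Constructed sample headers (not taken from the thread). They mimic a
# message injected through the local sendmail interface by a PHP script:
# Postfix records the submitting UID in the bottom-most Received header,
# and PHP (with mail.add_x_header=On) adds X-PHP-Originating-Script.
SAMPLE_HEADERS='Received: from mail.example.com (localhost [127.0.0.1])
    by mail.example.com (Postfix) with ESMTP id 1A2B3C4D5E
    for <victim@example.org>; Fri, 15 Aug 2014 13:02:11 +0000 (UTC)
Received: by mail.example.com (Postfix, from userid 1100)
    id 0F1E2D3C4B; Fri, 15 Aug 2014 13:02:10 +0000 (UTC)
X-PHP-Originating-Script: 1100:odfd.php
From: "Customer Care" <noreply@example.com>
To: victim@example.org
Subject: constructed sample
'

# Script name from X-PHP-Originating-Script (the UID:filename pair PHP adds).
originating_script() {
  sed -n 's/^X-PHP-Originating-Script:[[:space:]]*[0-9]*:\(.*\)$/\1/p' | head -n 1
}

# UID from the same header.
originating_uid() {
  sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9]*\):.*$/\1/p' | head -n 1
}

# UID Postfix saw on the sendmail(1) submission. Received headers are
# prepended as the message travels, so the LAST one is the first hop.
submitting_uid() {
  grep -i 'from userid [0-9]' | tail -n 1 |
    sed -n 's/.*from userid \([0-9][0-9]*\).*/\1/p'
}

# Map a UID to a login name; prints "unknown" if no account has that UID.
uid_to_user() {
  name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
  printf '%s\n' "${name:-unknown}"
}

# Locate copies of the script under home directories owned by that UID.
# /home is an assumption; use wherever your virtual servers live.
locate_script() {
  find /home -xdev -user "$1" -type f -name "$2" 2>/dev/null
}

# Stand-alone run over the constructed sample.
uid=$(printf '%s' "$SAMPLE_HEADERS" | originating_uid)
script=$(printf '%s' "$SAMPLE_HEADERS" | originating_script)
echo "PHP script:     $script (uid $uid, user $(uid_to_user "$uid"))"
echo "Submitting uid: $(printf '%s' "$SAMPLE_HEADERS" | submitting_uid)"
echo "Matching files under /home:"
locate_script "$uid" "$script" || true
```

On a live server, feed the functions a queued message instead of the sample, e.g. `postcat -q QUEUEID | originating_script`; once you have the UID and file name, `locate_script` narrows the search to that account's files instead of the whole disk. The UID is the part to trust: the From, To and Subject are whatever the script chose to put there.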

Fri, 08/15/2014 - 16:20
ChromeNewbie

Hi Eric

Thanks for your prompt response. I get the maldet and Clam issues; I'm just a bit panicky

I identified the odfd.php header (after your prompt to check them; something I should've already done) and have deleted it. I also found another script and deleted that too

I suppose the next thing to check is the cron jobs.

Oh, when I say the mail queue has stalled, I mean that no mail is going out at all; I've tried flushing the queue but nothing changes. The mail queue remains the same (nothing gets sent).

Also, do you have any pointers on the backscatter issue (I am researching this)? I am sorry for asking so much but the timing of this is really horrible

Many thanks

Dan

Fri, 08/15/2014 - 17:38
andreychek

In regards to your mail queue -- you may want to run "mailq", and look for any errors/warnings that show up next to messages in the queue.

You may also want to review the email logs in /var/log/maillog or /var/log/mail.log to look for further clues.

-Eric

Sat, 08/16/2014 - 16:35
ChromeNewbie

Hi Eric

Thanks for your help. Your prompt to check the headers allowed me to identify the offending scripts and made me think about using the find command to find and delete the offending scripts. A friend found a queue clearing command:

WARNING: THIS WILL DELETE ALL EMAILS FOR A DOMAIN IN THE QUEUE

mailq | grep senderhostname | awk '{ print $1 }' | postsuper -d -

Replace senderhostname with your offending domain

Again, thanks Eric!

Dan
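The one-liner above works in a pinch, but it has two rough edges a practitioner should know about: grep runs over every line of mailq output, so a recipient line or a deferral-reason line that happens to contain the string also gets its first column (a recipient address, or an opening parenthesis) fed to postsuper, and queue IDs of active or held entries carry a trailing '*' or '!' that is not part of the ID. The following added shell script (not the thread's, and not Virtualmin's or Postfix's own code) parses mailq's paragraph-per-message format the way the postsuper(1) manual's own example does: it counts queued mail per envelope sender so the flooding site stands out, selects queue IDs by exact sender domain, and tallies the deferral reasons, which is where Eric's "errors/warnings next to messages" show up when the queue is stalled. The mailq output is a constructed sample and the domains are invented.

```shell
#!/bin/sh
# Added example: triage the Postfix queue by envelope sender and deferral
# reason, using the record-per-paragraph format that mailq prints.
# Constructed sample of `mailq` output (not real queue data). A trailing '*'
# marks an active entry, '!' a held one; parenthesised lines are deferral reasons.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E     1234 Fri Aug 15 13:02:11  site1@compromised.example
                                         victim1@example.org
                                         victim2@example.net

0F1E2D3C4B*    2048 Fri Aug 15 13:02:10  site1@compromised.example
(connect to mx.example.org[203.0.113.5]:25: Connection timed out)
                                         victim3@example.org

9Z8Y7X6W5V     4096 Fri Aug 15 12:58:00  dan@goodsite.example
                                         customer@example.com

-- 7 Kbytes in 3 Requests.
'

# One record per message: drop the header line and the reason lines, then let
# awk treat each blank-line-separated paragraph as a record. Field 7 is the
# envelope sender; field 1 the queue ID (possibly suffixed with * or !).
queue_records() {
  tail -n +2 | grep -v '^ *('
}

# Messages queued per envelope sender, largest first.
count_by_sender() {
  queue_records | awk 'BEGIN { RS = "" } $7 != "" { n[$7]++ }
                       END { for (s in n) print n[s], s }' | sort -rn
}

# Queue IDs whose envelope sender is in DOMAIN (exact suffix match, so
# "compromised.example" does not also select "notcompromised.example").
queue_ids_for_sender() {
  queue_records | awk -v sfx="@$1" 'BEGIN { RS = "" }
    substr($7, length($7) - length(sfx) + 1) == sfx { print $1 }' | tr -d '*!'
}

# Deferral reasons, most common first: a "stalled" queue shows its cause here.
deferral_reasons() {
  grep '^ *(' | sort | uniq -c | sort -rn
}

# Act on the live queue (defined only; not run here). Use postsuper -h
# instead of -d to put the messages on hold: they stop going out but stay
# available as evidence.
delete_queued_for_sender() {
  mailq | queue_ids_for_sender "$1" | postsuper -d -
}

# Stand-alone run over the constructed sample.
echo "Queued per sender:"
printf '%s' "$SAMPLE_MAILQ" | count_by_sender
echo "Queue IDs from compromised.example:"
printf '%s' "$SAMPLE_MAILQ" | queue_ids_for_sender compromised.example
echo "Deferral reasons:"
printf '%s' "$SAMPLE_MAILQ" | deferral_reasons
```

On the real server, `mailq | count_by_sender` and `mailq | deferral_reasons` give the picture before anything is deleted; `mailq | queue_ids_for_sender compromised.example | postsuper -h -` then holds just that domain's mail, and `-d` removes it once the scripts are gone and you no longer need the messages for the abuse complaint.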
