|Spam Unknowingly Sent From My Server|
I've recently got some abuse warnings about spam that seems to be coming from my server. After searching my exim logs for the relevant email, I found the following enteries..
2009-02-26 13:08:35 1Lckex-0005nT-6B <= firstname.lastname@example.org U=apache P=local S=641 T="Online Banking - Important notice !" from <email@example.com> for firstname.lastname@example.org
2009-02-26 13:08:35 1Lckex-0005nT-6B => email@example.com <firstname.lastname@example.org> F=<email@example.com> R=lookuphost T=remote_smtp S=659 H=mx4.hotmail.com [188.8.131.52] C="250$
2009-02-26 13:08:35 1Lckex-0005nT-6B Completed
2009-02-26 13:08:35 1Lckex-0005nR-5H <= firstname.lastname@example.org U=apache P=local S=641 T="Online Banking - Important notice !" from <email@example.com> for firstname.lastname@example.org
2009-02-26 13:08:35 1Lckex-0005nR-5H => email@example.com F=<firstname.lastname@example.org> R=lookuphost T=remote_smtp S=659 H=mx4.hotmail.com [184.108.40.206] C="250 <E1Lckex-0005nR-5H@x.y.com$
2009-02-26 13:08:35 1Lckex-0005nR-5H Completed
I don't actually need to use exim on this server as it's simply a streaming server, so I shut it down. However, I'd like to know how this is happening. I don't know much about exim, so I was wondering if anyone can find anything useful in these log entries? I was guessing perhaps that the emails were sent via apache somehow, which might mean a server side script that someone managed to upload to my server. Does anyone have any other ideas about how this could be happening?
The clue here is the F= address which is apache. This is likely from an insecure web application.
Spammers often target form to email scripts, PHP applications, and other software to use it to inject spam.
If the exploit is severe, such as a XSS exploit (http://en.wikipedia.org/wiki/Cross-site_scripting), then they may be able to set up a re-mailer on your system, upload files, or further compromise the system.
Turning off exim will prevent the outbound email but it does not remedy the underlying security issues.
If you are using an off-the-shelf program, check with the software vendor for an update.
If you have a form to email script, that is where I would start to look. After that, start looking at the attributes on URL hits in your logs. Often you will see odd things like "=http://www.somesite.com" that is trying to pull in malicious code.
I found out that this was the result of a script (dc.pl) that was in the /tmp directory. This script allowed someone to run commands on the server, and there were some other scripts they added to send spam. I removed all that stuff and, since the file was in the /tmp directory I figured it was probably from the PHP file uploading I have on this server. I tried to secure the uploading, and I'm pretty sure it's not possible to upload malicious code anymore. However, today I've found a new file called k.c.1, which is a lengthy C++ file which clearly does something with IRC. I've also noticed some connections from people over IRC. My question is, how do I go about stopping this from happening? How is it possible to place something in my /tmp directory? I would like to block all ports that I don't need to use, but I'm not exactly sure how to go about that. Can anyone provide me with any direction?
Here is some information about what I've found..
* A processed called "stealth" that's owned by apache and uses lots of CPU.
* A perl file called dc.pl which allowed one to run commands without logging in.
* A C++ file called k.c.1 which connects to an IRC server and does some stuff, probably allowing one to run commands.
* Several rather random processes running as apache.
* Many files, including the stealth binary, in the directory /dev/shm/.MySQL/*, many of which have references to under_chat.org and various other IRC and bot related stuff.
* Connections from hax0r.cn and various IRC servers.
I believe the issue was that my server had Roundcube Mail 0.1 (via DirectAdmin) which had a PHP vulnerability. I suspected an issue with roundcube after noticing strange requests in my apache access log. This software is known to have a vulnerability. I've disabled this and hopefully no one will be able to get in again.