I've recently got some abuse warnings about spam that seems to be coming from my server. After searching my exim logs for the relevant email, I found the following entries:
2009-02-26 13:08:35 1Lckex-0005nT-6B <= apache@x.y.com U=apache P=local S=641 T="Online Banking - Important notice !" from <apache@x.y.com> for someone@hotmail.com
2009-02-26 13:08:35 1Lckex-0005nT-6B => someone@hotmail.com <someone@hotmail.com> F=<apache@x.y.com> R=lookuphost T=remote_smtp S=659 H=mx4.hotmail.com [65.55.37.88] C="250$
2009-02-26 13:08:35 1Lckex-0005nT-6B Completed
2009-02-26 13:08:35 1Lckex-0005nR-5H <= apache@x.y.com U=apache P=local S=641 T="Online Banking - Important notice !" from <apache@x.y.com> for someone@hotmail.com
2009-02-26 13:08:35 1Lckex-0005nR-5H => someone@hotmail.com F=<apache@x.y.com> R=lookuphost T=remote_smtp S=659 H=mx4.hotmail.com [65.54.245.104] C="250 <E1Lckex-0005nR-5H@x.y.com$
2009-02-26 13:08:35 1Lckex-0005nR-5H Completed
I don't actually need to use exim on this server as it's simply a streaming server, so I shut it down. However, I'd like to know how this is happening. I don't know much about exim, so I was wondering if anyone can find anything useful in these log entries? I was guessing perhaps that the emails were sent via apache somehow, which might mean a server-side script that someone managed to upload to my server. Does anyone have any other ideas about how this could be happening?
Thank you!
Spammers often target form-to-email scripts, PHP applications, and other software to use them to inject spam.
If the exploit is severe, such as an XSS exploit (http://en.wikipedia.org/wiki/Cross-site_scripting), then they may be able to set up a re-mailer on your system, upload files, or further compromise the system.
Turning off exim will prevent the outbound email but it does not remedy the underlying security issues.
If you are using an off-the-shelf program, check with the software vendor for an update.
If you have a form-to-email script, that is where I would start to look. After that, start looking at the attributes on URL hits in your logs. Often you will see odd things like "=http://www.somesite.com" that are trying to pull in malicious code.
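The two checks this reply suggests, as an added example that is not part of the thread: a small Python script that counts locally injected exim messages per submitting user (the U=apache P=local pattern in the log above) and flags access-log query parameters whose value is a full URL (the "=http://" pattern). The log lines are constructed samples, and the regexes assume exim's default main-log format and Apache's combined log format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data (not from the thread): exim '<=' arrival records
# with U=/P= fields, and Apache combined-format access log lines.
EXIM_LOG = """\
2009-02-26 13:08:35 1Lckex-0005nT-6B <= apache@x.y.com U=apache P=local S=641 T="Online Banking - Important notice !" from <apache@x.y.com> for someone@hotmail.com
2009-02-26 13:08:35 1Lckex-0005nT-6B => someone@hotmail.com F=<apache@x.y.com> R=lookuphost T=remote_smtp S=659
2009-02-26 13:09:01 1Lckfn-0005oA-1Q <= apache@x.y.com U=apache P=local S=640 T="Online Banking - Important notice !" from <apache@x.y.com> for other@example.net
2009-02-26 13:10:12 1Lckga-0005pB-2R <= root@x.y.com U=root P=local S=512 T="Cron <root@x> run-parts" from <root@x.y.com> for root@x.y.com
"""

ACCESS_LOG = """\
203.0.113.5 - - [26/Feb/2009:13:07:58 +0000] "GET /gallery/index.php?page=http://198.51.100.7/k.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [26/Feb/2009:13:08:02 +0000] "GET /contact.php?name=bob&url=https://example.org/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.3 - - [26/Feb/2009:13:08:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# date time msg-id <= sender U=user P=protocol ... T="subject"
EXIM_ARRIVAL = re.compile(r'^\S+ \S+ (\S+) <= (\S+) U=(\S+) P=(\S+) .*?T="([^"]*)"')
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
WEB_USERS = {"apache", "www-data", "nobody"}  # accounts a web server usually runs as

def local_submissions(log):
    """Count messages exim accepted from a local process (P=local), keyed by
    (submitting user, subject). Bulk mail from a web-server user is the signal."""
    counts = Counter()
    for line in log.splitlines():
        m = EXIM_ARRIVAL.match(line)
        if m and m.group(4) == "local":
            counts[(m.group(3), m.group(5))] += 1
    return counts

def web_user_mail(counts):
    """Keep only the (user, subject) entries submitted by a web-server account."""
    return {k: v for k, v in counts.items() if k[0] in WEB_USERS}

def remote_url_params(log):
    """Return (client_ip, param, value) for every query parameter whose value is a
    full http(s) URL, i.e. the '=http://' pattern that marks remote-include attempts."""
    hits = []
    for line in log.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        for key, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            if re.match(r"https?://", value, re.IGNORECASE):
                hits.append((client, key, value))
    return hits
```

Run both functions over the real /var/log/exim/mainlog and the Apache access log; the request that immediately precedes the first apache-submitted message is usually the one to inspect.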
Here is some information about what I've found:
* A process called "stealth" that's owned by apache and uses lots of CPU.
* A perl file called dc.pl which allowed one to run commands without logging in.
* A C++ file called k.c.1 which connects to an IRC server and does some stuff, probably allowing one to run commands.
* Several rather random processes running as apache.
* Many files, including the stealth binary, in the directory /dev/shm/.MySQL/*, many of which have references to under_chat.org and various other IRC and bot related stuff.
* Connections from hax0r.cn and various IRC servers.