
how to see which user is running a php spam script

goldahamster

New Pleskian
our server uses postfix and runs a php script sending out SPAM mails to mostly aol.com accounts
which fills up the mail queue

the detail of each mail says

X-PHP-Originating-Script: 502:admin.php

in other words: user with the UID 502 is sending out mails using a PHP script - right?

=> where can I see a list of users with corresponding domains to stop that?

thanks to all

Stefan
 
use:
grep UID /etc/passwd


I tried, but it shows only that the user is not logged in.

I guess I found a solution by using the mysql psa database
with this selection:

select domains.name,sys_users.login,accounts.password,sys_users.account_id from domains,sys_users,hosting,accounts where domains.id=hosting.dom_id and hosting.sys_user_id=sys_users.id and sys_users.account_id=accounts.id order by domains.name;

it showed me the UID and the domain
and since I stopped all mail services on this domain
no more SPAM was sent out. :-o

but thanks for the hint !
 
I tried, but it shows only that the user is not logged in.
I don't understand this: the grep command doesn't write output from the passwd file showing that comment.
I think you have done something wrong.
You should login as ROOT on your terminal and enter this:
ROOT [~] # grep 502 /etc/passwd
then you get the output like this:
username:x:502:506:comment:/user/document/root/:/sbin/nologin

Then you change the directory to /user/document/root and you use "find" to find that admin.php file which is probably infected with a spam script or is by default a spam script

If your mail servers use authentication for sending mails through PHP then in that script you'll probably see which user login data is compromised and you can change only that user's credentials without affecting mail services on the whole domain
 
many thanks!
true - you are right

output after grep with UID 502 is:

psaftp:x:501:502:anonftp psa user:/:/sbin/nologin
apache:x:502:503:Apache server:/:/sbin/nologin

sorry - all this is new to me ... normally I'm into db programming with FileMaker ... something totally different :)

in which directory shall I find the infected file in the case of these two lines above?
What does the second number stand for?
 
I've faced this scenario before on a plesk server. If the emails are in queue, hundreds of them waiting to be processed, take a look at /usr/local/psa/var/log/maillog or use tail -f /usr/local/psa/var/log/maillog and try and identify which is the domain from where apache is engaged to send emails. Also I have used a Maldetector software for linux and scanned the directory of that domain and I found the malicious .php file/s. You can give this a try!
 
many thanks!
true - you are right

output after grep with UID 502 is:

psaftp:x:501:502:anonftp psa user:/:/sbin/nologin
apache:x:502:503:Apache server:/:/sbin/nologin

sorry - all this is new to me ... normally I'm into db programming with FileMaker ... something totally different :)

in which directory shall I find the infected file in the case of these two lines above?
What does the second number stand for?

This is the right user:
apache:x:502:503:Apache server:/:/sbin/nologin

But in this case you can't find the website since user ID 502 is for the "apache" user which is used by the apache/httpd service. This means that your site is running as an apache module instead of a CGI or FastCGI module.
Only in CGI or FastCGI mode is PHP interpreted with the website username, which is usually zsomething... and with IDs bigger than 10000, so in such a case you can find the infected user with no problem.

Take a look at that mail's headers and try to find a field with "sasl_username"; just right of that should be the e-mail address of that authenticated user, and then you should change the user credentials for that user to stop the spam.
See if that can help...

Also take a look at the post above and try to find problematic domain in /usr/local/psa/var/log/maillog
 
many thanks - it helps not to be totally alone with that theme!
... more than the kb ;-)

yes ... I got the tail of the Maillog on the screen the last days
and try to read this - for me - new language.

the last 6 hours another 5000 mails were kept in the queue ...

in other words: I still got to find the php file to stop it, or the user account.
All outgoing emails got the same domain with different names before @
It is one of the domains used on this server.
Suspending the mail services of this client made no difference.

I now suspended all his other domains too ... just as a try.
 
Thanks a lot ... it really helps !

yes ... got the tail of the maillog on the screen the last days
and tried to read this - for me new - language of the postfix.

Another 5000 mails came into the queue the last 6 hours.
All from a sender address using different names before @ and a domain from
the server. I already stopped the mailservice for this domain.

Now I stopped the mailservice for all the other domains of that client
and till now there are no more spam in the maillog.

But the php sender changed the way of sending out mails, so I have to check
this later on and got to find the php ... on the webserver of this special client
it seems.
 
Take a look at that mail's headers and try to find a field with "sasl_username"; just right of that should be the e-mail address of that authenticated user, and then you should change the user credentials for that user to stop the spam.
See if that can help...

no way ... still SPAM is sent by that php and I can not find it.

sasl_username I could not find - any idea?

The header always looks like this:

Received: by our-server.de (Postfix, from userid 502)
id 07EE0D4; Mon, 28 Apr 2014 07:42:23 +0200 (CEST)
To: [email protected]
Subject: RE: Hi Trustworthy Meds Online Goods
X-PHP-Originating-Script: 502:admin.php
From: "Lorrie Dudley" <lorrie_dudley@sender-domain.com>
Reply-To:"Lorrie Dudley" <lorrie_dudley@sender-domain.com>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20140428054224.07EE0D4@our-server.de>
Date: Mon, 28 Apr 2014 07:42:23 +0200 (CEST)


Thanks
 
OK, try this as a quick and dirty method:
# updatedb
# locate admin.php

This will show all the admin.php files on the server and where they are. If you only have a small number you should be able to narrow it down a bit.
 
OK, try this as a quick and dirty method:
# updatedb
# locate admin.php

This will show all the admin.php files on the server and where they are. If you only have a small number you should be able to narrow it down a bit.

This is a nice trick.

If you can not find the updatedb/locate command you have to install mlocate which provides the commands above; on centos it's: "yum install mlocate"

Also, I would like to suggest you run your sites as a fastCGI module rather than mod PHP, since in fastCGI the site process is running with its own username and then you have no problem finding the problematic user.
 
ok - thanks again

As far as I can see the problem in detail is an old one from 2006:
http://forum.parallels.com/showthread.php?290730-Spam-from-hole-in-Plesk

so ... finally I could find the SPAMMER virus today:

it really was an "admin.php" file in var/vhost/www of the same Domain, which was used as sender domain.
The client of this virtual webserver used Joomla and the main folder, the template folder and a temp folder top level under httpdocs was full of additional php files with lots of special code.
All of these were easy to detect, because the owner and the group was each time the unusual "apache"

As well in the temp folder there was an htaccess file with extra access to all php files in that folder for anyone
In fact the whole system of this virt. webserver could be controlled by all these 50 php files.
If someone is interested, I can send the names of all files used by that SPAMMER, in case someone wants to search for it.
 
Glad you could solve the problem but the main issue is Joomla, I see these cases every day. Just finished cleaning spam a couple of minutes ago. Only updating Joomla and its plugins can solve the issue. Attackers know how to break into the site you host with no problem and probably it will happen again.

It's not unusual that apache is the owner of such files because that site is run with mod_php, which means that it's running as the apache user, and where it has write permissions it can write files, and of course the person/service that writes files owns them.

I usually set password-protection on / of the site if spam continues and tell my customer to update the web, and until then I don't remove the password protection. Of course the customer has credentials to access the web so he can update it but the attacker is denied access.
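The two steps the thread converges on, resolving the UID from the X-PHP-Originating-Script header against /etc/passwd and then listing the PHP and .htaccess files that the web-server user owns under a document root, can be scripted so the lookup matches the numeric UID column only. That matters here: the plain "grep 502 /etc/passwd" from the earlier post also matched psaftp, whose primary GID (the fourth field) is 502, which is exactly the two-line output that caused the confusion above. The following is an added example written for this thread, not code posted by any of the participants or shipped by Plesk; the passwd lines are constructed from the output quoted in the thread, and the directory layout used in the demo is a throwaway tree created with mktemp. It uses GNU find's -uid option.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the UID in an
# X-PHP-Originating-Script header by the numeric UID field of passwd data,
# then list PHP and .htaccess files under a document root owned by that UID,
# the pattern the thread's final post describes (files owned by "apache").

# Constructed from the header and passwd lines quoted in the thread.
SAMPLE_HEADER='X-PHP-Originating-Script: 502:admin.php'
SAMPLE_PASSWD='psaftp:x:501:502:anonftp psa user:/:/sbin/nologin
apache:x:502:503:Apache server:/:/sbin/nologin'

# Print the numeric UID from an X-PHP-Originating-Script header line.
originating_uid() {
    printf '%s\n' "$1" |
        sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):.*$/\1/p'
}

# Resolve a UID in passwd-format text (default: /etc/passwd) by field 3 only.
# Output: user:gid:home:shell. Field 4 is the primary GID, which is why a bare
# "grep 502 /etc/passwd" also hits psaftp (GID 502) in the thread.
passwd_lookup() {
    uid="$1"
    if [ $# -ge 2 ]; then text="$2"; else text=$(cat /etc/passwd); fi
    printf '%s\n' "$text" |
        awk -F: -v uid="$uid" '$3 == uid { print $1 ":" $4 ":" $6 ":" $7 }'
}

# List PHP and .htaccess files under a directory that are owned by the given
# UID (GNU find). On a mod_php host, web-writable files owned by the apache
# user are the ones to review, as in the thread's Joomla case.
owned_web_files() {
    dir="$1"; uid="$2"
    find "$dir" -type f -uid "$uid" \( -name '*.php' -o -name '.htaccess' \) 2>/dev/null |
        LC_ALL=C sort
}

# Demo on the constructed data. The find step needs a real tree, so it runs
# on a temporary directory owned by the current user (stand-in for apache).
uid=$(originating_uid "$SAMPLE_HEADER")
echo "header uid: $uid"
echo "passwd entry: $(passwd_lookup "$uid" "$SAMPLE_PASSWD")"
demo=$(mktemp -d)
mkdir -p "$demo/httpdocs/tmp"
: > "$demo/httpdocs/admin.php"
: > "$demo/httpdocs/tmp/.htaccess"
: > "$demo/httpdocs/index.html"
echo "files owned by uid $(id -u) under $demo:"
owned_web_files "$demo" "$(id -u)"
rm -rf "$demo"
```

On a real host, call passwd_lookup with just the UID to read /etc/passwd, and point owned_web_files at the vhost's httpdocs directory with the UID the header reported; a non-empty list on a site that should be owned entirely by the subscription's system user is the thing to investigate, and the post above about switching the site to FastCGI is what makes the UID point at a specific customer instead of at apache.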
 