
Massive spam generated by my server, can't find php script/cause.

damon (Guest)
Some php script on my server is being used to crank out massive numbers of spam emails and I can't find the source.

I've tried the suggestions in the sw-soft.com knowledgebase.
http://kb.swsoft.com/article_22_766_en.html


Example header from the latest batch.
Received: (qmail 11909 invoked by uid 48); 23 Apr 2007 03:57:53 -0500
Date: 23 Apr 2007 03:57:53 -0500
Message-ID: <20070423085753.11907.qmail@example>
To: [email protected]
Subject: HSBC LONDON
From: Benjamin Ghanemy <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

From sw-soft:

If the 'Received' line contains the UID of the 'apache' user (for example "invoked by uid 48"), it means that the SPAM was sent via some PHP script. In this case you can try to find the spammer using information from the spam mails (from/to addresses, subjects or anything else). But usually it is very hard to find the SPAM source in this case. If you are sure that at the current moment some script is sending SPAM (queue grows very fast), you can use this little script to find out what PHP scripts are running in real-time:
Code:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

I've run that and it shows all the php scripts that run, but doesn't help find the bad script, since most of the sites on the server run php scripts of various kinds.

Any suggestions? This is driving me crazy and I'm sure it will lead to my new IPs getting on block lists.

Damon
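As an added example (not from the thread or the sw-soft KB), the header check quoted above turned into a small Python triage script: it reads the qmail "invoked by uid" Received line from each queued message, maps the uid to a user, and counts messages per origin and subject. The uid-to-user table and the sample queue are constructed; only "uid 48 = apache" and the HSBC LONDON subject come from the thread.

```python
import re
from collections import Counter

# Matches the qmail-inject Received line quoted in the thread, e.g.
# "Received: (qmail 11909 invoked by uid 48); 23 Apr 2007 03:57:53 -0500"
QMAIL_RECEIVED = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
SUBJECT = re.compile(r"^Subject:[ \t]*(.*)$", re.MULTILINE)

# Constructed stand-in for /etc/passwd on the affected server. 48 is the
# apache uid named in the thread; the other entries are made up.
PASSWD = {0: "root", 48: "apache", 10001: "popuser", 10002: "siteowner"}

def classify_message(headers, passwd=PASSWD):
    """Return (uid, user, origin) for one message's headers, or None when the
    mail has no 'invoked by uid' line (e.g. it arrived over SMTP, not locally)."""
    m = QMAIL_RECEIVED.search(headers)
    if not m:
        return None
    uid = int(m.group(1))
    user = passwd.get(uid, "unknown")
    if user == "apache":
        origin = "php-script"    # injected by the web server: inspect vhost PHP
    elif uid == 0:
        origin = "root-or-cron"  # system process or cron job
    else:
        origin = "local-user"    # CGI or shell under a hosting account
    return uid, user, origin

def summarise_queue(messages):
    """Count locally injected messages by (origin, user, subject) so the
    dominant spam source stands out from legitimate site mail."""
    counts = Counter()
    for hdrs in messages:
        cls = classify_message(hdrs)
        if cls is None:
            continue
        s = SUBJECT.search(hdrs)
        counts[(cls[2], cls[1], s.group(1).strip() if s else "")] += 1
    return counts
# Constructed sample: three copies of the thread's spam header, one piece of
# ordinary mail from a hosting user, one message that arrived via SMTP.
SPAM = "Received: (qmail 11909 invoked by uid 48); 23 Apr 2007 03:57:53 -0500\nSubject: HSBC LONDON\n"
USER_MAIL = "Received: (qmail 12001 invoked by uid 10002); 23 Apr 2007 04:00:00 -0500\nSubject: Invoice\n"
SMTP_MAIL = "Received: from mail.example.net (HELO mail.example.net)\nSubject: Hello\n"
SAMPLE_QUEUE = [SPAM, SPAM, SPAM, USER_MAIL, SMTP_MAIL]

if __name__ == "__main__":
    for key, n in summarise_queue(SAMPLE_QUEUE).most_common():
        print(n, *key)
```

On a real qmail box you would feed it the header part of each file under the queue's mess/ directory; a large count under "php-script" for one subject is the signal that a vhost's PHP code, not a user account, is the sender.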
 
Often the exploit is through a contact form. If you don't filter input then it is fairly easy to send SPAM through a contact form.

I use this function to filter any malicious stuff:


// Strip raw and URL-encoded CR/LF and header keywords so a form field
// cannot inject extra mail headers (Bcc:, Cc:, Content-Type:).
// Case-insensitive replace catches "bcc:" and "Bcc:" alike.
function nospam($name)
{
    return str_ireplace(array("\r", "\n", "%0A", "%0D", "Content-Type:", "BCC:", "CC:"), "", $name);
}

HTH
 
Found the spam source

Thanks for the reply gornbo,

I wanted to report that I did find the php script that was causing the spam email. It turned out to be a well known PHP script designed for this purpose.

Just thought I'd outline what it took to find the spam source and get rid of the several hundred thousand spam emails in the remote mail queue.

The information to find the spam is in several knowledge base articles here at SWSOFT.

First there is this FAQ on the general problem:

The server is overloaded with SPAM. There are many messages in queue. Mail is delivered slowly.
http://kb.swsoft.com/article_22_766_en.html


That FAQ helps figure out if the cause is a server exploit, cgi script, or php script.

It turns out that PHP scripts are the hardest to find. To find where the spam is coming from, see this FAQ:

Many email messages are sent from PHP scripts on the server. How can I find what domains these scripts are running on?
http://kb.swsoft.com/article_22_1711_en.html


Then, after you've found and eliminated the bad script, you'll need to get rid of the spam in the mail queue. If there are tens of thousands (or more), it can take a long time to delete them. A faster method is to rebuild the qmail mail queue.

Instructions for that are located in this FAQ:

How do I rebuild qmail's queue if it is damaged or consists of a lot of spam messages?
http://kb.swsoft.com/article_22_252_en.html


Hope that saves someone time fixing their server in the future.

Damon
 