• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Need Urgent Help - Spammer email problem

S

Sevenhelmets

Guest
I posted this question in reply to another similar posting elsewhere on the site, but I think it was under the incorrect catagory and listing, so I thought I'd better create a new thread and start again.

First of all I should mention that I am a relative amature when it comes to running a server. I have a VDS with Godaddy and have the Plesk platform and Qmail as part of the package. Until this problem popped up, I'd never used SSH before (Putty), and just had to learn the basics of it yesterday, by trial and error.

My server hosts a few sites that I have built and maintain by myself (using Plesk and FTP to do everything). Everything is self-taught, and therefore pretty easy to see how a spammer can break any of my site's relatively poor defenses.

Yesterday, a spammer managed to start using my server as a "relay" to spam another site. I have checked Plesk settings, and followed all the basic steps (Open Relay was never on etc), and it seems fine. I read the forum posting here:
http://forum.parallels.com/showthread.php?t=82043&highlight=qmail+spam+relay+server
Which is VERY close to what I'm experiencing.

In any case, by following the solution here:
http://kb.odin.com/en/766

I found that the spammer was most likely using a PHP script, as the headers in the emails looked like this:

Received: (qmail 20387 invoked by uid 48); 6 Jul 2009 22:45:08 -0700
Date: 6 Jul 2009 22:45:08 -0700
Message-ID: <20090707054508.20385.qmail@ip-xxx-xxx-xxx-xxx.ip.secureserver.net>
To: [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected]
Subject: ???? ?????? ? ??????? ?????????? c3kc?? superrr_vkbs
From: [email protected]
Content-type: text/html; charset=windows-1251

Based on the text:
If the 'Received' line contains a UID of a user 'apache' (for example invoked by uid 48) - it means that spam was sent through a PHP script.

However the string of code suggested:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

didn't work under SSH - I got a lot of errors. However this could be due to my lack of experience in using it. Any suggestions?

I was then recommended to follow the instructions given from:
http://kb.odin.com/en/1711

However, I can't understand the line:
"1) create /var/qmail/bin/sendmail-wrapper script with the content..."

My question is - how do I create a wrapper script? As an ASCII text file which I must upload to the server? Or is it something that can be created directly via SSH?

If someone could explain these steps in a little more detail, I would REALLY appreciate it.
The script the spammer is using is still running, and although I have switched off the SMTP part of the server, messages keep stacking up in the Preprocess part, at a rate of about 10 emails a second. We really need to switch the server back on so we can actually start sending emails again (one of the main sites is my company website), so please please, if someone could help out a very confused and frustrated guy, I'd be very very thankful!!

Seven
 
Either edit the file and upload it to the server or create it on the server using an editor such as nano.

Check your apache logs, Look for strange requests there such as pages on your site being called with arguments that you dont normally use.
 
Thank you for the reply John. My question is, you said I can just edit the file and upload to the server. After I edit the file, how do I save it? As a .php file? .txt?
I'll look into the editor you suggested, perhaps that'll be easier.

In regards to your second solution, unfortunately I would have no idea where to start, because I wouldn't know what I'm looking for ("strange requests there such as pages on your site being called with arguments that you dont normally use"). I wouldn't know what strange request would look like compared to a normal one!
Unfortunately my company is rather small, so I cannot afford to hire out to an sys admin at this stage, hence why everything is self taught and I am not the best for this.....!
 
Back
Top