Sevenhelmets
I posted this question in reply to another similar posting elsewhere on the site, but I think it was under the incorrect category and listing, so I thought I'd better create a new thread and start again.
First of all I should mention that I am a relative amateur when it comes to running a server. I have a VDS with GoDaddy and have the Plesk platform and Qmail as part of the package. Until this problem popped up, I'd never used SSH before (PuTTY), and just had to learn the basics of it yesterday, by trial and error.
My server hosts a few sites that I have built and maintain by myself (using Plesk and FTP to do everything). Everything is self-taught, and it is therefore pretty easy to see how a spammer can break any of my sites' relatively poor defenses.
Yesterday, a spammer managed to start using my server as a "relay" to spam another site. I have checked the Plesk settings, and followed all the basic steps (Open Relay was never on, etc.), and it seems fine. I read the forum posting here:
http://forum.parallels.com/showthread.php?t=82043&highlight=qmail+spam+relay+server
Which is VERY close to what I'm experiencing.
In any case, by following the solution here:
http://kb.odin.com/en/766
I found that the spammer was most likely using a PHP script, as the headers in the emails looked like this:
Received: (qmail 20387 invoked by uid 48); 6 Jul 2009 22:45:08 -0700
Date: 6 Jul 2009 22:45:08 -0700
Message-ID: <20090707054508.20385.qmail@ip-xxx-xxx-xxx-xxx.ip.secureserver.net>
To: [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected],
[email protected], [email protected]
Subject: ???? ?????? ? ??????? ?????????? c3kc?? superrr_vkbs
From: [email protected]
Content-type: text/html; charset=windows-1251
Based on the text:
If the 'Received' line contains a UID of a user 'apache' (for example invoked by uid 48) - it means that spam was sent through a PHP script.
However the string of code suggested:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php
didn't work under SSH - I got a lot of errors. However, this could be due to my lack of experience in using it. Any suggestions?
I was then recommended to follow the instructions given from:
http://kb.odin.com/en/1711
However, I can't understand the line:
"1) create /var/qmail/bin/sendmail-wrapper script with the content..."
My question is - how do I create a wrapper script? As an ASCII text file which I must upload to the server? Or is it something that can be created directly via SSH?
If someone could explain these steps in a little more detail, I would REALLY appreciate it.
The script the spammer is using is still running, and although I have switched off the SMTP part of the server, messages keep stacking up in the Preprocess part, at a rate of about 10 emails a second. We really need to switch the server back on so we can actually start sending emails again (one of the main sites is my company website), so please please, if someone could help out a very confused and frustrated guy, I'd be very very thankful!!
Seven
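The two pieces of the investigation the post is stuck on, shown as an added shell example (this is not code from the post, from the Plesk KB articles it links, or from Plesk itself): pulling the uid out of qmail's "invoked by uid N" Received line so it can be compared with the web server's uid, and the sendmail wrapper idea, which stamps every message handed to sendmail with the working directory of the script that called it, so the offending PHP file can be found in the resulting log. The wrapper is created straight from the SSH session with a heredoc, so nothing needs to be uploaded by FTP. Paths are assumptions: that PHP's mail() calls /var/qmail/bin/sendmail, that the original binary is renamed to sendmail-qmail, and that /var/tmp/mail.send is the log; demo() runs the same code in a scratch directory with a stand-in for the real sendmail and constructed traffic.

```shell
#!/bin/sh
# Added example, not from the original post or the Plesk KB articles.
# 1. invoked_by_uid: read the uid from qmail's Received line.
# 2. write_wrapper / install_wrapper: a sendmail wrapper that records the
#    caller's directory, plus report_senders to summarise the log.
# Assumed paths: /var/qmail/bin/sendmail (what PHP mail() runs), renamed
# to sendmail-qmail; log in /var/tmp/mail.send. demo() uses a scratch tree.

# invoked_by_uid FILE: print the uid from the first qmail Received line.
# Compare the result with `id -u apache` on the server.
invoked_by_uid() {
    sed -n 's/^Received: (qmail [0-9]* invoked by uid \([0-9]*\)).*/\1/p' "$1" | head -n 1
}

# write_wrapper DEST REAL_SENDMAIL LOGFILE: create the wrapper script
# directly in the SSH session with a heredoc (no file upload needed).
write_wrapper() {
    dest=$1; real=$2; log=$3
    cat > "$dest" <<EOF
#!/bin/sh
# Prepend the caller's working directory as a header, append a copy of
# the message to the log, then pass everything to the real sendmail.
(echo "X-Additional-Header: \$PWD"; cat) | tee -a "$log" | "$real" "\$@"
EOF
    chmod 755 "$dest"
}

# install_wrapper / remove_wrapper: the root-only steps on the real host.
# The log must be writable by the web server user (uid 48 in the post),
# because the wrapper runs under that uid when PHP calls mail().
install_wrapper() {
    touch /var/tmp/mail.send && chmod a+rw /var/tmp/mail.send
    mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
    write_wrapper /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail /var/tmp/mail.send
}
remove_wrapper() {
    mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail
}

# report_senders LOGFILE: messages per originating directory, busiest first.
report_senders() {
    grep '^X-Additional-Header: ' "$1" | sort | uniq -c | sort -rn
}

# send_from DIR WRAPPER N: run the wrapper N times from DIR with a
# constructed message on stdin, the way PHP's mail() would (-t -i).
send_from() {
    n=0
    while [ "$n" -lt "$3" ]; do
        (cd "$1" && printf 'To: user@example.com\nSubject: test\n\nbody\n' | "$2" -t -i)
        n=$((n + 1))
    done
}

# demo: exercise the wrapper in a scratch tree with a stand-in for the
# real sendmail and print the report. Traffic is constructed: two mails
# from a site's contact form, five from a script dropped in a tmp dir.
demo() {
    work=$(mktemp -d)
    fake="$work/sendmail-qmail"
    printf '#!/bin/sh\ncat >/dev/null\necho "$*" >> "%s/calls"\n' "$work" > "$fake"
    chmod 755 "$fake"
    write_wrapper "$work/sendmail" "$fake" "$work/mail.send"
    mkdir -p "$work/vhosts/example.com/httpdocs" "$work/vhosts/victim.net/httpdocs/tmp"
    send_from "$work/vhosts/example.com/httpdocs" "$work/sendmail" 2
    send_from "$work/vhosts/victim.net/httpdocs/tmp" "$work/sendmail" 5
    report_senders "$work/mail.send"
}
```

On the real server, run install_wrapper as root, let the spam script send for a while, then run `report_senders /var/tmp/mail.send`: the directory at the top of the list is where the sending PHP file lives. Run remove_wrapper afterwards, since the log keeps a full copy of every message, including legitimate ones, and grows quickly at the rate described in the post.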