Server compromised, need help.

Discussion in 'Plesk for Linux - 8.x and Older' started by marcus@, Jan 3, 2007.

  1. marcus@

    marcus@ Guest

    I'm getting bounced mail from a couple of domains that looks like my server has been compromised to send spam. The mail comes from domains I have but not from mail users I have set up in Plesk/qmail.

    For example, one was sent from:
    From: "bucktoothed" <vdsa@domain-on-my-server.com>

    I need some help in knowing where to start looking for the vulnerability.

    I've run chkrootkit and rkhunter and come up clean in both cases. I've also attempted looking at the
    /var/qmail/mailnames/domain.com/legit-user/Maildir/.sent-mail/ folders for signs of the spam, but since it's coming from users that shouldn't even exist there's nothing there.

    I've checked my outgoing mail relay settings and it requires SMTP authentication.

    The domain(s) in question are not running any scripts--in fact, one only has a single .html file and an image in the httpdocs dir.

    I'm not sure where to go from here.
  2. marcus@

    marcus@ Guest

    Since last night I've figured out that they can send mail from apparently *any* domain on the server, regardless of whether the domain is enabled or not. I disabled all domains and spam is still being sent. HTTPD must, however, be running.

    It's sending about 3 messages a minute.

    ps -fuapache does not show any PPIDs of 1.

    I've installed mod_security but honestly I'm not really sure where to start with it. One strange, repeated entry I've noticed is:

    Apache-Error: [file "/usr/src/build/584794-i386/BUILD/httpd-2.0.46/server/core.c"] [line 3452] [level 3] File does not exist: /home/httpd/vhosts/default/htdocs/blog
    Stopwatch: 1167915372113894 2112 (- - -)
    Producer: ModSecurity v2.0.4 (Apache 2.x)
    Server: Apache

    I have neither the /usr/src/build/... folder nor the /home/httpd/vhosts/default/htdocs/blog folder on my server.
  3. nickbrown

    nickbrown Guest

    Are you sure the mail is actually originating from your server, and it is not just a spammer spoofing the 'From' address?

    Think of it this way:
    1. Spammer harvests domain names, sends spam out using anymailname@yourdomain.com
    2. One of the spam emails sent out was delivered to a mailbox that did not exist
    3. As the mailbox did not exist, the mail will bounce back to your domain, as the receiving mail server believes that's where the email originated from

    Can you paste in the mail headers from one of the emails?
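A way to answer nickbrown's question from the headers, added here as an example and not code from the thread: walk the Received: chain of the returned message and check whether the server's own IP ever handled it. If it never did, the From: address was forged elsewhere and the bounces are backscatter; if it did, the message really left the server and the search should continue locally. All hosts, IPs and addresses below are made-up values, and the server IPs are assumed to be supplied by the admin.

```python
import re
from email import message_from_string

# Constructed sample: headers of a returned message as a receiving site
# would quote them in a bounce. All hosts and addresses are made-up values.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.9])
        by mail.recipient.example (Postfix) with ESMTP id 4F2A1
        for <nobody@recipient.example>; Wed, 3 Jan 2007 10:15:02 +0000
Received: from dsl-pool-77.example.org (unknown [198.51.100.77])
        by mx.example.net with SMTP; Wed, 3 Jan 2007 10:14:58 +0000
From: "bucktoothed" <vdsa@domain-on-my-server.com>
To: nobody@recipient.example
Subject: hello

"""

# "from <helo-name> (<reverse-dns> [<ip>])", the form most MTAs write
HOP_RE = re.compile(r"from\s+\S+\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_headers):
    """Source IP of each Received: hop, ordered oldest (origin) to newest.

    MTAs prepend Received: headers, so the last one in the message is the
    hop closest to where the message was injected."""
    msg = message_from_string(raw_headers)
    ips = []
    for hop in msg.get_all("Received", []):
        m = HOP_RE.search(hop)
        if m:
            ips.append(m.group(1))
    return list(reversed(ips))


def classify(raw_headers, our_ips):
    """Decide whether a bounced message ever passed through this server.

    our_ips: the server's public IPs (hypothetical, supplied by the admin).
    Returns 'relayed-here' if one of them appears in the Received chain,
    otherwise 'forged-sender': the From: domain was spoofed elsewhere and
    the bounce is backscatter, not evidence of a local compromise."""
    if any(ip in our_ips for ip in received_ips(raw_headers)):
        return "relayed-here"
    return "forged-sender"


if __name__ == "__main__":
    print(received_ips(SAMPLE_HEADERS))
    print(classify(SAMPLE_HEADERS, {"192.0.2.10"}))
```

The origin hop in the sample is a dial-up pool address, so with the server at 192.0.2.10 the result is forged-sender; only a Received: line naming the server's own IP would point to a local relay.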