SMTP log - SPAM

Luisgon

New Pleskian
Hi,

I'm getting a spam attack, sending Barclays emails from my server.

Already checked the messages log:

tons of this:

Mar 30 10:36:41 xxxxx xinetd[25053]: START: smtp pid=16019 from=::ffff:94.23.176.240
Mar 30 10:36:42 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16019 duration=1(sec)
Mar 30 10:36:42 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16005 duration=7(sec)
Mar 30 10:36:43 xxxxx xinetd[25053]: START: smtp pid=16022 from=::ffff:89.78.254.49
Mar 30 10:36:44 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16022 duration=1(sec)
Mar 30 10:36:45 xxxxx xinetd[25053]: START: smtp pid=16034 from=::ffff:82.102.7.202
Mar 30 10:36:45 xxxxx xinetd[25053]: START: smtp pid=16042 from=::ffff:195.22.26.214
Mar 30 10:36:45 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16034 duration=0(sec)
Mar 30 10:36:45 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16042 duration=0(sec)
Mar 30 10:36:46 xxxxx xinetd[25053]: START: smtp pid=16050 from=::ffff:195.22.26.214
Mar 30 10:36:46 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16050 duration=0(sec)
Mar 30 10:36:47 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=15927 duration=41(sec)
Mar 30 10:36:53 xxxxx xinetd[25053]: START: smtp pid=16062 from=::ffff:175.212.76.200
Mar 30 10:36:56 xxxxx xinetd[25053]: START: smtp pid=16068 from=::ffff:94.23.176.240
Mar 30 10:36:56 xxxxx xinetd[25053]: EXIT: smtp status=0 pid=16068 duration=0(sec)


Also checked the maillog:
Apr 2 09:14:51 xxxxx qmail: 1396426491.604793 starting delivery 1405801: msg 82641681 to remote [email protected]
Apr 2 09:14:51 xxxxx qmail: 1396426491.604831 status: local 0/10 remote 4/20
Apr 2 09:14:51 xxxxx qmail: 1396426491.604960 new msg 46268182
Apr 2 09:14:51 xxxxx qmail: 1396426491.605016 info msg 46268182: bytes 105277 from <> qp 7030 uid 2020
Apr 2 09:14:51 xxxxx qmail-remote-handlers[7031]: Handlers Filter before-remote for qmail started ...
Apr 2 09:14:51 xxxxx qmail-remote-handlers[7031]: [email protected]
Apr 2 09:14:51 xxxxx qmail: 1396426491.647172 starting delivery 1405802: msg 82641681 to remote [email protected]
Apr 2 09:14:51 xxxxx qmail: 1396426491.647196 status: local 0/10 remote 5/20
Apr 2 09:14:51 xxxxx qmail: 1396426491.647411 starting delivery 1405803: msg 46268182 to remote [email protected]
Apr 2 09:14:51 xxxxx qmail: 1396426491.647425 status: local 0/10 remote 6/20
Apr 2 09:14:51 xxxxx qmail-remote-handlers[7032]: Handlers Filter before-remote for qmail started ...
Apr 2 09:14:51 xxxxx qmail-remote-handlers[7031]: [email protected]
Apr 2 09:14:51 xxxxx qmail-remote-handlers[7033]: Handlers Filter before-remote for qmail started ...
Apr 2 09:14:51 xxxxx qmail-remote-handlers[7032]: [email protected]

The mails aren't sent by a PHP mail() script; I have a log for the mail() function and nothing was detected.
I suppose that the mails are being sent by SMTP (compromised account?!), but how can I find the user/login that is being used??
I'm going crazy with this...

Thanks for the help,
Luís
 
This can be difficult to resolve because you don't see the smoking gun -- the "login".

What happens in some cases (such as yours, from the look of it) is that there is one login, ages ago, which the spammers then use to send spam in quantity as opposed to them logging in to send each message. At least, that is the reason I assume you aren't seeing the logins.

You can't (easily) firewall the offending IPs because it looks like it is a botnet with lots of different IPs.

So the key is to cause the bad guys to log in. You do this by stopping qmail (or postfix) AND (and this is important!!!!) killing any lingering qmail-send or postfix processes. This is important because stopping qmail (or postfix) does NOT stop an ongoing connection. I found this out the hard way.

So:

service qmail stop
service xinetd stop

ps awwx | grep 'qmail'
(find pids of qmail processes)
kill (pid of qmail process) (repeat for each qmail process) (you are mainly looking for qmail-send I think, but use your judgement)

Use qmhandle.pl (available in the atomic repo) to kill any residual spam in your mail queue.
Or use Plesk's mail configuration section to remove them.


Now check the log in realtime:
tail -f /usr/local/psa/var/log/maillog

Make sure no spam is going through.

Now while still looking at the maillog:

service qmail start
service xinetd start

(adjust the above if you are using postfix)

And you should see the login with the username of the client with the compromised account.

This is all rough and ready, written quickly in the hope of helping you. But I may have made errors or missed something out, so don't assume everything is 100% correct or helpful.
 
Faris,

Thanks!

With your help I was able to catch the login and find the compromised account.

PS. An email account with the password '123456789'... GRRrrrrrr!!!
 
I'm really pleased I was able to help. This sort of situation can be very annoying and sometimes difficult to deal with, especially in a panic. Been there, done that, so I know it can be stressful.
 