Spam from hole in Plesk?

[HoracioS]

Hi!

I can see in server running Centos 6 Plesk 11.5.30 MU#14 a lot of spam generated by [email protected]

I was implemented the script suggested by this article to detect the the site are sending the spam: http://kb.parallels.com/article_22_1711_en.html

The problem is I can´t detect the spam source, the texts in /var/tmp/mail.send says nothing about the complete path. Please help!


X-Additional-Header: /var/www
From: =?UTF-8?B?RnJlc2ggVmVnYXM=?= <[email protected]>
To: "loyer mathieu" <[email protected]>
Subject: =?UTF-8?B?SGVsbG8gbG95ZXIgbWF0aGlldS4gR29sZGVuIFRpZ2VyIC0gQ0EkMTUwMCBGUkVFICsgMSBIb3VyIEZyZWUgUGxheSE=?=
Content-Type: multipart/mixed; boundary="PHP-mixed-b309435230a259485b67eaac5cda8c9a"

--PHP-mixed-b309435230a259485b67eaac5cda8c9a
Content-Type: multipart/alternative; boundary="PHP-alt-b309435230a259485b67eaac5cda8c9a"

--PHP-alt-b309435230a259485b67eaac5cda8c9a
Content-Type: text/plain; charset="utf-8""
Content-Transfer-Encoding: 7bit

http://thoxywrrzb.fresh-vegas.org

--PHP-alt-b309435230a259485b67eaac5cda8c9a
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

 

[Faris Raouf]

Argh! That's horrible. I take it that there is no code in /var/www ?

You can, in an emergency, try grepping for scripts that use the mail function and then investigate them.

grep -ri 'mail(' /var/www/

But that's not good snippet -- it will search every file, including logs and stats and binaries, which isn't what you want but it is all I could come up with instantly.

Maybe someone with more time will come up with a better solution, or an answer as to why $PWD isn't showing the full path.

 

[HoracioS]

I was disable NGINX to check if show the $PWD but no luck :-(

Somebody from Parallels PLEASE HELP!!!

 

[IgorG]

Do you really have Qmail as MTA on your Plesk? Postfix is default MTA and you should use article http://kb.parallels.com/en/114845 in that case.

 

[HoracioS]

Do you really have Qmail as MTA on your Plesk? Postfix is default MTA and you should use article http://kb.parallels.com/en/114845 in that case.

Strange question, but yes, I can confirm QMAIL is the MTA...
psa-qmail 1.03-cos6.build115130805.16
psa-qmail-rblsmtpd 0.88-cos6.build115130313.15

Best regards,
Horacio

 

[eugenevdm]

Postfix wrapper doesn't work because X-Additional-Header is wrong or missing

We have a similar problem, but we're running Postfix.
We are also using CentOS release 6.3 (Final) 64-bit but with PPA.

We normally use this KB to catch Postfix spammers that use PHP scripts:
http://kb.parallels.com/en/114845
"Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?"

On our system the script works - for sites hosted in Plesk. For example, when we do:

[root@web5 tmp]# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `
X-Additional-Header: /var/www/vhosts/sitename.com/httpdocs

In the instance above, there is a site hosted and the user has Wordpress and their comments form is being spammed.

HOWEVER, the real problem is this event caught in the /var/tmp/mail.send file:

"X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards

Note the following attributes of this X-Additional-Header:

1. It doesn't include a Plesk path.
2. It says root@localhost
3. This particular message is preceded by amount a minute of spamming and thousands of messages.

The particular spammer is very devious, in that he times his attacks spaced out in time. For example, we noticed a breach half hours apart.

We suspect the last message quoted here is his "signature" to make sure the server is still compromised.

At this point we also suspect there is a hole somewhere, but the standard method does not work.

 

[HoracioS]

Unfortunatelly Parallels not replied with this serious problem/bug.

- I founded in the PHP-FPM module has the security problem... Please REMOVE it from your server using Parallels Installer.
- In each domain PHP Panel, put an additional PHP directive like this:
disable_functions="dl,exec,fsockopen,passthru,pcntl_exec,pfsockopen,popen,posix_kill,posix_mkfifo,posix_setuid,proc_close,proc_open,proc_terminate,shell_exec,system"

I was solved 4 compromised servers with this method.


Best regards,
Horacio

We have a similar problem, but we're running Postfix.
We are also using CentOS release 6.3 (Final) 64-bit but with PPA.

We normally use this KB to catch Postfix spammers that use PHP scripts:
http://kb.parallels.com/en/114845
"Many email messages are sent from PHP scripts on the server. How can I find the domains on which these scripts are running if I am using Postfix?"

On our system the script works - for sites hosted in Plesk. For example, when we do:


In the instance above, there is a site hosted and the user has Wordpress and their comments form is being spammed.

HOWEVER, the real problem is this event caught in the /var/tmp/mail.send file:


Note the following attributes of this X-Additional-Header:

1. It doesn't include a Plesk path.
2. It says root@localhost
3. This particular message is preceded by amount a minute of spamming and thousands of messages.

The particular spammer is very devious, in that he times his attacks spaced out in time. For example, we noticed a breach half hours apart.

We suspect the last message quoted here is his "signature" to make sure the server is still compromised.

At this point we also suspect there is a hole somewhere, but the standard method does not work.

 

[eugenevdm]

I raised a ticket with Parallels who are helping with the investigation.

I have determined this so far:

1. It's not an Apache hack, in spite of Apache appearing as a username.
2. The hacker gets access to the box by manipulating the CRONs owned by user Apache. See below events from 04:14:32 onwards:

Oct 9 04:10:01 web5 CROND[10841]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Oct 9 04:14:32 web5 /usr/bin/crontab[10942]: (apache) LIST (apache)
Oct 9 04:14:33 web5 /usr/bin/crontab[10944]: (apache) REPLACE (apache)
Oct 9 04:15:01 web5 CROND[10948]: (apache) CMD (sh /tmp/sess_f652da7dd28dce7baeeae54a46ae4099)
Oct 9 04:15:01 web5 /usr/bin/crontab[10950]: (apache) REPLACE (apache)
Oct 9 04:16:01 web5 crond[1975]: (apache) RELOAD (/var/spool/cron/apache)

3. It runs a Perl script, which after attack is removed from disk but retained in memory.

root 1975 1 0 Jul15 ? 00:00:35 crond
root 10947 1975 0 04:15 ? 00:00:00 CROND
apache 10951 1 1 04:15 ? 00:11:28 /usr/bin/crond <---- Does not exist on disk
apache 10977 10947 0 04:15 ? 00:00:00 /usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t -f root <---- Does not exist on disk
apache 29324 10951 0 19:56 ? 00:00:00 curl -s -k --max-time 60 https://xxx.xxx.xxx.xxx:443//b/inde...0&stat=f65d28502eaef95758c5a561bf8e2904e0ef61

4. The command server (probably a list of e-mails to be SPAMmed next) is downloaded from https://xxx.xxx.xxx.xxx:443 using CURL.

5. The Perl script is very aggressive (about every minute, but rests for hours), and sends confirmation of SPAM after every attempt:

X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------
best regards
X-Additional-Header: /var/www
From: root@localhost
To: [email protected]
Subject: Test mail 998319682
Bla-bla-bla
----------------

6. In summary

* Apache user is compromised
* CRONs are manipulated and Perl Scripts added to memory
* Traces deleted from disk

I also leave a `lsof` of once the Perl script runs. This might be pretty useless because at this point the server is already compromised.

[root@web5 tmp]# lsof | grep 10951
perl 10951 apache cwd DIR 253,0 4096 1451538 /var/www
perl 10951 apache rtd DIR 253,0 4096 2 /
perl 10951 apache txt REG 253,0 13200 542299 /usr/bin/perl
perl 10951 apache mem REG 253,0 156872 1966200 /lib64/ld-2.12.so
perl 10951 apache mem REG 253,0 1922152 1966202 /lib64/libc-2.12.so
perl 10951 apache mem REG 253,0 145720 1966204 /lib64/libpthread-2.12.so
perl 10951 apache mem REG 253,0 22536 1966309 /lib64/libdl-2.12.so
perl 10951 apache mem REG 253,0 598680 1966217 /lib64/libm-2.12.so
perl 10951 apache mem REG 253,0 17520 1966488 /lib64/libutil-2.12.so
perl 10951 apache mem REG 253,0 113952 1966475 /lib64/libresolv-2.12.so
perl 10951 apache mem REG 253,0 386040 1966400 /lib64/libfreebl3.so
perl 10951 apache mem REG 253,0 43392 1966405 /lib64/libcrypt-2.12.so
perl 10951 apache mem REG 253,0 1488544 787041 /usr/lib64/perl5/CORE/libperl.so
perl 10951 apache mem REG 253,0 116368 1966313 /lib64/libnsl-2.12.so
perl 10951 apache mem REG 253,0 27424 1966106 /lib64/libnss_dns-2.12.so
perl 10951 apache mem REG 253,0 65928 1966117 /lib64/libnss_files-2.12.so
perl 10951 apache mem REG 253,0 25640 789103 /usr/lib64/perl5/auto/Socket/Socket.so
perl 10951 apache 0r CHR 1,3 0t0 3661 /dev/null
perl 10951 apache 1w FIFO 0,8 0t0 40384749 pipe
perl 10951 apache 2w FIFO 0,8 0t0 40384749 pipe
perl 10951 apache 3r REG 253,0 12613 3020105 /tmp/sess_f652da7dd28dce7baeeae54a46ae4092 (deleted)
perl 10951 apache 4wW REG 253,0 0 3020108 /tmp/...

All I can do now is remove the process from memory and hope I get more information from Parallels. It's a very vanilla PPA server so I don't want to do much more.

 

[HoracioS]

Just a question: Did you installed php-fpm support for nginx from Atomic repo?

Since I was installed it, any server installed was affected with exactly the same attack.

I raised a ticket with Parallels who are helping with the investigation.

I have determined this so far:

1. It's not an Apache hack, in spite of Apache appearing as a username.
2. The hacker gets access to the box by manipulating the CRONs owned by user Apache. See below events from 04:14:32 onwards:



3. It runs a Perl script, which after attack is removed from disk but retained in memory.

 

[eugenevdm]

Did you installed php-fpm support for nginx from Atomic repo?

No it's a perfectly vanilla installation. In fact, we didn't even install Plesk, it was pushed from the PPA management node. We have done zero customization. The server is about three months old and this is the first problems we've had with it.

 

[davide@]

Here same problem with apache + qmail.
Very difficult to investigate because qmail queue get full and the rest for hours. :-(

 

[davide@]

Bump. Anyone have some news?

 

[JuanCar]

Hole secutiry in Plesk !!

I have the same problem, I have seen all the facts you tell about: /var/www, sign mails previous the massive.....

At this time I have sendmail intercepted woth the wrapper, modified so all the mail is sent to my mailbox, so I avoid outgoing spam, enter in a blackllist and so, and I keep system mails.

Yes, it's a great work. I suspected from a sh with crond parent when I examined the ps... Well now we need work to find a good fix.

Thanks

PD: I edit the message, would be a good idea to change permissions on /tmp/ folder to 666? tmp with 777 is not a good idea, isn't it? Ah, I've found a file with name ... (yes, three points) owned by apache in tmp folder....

 

[JuanCar]

Perhaps this could be useful, or no.
I killed /usr/bin/crond (2 process: one with a sh child and another with a perl as child), and maintain sendmail intercepted with a wrapper.

And now I recevied this mail from my server, and look the date: when I created my first wrapped, it had an error and this mail notifies me about thies error. But the interesting thing is the subject, a Cron in /tmp/ folder
tis file doesn't exist and now I'm looking for the cron process.
And I think the script was not able to stole passwords and sensible data, apache has no privileges. is it OK?

Return-Path: <[email protected]>
Received: (qmail 31938 invoked by uid 48); 17 Oct 2013 22:31:00 +0200
Date: 16 Oct 2013 19:56:21 +0200
Message-ID: <[email protected]>
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <apache@server> sh /tmp/sess_f652da7dd28dce7baeeae54a46ae4099
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/www>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=apache>
X-Cron-Env: <USER=apache>

Rest of the message is about errors due to the wrapper

 

[jukar]

I've suffered again the attack of this bot.
Just like the last time. My server has sent about 11000 mails for last ten hours!!!!!!!
I've deactivated sendmail but I need a real solution, anybody know any fic to this problem?

Thanks

 

[jukar]

I know that the problema entry in the server via /tmp/. A script enters in that folder and creates a crond to send mail.... But no one of domaisn has /tmp/ int their openbasedir, so how can the bot enter in tmp?

Is there any free alternative to Parallels Premium Antivirus?
thanks

 

[jukar]

Hello
My server has been infected again !!!! I've deleted crond and kill related process, but I'm sure this will happen in the future because I can't find the hole used to créate the script in /tmp/ dir... But I'm lerning a lot about security and so

I seen that you get the activity in your sever:

Oct 9 04:10:01 web5 CROND[10841]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Oct 9 04:14:32 web5 /usr/bin/crontab[10942]: (apache) LIST (apache)
Oct 9 04:14:33 web5 /usr/bin/crontab[10944]: (apache) REPLACE (apache)
Oct 9 04:15:01 web5 CROND[10948]: (apache) CMD (sh /tmp/sess_f652da7dd28dce7baeeae54a46ae4099)
Oct 9 04:15:01 web5 /usr/bin/crontab[10950]: (apache) REPLACE (apache)
Oct 9 04:16:01 web5 crond[1975]: (apache) RELOAD (/var/spool/cron/apache)

I cant find a log file with that kind of info, which log can give me these data? I've seen messages, dmessge, audit.... all logs files. And how can I config my system so this kind of events be wrote in logs files?

I am looking for the security hole. I supposse it's an SQL injection (none openbasedir in domain and subdomains includes /tmp/ folder)

Thanks

 

[Faris Raouf]

ossec-hids can monitor logs and notify you. However, I strongly recommend you investigate ASL (which implements ossec-hids as well as a heck of a lot of other things): http://www.atomicorp.com/products/asl.html

As long as you are on Centos/RedHat, ASL is really one of the most comprehensive security solutions you'll find for webhosting companies.

 

[jukar]

Thank you for the info, and did you find the origin of ths spammer script?

Bye

 

[Sempiterna]

Actually, i have the exact same issue with the exact same file "/tmp/sess_f652da7dd28dce7baeeae54a46ae4099". The difference here is that i have plesk 9, and do not run nginx, but i do run qmail. And i also have ASL installed, but that does not seem to stop this from happening. Incidents regarding this exact file have been logged since April 23rd.

I tried to identify and retrieve the deleted file, but it completely vanished. I also have no idea through which site or hole they enter.