
SPAM issue - initiating from Apache, how?!

Discussion in 'Plesk for Linux - 8.x and Older' started by rvogti, Jun 11, 2008.

  1. rvogti

    rvogti Guest

    0
     
    I'm seeing tons of these:
    Jun 11 17:11:21 jupiter qmail: 1213218681.508769 info msg 2982712: bytes 9087 from <anonymous@jupiter.arborhost.com> qp 28093 uid 48

    I had to empty the mail queue when it got up to 789,000 ...

    If I do a:

    apache 25649 25640 0 15:57 ? 00:00:08 /usr/sbin/httpd
    apache 25650 25640 0 15:57 ? 00:00:06 /usr/sbin/httpd
    apache 25651 25640 0 15:57 ? 00:00:01 /usr/sbin/httpd
    apache 25652 25640 0 15:57 ? 00:00:07 /usr/sbin/httpd
    apache 25653 25640 0 15:57 ? 00:00:06 /usr/sbin/httpd
    apache 25654 25640 0 15:57 ? 00:00:05 /usr/sbin/httpd
    apache 25655 25640 0 15:57 ? 00:00:05 /usr/sbin/httpd
    apache 25656 25640 0 15:57 ? 00:00:06 /usr/sbin/httpd
    apache 25662 25640 0 15:58 ? 00:00:07 /usr/sbin/httpd
    apache 25669 25640 0 15:58 ? 00:00:06 /usr/sbin/httpd
    apache 25670 25640 0 15:58 ? 00:00:05 /usr/sbin/httpd
    apache 25673 25640 0 15:58 ? 00:00:05 /usr/sbin/httpd
    apache 25674 25640 0 15:58 ? 00:00:05 /usr/sbin/httpd
    apache 25675 25640 0 15:58 ? 00:00:02 /usr/sbin/httpd
    apache 26513 25640 0 16:25 ? 00:00:03 /usr/sbin/httpd
    apache 26516 25640 0 16:25 ? 00:00:03 /usr/sbin/httpd
    apache 26517 25640 0 16:25 ? 00:00:04 /usr/sbin/httpd
    apache 26609 25640 0 16:28 ? 00:00:05 /usr/sbin/httpd
    apache 28273 25651 0 17:10 ? 00:00:00 bin/qmail-inject -H --

    And if I kill qmail-inject, it doesn't really do anything. I'm guessing that some script on the webserver is responsible for this, but when I look at the log files for apache, there is nothing going on at that time... Ideas?

    -Robert
     
  2. Spazholio@

    Spazholio@ Guest

    0
     
    Check your /tmp dir for something....fishy. That's where I used to find 99% of the exploits on my servers.
     
  3. atomicturtle

    atomicturtle Golden Pleskian

    29
     
  4. Spazholio@

    Spazholio@ Guest

    0
     
    Dude, poplocking went out in the 80's. =)
     
  5. rvogti

    rvogti Guest

    0
     
    Yeah, I actually used that as one of my references in debugging. I was assuming that the access_log file would have any traffic that might be related to a web script, but I guess Plesk has different log files for each domain... I ended up putting a script in between their script and sendmail, and that logged all the traffic. Turned out some spammer had put a fairly elaborate php-based spamming script as the index.php for a domain... Yay for jerks... So now that's fixed. Thanks!

    This is the script I found (forget where):
    #!/usr/bin/perl
    # Logging wrapper that sits in place of the MTA: it records who invoked
    # sendmail, then passes stdin and every argument through to the real MTA.
    use strict;
    use warnings;

    my $logfile  = '/var/log/spam_log';
    my $mailprog = '/etc/alternatives/mta.hidden';   # the renamed real MTA

    my $date = `date`;                               # same timestamp format as the log below
    chomp $date;
    my @info = getpwuid($>);                         # passwd entry of the effective user

    open(my $info, '>>', $logfile) or die "Failed to open $logfile: $!";
    if ($ENV{REMOTE_ADDR}) {
        # Called with a CGI environment: we know the client and the script
        print $info "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME}\n";
    } else {
        # Called from PHP, cron or a shell: log the working directory instead
        my $pwd    = $ENV{PWD}         || '';
        my $script = $ENV{SCRIPT_NAME} || '';
        print $info "$date - $pwd - $script @info\n";
    }
    close($info);

    # List-form open: arguments reach the MTA directly, never through a shell
    open(my $mail, '|-', $mailprog, @ARGV) or die "cannot open $mailprog: $!\n";
    print $mail $_ while <STDIN>;
    close($mail);
    exit($? >> 8);                                   # hand the MTA's exit status back to the caller


    So, in /etc/alternatives/ I renamed mta to mta.hidden and then put the above script as mta and chmod a+x mta.

    Then I get a nice log file:

    Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
    Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
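As an added example (not from the thread or from Plesk), a small Python script that parses the wrapper's spam_log lines and flags a vhost that fires off a burst of mail calls, which is what the log above shows for a single docroot; the two line shapes and the /vhosts/<domain>/ path layout are assumed from the wrapper script, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format the wrapper appends to /var/log/spam_log (assumed shapes:
# "<date> - <ip> ran <script> at <host>" with CGI vars, else "<date> - <cwd> - <script> <pw info>").
SAMPLE_LOG = """\
Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/vhost-a.example/httpdocs -
Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/vhost-a.example/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/vhost-a.example/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/vhost-a.example/httpdocs -
Wed Jun 11 21:26:55 EDT 2008 - /home/httpd/vhosts/vhost-a.example/httpdocs -
Wed Jun 11 21:30:02 EDT 2008 - 203.0.113.9 ran /contact.php at vhost-b.example
"""
LINE_RE = re.compile(r"^\w{3} (?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \w+ (?P<year>\d{4}) - (?P<rest>.*)$")
CGI_RE = re.compile(r"^(?P<ip>\S+) ran (?P<script>\S*) at (?P<host>\S+)$")
VHOST_RE = re.compile(r"/vhosts/(?P<domain>[^/]+)/")


def parse_line(line):
    """Return (timestamp, sender) for one log line, or None; sender is the vhost domain or CGI host."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%b %d %H:%M:%S %Y")
    cgi = CGI_RE.match(m["rest"].strip())
    if cgi:
        return ts, cgi["host"]
    cwd = m["rest"].split(" - ", 1)[0]          # the "<cwd> - <script>" shape
    vh = VHOST_RE.search(cwd)
    return ts, (vh["domain"] if vh else cwd.strip())


def find_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Map sender -> peak mail invocations in any sliding window; only senders reaching threshold."""
    stamps_by_sender = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            stamps_by_sender[parsed[1]].append(parsed[0])
    bursts = {}
    for sender, stamps in stamps_by_sender.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:    # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[sender] = peak
    return bursts
```

A legitimate contact form stays far below the threshold, while a spam script dropped into a docroot shows up as one vhost with a high peak, which is the same docroot the wrapper log above pointed at.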