SPAM issue - initiating from Apache, how?!

rvogti

Guest
I'm seeing tons of these:
Jun 11 17:11:21 jupiter qmail: 1213218681.508769 info msg 2982712: bytes 9087 from <[email protected]> qp 28093 uid 48

I had to empty the mail queue when it got up to 789,000 ...

If I do a:

apache 25649 25640 0 15:57 ? 00:00:08 /usr/sbin/httpd
apache 25650 25640 0 15:57 ? 00:00:06 /usr/sbin/httpd
apache 25651 25640 0 15:57 ? 00:00:01 /usr/sbin/httpd
apache 25652 25640 0 15:57 ? 00:00:07 /usr/sbin/httpd
apache 25653 25640 0 15:57 ? 00:00:06 /usr/sbin/httpd
apache 25654 25640 0 15:57 ? 00:00:05 /usr/sbin/httpd
apache 25655 25640 0 15:57 ? 00:00:05 /usr/sbin/httpd
apache 25656 25640 0 15:57 ? 00:00:06 /usr/sbin/httpd
apache 25662 25640 0 15:58 ? 00:00:07 /usr/sbin/httpd
apache 25669 25640 0 15:58 ? 00:00:06 /usr/sbin/httpd
apache 25670 25640 0 15:58 ? 00:00:05 /usr/sbin/httpd
apache 25673 25640 0 15:58 ? 00:00:05 /usr/sbin/httpd
apache 25674 25640 0 15:58 ? 00:00:05 /usr/sbin/httpd
apache 25675 25640 0 15:58 ? 00:00:02 /usr/sbin/httpd
apache 26513 25640 0 16:25 ? 00:00:03 /usr/sbin/httpd
apache 26516 25640 0 16:25 ? 00:00:03 /usr/sbin/httpd
apache 26517 25640 0 16:25 ? 00:00:04 /usr/sbin/httpd
apache 26609 25640 0 16:28 ? 00:00:05 /usr/sbin/httpd
apache 28273 25651 0 17:10 ? 00:00:00 bin/qmail-inject -H --

And if I kill qmail-inject, it doesn't really do anything. I'm guessing that some script on the webserver is responsible for this, but when I look at the log files for apache, there is nothing going on at that time... Ideas?

-Robert
 
Check your /tmp dir for something....fishy. That's where I used to find 99% of the exploits on my servers.
 
Yeah, I actually used that as one of my references in debugging. I was assuming that the access_log file would have any traffic that might be related to a web script, but I guess Plesk has different log files for each domain... I ended up putting a script in between their script and sendmail, and that logged all the traffic. Turned out some spammer had put a fairly elaborate php-based spamming script as the index.php for a domain... Yay for jerks... So now that's fixed. Thanks!

This is the script I found (I forget where):
#!/usr/bin/perl
# Logging wrapper installed in place of the MTA: records who called it,
# then hands the message on to the real MTA unchanged.
use strict;
use warnings;
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
open(my $info, '>>', '/var/log/spam_log') || die "Failed to open file ::$!";
my $uid  = $>;
my @info = getpwuid($uid);
if ($REMOTE_ADDR) {
    # Called during a web request: log the client, the script and the vhost.
    print $info "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
} else {
    # No request context (cron, shell): log the working directory and the user.
    my $script = defined $SCRIPT_NAME ? $SCRIPT_NAME : '';
    print $info "$date - $PWD - $script @info\n";
}
close($info);

my $mailprog = '/etc/alternatives/mta.hidden';
# List-form open: the arguments go straight to the MTA, not through a shell.
open(my $mail, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print $mail $_;
}
close($mail);


So, in /etc/alternatives/ I renamed mta to mta.hidden, put the above script in as mta, and ran chmod a+x mta.

Then I get a nice log file:

Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/wickshieldltd.com/httpdocs -
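As an added example (not code from the thread), a small Python script that parses the spam_log lines the wrapper above writes, in both shapes it produces, and flags the origin that submits mail in bursts, which is what points at the compromised vhost. The sample log lines, the vhost names and the per-minute threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of the wrapper's /var/log/spam_log. Lines are either "<date> -
# <REMOTE_ADDR> ran <SCRIPT_NAME> at <SERVER_NAME>" or "<date> - <cwd> - <script> <pwent>".
SAMPLE_LOG = """\
Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/example-a.test/httpdocs -
Wed Jun 11 21:26:53 EDT 2008 - /home/httpd/vhosts/example-a.test/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/example-a.test/httpdocs -
Wed Jun 11 21:26:54 EDT 2008 - /home/httpd/vhosts/example-a.test/httpdocs -
Wed Jun 11 21:27:10 EDT 2008 - 203.0.113.7 ran /contact.php at example-b.test
Wed Jun 11 21:30:02 EDT 2008 - /var/spool/cron -
"""

# `date` output: weekday, month, space-padded day, time, zone, year.
DATE = (r"\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) "
        r"(?P<time>\d\d:\d\d:\d\d) \w+ (?P<year>\d{4})")
WEB_RE = re.compile(DATE + r" - (?P<addr>\S+) ran (?P<script>\S*) at (?P<host>\S+)$")
CWD_RE = re.compile(DATE + r" - (?P<cwd>\S+) - ?(?P<script>\S*)")

def parse_line(line):
    """Return (timestamp, origin) for a wrapper log line, or None if it is not one."""
    m = WEB_RE.match(line)
    if m:
        origin = f"{m['host']}{m['script']} via {m['addr']}"
    else:
        m = CWD_RE.match(line)
        if not m:
            return None
        origin = m["cwd"] + (f" {m['script']}" if m["script"] else "")
    # The zone name is skipped on purpose: strptime's %Z only knows the local zone.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}",
                           "%b %d %Y %H:%M:%S")
    return ts, origin

def summarize(log_text, per_minute_threshold=3):
    """Count submissions per origin and its busiest minute; flag bursty origins."""
    totals, per_minute = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, origin = parsed
        totals[origin] += 1
        per_minute[origin][ts.replace(second=0)] += 1
    peak = {o: max(c.values()) for o, c in per_minute.items()}
    return [{"origin": o, "total": n, "peak_per_minute": peak[o],
             "suspicious": peak[o] >= per_minute_threshold} for o, n in totals.most_common()]
```

Run it against the real log with `summarize(open("/var/log/spam_log").read())`; the origins flagged suspicious are the document roots to inspect first.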
 