
Spam send from server

poker (Guest)
Hi Guys,

Our server is used to send spam !
But I can't find what to do about it.

Of course I've read the KB
http://kb.swsoft.com/article_22_766_en.html article, but this doesn't help.
At the end it says "if there is a line like Received: (qmail 19622 invoked from network); 13 Sep 2005 17:52:36 +0700" it means that "the message was accepted for delivery via SMTP and the sender is an authorized mail user".

There is no uid, but it comes from the network.
How can I check where it comes from, and what to do about it?
(queue is filling up quite fast)

T.i.a. Paul
 
You say you read the article, but did you actually perform each step they say to do? Such as use 'reject' instead of 'bounce', and use the utility qmail-qread?

If so, then when you ran their script to show what PHP processes were running, what were the results?
Even if you don't *think* it's related, run the script anyways.

You can download and use qmHandle to view some of the queued messages to possibly find some info. http://sourceforge.net/projects/qmhandle

Check the contents of your /tmp directory, look for hidden files/directories (use 'ls -al /tmp') or any files/directories which seem abnormal.

Install, update, and run RKHunter (better) and CHKRootkit (not as thorough). These may show if your server has been compromised. (www.rootkit.nl or www.rkhunter.org , and www.chkrootkit.org)

Install mod_security and its rulesets. (www.gotroot.com) This one is a definite MUST for all servers. Alternatively, there is also Atomic Secured Linux which includes mod_security; it is a much better solution to server security, but is not free. It does not cost a lot and is well worth it.

Additionally, if you were to post a full header or two, it may help other forum members to assist you, instead of guessing at answers.
 
James,

Thank you very much for your complete and quick answer.
I did actually perform all steps.

It seems there was a mailbot installed in the var / tmp dir.

How it's possible to install, I don't know, but SWsoft is looking into it......

I'll update when I've got more info.
 
There are many ways they can upload things into your /tmp (exploitable php scripts, rootkits,etc)

This is one reason to do:
Install, update, and run RKHunter (better) and CHKRootkit (not as thorough). These may show if your server has been compromised. (www.rootkit.nl or www.rkhunter.org , and www.chkrootkit.org)

Install mod_security and its rulesets. (www.gotroot.com) This one is a definite MUST for all servers. Alternatively, there is also Atomic Secured Linux (ASL) which includes mod_security; it is a much better solution to server security, but is not free. It does not cost a lot and is well worth it.
Click here for ASL info

As far as I'm concerned, anyone owning/running/administrating a server should have all of these and more already in place before even creating the first hosted domain. (my 2 cents)

Then there is the firewall configuration, spamassassin and its add-ons (RDJ, etc), anti-virus (at least one if not multiple), PHP settings (register_globals=off, safe_mode=on, etc), and a hundred other things...
 
Most of those scripts are not detectable via rootkit detectors, but mod security will save you from poorly written php scripts.

The bottom line here is that *some* scripts you have installed on some domains have remote code execution vulnerabilities.

Next time this happens, you need to get the process start time of the "mail bot" and try to correlate that time to an entry in ALL of your domain's access_log files. It is really the only way you will identify what script is vulnerable. Or you can also install modsecurity and hope it has rules to catch the vulnerability.

Be warned that modsecurity will require some tuning out of the box, and I also highly recommend using the gotroot rules. Don't use the modsecurity rules, they are way too aggressive. GotRoot's are pretty decent, but do require some tuning.
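The correlation step described in the previous post (mail bot process start time against every domain's access_log) can be scripted. This is an added example, not code from the thread or from Plesk; the bot start time and the log lines are constructed, the Plesk log path in the comment is an assumption, and on a real box the start time would come from `ps -o lstart= -p <pid>` and the lines from each vhost's access_log.

```python
import re
from datetime import datetime

# Constructed sample logs, Apache combined format, keyed by domain.
# Real input: /var/www/vhosts/<domain>/statistics/logs/access_log (assumed Plesk layout).
SAMPLE_LOGS = {
    "example.org": [
        '203.0.113.7 - - [13/Sep/2005:17:50:12 +0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [13/Sep/2005:17:52:30 +0700] "POST /forum/upload.php HTTP/1.1" 200 312 "-" "curl/7.15"',
    ],
    "example.net": [
        '192.0.2.44 - - [13/Sep/2005:09:00:00 +0700] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
        '198.51.100.9 - - [13/Sep/2005:17:52:41 +0700] "GET /images/logo.gif HTTP/1.1" 200 220 "-" "curl/7.15"',
    ],
}

# Constructed: what `ps -o lstart= -p <pid>` showed for the bot, converted to log timezone.
BOT_START = datetime.strptime("13/Sep/2005:17:52:35 +0700", "%d/%b/%Y:%H:%M:%S %z")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def correlate(bot_start, logs, window_seconds=60):
    """Requests from any vhost that landed in the window just BEFORE the bot
    started (the exploiting request must precede the process), nearest first."""
    hits = []
    for domain, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            delta = (bot_start - rec["ts"]).total_seconds()
            if 0 <= delta <= window_seconds:
                rec["domain"] = domain
                rec["seconds_before"] = int(delta)
                hits.append(rec)
    return sorted(hits, key=lambda r: r["seconds_before"])

def suspects():
    return correlate(BOT_START, SAMPLE_LOGS)
```

Widen `window_seconds` if nothing turns up; a single POST to an upload or form script seconds before the process appeared is the usual finding.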
 