
spam spam spam


Guftak69

Guest
Hi, how do I stop this: qmail-remote msa.hinet.net [email protected] [email protected]
My server seems to be being used for spamming. This is my mail configuration under Plesk:
Relaying
----authorization is required
----- Pop 3 Lock time 20 Min
Check the password for mailboxes in the dictionary
Enable SPF spam protection
Reject mails when SPF resolves to "softfail"
include:spf.trusted-forwarder.org
a/24 mx/24 ptr
No user account
Enabled MAPS spam protection
sbl-xbl.spamhaus.org
Only use of full POP3/IMAP mail accounts names is allowed checked
I have a number of rules in my Virtuozzo firewall, and other rules in my blacklist, but the spam is still alive. My Apache processes:
UID PID PPID C STIME TTY TIME CMD
apache 11749 11641 0 13:26 ? 00:00:03 /usr/sbin/httpd
apache 7258 11641 0 13:37 ? 00:00:04 /usr/sbin/httpd
apache 9772 11641 0 13:39 ? 00:00:02 /usr/sbin/httpd
Please help me

:(
 
This appears when I run ps fuxwa.
Any help, please.
RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 1672 620 ? Ss 13:26 0:00 init
root 10222 0.0 0.0 1544 620 ? Ss 13:26 0:00 syslogd -m 0
named 11275 0.0 0.0 30528 3288 ? Ssl 13:26 0:00 /usr/sbin/named -u named -n1 -c /etc/named.conf -u named -t /var/named/run-root
root 11291 0.0 0.0 4320 1744 ? Ss 13:26 0:00 /usr/sbin/sshd
root 5492 0.0 0.0 8680 2668 ? Ss 14:26 0:00 \_ sshd: root@ttyp0
root 5512 0.0 0.0 2372 1372 ttyp0 Ss+ 14:26 0:00 | \_ -bash
root 12212 0.0 0.0 8680 2668 ? Ss 15:26 0:00 \_ sshd: root@ttyp1
root 12241 0.0 0.0 2368 1340 ttyp1 Ss 15:26 0:00 \_ -bash
root 22491 0.0 0.0 2376 1336 ttyp1 S 15:32 0:00 \_ /bin/bash
root 25934 0.0 0.0 2328 796 ttyp1 R+ 15:34 0:00 \_ ps fuxwa
root 11300 0.0 0.0 2104 956 ? Ss 13:26 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 5991 0.0 0.0 3724 988 ? SNs 15:22 0:00 \_ bin/qmail-smtpd
root 11378 0.0 0.0 2228 1128 ? S 13:26 0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
mysql 11426 0.0 0.2 111800 21872 ? Sl 13:26 0:00 \_ /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --socket=/var/lib/mysql/mysql.sock
qmails 11519 0.0 0.0 1524 492 ? S 13:26 0:01 qmail-send
qmaill 11521 0.0 0.0 1472 452 ? S 13:26 0:00 \_ splogger qmail
root 11524 0.0 0.0 1504 384 ? S 13:26 0:00 \_ qmail-lspawn ./Maildir/
qmailr 11525 0.0 0.0 1632 528 ? S 13:26 0:00 \_ qmail-rspawn
qmailr 22394 0.0 0.0 3708 1044 ? S 14:54 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 22149 0.0 0.0 3700 1036 ? S 15:12 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 23585 0.0 0.0 3704 1036 ? S 15:13 0:00 | \_ qmail-remote msa.hinet.net [email protected]
qmailr 3352 0.0 0.0 3704 1036 ? S 15:20 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 5667 0.0 0.0 3704 1036 ? S 15:22 0:00 | \_ qmail-remote msa.hinet.net [email protected]
qmailr 6036 0.0 0.0 3704 1040 ? S 15:22 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 7555 0.0 0.0 3700 1032 ? S 15:23 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 9836 0.0 0.0 3704 1040 ? S 15:24 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 10152 0.0 0.0 3704 1036 ? S 15:25 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 11898 0.0 0.0 3708 1040 ? S 15:26 0:00 | \_ qmail-remote allergist.com [email protected] [email protected]
qmailr 12016 0.0 0.0 3704 1036 ? S 15:26 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 13430 0.0 0.0 3708 1040 ? S 15:26 0:00 | \_ qmail-remote msa.hinet.net [email protected]
qmailr 14168 0.0 0.0 3704 1040 ? S 15:27 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 14219 0.0 0.0 3700 1032 ? S 15:27 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 15514 0.0 0.0 3704 1036 ? S 15:27 0:00 | \_ qmail-remote sinamail.com [email protected] [email protected]
qmailr 15871 0.0 0.0 3708 1036 ? S 15:28 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 17880 0.0 0.0 3704 1036 ? S 15:29 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 18073 0.0 0.0 3704 1036 ? S 15:29 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 20192 0.0 0.0 3704 1036 ? S 15:30 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailr 24343 0.0 0.0 3704 1036 ? S 15:33 0:00 | \_ qmail-remote msa.hinet.net [email protected] [email protected]
qmailq 11526 0.0 0.0 1468 348 ? S 13:26 0:00 \_ qmail-clean
root 11641 0.0 0.1 32088 14372 ? Ss 13:26 0:00 /usr/sbin/httpd
root 11676 0.0 0.0 18072 8192 ? S 13:26 0:00 \_ /usr/sbin/httpd
apache 11749 0.0 0.2 42428 23160 ? S 13:26 0:04 \_ /usr/sbin/httpd
apache 7258 0.1 0.2 43156 24016 ? S 13:37 0:08 \_ /usr/sbin/httpd
apache 9772 0.0 0.2 42660 23396 ? S 13:39 0:03 \_ /usr/sbin/httpd
apache 5168 0.0 0.2 41684 22216 ? S 15:02 0:00 \_ /usr/sbin/httpd
apache 17549 0.0 0.1 32088 14520 ? S 15:28 0:00 \_ /usr/sbin/httpd
root 11798 0.0 0.0 48016 5528 ? Ss 13:26 0:00 /usr/local/psa/admin/bin/httpsd
psaadm 12072 0.0 0.2 54436 17096 ? S 14:30 0:00 \_ /usr/local/psa/admin/bin/httpsd
psaadm 12097 0.0 0.1 51892 8892 ? S 14:30 0:00 \_ /usr/local/psa/admin/bin/httpsd
psaadm 12117 0.0 0.0 48156 5676 ? S 14:30 0:00 \_ /usr/local/psa/admin/bin/httpsd
root 11881 0.0 0.0 2496 1076 ? Ss 13:26 0:00 crond
root 11889 0.0 0.0 4356 1252 ? Ss 13:26 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1
 
I found this article in the knowledge base: http://kb.swsoft.com/article_22_766_en.html

So I found an email; this is the output of my command grep 0 /etc/passwd:

[root@localhost 20]# grep 0 /etc/passwd
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
popa3d:x:84:501::/dev/null:/dev/null
alias:x:2021:2020:Qmail User:/var/qmail/alias:/bin/false
qmaild:x:2020:2020:Qmail User:/var/qmail/:/bin/false
qmaill:x:2022:2020:Qmail User:/var/qmail/:/bin/false
qmailp:x:2023:2020:Qmail User:/var/qmail/:/bin/false
qmailq:x:2520:2520:Qmail User:/var/qmail/:/bin/false
qmailr:x:2521:2520:Qmail User:/var/qmail/:/bin/false
qmails:x:2522:2520:Qmail User:/var/qmail/:/bin/false
popuser:x:110:31:pOP3 service user:/:/bin/false
agracoco:x:10001:10001::/var/www/vhosts/agraco.com:/bin/false
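
Added example, not part of the original posts: a triage helper that reads a `ps fuxwa` listing like the one above and tallies the in-flight `qmail-remote` deliveries by destination host and by envelope sender, which shows whether one sender address accounts for the outbound flood. The function names, sample lines and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise in-flight qmail-remote deliveries seen in `ps fuxwa`.
# qmail-remote is started as: qmail-remote host sender recip [recip ...]
# Caveat: a bounce has an empty envelope sender, which ps prints as nothing,
# so its first recipient shifts into the "sender" column; check the queue too.

# Reads ps output on stdin, prints "<kind> <count> <value>", busiest first.
qmail_remote_summary() {
    awk '
    {
        for (i = 2; i < NF; i++) {
            # Skip a "grep qmail-remote" line if the listing was pre-filtered.
            if ($i == "qmail-remote" && $(i - 1) != "grep") {
                host[$(i + 1)]++
                if (i + 2 <= NF) sender[$(i + 2)]++
                rcpts += (NF > i + 2) ? NF - i - 2 : 0
                total++
                break
            }
        }
    }
    END {
        for (h in host)   print "host", host[h], h
        for (s in sender) print "sender", sender[s], s
        print "rcpts", rcpts + 0, "recipients"
        print "total", total + 0, "deliveries"
    }' | sort -k1,1 -k2,2nr -k3,3
}

# Constructed sample in the shape of the listing above (not the poster's data).
sample_ps() {
    cat <<'EOF'
qmailr 11525 0.0 0.0 1632 528 ? S 13:26 0:00 \_ qmail-rspawn
qmailr 22394 0.0 0.0 3708 1044 ? S 14:54 0:00 | \_ qmail-remote mx1.example.net bulk@customer.example a@example.net b@example.net
qmailr 22149 0.0 0.0 3700 1036 ? S 15:12 0:00 | \_ qmail-remote mx1.example.net bulk@customer.example c@example.net
qmailr 11898 0.0 0.0 3708 1040 ? S 15:26 0:00 | \_ qmail-remote mx2.example.org bulk@customer.example d@example.org
apache 11749 0.0 0.2 42428 23160 ? S 13:26 0:04 \_ /usr/sbin/httpd
EOF
}

# On a live host: ps fuxwa | qmail_remote_summary
sample_ps | qmail_remote_summary
```

A single sender on a local domain dominating the tally points at one mailbox or site on the server; many unrelated senders point at relaying or a script that forges the envelope.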
 