Specific domain sends spam in an unknown way....

Andrew_Pa

Regular Pleskian
Hello to the team.

I have a very strange problem and I would like your help.

Let's say that my server name is server.com and a specific domain I use is domain.com

The server has port 25 closed and needs authentication for using SMTP.

The domain has no email accounts and the Mail service has also been disabled, so they can't use email.

Also I have added the following PHP directive:

disable_functions = mail,exec,shell_exec,passthru,system,proc_open,popen

I also checked whether PHP mail works, and it doesn't.

But this specific domain continues to saturate my qmail queue with thousands of spam messages! I checked the UID and found that this specific domain sent them (I followed this: http://kb.parallels.com/en/766 ).

The sender is always "[email protected]".

When I disable the subscription, the spam stops.

Please can you help me understand how this domain can send emails and how I can stop it?

Thank you very much!!!
 
Check the access logs for that domain, there may be a CGI or PHP script being used to exploit the mail server.

Thank you very much for your quick answer! Can you please tell me what I should expect to see inside the access log file?
 
Look for multiple POSTs to the same script or file. Then search the http(s)docs directory for scripts that look suspicious such as PHP scripts that start with eval(), gzinflate(), str_rot13(), str_replace() or base64_decode().

Also try sorting by date modified in the web directory to see what was changed recently.
If you are using SSH try the command: ls -alrth
This will sort all recently modified files at the bottom.
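The triage steps above (repeated POSTs to one script, PHP files that open with eval()/gzinflate()/base64_decode(), recently modified files), as an added shell example that is not from this thread or from Plesk. It assumes a combined-format access log and an httpdocs web root, and builds a constructed sample under a temporary directory so it runs offline.

```shell
#!/bin/bash
# Added triage helpers; paths below are hypothetical, the sample data is constructed.

# Count POST requests per requested path: many POSTs to a single PHP file are the signal.
post_hotspots() {   # $1 = access log in combined format
    awk '$6 == "\"POST" { print $7 }' "$1" | sort | uniq -c | sort -rn
}

# PHP files whose first statement is one of the obfuscation/eval functions named above.
suspicious_php() {  # $1 = web root (e.g. httpdocs)
    grep -rlE --include='*.php' \
      '^[[:space:]]*(<\?php[[:space:]]*)?@?(eval|gzinflate|str_rot13|base64_decode|str_replace)[[:space:]]*\(' "$1"
}

# Files changed in the last 24 hours, newest at the bottom (same idea as ls -alrth).
recently_modified() {  # $1 = web root
    find "$1" -type f -mtime -1 -exec ls -lrth {} +
}

# Build a constructed sample: 3 POSTs to one uploaded script, benign traffic, and one old file.
build_sample() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/httpdocs/wp-content/uploads"
    cat > "$root/access_log" <<'EOF'
203.0.113.5 - - [10/Jan/2016:10:00:01 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2016:10:00:02 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2016:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2016:10:00:04 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2016:10:00:05 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2016:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    printf '<?php echo "hello";\n' > "$root/httpdocs/index.php"
    printf '<?php eval(gzinflate(base64_decode("H4sI")));\n' > "$root/httpdocs/wp-content/uploads/x.php"
    touch -t 201601010000 "$root/httpdocs/index.php"   # make the legitimate file look old
    echo "$root"
}

# Run all three checks over the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample)
    echo "== POSTs per path =="; post_hotspots "$root/access_log"
    echo "== suspicious PHP =="; suspicious_php "$root/httpdocs"
    echo "== modified in last 24h =="; recently_modified "$root/httpdocs"
    rm -rf "$root"
fi
```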

Indeed there was a specific PHP file which had base64_decode() inside. I deleted it and changed the folder permissions.

I will watch now to see if the problem is solved!

But I have a technical question. How is it possible to use PHP for sending emails??? I have disabled the functions...


Thank you very much for your quick answer and thank you so much for helping me solve my problem!!!!
 
There are ways to bypass disabling the use of certain functions depending on the PHP version used. Most often these scripts that get dropped in have a whole set of exploits for PHP/Apache and even the OS itself.

You are Perfect! Thank you again for one more time!!!!