
tracking down a script

DarkHorizons

Guest
Hi,

On a server with a couple hundred domains on it, how can I find a script that is using apache to send spam email? The messages only have UID 48 (apache) on them and they are obviously outgoing spam, which of course causes lots of problems when dealing with AOL, etc.

I haven't found any unusual processes running that seem to be causing this but I know that something is out there somewhere.

I have tried going through a lot of the other threads and couldn't find anything based on their suggestions.

This is on a Plesk 7.5.4 server. /tmp has been secured for some time so scripts cannot operate out of that location. There has to be a script parked on some domain somewhere that starts up every once in a while which is causing this.

Any help is much appreciated.

Thanks
 
Heh, don't be fooled by "securing /tmp". It isn't secure. There are some pretty trivial ways around it.

In any case, did you run "ps -fuapache" and look for any processes with a ppid of 1? Most of them should have the same ppid.

It is possible they have rooted your box and are using the root user. So if you don't find anything unusual then you might want to look at the root processes and possibly try running a rootkit checker.
 
I have run a couple of different rootkit checkers and the server is fine as far as that goes. In my experience, if someone gains root access to your server then you are completely screwed to the point where it is a lot worse than a script sending out some spam.

Checking the apache processes shows only the httpd processes, all of the same PID.

I am pretty sure it is a script. Usually when it happens, the server load will go up and in the past, instead of hunting around to see what happened I would restart the server and everything would be fine. However, once I started to get spam bounces coming back from the AOL feedback loop I figured that there was a script running that shouldn't be. The server restart kills the script and then whoever activated it would find out several days later that it wasn't running and fire it again. At this point I pretty much will need to wait for it to go again and then try to nail it while it is running.
 
Not all folks who root your box will a) screw it up, or b) leave trails behind that a rootkit checker will find.

It is possible that someone is using a script that is not validating input and is able to inject spam. I would use your friend 'grep' to hunt them down. The quickest and dirtiest way to do this is to...

1. identify the approximate time that your server processed the spam message from the headers.
2. grep the Apache access logs for your domains for that specific date/time stamp:
grep '05\/Dec\/2006:06:57:28' /home/httpd/vhosts/*/statistics/logs/access_log

That would be Dec 5th 2006, 6:57:28 AM. Naturally the access_log entry should be a few seconds before the timestamp in your outbound spam message. So you may want to tweak the timestamp. If you have too many virtual domains then you may need to script it or use xargs to break it into multiples.
 
Good idea, thanks. I'll let you know if I find anything. It would probably be easier to wildcard the "seconds" on the timestamp than doing the search multiple times looking for the exact entry.
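The procedure from the grep reply (take the time from the message headers, then grep every vhost access_log for that stamp), with the seconds wildcarded as the last reply suggests and the "ppid of 1" process check from the earlier reply, written out as an added example; this is not code from the thread or from Plesk. It assumes the Plesk log layout quoted in the post, /home/httpd/vhosts/<domain>/statistics/logs/access_log, and builds a constructed copy of that tree in a temp directory so it runs offline. The domains, IP addresses, the mail.php path and every log line are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes the Plesk 7.x log
# layout the reply quotes, /home/httpd/vhosts/<domain>/statistics/logs/access_log,
# and builds a constructed copy of that tree under a temp directory so the
# functions can be exercised offline.

# Build a constructed vhost tree with two domains. The log lines are invented:
# one normal GET on good.example, two POSTs to a PHP script on bad.example in
# the minute the spam was handed to the MTA, one unrelated GET later.
make_sample_logs() {
    mkdir -p "$1/good.example/statistics/logs" "$1/bad.example/statistics/logs"
    cat > "$1/good.example/statistics/logs/access_log" <<'EOF'
10.0.0.5 - - [05/Dec/2006:06:50:11 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    cat > "$1/bad.example/statistics/logs/access_log" <<'EOF'
192.0.2.77 - - [05/Dec/2006:06:57:25 -0500] "POST /images/mail.php HTTP/1.1" 200 13 "-" "Mozilla/4.0"
192.0.2.77 - - [05/Dec/2006:06:57:26 -0500] "POST /images/mail.php HTTP/1.1" 200 13 "-" "Mozilla/4.0"
10.0.0.9 - - [05/Dec/2006:07:02:40 -0500] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Turn the date from the Received: header your own MTA added (e.g.
# "Tue, 5 Dec 2006 06:57:28 -0500") into the Apache log prefix dd/Mon/yyyy:HH:MM.
# Use the local Received: line rather than the spammer's Date: header, which is
# in whatever timezone the script chose. Seconds are dropped on purpose: the
# HTTP request lands a few seconds before the MTA stamps the message, so the
# whole minute is the useful window (the "wildcard the seconds" idea).
mail_date_to_log_stamp() {
    printf '%s\n' "$1" | awk '{
        i = ($1 ~ /^[0-9]+$/) ? 1 : 2          # weekday prefix is optional
        printf "%02d/%s/%s:%s\n", $i, $(i+1), $(i+2), substr($(i+3), 1, 5)
    }'
}

# Grep every vhost access_log for requests in that minute. find+xargs instead of
# a shell glob so a few hundred domains do not hit "argument list too long";
# -H keeps the file name (and thus the domain) on each hit.
grep_vhost_logs() {
    find "$1" -path '*/statistics/logs/access_log' -print0 2>/dev/null |
        xargs -0 grep -H -F "[$2:"
}

# Rank what was hit in that minute as "<count> <domain> <method> <path>",
# busiest first. A PHP script POSTed to repeatedly from one IP right before
# each spam burst is the usual culprit.
rank_targets() {
    grep_vhost_logs "$1" "$2" | awk -F'"' '{
        sub(/:.*/, "", $1)                      # strip the log line, keep the path
        n = split($1, p, "/")                   # .../<domain>/statistics/logs/access_log
        split($2, r, " ")                       # "METHOD /path HTTP/1.x"
        print p[n-3], r[1], r[2]
    }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# The process-side check from the earlier reply: an httpd worker should have
# the parent httpd as its PPID, so an apache-owned process re-parented to init
# (PPID 1) is suspect. Reads "PID PPID ARGS" lines on stdin so it can be fed
#   ps -u apache -o pid=,ppid=,args= | flag_reparented
# on the live box, or a constructed sample in a test.
flag_reparented() {
    awk '$2 == 1 { print }'
}

# On the real server (paths from the thread, timestamp from your Received: line):
#   rank_targets /home/httpd/vhosts "$(mail_date_to_log_stamp 'Tue, 5 Dec 2006 06:57:28 -0500')"
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_sample_logs "$tmp"
    rank_targets "$tmp" "$(mail_date_to_log_stamp 'Tue, 5 Dec 2006 06:57:28 -0500')"
    rm -rf "$tmp"
fi
```

Run it as `sh find_spammer.sh demo` to see the ranking on the constructed logs (the two POSTs to bad.example's mail.php come out on top); on the real box, point rank_targets at /home/httpd/vhosts with the stamp taken from the Received: header your own server wrote. Whatever script turns up, grep its source for mail() or sendmail calls and check whether it takes recipient or header fields from the request without validation, since that is what the reply means by "a script that is not validating input".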
 