
Possible Duplicate:
My server's been hacked EMERGENCY

I have a configured dovecot + postfix + mysql. A few days ago I received an abuse report from the DC saying that I am sending spam.

And really, in /var/log/mail.log I have found records of mails being sent, not by me or my website. I have blocked outgoing port 25 as a precaution. First of all I grepped all the PHP scripts for base64_decode, eval and so on. No success. Also I have turned off the mail function in PHP by adding it to the disable_functions list. But spam is still going from my server and I do not understand where it comes from, which application or which script causes that.

In the /var/log/mail* logs I only see the fact that an email was sent. I can see its content by looking into /var/spool/postfix/... . But I need to find the PID or the PHP script which sends it.

Do you have any ideas on how to do it? I see that the email comes from "root@..." so maybe it's a root-level running backdoor or something. Please help.

Radium
    Can you post an excerpt of the outgoing logs? Specifically the lines you have pointed out above? – Tim Dec 25 '11 at 01:41

2 Answers

It could certainly smell like someone is doing something rather nasty on your machine.

First, you might want to check /tmp. Very often attackers put their "programs" down there, because they have easy access to it there. Simply list the files and look for anything unusual.

Next thing, take a process list "ps auxf" which should give you a nested overview. Go through every single line, see if a process you don't know is running. If there is something unfamiliar, google the name and see if teh interwebz knows something.

You can also do "netstat -nap" to see network connections and the process they belong to.

It can be quite a job to hunt this down, but it sounds like something on your server is the sinner, if you see nothing in the maillog about a connection coming from somewhere else.

Frands Hansen
  • I thought they somehow used postfix as an open relay so I ran tcpdump on dst port 25 tcp but no success. Incoming packets were not ones that contained that spam. I do not see something suspicious in netstat -nlp and ps aux ... – Radium Dec 25 '11 at 07:54

If you are not seeing any suspect connection in netstat and you've already closed port 25, the spammer may very well be sending using the local /usr/bin/sendmail via php Mail() instead of connecting from the outside.

When every other method fails, you could also substitute /usr/bin/sendmail with a script which prints the PID of its parent process, as in the following:

#!/bin/bash
# append (not overwrite) the PID of whatever invoked "sendmail"
echo "$PPID" >> /tmp/parent_pids.log
S19N