0

Update:

It does seem as if the server is not compromised, but is being used as a relay server. Now I'm trying to figure out how to disable this.

I have a server running Ubuntu 12.04 LTS with several domains running on Apache with virtual hosts. My e-mail is set up via Google Apps.

I've got some complaints regarding the server sending out SPAM.

This is an e-mail I received confirming it:

[ SpamCop V4.8.0.059 ]
This message is brief for your comfort. Please use links below for details.

Email from XXX.XXX.XXX.XXX / Tue, 10 Sep 2013 19:22:59 -0700
http://www.spamcop.net/w3m?i=z6002772272zbb4b8610e997f80936afe5c5a7dd4341z 

[ Offending message ]
Delivered-To: x
Received: by 10.182.37.42 with SMTP id v10csp64759obj;
Tue, 10 Sep 2013 19:23:00 -0700 (PDT)
X-Received: by 10.182.230.135 with SMTP id sy7mr18722181obc.24.1378866179839;
Tue, 10 Sep 2013 19:22:59 -0700 (PDT)
Return-Path: <x>
Received: from MY-DOMAIN.com ([XXX.XXX.XXX.XXX])
by mx.google.com with ESMTPS id t6si11838598oei.122.1969.12.31.16.00.00
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 10 Sep 2013 19:22:59 -0700 (PDT)
Received-SPF: neutral (google.com: XXX.XXX.XXX.XXX is neither permitted nor denied by best guess record for domain of www-data@MY-DOMAIN.com) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com;
spf=neutral (google.com: XXX.XXX.XXX.XXX is neither permitted nor denied by best guess record for domain of www-data@MY-DOMAIN.com) smtp.mail=www-data@MY-DOMAIN.com 
Received: from MY-DOMAIN.com (localhost [127.0.0.1])
by MY-DOMAIN.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id r8B2Q5Fw006220
for <x>; Wed, 11 Sep 2013 04:26:05 +0200
Received: (from www-data@localhost)
by MY-DOMAIN.com (8.14.3/8.14.3/Submit) id r8B2Q5SA006219;
Wed, 11 Sep 2013 04:26:05 +0200
Date: Wed, 11 Sep 2013 04:26:05 +0200
Message-Id: <2013___________________6219@MY-DOMAIN.com>
To: x
Subject: =?UTF-8?B?SGVsbG8hIENhbiBJIGFzayB5b3UgdG8gcmVhZCB0aGUgbGV0dGVyPw==?=
X-PHP-Originating-Script: 33:collector.php
MIME-Version: 1.0
From: Francine Gillham <francine.gillham@techie.com>
Reply-To: Francine Gillham <x>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8;


Hello! 
My friend showed me your account and I became aroused in anticipation of seeing u and knowing each other a little bit closer. 
I know for sure you couldn't be against of knowing me better after checking up my personal page too. 
What I can tell about myself? I'm a petite brunette beauty with cute face and fresh figure. 
My name is Francine and I am 23 years. Stare at me! 
I'll be waiting for you. 
I'll be glad to meet you life!

x

I have no idea where to begin or how to solve the problem... Is my server hijacked, is it some malware, or... Can anyone point me in the right direction? My server should be able to send out mails via the PHP mail() function, but everything else regarding mail is done via Google Apps.

I've tried to run rkhunter and got these issues:

[20:43:43]   /usr/sbin/adduser                               [ Warning ]
[20:43:43] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable

[20:43:46]   /usr/bin/ldd                                    [ Warning ]
[20:43:46] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[20:43:55]   /bin/which                                      [ Warning ]
[20:43:55] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

[20:46:10]   Checking if SSH root access is allowed          [ Warning ]
[20:46:10] Warning: The SSH and rkhunter configuration options should be the same:
[20:46:10]          SSH configuration option 'PermitRootLogin': yes
[20:46:10]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

[20:46:12]   Checking /dev for suspicious file types         [ Warning ]
[20:46:12] Warning: Suspicious file types found in /dev:
[20:46:12]          /dev/.udev/queue.bin: data
[20:46:12]          /dev/.udev/db/block:xvda1: ASCII text
[20:46:12]          /dev/.udev/db/block:xvda: ASCII text
[20:46:12]          /dev/.udev/db/block:xvdc1: ASCII text
[20:46:12]          /dev/.udev/db/block:xvdc: ASCII text
[20:46:12]          /dev/.udev/db/input:event0: ASCII text
[20:46:12]          /dev/.udev/db/input:mouse0: ASCII text
[20:46:12]          /dev/.udev/db/block:ram7: ASCII text
[20:46:13]          /dev/.udev/db/block:ram14: ASCII text
[20:46:13]          /dev/.udev/db/block:ram15: ASCII text
[20:46:13]          /dev/.udev/db/block:ram10: ASCII text
[20:46:13]          /dev/.udev/db/block:ram5: ASCII text
[20:46:13]          /dev/.udev/db/block:ram13: ASCII text
[20:46:13]          /dev/.udev/db/block:ram6: ASCII text
[20:46:13]          /dev/.udev/db/block:ram1: ASCII text
[20:46:13]          /dev/.udev/db/block:ram4: ASCII text
[20:46:13]          /dev/.udev/db/block:ram3: ASCII text
[20:46:13]          /dev/.udev/db/block:ram2: ASCII text
[20:46:13]          /dev/.udev/db/block:ram8: ASCII text
[20:46:13]          /dev/.udev/db/block:ram12: ASCII text
[20:46:13]          /dev/.udev/db/block:ram9: ASCII text
[20:46:13]          /dev/.udev/db/block:ram0: ASCII text
[20:46:13]          /dev/.udev/db/block:loop7: ASCII text
[20:46:13]          /dev/.udev/db/block:loop4: ASCII text
[20:46:13]          /dev/.udev/db/block:loop6: ASCII text
[20:46:13]          /dev/.udev/db/block:loop2: ASCII text
[20:46:13]          /dev/.udev/db/block:loop5: ASCII text
[20:46:13]          /dev/.udev/db/block:loop3: ASCII text
[20:46:13]          /dev/.udev/db/block:ram11: ASCII text
[20:46:13]          /dev/.udev/db/block:loop1: ASCII text
[20:46:13]          /dev/.udev/db/block:loop0: ASCII text
[20:46:13]          /dev/.udev/rules.d/root.rules: ASCII text

[20:46:14]   Checking for hidden files and directories       [ Warning ]
[20:46:14] Warning: Hidden directory found: '/dev/.udev'
[20:46:14] Warning: Hidden directory found: '/dev/.initramfs'

EDIT, new information:

I've enabled the PHP mail.log, but the mails do not seem to come from PHP files. Looking at my mail.log I can see that there are A LOT of mails being sent out. So it is my server. Can anyone help me figure out what is sending out all those e-mails? This is something from the log:

Sep 12 16:16:39 MY-DOMAIN sendmail[5733]: r8CEGdCb005733: from=www-data, size=827, class=0, nrcpts=1, msgid=<201309121416.r8CEGdCb005733@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:39 MY-DOMAIN sendmail[5733]: r8CEGdCb005733: to=183046355@qq.com, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30827, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:44 MY-DOMAIN sendmail[5767]: r8CEGi2D005767: from=www-data, size=868, class=0, nrcpts=1, msgid=<201309121416.r8CEGi2D005767@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:44 MY-DOMAIN sendmail[5767]: r8CEGi2D005767: to=ikombk@gmail.com, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30868, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:49 MY-DOMAIN sendmail[5769]: r8CEGnZ1005769: from=www-data, size=808, class=0, nrcpts=1, msgid=<201309121416.r8CEGnZ1005769@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:49 MY-DOMAIN sendmail[5769]: r8CEGnZ1005769: to=mohammed.yousuf2011@gmail.com, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30808, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:54 MY-DOMAIN sendmail[5771]: r8CEGrtE005771: from=www-data, size=908, class=0, nrcpts=1, msgid=<201309121416.r8CEGrtE005771@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:54 MY-DOMAIN sendmail[5771]: r8CEGrtE005771: to=ferry@ptipp.com, ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30908, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:59 MY-DOMAIN sendmail[5776]: r8CEGxNE005776: from=www-data, size=833, class=0, nrcpts=1, msgid=<201309121416.r8CEGxNE005776@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:59 MY-DOMAIN sendmail[5776]: r8CEGxNE005776: to=ericanzlovar@gmail.com, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30833, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:01 MY-DOMAIN sendmail[5784]: r8CEH1SX005784: from=www-data, size=520, class=0, nrcpts=1, msgid=<201309121417.r8CEH1SX005784@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:17:01 MY-DOMAIN sendmail[5784]: r8CEH1SX005784: to=www-data, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30520, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:03 MY-DOMAIN sendmail[5787]: r8CEH3xm005787: from=www-data, size=866, class=0, nrcpts=1, msgid=<201309121417.r8CEH3xm005787@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:17:03 MY-DOMAIN sendmail[5787]: r8CEH3xm005787: to=js9926@gmail.com, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30866, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:09 MY-DOMAIN sendmail[5789]: r8CEH890005789: from=www-data, size=440, class=0, nrcpts=1, msgid=<201309121417.r8CEH890005789@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:17:09 MY-DOMAIN sendmail[5789]: r8CEH890005789: to=kxojjly@vxedif.com, ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30440, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:15 MY-DOMAIN sendmail[5791]: r8CEHEf4005791: from=www-data, size=757, class=0, nrcpts=1, msgid=<201309121417.r8CEHEf4005791@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:17:15 MY-DOMAIN sendmail[5791]: r8CEHEf4005791: to=flyfish@foxmail.com, ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30757, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:20 MY-DOMAIN sendmail[5793]: r8CEHKGp005793: from=www-data, size=835, class=0, nrcpts=1, msgid=<201309121417.r8CEHKGp005793@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:17:20 MY-DOMAIN sendmail[5793]: r8CEHKGp005793: to=bieshonk@163.com, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30835, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
user189603
  • `from=www-data` means that it IS something in your web site(s) that is being abused to either directly send spam, or to compromise the server and gain access as the `www-data` user which is then used to send spam. – fukawi2 Sep 23 '13 at 06:55
  • In addition, the header `X-PHP-Originating-Script: 33:collector.php` is a strong hint that it might be coming from the web process and probably that script in particular. Not that you should still be working on this problem five months later but it may help someone some day. – Ladadadada Jan 29 '14 at 15:03
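Added example (not code from the question or its answers): a small Python analyzer for sendmail mail.log lines in the format shown above. It joins the from= and to= lines of each queue id into one envelope, counts envelopes per controlling user and per minute to flag bursts, tallies recipient domains, and pulls the uid out of ctladdr= so it can be compared with the 33 that prefixes the X-PHP-Originating-Script header. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# One sendmail mail.log line: minute-resolution timestamp, queue id, key=value rest.
ENVELOPE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")

# Constructed sample in the format quoted in the question; queue ids, recipients
# and the root envelope are made up for this example.
SAMPLE_LOG = """\
Sep 12 16:16:39 MY-DOMAIN sendmail[5733]: r8CEGdCb005733: from=www-data, size=827, class=0, nrcpts=1, msgid=<201309121416.r8CEGdCb005733@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:39 MY-DOMAIN sendmail[5733]: r8CEGdCb005733: to=a@example.net, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30827, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:44 MY-DOMAIN sendmail[5767]: r8CEGi2D005767: from=www-data, size=868, class=0, nrcpts=1, msgid=<201309121416.r8CEGi2D005767@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:44 MY-DOMAIN sendmail[5767]: r8CEGi2D005767: to=b@example.net, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30868, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:49 MY-DOMAIN sendmail[5769]: r8CEGnZ1005769: from=www-data, size=808, class=0, nrcpts=1, msgid=<201309121416.r8CEGnZ1005769@MY-DOMAIN.com>, relay=www-data@localhost
Sep 12 16:16:49 MY-DOMAIN sendmail[5769]: r8CEGnZ1005769: to=c@example.org, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30808, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:01 MY-DOMAIN sendmail[5784]: r8CEH1SX005784: from=root, size=520, class=0, nrcpts=1, msgid=<201309121417.r8CEH1SX005784@MY-DOMAIN.com>, relay=root@localhost
Sep 12 16:17:01 MY-DOMAIN sendmail[5784]: r8CEH1SX005784: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30520, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
"""

def parse_fields(rest):
    """Split 'k=v, k=v, ...'; a value may hold spaces or colons but never ', key='."""
    return {m[1]: m[2] for m in re.finditer(r"(\w+)=(.*?)(?=, \w+=|$)", rest)}

def uid_of(ctladdr):
    """'www-data (33/33)' -> 33, the uid that also prefixes X-PHP-Originating-Script."""
    m = re.search(r"\((\d+)/\d+\)", ctladdr)
    return int(m[1]) if m else None

def analyze(log_text, per_minute_threshold=3):
    """Join the from= and to= lines of each queue id, then count per user and per minute."""
    envelopes = {}
    for line in log_text.splitlines():
        m = ENVELOPE.match(line)
        if not m:
            continue
        fields = parse_fields(m["rest"])
        env = envelopes.setdefault(m["qid"], {"minute": m["ts"], "to": []})
        env.update({k: v for k, v in fields.items() if k in ("from", "ctladdr", "stat")})
        if "to" in fields:
            env["to"].append(fields["to"])
    by_user, per_minute, domains, uids = Counter(), Counter(), Counter(), {}
    for env in envelopes.values():
        user = env.get("ctladdr", env.get("from", "?")).split(" ")[0]
        by_user[user] += 1
        per_minute[(user, env["minute"])] += 1
        uids[user] = uid_of(env.get("ctladdr", ""))
        for rcpt in env["to"]:
            domains[rcpt.rpartition("@")[2]] += 1
    bursts = sorted(k + (n,) for k, n in per_minute.items() if n >= per_minute_threshold)
    return {"by_user": dict(by_user), "uids": uids, "bursts": bursts, "domains": domains.most_common(3)}
```

Run `analyze(open("/var/log/mail.log").read(), per_minute_threshold=20)` on a real log: a burst attributed to uid 33 points at the web server process, which is where the search for the sending script should start.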

2 Answers

2

Based on the rkhunter output, it's reasonable to assume that your box has been rooted. Unless of course you have replaced ldd with a Perl script, and I can think of no reason anyone would legitimately want to do that.

The best path to remediate the situation is to wipe that box and reinstall. You can try to clean it, but you'll never be 100% sure you've cleaned everything properly.

And when you reinstall, take rkhunter's advice and do not leave PermitRootLogin: yes in your SSHD config file.

fukawi2
  • I will do that and return with an answer on whether it solved the issue. Thank you. – user189603 Sep 12 '13 at 06:08
  • I've completely reinstalled the server, actually with a new IP. Removing the feature of root login via SSH and everything did run fine for some days. However, now the server is once again pushing out SPAM. What to do? – user189603 Sep 23 '13 at 04:22
  • You need to investigate how the server is being compromised; a web app with a security hole perhaps? Follow the advice in the thread this has been marked a duplicate of: http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – fukawi2 Sep 23 '13 at 04:58
  • @user189603 Hire someone with a clue to do a review and find out how you lose control of the server. It can be that you have bad / broken / insecure software installed. This site is not a replacement for having a borderline competent admin at hand - administration is a lot more than just getting a box running. – TomTom Sep 23 '13 at 04:59
  • Also, do the rest of us a favour and take the server offline and avoid contributing to the spam problem until someone with the appropriate skills can investigate your web site(s) – fukawi2 Sep 23 '13 at 06:56
  • Apologies. I close the question. – user189603 Sep 24 '13 at 08:24
-1

You can also use maldet http://www.rfxn.com/projects/linux-malware-detect/ and scan your web files for spam bots.

titus