3

For the last 3 months I have been getting emails from my hosting provider that my server is sending spam emails, and today I did some research on it and found that it actually is. I used exim to check out the situation and it showed the output of 28 with the command `exim -bcp`, and then I used `exim -bp` and also found the IDs and used `exim -Mvh <id>`. I tested all the IDs, but it didn't provide the source of the script. After that, I also tried to check out exim/main.log but it didn't provide any output.

I have already scanned the server using antivirus and it didn't find anything. Also I formatted the server but still no benefit. Please do let me know if you can help in detecting the script which is sending spam.

Falcon Momot
Kinshuk Lahiri
    You waited three months to diagnose a hacked server? Wiping the server didn't stop it? – ceejayoz Aug 27 '15 at 18:52
  • *Also i formatted the server but still not benefit* - then the attack is coming from outside, someone relaying through exim or someone calling an exploitable PHP script, maybe. Have you looked through exim and apache logs for unusual connections? Repeated connections from one address, a weird web URL, etc. Have you checked server account passwords? (Maybe someone has guessed/found a valid user account and is abusing it) – TessellatingHeckler Aug 27 '15 at 18:52
  • Hi cj, see I have got emails from the hosting providers and I never took any action until now. I just formatted it last week because I didn't find anything and thought it would remove any malicious script. – Kinshuk Lahiri Aug 27 '15 at 18:55
  • Hi @TessellatingHeckler, "Have you looked through exim and apache logs for unusual connections?" Can you please provide some commands so that I can check more on this situation, and maybe share some screenshots that may help you to understand it better. The server account passwords are completely changed and I am the only one who has access to the server. – Kinshuk Lahiri Aug 27 '15 at 19:00
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – womble Aug 27 '15 at 20:58
  • I am assuming you have open relaying disabled. Do you? – Konrad Gajewski Aug 29 '15 at 04:18

4 Answers

3

Run `exim -bP log_file_path` to get a templated log-file path; replace `%s` with `main`, and use that as the logfile to look at (also `%D` for date, etc.). If that really points to the same main.log file which you looked at, then use `lsof`, see if you have broken log-file rotation or something. If the file is the current log-file, the filesystem is not full, messages are flowing but the log is empty, then you have a compromised system.

Look to see where the messages came from. If they came from a local user, then that user is injecting mail; if that's a web-hosting user, then you need to figure out which PHP application is out-of-date and letting spammers abuse you. Commercial abuse of PHP apps has been happening for at least 12 years. There are various options you can apply to your webserver and PHP configs to lock down sender addresses, if you have a lot of vhosts and can't identify the source.

If the messages are coming from remote IP addresses, figure out what you did to turn yourself into an open relay.

If there is an authenticated user showing up, then they had a weak password: don't allow user-chosen passwords for SMTP. Use strong passwords which you generate, tell users that they're allowed to write them down. Consider looking over the Exim wiki at rate-limiting examples, to rate-limit abusive SMTP AUTH attempts.

If the connections are not authenticated, and are just remote open relay, then the issue depends upon how much you've customized your Exim configure file (run `exim -bV` to find the path to the active config file). If it's fairly close to stock, then you have a hostlist named `relay_from_hosts` and you might have rather too many hosts in that. Lock it down.

Phil P
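As an added example (not part of Phil P's answer), a POSIX shell script that does the triage the answer describes: it resolves the main log path from `exim -bP log_file_path`, then classifies every message-arrival (`<=`) record in that log as local injection by a user account, an authenticated SMTP AUTH submission, or an unauthenticated remote delivery, so you can see which of the three cases above you are in and which user, login or IP to look at first. The log lines are a constructed sample; the `exim_main_log` helper assumes Exim prints `log_file_path = <template>` with `%s` and `%D` as the only placeholders, and the function names are mine.

```shell
#!/bin/sh
# Exim arrival-log triage (added example, not from the answer).
# Usage: sh exim_origins.sh [mainlog]   -- without an argument it runs on the built-in sample.

# Resolve the real main log path the way the answer describes. Assumes Exim prints
# "log_file_path = <template>" and that %s (log type) and %D (yyyymmdd date) are the placeholders.
exim_main_log() {
    exim -bP log_file_path 2>/dev/null \
      | sed -e 's/^log_file_path = //' -e 's/%s/main/' -e "s/%D/$(date +%Y%m%d)/"
}

# Read Exim main log lines on stdin and print one "CATEGORY<TAB>msgid<TAB>detail" line per
# message arrival ("<=" records). The three categories are the answer's three cases:
#   LOCAL-USER     P=local, injected by a local account (U=...), typically a web-hosting user
#   AUTH-USER      remote SMTP AUTH session (A=mechanism:login), i.e. a password in use
#   REMOTE-UNAUTH  remote host, no authentication: relay_from_hosts / open-relay territory
classify_arrivals() {
    awk '$4 == "<=" {
        user = proto = auth = ip = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^U=/) user  = substr($i, 3)
            if ($i ~ /^P=/) proto = substr($i, 3)
            if ($i ~ /^A=/) auth  = substr($i, 3)
            if ($i ~ /^\[/) ip    = $i
        }
        if (proto == "local")  { cat = "LOCAL-USER";    detail = user }
        else if (auth != "")   { cat = "AUTH-USER";     detail = auth " from " ip }
        else                   { cat = "REMOTE-UNAUTH"; detail = ip }
        printf "%s\t%s\t%s\n", cat, $3, detail
    }'
}

# Number of arrivals in one category, e.g.  count_category AUTH-USER < "$(exim_main_log)"
count_category() {
    classify_arrivals | awk -F'\t' -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Per-category totals, then the most frequent origins: the user, login or IP to look at first.
summarize() {
    tmp=$(mktemp)
    classify_arrivals > "$tmp"
    echo "== arrivals by category"; cut -f1 "$tmp" | sort | uniq -c | sort -rn
    echo "== top origins";          cut -f1,3 "$tmp" | sort | uniq -c | sort -rn | head -n 10
    rm -f "$tmp"
}

# Constructed sample of main log records (ids, hosts and addresses are made up).
sample_log() {
    cat <<'EOF'
2015-08-27 18:40:01 1ZUxAa-0001Aa-01 <= www-data@host.example U=www-data P=local S=2410 id=1@host.example
2015-08-27 18:40:02 1ZUxAb-0001Ab-02 <= bob@mail.example H=(WIN-PC) [198.51.100.7] P=esmtpa A=login:bob S=3102
2015-08-27 18:40:03 1ZUxAc-0001Ac-03 <= spam@bulk.example H=(mx) [203.0.113.9] P=esmtp S=5201
2015-08-27 18:40:04 1ZUxAd-0001Ad-04 <= www-data@host.example U=www-data P=local S=2380
2015-08-27 18:40:05 1ZUxAe-0001Ae-05 => alice@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.2]
2015-08-27 18:40:06 1ZUxAf-0001Af-06 <= bob@mail.example H=(WIN-PC) [198.51.100.7] P=esmtpa A=login:bob S=2904
EOF
}

if [ $# -gt 0 ]; then summarize < "$1"; else sample_log | summarize; fi
```

On a real box, `sh exim_origins.sh "$(exim_main_log)"` gives the summary; a `LOCAL-USER` majority points at a web-hosting account (check which vhost that user serves), `AUTH-USER` at a stolen or weak SMTP password, and `REMOTE-UNAUTH` at the `relay_from_hosts` list the answer mentions.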
1

As root, you can use `ps aux` to show all the processes, and look for anything suspicious. You can also use `find /path/to/cgi-bin -iname \*.php` to look for attacker-introduced PHP scripts.

But, it might not be seen by either of those things depending on what the attack is. If you suspect an attacker has control over your server, looking for the script is an exercise in forensics, not remediation. Follow the directions at [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server).

Falcon Momot
  • Hi, thanks for the reply. See, I have checked `ps aux` and no luck with that, and the second command doesn't work for me. Now the link that you provided will take a lot of time and I will surely go through it, but is there anything else you know that you want to share with me that helps me to get out of this situation. – Kinshuk Lahiri Aug 27 '15 at 18:53
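Added example, not from Falcon Momot's answer: shell helpers that make the `ps aux` and `find` checks above more targeted. Files are filtered by modification time and by owner (assumed layout: one tree per site, owned by the site account), a content heuristic flags PHP that decodes and runs encoded blobs, and the process check reads Linux `/proc` to spot executables that have been deleted or run from scratch directories, which a plain process listing does not show. The function names and the sample tree in the test are mine.

```shell
#!/bin/sh
# Web-root and process hunting helpers (added example, not from the answer).
# Assumptions: find with -mtime/-iname/-user; Linux /proc for the process check.

# PHP files under a tree modified within the last N days. After a wipe and restore, anything
# newer than the restore is worth a look; on a running site, compare against the deploy date.
recent_php_files() {
    find "$1" -type f -iname '*.php' -mtime "-$2" | sort
}

# PHP files whose owner is not the expected account for that tree (files dropped through a
# vulnerable web app usually belong to the web server user, e.g. www-data, not the site owner).
php_files_not_owned_by() {
    find "$1" -type f -iname '*.php' ! -user "$2" | sort
}

# Heuristic content check: decoding an encoded blob at runtime is rare in legitimate site code
# and common in injected scripts. Treat hits as leads to read, not as verdicts.
suspicious_php_markers() {
    find "$1" -type f -iname '*.php' \
        -exec grep -lE 'base64_decode|gzinflate|str_rot13' {} + 2>/dev/null | sort
}

# Processes whose executable has been deleted, or which run from a scratch directory:
# neither shows up in a file search, and ps aux only reveals them once you look for it.
odd_processes() {
    [ -d /proc ] || return 0
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cwd=$(readlink "$p/cwd" 2>/dev/null)
        case "$exe" in
            *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*)
                echo "${p#/proc/} exe=$exe cwd=$cwd"; continue ;;
        esac
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                echo "${p#/proc/} exe=$exe cwd=$cwd" ;;
        esac
    done
}

if [ $# -eq 0 ]; then
    echo "usage: $0 /path/to/webroot [days] [expected-owner]"
else
    root="$1"; days="${2:-7}"
    echo "== PHP files changed in the last $days days"; recent_php_files "$root" "$days"
    [ -n "$3" ] && { echo "== PHP files not owned by $3"; php_files_not_owned_by "$root" "$3"; }
    echo "== PHP with decode-and-run markers";          suspicious_php_markers "$root"
    echo "== processes deleted or running from scratch dirs"; odd_processes
fi
```

Run it as root against each web root (`sh hunt.sh /var/www/site 7 siteuser`); anything it lists is a place to read, cross-reference with the web server access log, and preserve before it is removed.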
1

I had the same problem. This even resulted in getting my IPs blacklisted.

My host recommended that I add the pyxsoft anti-malware plugin in WHM.

It detected the infected files in WordPress, and the spam stopped when I deleted those files, but they kept coming back every day. So I had to delete them every time.

Then I consulted my host again and they recommended going with CXS: http://configserver.com/cp/cxs.html

I have not yet tried this but I hope this will look after the compromised web hosts in a better way.

Hyder
0

As you are using exim, it is likely you are running some distribution of Linux. If so, you can use iptables to block outgoing connections to port 25. In your case, you may want to drop the connections so that they will stick around for a while. Monitor the system with `netstat -antp | grep :25` to determine which process is trying to send a message. Then you can check the process to see where it is running from. You can use `kill -STOP` to prevent the process from running, to give you even more time to examine the process.

If you do need to send emails while doing this, exempt the user that exim runs as from the iptables rule. This will allow exim to send mail while blocking other users.

If you have a web server running, it may be that you have a script included that sends email. Some of the available scripts allow spammers to send email using your server. There are a number of other ways to send email from a server that will not be caught by a virus scanner. Until you identify how the email is being sent, blocking with iptables may be your best bet.

BillThor