
This question is not a duplicate of the other, the other is general, this is very specific.

My question is similar to "Who or what is sending spam from my server (CentOS / Apache / suPHP)", but slightly different.

I have CentOS 6.3, Apache/2.2.15, PHP 5.6.24 running Moodle, Passenger 4.0.41 and Postfix 2.6.6-6.el6_7.1, hosted at Rackspace.

I don't believe my Rails server sends mail through Postfix, but Moodle does for sure send password resets etc. through Postfix.

Bad guys are somehow sending spam from my server.

Here is what the Postfix log looks like:

Aug 26 18:37:32 myserver postfix/error[18958]: CEF352EDAA:    
to=<someemailvictim@yahoo.com.br>, relay=none, delay=7714, 
delays=7714/0.03/0/0, dsn=4.4.2, status=deferred (delivery temporarily 
suspended: lost connection with mta5.am0.yahoodns.net[98.136.216.26] while 
sending RCPT TO)

Here is what the email looks like (from postfixq):

*** ENVELOPE RECORDS deferred/C/CEF352EDAA ***
message_size:           13583             190               1               0           13583
message_arrival_time: Fri Aug 26 16:28:58 2016
create_time: Fri Aug 26 18:37:31 2016
named_attribute: rewrite_context=local
sender_fullname: Apache
sender: apache@myserver.localdomain
*** MESSAGE CONTENTS deferred/C/CEF352EDAA ***
regular_text: Received: by myserver.localdomain (Postfix, from userid 48)
regular_text:   id CEF352EDAA; Fri, 26 Aug 2016 16:28:58 +0000 (UTC)
regular_text: content-type: text/html
regular_text: Subject: Parabens, agora você pode desfrutar do melhor do cinema - Anote seu voucher: NETFLIX440140
regular_text: From: voucher@myserver.localdomain

I added the following and bounced Apache:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

I get no log file from PHP... so I think it is not PHP.

The other interesting thing is that I had Postfix off at the time the message says it "arrived"; notice the 2-hour delta between create and arrival.

Another interesting thing is that my root mailbox is huge (/var/mail/root).

The last interesting thing is that the bad guys put 200k spam in my queue last Thursday/Friday; I found and cleaned the queue by Sunday. I only ran Postfix during the day all week, and nothing... then today, all of a sudden, I turned it on and, bam, slammed again.

I don't see anything nefarious in any Apache log files.

I ran maldat and it found nothing.

My server is fairly well locked down at this point (but may not have been before): certificate login only, nothing scary in last... the only open ports are 80, 443 and 22.

Any ideas? Any suggestions of where to look next? Yes, I am going to nuke this VM eventually... but I hate the idea of not understanding where the bad guys got in and how they are doing it.

Joelio
  • Found more info, but still no resolution. The malware is putting a hidden folder in the temp directory; it consists of a Perl script to send mail and some helper files to create the spam. It also communicates to another server on a different port each time. The target server is the same server on port 7025; it is a Linode server and their support team has been no help at all. Is there any site that can give me a signature of malware from the files it uses? I am sure there is a trojan somewhere triggering this. – Joelio Sep 02 '16 at 19:33
  • https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – user9517 Sep 02 '16 at 19:58
  • Your web app has been compromised. There's nothing to do but rebuild it fresh, and this time please update it more often than once every three years. – Michael Hampton Sep 02 '16 at 20:10
  • Your comment is not helpful and your marking this duplicate is not helpful either. – Joelio Sep 07 '16 at 20:26
  • This is the most help you can possibly expect here for free. If you're incapable of following the advice you've already received, then you should engage a consultant to help you out. – Michael Hampton Sep 07 '16 at 21:31
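As an added example (not from the question or any of the commenters), here is a small Python triage script for the kind of queue dump shown in the question. It parses `postcat -q <queue-id>` style envelope and header records, reads the injecting local UID from Postfix's own `Received:` header (`from userid 48` is the apache account on CentOS 6), and flags messages from that UID that carry no `X-PHP-Originating-Script` header, the header that `mail.add_x_header = On` makes PHP's mail() add. A message from uid 48 without that header did not pass through PHP's mail() at all, which is consistent with an empty phpmail.log and with a Perl mailer under the temp directory handing mail to sendmail directly. The sample dump is constructed and modelled on the entry in the question; the second queue ID, the Moodle header values and the `APACHE_UID` assumption are mine.

```python
"""Triage a Postfix queue dump (output of `postcat -q <queue-id>`) to see which
local account injected each message and whether it went through PHP's mail().
Added example; SAMPLE_DUMP below is constructed, modelled on the question."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "*** ENVELOPE RECORDS deferred/C/CEF352EDAA ***" -> queue id CEF352EDAA
ENVELOPE_RE = re.compile(r"^\*\*\* ENVELOPE RECORDS (?:\S+/)?([0-9A-F]+) \*\*\*")
# Postfix's Received: header for locally submitted mail names the submitting uid
USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")
APACHE_UID = 48  # assumption: uid of the apache user on CentOS 6, as in the dump


@dataclass
class QueuedMessage:
    queue_id: str
    sender: str = ""                                        # envelope sender
    headers: Dict[str, str] = field(default_factory=dict)   # lower-cased name -> value

    @property
    def origin_uid(self) -> Optional[int]:
        m = USERID_RE.search(self.headers.get("received", ""))
        return int(m.group(1)) if m else None

    @property
    def php_script(self) -> Optional[str]:
        # Only present when sent via PHP mail() with mail.add_x_header=On
        return self.headers.get("x-php-originating-script")


def parse_postcat(dump: str) -> List[QueuedMessage]:
    """Parse one or more concatenated postcat -q dumps into QueuedMessage records."""
    messages: List[QueuedMessage] = []
    current: Optional[QueuedMessage] = None
    in_headers, last = False, None
    for line in dump.splitlines():
        m = ENVELOPE_RE.match(line)
        if m:
            current = QueuedMessage(queue_id=m.group(1))
            messages.append(current)
            in_headers, last = False, None
            continue
        if current is None:
            continue
        if line.startswith("*** MESSAGE CONTENTS"):
            in_headers, last = True, None       # content section opens with the headers
        elif line.startswith("sender:"):
            current.sender = line.split(":", 1)[1].strip()
        elif in_headers and line.startswith("regular_text:"):
            text = line[len("regular_text:"):]
            text = text[1:] if text.startswith(" ") else text   # postcat's separator space
            if not text.strip():
                in_headers = False              # first blank line ends the header block
            elif text[0] in " \t":
                if last:                        # folded continuation of the previous header
                    current.headers[last] += " " + text.strip()
            elif ":" in text:
                name, value = text.split(":", 1)
                key = name.strip().lower()
                if key in current.headers:
                    last = None                 # keep the topmost occurrence (e.g. Received:)
                else:
                    last = key
                    current.headers[key] = value.strip()
    return messages


def summarize(messages: List[QueuedMessage]) -> Dict[Tuple[Optional[int], str], int]:
    """Queue volume per (originating uid, envelope sender)."""
    return dict(Counter((m.origin_uid, m.sender) for m in messages))


def not_via_php_mail(messages: List[QueuedMessage], uid: int = APACHE_UID) -> List[QueuedMessage]:
    """Messages injected by the web server uid without X-PHP-Originating-Script:
    they never went through PHP mail(), so PHP's mail.log cannot show them."""
    return [m for m in messages if m.origin_uid == uid and m.php_script is None]


SAMPLE_DUMP = """\
*** ENVELOPE RECORDS deferred/C/CEF352EDAA ***
message_arrival_time: Fri Aug 26 16:28:58 2016
named_attribute: rewrite_context=local
sender_fullname: Apache
sender: apache@myserver.localdomain
*** MESSAGE CONTENTS deferred/C/CEF352EDAA ***
regular_text: Received: by myserver.localdomain (Postfix, from userid 48)
regular_text:   id CEF352EDAA; Fri, 26 Aug 2016 16:28:58 +0000 (UTC)
regular_text: content-type: text/html
regular_text: Subject: Parabens, anote seu voucher: NETFLIX440140
regular_text: From: voucher@myserver.localdomain
regular_text:
regular_text: <html>constructed spam body</html>
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
sender: noreply@myserver.localdomain
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
regular_text: Received: by myserver.localdomain (Postfix, from userid 48)
regular_text:   id A1B2C3D4E5; Fri, 26 Aug 2016 16:30:02 +0000 (UTC)
regular_text: X-PHP-Originating-Script: 48:moodlelib.php
regular_text: Subject: Password reset request
regular_text:
regular_text: constructed Moodle body
"""

if __name__ == "__main__":
    msgs = parse_postcat(SAMPLE_DUMP)
    for (uid, sender), n in summarize(msgs).items():
        print(f"uid={uid} sender={sender} queued={n}")
    for m in not_via_php_mail(msgs):
        print(f"{m.queue_id}: uid {m.origin_uid}, no X-PHP-Originating-Script, subject={m.headers.get('subject', '')!r}")
```

To use it on a live box, list the queue with `postqueue -p`, run `postcat -q` on each ID (or a sample of them) into one file, and pass the file's contents to `parse_postcat`. `summarize()` pairs the submitting uid with the envelope sender, which shows at a glance whether one local account is responsible for the whole queue; `not_via_php_mail()` separates legitimate Moodle mail (which carries the PHP header) from messages that some other process running as apache handed to sendmail.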
