
I have a user on my system who appears to be sending large quantities of mail and I'm having difficulty identifying who he is. I don't know his IP address or username by which he authenticated.

One such entry from the syslog is:

    root@s2:~# zgrep '2EA87A0CDF' /var/log/syslog.2.gz | more
    Jul 28 21:04:32 s2 postfix/pickup[10654]: 2EA87A0CDF: uid=33 from=<callcenter@bdo.com>
    Jul 28 21:04:32 s2 postfix/cleanup[11263]: 2EA87A0CDF: message-id=<56a1b0b372c938dfc989c5630be75ac1@www.ourCustomersDomain.com>
    Jul 28 21:04:32 s2 postfix/qmgr[2545]: 2EA87A0CDF: from=<callcenter@bdo.com>, size=4808, nrcpt=1 (queue active)
    Jul 28 21:04:36 s2 postfix/smtp[11361]: 2EA87A0CDF: to=<mangmkkepweng@yahoo.com>, relay=mta5.am0.yahoodns.net[98.137.159.27]:25, delay=4.4, delays=0.01/0.01/1.2/3.2, dsn=2.0.0, status=sent (250 ok dirdel)
    Jul 28 21:04:36 s2 postfix/qmgr[2545]: 2EA87A0CDF: removed

Please note the following:

  • I've replaced our customer's domain name with ourCustomersDomain.com.
  • The bdo.com domain is an external domain not handled by us, and it appears to be being used as the from address by our user.
  • Because I know the customer's domain, what I'm looking for is the actual username being used to gain access.

I can see the UID, which is '33', but it doesn't mean anything to me. How can I match this to the username used?

  • Thanks. I have clarified the question. – Peter White Jul 30 '19 at 05:47
  • I do not think the spammer was nice enough to *log in* or leave any trace of identification. The most you are going to learn is *who let him in* - that would be the person who created a file or directory writable to the *www-data* user. – anx Jul 30 '19 at 06:18
  • You need to look at the rest of the log entries. – Michael Hampton Jul 30 '19 at 07:50
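The `uid=33` in the `postfix/pickup` line is the Unix UID of the process that handed the message to the local `sendmail` command, so resolving it is nothing more than a passwd lookup (`getent passwd 33` on the host). The script below is an added example, not code from the question or the answer: it parses Postfix pickup/smtp log lines, attributes each locally submitted message to a UID, resolves the UID against passwd-format text, and counts messages per user so the noisy account stands out. The log lines and the passwd excerpt are constructed samples (example.* domains); on a real host you would feed it the syslog and `/etc/passwd`.

```python
"""Added example: map Postfix pickup UIDs to local usernames and count messages per user."""
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the entries in the question (example.* domains, not real traffic).
SAMPLE_LOG = """\
Jul 28 21:04:32 s2 postfix/pickup[10654]: 2EA87A0CDF: uid=33 from=<callcenter@example.com>
Jul 28 21:04:32 s2 postfix/qmgr[2545]: 2EA87A0CDF: from=<callcenter@example.com>, size=4808, nrcpt=1 (queue active)
Jul 28 21:04:36 s2 postfix/smtp[11361]: 2EA87A0CDF: to=<victim1@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=4.4, delays=0.01/0.01/1.2/3.2, dsn=2.0.0, status=sent (250 ok)
Jul 28 21:04:36 s2 postfix/qmgr[2545]: 2EA87A0CDF: removed
Jul 28 21:05:01 s2 postfix/pickup[10654]: 3FB98B1DE0: uid=33 from=<callcenter@example.com>
Jul 28 21:05:03 s2 postfix/smtp[11361]: 3FB98B1DE0: to=<victim2@example.org>, relay=mx.example.org[192.0.2.11]:25, delay=2.0, delays=0.01/0.01/1.0/1.0, dsn=2.0.0, status=sent (250 ok)
Jul 28 21:06:10 s2 postfix/pickup[10654]: 4AC09C2EF1: uid=1001 from=<alice@example.com>
Jul 28 21:06:12 s2 postfix/smtp[11361]: 4AC09C2EF1: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=2.0, delays=0.01/0.01/1.0/1.0, dsn=2.0.0, status=sent (250 ok)
"""

# Constructed /etc/passwd excerpt. On the real host read /etc/passwd itself
# (or run `getent passwd 33`); only the uid -> name mapping matters here.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>")


def parse_passwd(text):
    """Return {uid: username} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def triage(log_text, passwd_text):
    """Group log lines by queue id, attribute each locally submitted message
    to the UID that handed it to pickup(8), and resolve that UID to a name."""
    users = parse_passwd(passwd_text)
    origin = {}                  # queue id -> (uid, envelope sender)
    rcpts = defaultdict(list)    # queue id -> recipients seen in smtp(8) lines
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            origin[m["qid"]] = (int(m["uid"]), m["sender"])
            continue
        m = SMTP_RE.search(line)
        if m:
            rcpts[m["qid"]].append(m["rcpt"])

    per_user = Counter()
    messages = {}
    for qid, (uid, sender) in origin.items():
        name = users.get(uid, f"uid {uid} (not in passwd)")
        per_user[name] += 1
        messages[qid] = {"uid": uid, "user": name, "from": sender, "to": rcpts.get(qid, [])}
    return {"per_user": dict(per_user), "messages": messages}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_PASSWD)
    for user, n in sorted(result["per_user"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} message(s) submitted locally by {user}")
    for qid, info in result["messages"].items():
        print(qid, info)
```

Only `pickup` lines carry a UID, and only for mail injected through the local `sendmail` binary; mail that arrived over SMTP with SASL authentication is logged by `smtpd` with `sasl_username=` instead, so a full triage checks both. When the UID resolves to the web server account, as the answer explains, the log has told you which process class sent the mail but not which customer's script did.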

1 Answer


Before you edited your post as requested in a comment, you had included a log entry which indicated that the UID of the user concerned was "33". As noted in a comment, this UID is often used for the www-data service (web server itself).

You possibly thought that since many users on the system use webmail, that may explain it, but actually, those users have a different UID. If the UID of the www-data service on your system is "33", this probably indicates that there is a script located in one of your user's web hosting spaces, which is sending the emails.

Since you mentioned that you had already narrowed this down to the actual customer's domain, try looking at any mail sending script (i.e. contact us) they may be using - maybe it has security flaws in it. Also, look carefully at the files in their www directory and below, for anything which might have been added by a hacker if their FTP account has been compromised.

Also, as suggested here, to find out which script is responsible for sending these mails, you can set the directive

    mail.add_x_header = On

in your php.ini. This will add an additional mail header

    X-PHP-Originating-Script

Then check the mail headers of relevant mails in the mail queue.

If you find that his account was compromised and a hacker had added scripts to the www directory to exploit the mailserver's mail sending permissions, don't forget to check how the account was compromised and close the gap after cleaning up the account.

  • The domain user's web hosting had been compromised by a hacker who guessed the stupidly simple FTP account password and added mail sending scripts in the directory. I examined the scripts to ensure that they were unable to compromise anything else and although they do attempt further compromising of the server, they were unsuccessful in those attempts. – Peter White Jul 30 '19 at 23:19
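Once `mail.add_x_header = On` is in effect, every message sent through PHP's `mail()` carries an `X-PHP-Originating-Script` header whose value is the UID of the PHP process followed by a colon and the script's basename (e.g. `33:contact.php`). The script below is an added example, not code from the answer or from PHP or Postfix: it parses message sources of the kind `postcat -q <queue id>` prints for a queued message, pulls that header out, and counts queued messages per originating script so the offending file name surfaces. The four message sources are constructed samples with invented script names and example.* addresses.

```python
"""Added example: rank queued messages by the X-PHP-Originating-Script header."""
import re
from collections import Counter
from email import message_from_string

HEADER = "X-PHP-Originating-Script"
# PHP writes the header as "<uid>:<script basename>".
ORIG_RE = re.compile(r"^(?P<uid>\d+):(?P<script>\S+)$")

# Constructed message sources, shaped like the output of `postcat -q <queue id>`
# (header block, blank line, body). Script names and addresses are invented.
SAMPLE_SOURCES = [
    """\
Received: by s2.example.com (Postfix, from userid 33)
To: victim1@example.net
Subject: Account notice
From: callcenter@example.com
X-PHP-Originating-Script: 33:contact.php
Message-ID: <constructed-id-1@www.example.com>

body 1
""",
    """\
Received: by s2.example.com (Postfix, from userid 33)
To: victim2@example.org
Subject: Account notice
From: callcenter@example.com
X-PHP-Originating-Script: 33:contact.php
Message-ID: <constructed-id-2@www.example.com>

body 2
""",
    """\
Received: by s2.example.com (Postfix, from userid 1001)
To: bob@example.net
Subject: Weekly report
From: alice@example.com
X-PHP-Originating-Script: 1001:report.php
Message-ID: <constructed-id-3@www.example.com>

body 3
""",
    """\
Received: by s2.example.com (Postfix, from userid 0)
To: root@example.com
Subject: Cron output
From: root@example.com
Message-ID: <constructed-id-4@s2.example.com>

body 4
""",
]


def originating_script(raw):
    """Return (uid, script basename) from the header, or None if the message
    was not sent through PHP's mail() (or the header is malformed)."""
    msg = message_from_string(raw)
    value = msg.get(HEADER)
    if value is None:
        return None
    m = ORIG_RE.match(value.strip())
    if not m:
        return None
    return int(m["uid"]), m["script"]


def scripts_by_count(sources):
    """Count messages per (uid, script); messages without the header land under None."""
    counts = Counter()
    for raw in sources:
        counts[originating_script(raw)] += 1
    return counts


if __name__ == "__main__":
    for key, n in scripts_by_count(SAMPLE_SOURCES).most_common():
        label = "no X-PHP-Originating-Script header" if key is None else f"uid {key[0]} script {key[1]}"
        print(f"{n:4d}  {label}")
```

Two practical notes. The header carries only the script's basename, so after it names `contact.php` you still have to find which customer's web root holds that file; with mod_php every site shows UID 33, whereas PHP-FPM pools running as each customer's own user would put the account's UID in both the pickup log line and this header. PHP's companion directive `mail.log` writes one line per `mail()` call with the full script path and line number, which saves that search when you can enable it.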