[plug] Postfix Problems again (Spam Originating from my mail server)

Ryan King ryank at globaldial.com
Thu Dec 1 11:54:41 WST 2005


My bad, just noticed you had already checked for the use of mailers,
etc...  Guess I should read the message eh :p

You have checked your script aliases and all that, right?  No perl
scripts anywhere?  File inclusions in perl scripts can commonly be
exploited to upload nasty programs to your server.

Also, some mailers insert useful information in the headers.  Check one
of the spam messages for those, might give you a clue as to where it
came from.


On Thu, 2005-12-01 at 11:43 +0800, Ryan King wrote:
> From first glance, it would appear you have a web script of some sort
> that is being exploited to send spam email.  eg: dodgy formail?
> 
> Check your apache logs to see if there are a large amount of hits on a
> particular script and check on that.
> 
> If that doesn't help, you might want to install some process accounting
> tools to see what else is being run by www-data.
> 
> 
> On Thu, 2005-12-01 at 11:31 +0800, Shannon Carver wrote:
> > Hi Guys, 
> > 
> > I’m having the same problem as I was about 2 months ago when I posted
> > on here:
> > 
> > A couple of weeks ago I got an email from spamcop stating that I had a
> > large amount of spam email originating from one of our work servers. I
> > tightened up the postfix rules, and cleared the queue which appeared
> > to fix the problem.
> > 
> > Two weeks on, it's started again, and I've just noticed that all
> > messages seem to be originating from www-data at domain which leads me to
> > think it must be some rogue process in apache which is causing the
> > problem.
> > 
> > My problem is, that I don't have any idea of locating where the cause
> > of the problem is, I've checked all htdocs directories, and the only
> > scripts are php scripts which I've written, of which none contain the
> > use of phpmailer() or mail(). The only thing I can think of, is
> > someone is somehow spamming from www-data elsewhere.
> > 
> > Last time around, the emails were to random addresses, this time, a
> > quick look through the logs:
> > 
> > Nov 28 18:44:33 intranet postfix/smtp[13969]: connect to
> > smtp.mx.homes.com [199.44.153.110]: read timeout (port 25)
> > 
> > Nov 28 18:44:40 intranet postfix/smtp[13990]: 3EBA2A010:
> > to=<jacobsh at lake.k12.fl.us>, relay=mail.lake.k12.fl.us[169.139.112.4],
> > delay=136614, status=deferred (lost connection with
> > mail.lake.k12.fl.us[169.139.112.4] while sending end of data -- message
> > may be sent more than once)
> > 
> > Nov 28 18:44:42 intranet postfix/smtp[14021]: 74DF9A94E:
> > to=<kinatc at lake.k12.fl.us>, relay=mail.lake.k12.fl.us[169.139.112.4],
> > delay=136552, status=deferred (lost connection with
> > mail.lake.k12.fl.us[169.139.112.4] while sending end of data -- message
> > may be sent more than once)
> > 
> > It seems to be running through a list...
> > 
> > It was heaps of *.*.us, then *.time.com, then *.homes.com...
> > 
> > All messages originate with www-data@*.com.au in the from field. Yes
> > there is a user called www-data on the system, it runs apache.
> > 
> > Did a postfix stop ; postsuper -d ALL (yea yea, some mail may have
> > gone missing)... and the problem stopped for almost 24 hours, then
> > started up again, with (to my knowledge), no intrusion to the system.
> > 
> > I’ve had it suggested that I blow the box away and start again, but
> > I’d rather see if I can get around the problem first.  Can anybody
> > suggest anything that I may be missing?
> > 
> > I’ve been to abuse.net, the mail server is definitely not an open
> > relay, so in my understanding the messages are originating from my
> > system.  I’ve got 6 boxes built in EXACTLY the same way at different
> > sites, which have been up and running for about 2 years without
> > downtime or similar issues.
> > 
> > Regards
> > 
> > Shannon Carver
> > 
> > P.S. Sorry if the message was a bit malformed, it's basically a copy and
> > paste from a forum thread, in which the people were not terribly
> > helpful, blaming my setup and suggesting a rebuild without suggesting
> > anything.
> > 
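Ryan's suggestion above, to look in the Apache logs for a script that is being hit unusually hard, as an added example that is not part of this thread: it parses combined-format access log lines and ranks script paths by POST count and number of distinct client addresses. The log lines, the paths and the addresses in it are constructed samples, not taken from Shannon's server.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not from the original thread).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [28/Nov/2005:18:40:01 +0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Nov/2005:18:40:02 +0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Nov/2005:18:40:03 +0800] "POST /cgi-bin/formmail.pl?x=1 HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Nov/2005:18:40:04 +0800] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.9 - - [28/Nov/2005:18:41:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Nov/2005:18:41:11 +0800] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Nov/2005:18:41:20 +0800] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""

# Leading fields of the combined format: client, ident, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def summarise_hits(log_text):
    """Group requests by script path (query string stripped) -> {path: {"total", "posts", "ips"}}."""
    stats = defaultdict(lambda: {"total": 0, "posts": 0, "ips": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:            # malformed or truncated line: skip it, do not abort the run
            continue
        path = m.group("path").split("?", 1)[0]
        entry = stats[path]
        entry["total"] += 1
        entry["ips"].add(m.group("ip"))
        if m.group("method") == "POST":
            entry["posts"] += 1
    return stats


def suspicious_scripts(log_text, min_posts=3):
    """Scripts receiving at least min_posts POSTs, most-hit first, as (path, posts, distinct_ips).

    A form handler being driven repeatedly by several unrelated clients is the
    first thing to inspect when mail is leaving the box as www-data.
    """
    stats = summarise_hits(log_text)
    hits = [(p, s["posts"], len(s["ips"])) for p, s in stats.items() if s["posts"] >= min_posts]
    return sorted(hits, key=lambda t: (-t[1], t[0]))
```

Run it against the real access log with `suspicious_scripts(open("/var/log/apache/access.log").read())` and compare the top entry's timestamps with the bursts in the Postfix queue; the log path is an assumption and varies by distribution.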