
Hello this is my first time here.

I do know a little about linux but I can't seem to find out the source of tons of SPAM emails being sent out on my server.

Here is a small portion of the QMAIL queue


29 May 2014 06:29:00 GMT  #13879694  601  <marina_velazquez@spam_domain1.org>
        remote  lykos@asia.com
29 May 2014 06:35:05 GMT  #13880108  636  <iva_holman@spam_domain1.org>
        remote  killerbeas@web.de
29 May 2014 06:38:26 GMT  #13880223  677  <kathryn_spence@spam_domain1.org>
        remote  rose91643@sssnet.com
29 May 2014 06:40:44 GMT  #13879786  620  <marisol_harper@spam_domain1.org>
        remote  sipaseud_738@hotmal.com
29 May 2014 07:20:08 GMT  #13880361  642  <candace_hammond@spam_domain2.com>
        remote  korsgaard@aol.dk
29 May 2014 07:21:44 GMT  #13880407  659  <esperanza_barnett@spam_domain2.com>
        remote  korupt.1@bigpond.com.au

Here is what I find when I open the last mail with less


Tkorsgaard@aol.dk^@Received: (qmail 7343 invoked by uid 33); 29 May 2014 07:20:07 -0500
Date: 29 May 2014 07:20:07 -0500
Message-ID: <20140529122007.7341.qmail@ldc2040.aus.us.siteprotect.com>
To: korsgaard@aol.dk
Subject:  Ha ha
From: "Candace Hammond" <candace_hammond@spam_domain2.com>
Reply-To: "Candace Hammond" <candace_hammond@spam_domain2.com>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit



<!-- Contents of spam message removed--> ^@

I see it says UID 33, but there is no mail log file that I can find. This is an Ubuntu server.

How can I isolate the source of the spams?

Are they from a script on the server? If so, how can I locate it?

Can they be from a remote machine? If so, how do I know?

Thanks for any help I really need this fixed ASAP

Paul

user221861
    Either you are an open relay server or your server has been compromised, but it's impossible to say from what you tell us. It's clear however that you don't know enough to fix this yourself. My recommendation would be to get outside help to fix this. – Sven May 29 '14 at 13:30

1 Answer


On Ubuntu, UID 33 is usually www-data, the httpd user. Most likely, someone found an exploitable web script on your server which you need to locate and terminate. Read the httpd logs. For now, stop letting uid 33 send mail or make outgoing connections:

iptables -I OUTPUT ! -o lo -m owner --uid-owner 33 -m conntrack --ctstate NEW -j REJECT

(you may need to use -m state --state NEW on older kernels instead of conntrack)

Then disable sendmail access for httpd.

setfacl -m u:www-data:000 `which sendmail`

to revert:

iptables -D OUTPUT ! -o lo -m owner --uid-owner 33 -m conntrack --ctstate NEW -j REJECT
setfacl -x u:www-data `which sendmail`

Now that it's disabled, you can investigate your scripts at leisure.

Andrew Domaszek
  • Ok, I ran the above command to turn off 33. It seems to have stopped the spam emails. The second command won't run because I need to install setfacl (should I do this?), or am I safe with just running the first command? This just prevents all off-server emails, correct? PHP scripts can still mail without issue? One more question, since you have been so helpful and knowledgeable on this: I can't locate httpd logs in my log folder. Do you know where I might find it, or would it be named something else? Again, thanks so much for taking the time to help. Paul – user221861 May 29 '14 at 14:29
  • Ok, now I see another email that came in after I ran the first command you listed for disabling UID 33: Tjoao300330@mail.com^@Received: (qmail 3477 invoked by uid 33); 29 May 2014 09:43:03 -0500 Date: 29 May 2014 09:43:03 -0500 Message-ID: <20140529144303.3475.qmail@ldc2040.aus.us.siteprotect.com> To: joao300330@mail.com Subject: RE: Haha From: "Jenny Henderson" Reply-To: "Jenny Henderson" X-Priority: 3 (Normal) MIME-Version: 1.0 Is this because I didn't disable sendmail access by running the second command? – user221861 May 29 '14 at 14:45
  • Sorry for all the replies, but I had to run apt-get install acl, then I ran the command setfacl -m u:www-data:000 `which sendmail` and I get the below error: setfacl: /var/qmail/bin/sendmail: Operation not supported – user221861 May 29 '14 at 14:48
  • Just chmod 000 `which sendmail`. I'm surprised your filesystem doesn't support ACLs. – Andrew Domaszek May 29 '14 at 15:01
  • Andrew I did get the command to run after installing ACL so I will still see these mails in the Queue but they are not being sent correct? I am still looking for the httpd log so I can figure out the source with no luck :( – user221861 May 29 '14 at 15:14
  • oh crap actually sorry the command did show the Operation not supported error. so I tried chmod 000 which sendmail and chmod 000 'which sendmail' I get 'which sendmail' No such file or directory – user221861 May 29 '14 at 15:16
  • You have to find out which mail software your system uses, and then disable access for the www user to it. Meanwhile the access is disabled, no PHP scripts can send e-mail. – Tero Kilkanen May 29 '14 at 16:26
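The answer tells the asker to read the httpd logs to find the script that is injecting mail as uid 33. The script below is an added example, not code from the question or the answer: it pulls the uid and the injection timestamp out of a qmail "Received:" header of the form shown in the question, turns that timestamp into the Apache access-log minute prefix, and lists the POST requests logged in that minute. The access-log lines are constructed samples, and the path /images/mailer.php in them is an assumed placeholder, not a file from the asker's server.

```shell
#!/bin/sh
# Added example: correlate a qmail "Received:" header with web-server
# access-log lines to narrow down which script generated a spam message.
# Sample log lines below are constructed; they are not from the question.

# Extract the numeric uid from "(qmail NNN invoked by uid N)".
uid_from_received() {
    # $1: a single Received header line
    printf '%s\n' "$1" | sed -n 's/.*invoked by uid \([0-9][0-9]*\).*/\1/p'
}

# Resolve a uid to a username via the local passwd database, if present.
uid_to_name() {
    # $1: numeric uid
    name=$(getent passwd "$1" 2>/dev/null | cut -d: -f1)
    printf '%s\n' "${name:-$1}"
}

# Convert "29 May 2014 07:20:07 -0500" (qmail format) into the Apache
# combined-log timestamp prefix "29/May/2014:07:20" (minute resolution).
apache_minute_from_received() {
    printf '%s\n' "$1" | sed -n \
        's/.*; \([0-9][0-9]*\) \([A-Za-z]*\) \([0-9]\{4\}\) \([0-9][0-9]:[0-9][0-9]\):.*/\1\/\2\/\3:\4/p'
}

# Print POST requests that the web server logged in the same minute the
# message was injected. $1: Received header; access-log lines on stdin.
suspect_requests() {
    minute=$(apache_minute_from_received "$1")
    grep -F "[$minute" | grep '"POST '
}

# Constructed sample input: the header pattern from the question and three
# access-log lines, one of which is a POST in the injection minute.
SAMPLE_RECEIVED='Received: (qmail 7343 invoked by uid 33); 29 May 2014 07:20:07 -0500'
SAMPLE_ACCESS_LOG='203.0.113.7 - - [29/May/2014:07:19:58 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [29/May/2014:07:20:06 -0500] "POST /images/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/May/2014:07:21:10 -0500] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Stand-alone usage: report the sending uid/user and the candidate requests.
uid=$(uid_from_received "$SAMPLE_RECEIVED")
echo "mail injected by uid $uid ($(uid_to_name "$uid"))"
echo "POST requests in minute $(apache_minute_from_received "$SAMPLE_RECEIVED"):"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | suspect_requests "$SAMPLE_RECEIVED"
```

On a real system the access log would be piped in from the web server's log directory (on Ubuntu typically under /var/log/apache2/ or /var/log/nginx/) instead of the embedded sample, and the same minute-prefix match can be applied to every Received header in the queue to see which request paths recur.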