3

For the last 3 months I have been getting emails from my hosting provider saying that my server is sending spam emails, and today I did some research on it and found that it actually is. I used exim to check out the situation and it showed an output of 28 with the command exim -bpc, and then I used exim -bp and also found the IDs and used exim -Mvh id. I tested all the IDs, but it didn't provide the source of the script. After that, I also tried to check exim/main.log, but it didn't provide any output.

I have already scanned the server with an antivirus and it didn't find anything. I also formatted the server, but still no benefit. Please let me know if you can help in detecting the script which is sending spam.

Falcon Momot
Kinshuk Lahiri

4 Answers

3

Run exim -bP log_file_path to get a templated log-file path; replace %s with main, and use that as the logfile to look at. (also %D for date, etc). If that really points to the same main.log file which you looked at, then use lsof, see if you have broken log-file rotation or something. If the file is the current log-file, the filesystem is not full, messages are flowing but the log is empty, then you have a compromised system.

Look to see where the messages came from. If they came from a local user, then that user is injecting mail; if that's a web-hosting user, then you need to figure out which PHP application is out-of-date and letting spammers abuse you. Commercial abuse of PHP apps has been happening for at least 12 years. There are various options you can apply to your webserver and PHP configs to lock down sender addresses, if you have a lot of vhosts and can't identify the source.

If the messages are coming from remote IP addresses, figure out what you did to turn yourself into an open relay.

If there is an authenticated user showing up, then they had a weak password: don't allow user-chosen passwords for SMTP. Use strong passwords which you generate, tell users that they're allowed to write them down. Consider looking over the Exim wiki at rate-limiting examples, to rate-limit abusive SMTP AUTH attempts.

If the connections are not authenticated, and are just remote open relay, then the issue depends upon how much you've customized your Exim configure file (run exim -bV to find the path to the active config file). If it's fairly close to stock, then you have a hostlist named relay_from_hosts and you might have rather too many hosts in that. Lock it down.

Phil P
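As an added example (not code from this answer, nor part of Exim itself), the script below does the first two steps of the triage above in shell: it expands the log_file_path template to the main log's path, and tallies every "<=" arrival line by how the message entered Exim (local user, SMTP AUTH user, or unauthenticated remote host). The log lines are constructed samples; the template string is assumed to be taken from exim -bP log_file_path as described.

```shell
#!/bin/sh
# Added example, not code from the answer above: attribute queued or delivered
# spam to its injection path from Exim's main log, in the order the answer gives.

# Expand the log_file_path template printed by `exim -bP log_file_path`
# into the main log's path: %s -> "main", %D -> today's date as yyyymmdd.
expand_log_path() {
  printf '%s\n' "$1" | sed -e 's/%s/main/g' -e "s/%D/$(date +%Y%m%d)/g"
}

# Classify every message-arrival ("<=") line read on stdin:
#   local:<user>  injected locally (U= field), e.g. a PHP script run by the web user
#   auth:<user>   accepted over SMTP AUTH (A= field): that account's password is weak or stolen
#   relay:<ip>    unauthenticated remote host ([ip] field): check relay_from_hosts
# Output is "count source", most frequent first; delivery ("=>") lines are ignored.
count_sources() {
  awk '$4 == "<=" {
    src = ""; ip = ""
    for (i = 5; i <= NF; i++) {
      if ($i ~ /^U=/) src = "local:" substr($i, 3)
      else if ($i ~ /^A=/) {
        split(substr($i, 3), a, ":"); src = "auth:" (a[2] != "" ? a[2] : a[1])
      }
      else if (substr($i, 1, 1) == "[") { ip = substr($i, 2); sub(/].*$/, "", ip) }
    }
    if (src == "") src = (ip == "") ? "unknown" : "relay:" ip
    n[src]++
  }
  END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample lines (not from any real server) in Exim main.log format.
SAMPLE_LOG='2014-03-10 09:12:01 1WN1aa-0001aa-AA <= bounce@example.com U=www-data P=local S=2048
2014-03-10 09:12:05 1WN1aa-0001ab-AB <= joe@example.com H=(mail.example.net) [198.51.100.7] P=esmtpa A=plain:joe S=1500
2014-03-10 09:12:09 1WN1aa-0001ac-AC <= bulk@example.org H=relay.example.org [203.0.113.9] P=esmtp S=3000
2014-03-10 09:12:12 1WN1aa-0001ad-AD <= bounce@example.com U=www-data P=local S=2100
2014-03-10 09:12:20 1WN1aa-0001ae-AE => joe@example.com R=dnslookup T=remote_smtp'

# On a live box: count_sources < "$(expand_log_path '/var/log/exim/%slog')"
# (substitute the template that exim -bP log_file_path prints on your system).
printf '%s\n' "$SAMPLE_LOG" | count_sources
```

The top line of the output names the injection path to chase first; a local web-server user there points at a web application, an auth user at a stolen password, and a bare IP at an open relay.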
1

As root, you can use ps aux to show all the processes, and look for anything suspicious. You can also use find /path/to/cgi-bin -iname \*.php to look for attacker-introduced PHP scripts.

But, it might not be seen by either of those things depending on what the attack is. If you suspect an attacker has control over your server, looking for the script is an exercise in forensics, not remediation. Follow the directions at How do I deal with a compromised server?.

Falcon Momot
1

I had the same problem. This even resulted in getting my IPs blacklisted.

My host recommended that I add the pyxsoft anti-malware plugin on WHM.

It detected the infected files in WordPress; the spam stopped when I deleted those files, but they kept coming back every day, so I had to delete them every time.

Then I consulted my host again and they recommended going with CXS: http://configserver.com/cp/cxs.html

I have not tried this yet, but I hope it will look after the compromised web hosts in a better way.

Hyder
0

As you are using exim, it is likely you are running some distribution of Linux. If so, you can use iptables to block outgoing connections to port 25. In your case, you may want to drop the connections so that they will stick around for a while. Monitor the system with netstat -antp | grep :25 to determine which process is trying to send a message. Then you can check the process to see where it is running from. You can use kill -STOP to prevent the process from running, to give you even more time to examine it.

If you do need to send emails while doing this, exempt the user that exim runs as from the iptables rule. This will allow exim to send mail while blocking other users.

If you have a web server running, it may be that you have a script included that sends email. Some of the available scripts allow spammers to send email using your server. There are a number of other ways to send email from a server that will not be caught by a virus scanner. Until you identify how the email is being sent, blocking with iptables may be your best bet.

BillThor