Spam issue is one of the major concerns in the server world. There are innumerable ways by which spamming occurs on a VPS and some of the most common causes for spamming on VPS are
- Email Account compromised
- Email accounts will be spoofed and used to send spam emails
- Compromised contact forms
- Mails sent using vulnerable scripts
- Intruder attack and sql code injection through 3rd party and insecure themes and applications installed inside the VPS etc.
Here I have discussed some spam locating and removal measures.
Contents:
1) Analysing email count with sender
2) Locate the spam sending script
3) Finding “nobody” spamming, issue
4) Using number of connection on port 25
5) X-PHP-Script from the email header and body
6) Finding Vulnerabilities and Backdoor PHP shell script on a server
7) blocking the IP address responsible for spamming in csf or apf firewall.
Changing the email, Cpanel plesk admin password1) Analysing email count with sender
In Exim server we can check the mail queue using the following commands
exim -bpc – it will list the total number of mails in the queue
To check the bulk email sender we can use the below command
exim -bpr | grep "<" | awk {'print $4'} | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
20 Sajan2@pscloud2.com
100 sajan3@pscloud3.com
10987 sajan4@pscloud4.com
The result itself shows that bulk emails are generating from the email account sajan4@pscloud4.com we can change the email password immediately.
In Qmail server
/var/qmail/bin/Qmail-qstat – It will list the total number mails in the queue
# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user |awk ‘{print $9}’ |sort |uniq -c |sort -n
This will show email from each domain
2) Locate the spam sending script
The following command will check the spamming script location
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
10 cwd=/home/sajan1/public_html
20 cwd=/home/sajan2/public_html/test
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n815 cwd=/home/sajan3/public_html/plugins
123476 cwd=/home/sajan4/public_html/templates/yoo_revista/warp/menus/page.php
45673304 cwd=/home/sajan5/public_html/wp/wp-content/themes/twentyseven
In this case, please make sure that cx are using latest version of CMS (Eg; WordPress, Joomla etc), plugins and themes.
if we need to find out exact spamming script. The following script will shows the current spamming script running now.
ps auxwwwe | grep sajan5 | grep --color=always "home/sajan5/public_html/wp/wp-content/themes/twentyseven" | head
Once you find the exact script please nullroute the permission annd set attributes.
Chmod 000 /home/sajan5/public_html/wp/wp-content/themes/twentyseven/test.php
chattr +ai /home/sajan5/public_html/wp/wp-content/themes/twentyseven/test.php
(once we got confirmation from the cx we can remove the same )
In Qmail
/var/qmail/bin/Qmail-qread – We can use the qmail-qread utility to read the messages.
Eg: 24 Aug 2010 05:08:09 GMT #20180455 6064 <user@domain.com> bouncing
done remote user1@domain1.com
done remote user2@domain2.com
done remote user3@domain3.com
If the message has too many recipients then it is most probably spam
3) Finding “nobody” spamming, issue
ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
It will give some result like:
Example :
6 PWD=/
547 PWD = /home/sajan/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)
The above command is valid only if the spamming is currently in progress. If the spamming has happened before, use the following command.
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
4) Using number of connection on port 25
# netstat -plan|grep :25|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
This commang give the IP which has connection on port 25.
If one particular Ip is using more than 10 connection we can block it in the csf firewall.
5) X-PHP-Script
In Exim
exim -Mvh ID
This command displays the message header. From the output displayed we can check from address, to address, subject, date, script etc.
Example: Spamming from PHP script
54445P Received: from $sajan by vps.server.myhosting.com with local (Exim 4.82)
(envelope-from <$test@server.ahostname.com>)
id 1YZUIE-00053-lp
for test@yahoo.com; mond, 23 jan 2017 20:07:08 -0400
027T To: test@yahoo.com
019 Subject: Hello test
091 X-PHP-Script: pscloud.com/templates/yoo_revista/warp/menus/page.php for "IP.Address"
023 X-Priority: 3 (Normal)
from the X-PHP-Script” in the email header, we can confirm that the email was sent from a PHP script. In the above example the emails were sent from PHP script (X-PHP-Script: pscloud.com/templates/yoo_revista/warp/menus/page.php).
Note
Some times the auth id email address and the email address in the exim mail queue is different.( spoofing )
In Qmail
To read the entire contents of an email queue
find /var/qmail/queue -name NNNN : Where NNNN is the 8 digit id specified on the
/var/qmail/bin/qmail-qread command
cat /var/qmail/queue/mess/19/NNNN
If you are finding something like:
Received: (qmail 19514 invoked by uid 10252); 24 Aug 2010 05:08:06 +0500
It means that the mentioned message was sent via a CGI script by user with UID 10252. We can use this UID to find the corresponding domain:
# grep 10252 /etc/passwd
b. If you are finding lines like:
Received: (qmail 19514 invoked from network); 24 Aug 2010 05:08:06 +0500
Received: from external_domain.com (192.168.0.1)
It means that the message was accepted for delivery via SMTP and the sender is an authorized mail user.
c. If the Received line contains an UID of an apache user (for example invoked by uid 48), it means that the spam was sent via a PHP script. In this case you can try to find the spammer using information from the spam e-mails (from/to addresses, subjects, etc).
Ex: Received: (qmail 14322 invoked by uid 48); 2 Sep 2010 04:14:35 -0400
To check PHP scripts are running in real-time:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ‘ { if(!str) { str=$1 } else {str=str”,”$1}}END{print str}’` | grep vhosts | grep php
6) Finding Vulnerabilities and Backdoor PHP shell script on a server
hackers sometimes install a backdoor shell script designed to allow them to regain entry even after we’ve cleaned up the site,
Backdoor scripts often need to use PHP commands that most legitimate scripts don’t, so you can search the files in your site for those commands. There are search utility programs you can use for finding text in files:
*) passthru
shell_exec
system
phpinfo
base64_decode
edoced_46esab
chmod
mkdir
„ (backticks with an operating system command between them)
fopen
fclose
readfile
Sample text searches for suspicious PHP code.
grep -RPn “(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(” /var/www
grep -Rn “base64_decode *(” /var/www
grep -Rn “edoced_46esab *(” /var/www
find /var/www/vhosts/ -name \*.php -type f -print0 | xargs -0 grep “base64_decode
7) blocking the IP address responsible for spamming in csf or apf firewall.
grep "<script_name>" /home/user/access-logs/testdomain.com | awk '{print $1}' | sort -n | uniq -c | sort -n
The following script will help you to find the IP address which is responsible for spamming. You will get a list of IPs from the following script. The IPs address which has high number of access is most probably causing spamming.
Csf -d x.x.x.x
Changing the email, cpanel and plesk admin account password
Không có nhận xét nào:
Đăng nhận xét