
How to find script that is sending spam?

Posted: Wed Feb 15, 2017 1:27 pm
by kandalf
My server is sending spam but I can't figure out which script is sending it. I have more than 50 websites hosted in multiple user accounts.

I have tested this command

Code:

grep cwd /var/log/exim/main.log|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
This should tell me the paths of the scripts that are sending emails, but I get this:

3
21854 /
Any tips? Is there any log that I can enable on exim to start recording which script is sending the emails?

Re: How to find script that is sending spam?

Posted: Wed Feb 15, 2017 5:35 pm
by mehargags
sorry,
this isn't so straightforward to find out. There are many threads here about this, including how to rate limit Mail Sending from your VPS.

Sadly the breach won't stop just at the mail, your server is compromised and you'll need to
1. read and research a lot
or
2. hire someone professional to fix it for you

Do you have each website in a different VestaCP user? If not, there isn't much you can do.

Here's a good start point

To start off!

# Check abusing domain: Generate Exim Stats (helped by Skurudo)

Code:

eximstats -nr -html -byemaildomain -bydomain /var/log/exim4/mainlog > /root/stats-bydomain$(date +"%b-%d-%H%M%S").html
It will create an HTML file with today's date and time in your /root which you can analyze.

Re: How to find script that is sending spam?

Posted: Thu Feb 16, 2017 1:52 am
by kandalf
Here are some logs from exim.

Code:

2017-02-16 01:41:01 [2584] 1ce9cW-0003CK-8N => [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=8572 H=mailin-03.mx.aol.com [152.163.0.100]:25 I=[176.58.109.90]:59700 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=yes DN="/C=US/ST=Virginia/L=Dulles/O=AOL Inc./OU=AOL Mail/CN=mx.aol.com" C="250 2.0.0 Ok: queued as 6010B70000083" QT=1h32m37s DT=3s
2017-02-16 01:41:02 [2185] 1ce9VA-0002qP-5P H=malabo.co [69.172.201.153]:25 Connection timed out
2017-02-16 01:41:02 [2184] 1ce9VA-0002qP-5P == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2017-02-16 01:41:02 [2584] 1ce9cW-0003CK-8N => [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=8565 H=mx3.hotmail.com [65.55.37.120]:25 I=[176.58.109.90]:41122 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes DN="/CN=*.hotmail.com" K C="250  <[email protected]> Queued mail for delivery" QT=1h32m38s DT=1s
2017-02-16 01:41:02 [2584] 1ce9cW-0003CK-8N -> [email protected] F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp S=8565 H=mx3.hotmail.com [65.55.37.120]:25 I=[176.58.109.90]:41122 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=yes DN="/CN=*.hotmail.com" K C="250  <[email protected]> Queued mail for delivery" QT=1h32m38s DT=1s
I think the spam is coming from dovecot, since when I stop the dovecot service the exim queue stops increasing. Is this log useful? I have hundreds of emails from [email protected], which is not one of my websites.

Re: How to find script that is sending spam?

Posted: Thu Feb 16, 2017 7:01 am
by mehargags
kandalf:
you didn't even bother to read what I suggested... did you ?

and then... people like you will yell on the forum "no one helps"

Re: How to find script that is sending spam?

Posted: Thu Feb 16, 2017 10:49 am
by kandalf
mehargags wrote:kandalf:
you didn't even bother to read what I suggested... did you ?

and then... people like you will yell on the forum "no one helps"

Sorry mehargags, I put the log because I was under an attack at that time.

Here is a link to the information that I got using your command http://fabricadeapps.pt/stats-bydomainF ... 04439.html

I looked at that file and there is a lot of information, but I don't know what I should look for.

Re: How to find script that is sending spam?

Posted: Fri Feb 17, 2017 7:06 am
by mehargags
check these sections in the HTML

Code:

Top 50 mail rejection reasons by message count
Top 50 sending domains by message count
Top 50 local senders by message count
Top 50 local senders by volume 
 
Doesn't that give you an idea ?

Re: How to find script that is sending spam?

Posted: Fri Feb 17, 2017 10:51 am
by kandalf
mehargags wrote:check these sections in the HTML

Code:

Top 50 mail rejection reasons by message count
Top 50 sending domains by message count
Top 50 local senders by message count
Top 50 local senders by volume 
 
Doesn't that give you an idea ?
- The "Top 50 mail rejection reasons by message count" are "unknown" and "SMTP Sender rate overlimit", so the spam is being sent using SMTP.

- "Top 50 sending domains by message count": I don't know exactly what this means, can you give me a tip? None of the sending domains are websites hosted on my server, maybe only the "localdomain".

- "Top 50 local senders by message count": this shows the users on my server; exim is the one that is sending a lot of emails, and only "exim" and "root" are not real users with websites. So the spam is being sent through the exim account.

- "Top 50 local senders by volume" is the same as above: exim is the one that is sending many emails.

So the spam is being sent through SMTP and not from a script. How can I prevent this?

Note I cleared the exim log, so tomorrow I will only see the most recent information in the logs.
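As an added example (not code from the thread), the following script does in one pass what the cwd grep in the first post and the eximstats sections above do by hand: it reads exim's mainlog, counts local injections by the script directory, and counts authenticated SMTP submissions by the account and the HELO name the client announced, so a compromised account shows up as one login with an outsized count. The log lines are constructed for the example; it assumes the `cwd=` lines come from `log_selector = +arguments` and that authenticated submissions carry `P=esmtpa`/`P=esmtpsa` and an `A=dovecot_login:...` tag, which is exim's standard format.

```python
import re
from collections import Counter

# Constructed sample of exim mainlog lines (not taken from the thread). The first four are
# "cwd=" lines written when log_selector includes +arguments, which the grep in the first
# post expects; the "<=" lines are message arrivals, three of them authenticated SMTP
# submissions (P=esmtpa/esmtpsa, A=dovecot_login:...), two from a client announcing the
# HELO name "ylmf-pc".
SAMPLE_LOG = """\
2017-02-16 01:40:00 cwd=/home/site1/web/site1.example/public_html 3 args: /usr/sbin/sendmail -t -i
2017-02-16 01:40:05 cwd=/home/site1/web/site1.example/public_html 3 args: /usr/sbin/sendmail -t -i
2017-02-16 01:40:06 cwd=/ 2 args: /usr/sbin/exim4 -q
2017-02-16 01:40:07 cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc 1ce9cA-0001aa-AA
2017-02-16 01:40:10 1ce9cC-0001ac-AC <= info@site2.example H=(ylmf-pc) [192.0.2.10] P=esmtpa A=dovecot_login:info@site2.example S=8500
2017-02-16 01:40:11 1ce9cD-0001ad-AD <= info@site2.example H=(ylmf-pc) [192.0.2.11] P=esmtpsa A=dovecot_login:info@site2.example S=8502
2017-02-16 01:40:12 1ce9cE-0001ae-AE <= bob@site3.example H=mail.site3.example [198.51.100.7] P=esmtpa A=dovecot_login:bob@site3.example S=900
2017-02-16 01:41:01 1ce9cW-0003CK-8N => someone@aol.example F=<info@site2.example> R=dnslookup T=remote_smtp S=8572
"""

ARRIVAL = re.compile(r" <= \S+ (?P<rest>.*)")               # message-arrival line
TAG = re.compile(r"\b(?P<k>[A-Z]+)=(?P<v>\([^)]*\)|\S+)")    # H=(helo) or H=host, P=, A=, S=
CWD = re.compile(r"\bcwd=(\S+)")                              # from log_selector +arguments
AUTHENTICATED = {"esmtpa", "esmtpsa"}                         # ESMTP with AUTH (and TLS)

def summarise(text):
    """Count message origins: working directory for local injections (scripts),
    authenticated account and HELO name for SMTP submissions."""
    by_cwd, by_auth, by_helo = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = ARRIVAL.search(line)
        if m:
            f = {t.group("k"): t.group("v") for t in TAG.finditer(m.group("rest"))}
            if f.get("P") in AUTHENTICATED:
                by_auth[f.get("A", "?")] += 1
                by_helo[f.get("H", "?")] += 1
            continue
        c = CWD.search(line)
        if c and not c.group(1).startswith("/var/spool"):   # skip exim's own spool runs
            by_cwd[c.group(1)] += 1
    return by_cwd, by_auth, by_helo

def suspicious_accounts(by_auth, threshold):
    """Authenticated accounts that injected at least `threshold` messages."""
    return sorted(a for a, n in by_auth.items() if n >= threshold)

if __name__ == "__main__":
    cwd, auth, helo = summarise(SAMPLE_LOG)
    for label, counter in (("cwd", cwd), ("auth", auth), ("HELO", helo)):
        for item, n in counter.most_common():
            print(f"{n:6d}  {label}: {item}")
    print("over limit:", suspicious_accounts(auth, 2))
```

On a real server, feed it `/var/log/exim4/mainlog` (or `/var/log/exim/main.log`) instead of the sample and raise the threshold to a value above your legitimate users' daily volume.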

Re: How to find script that is sending spam?

Posted: Tue Feb 21, 2017 10:22 am
by kandalf
I found the problem: I was being attacked by "ylmf-pc", a well-known botnet. It does a brute-force attack, found the password of one of my clients and started sending spam. In the logs I found the account and changed the password.

But more importantly I blocked the "helo" command in the exim configuration file.

This is what I added to the exim.conf (it might help someone):

Code:

# main section (before the first "begin" line)
acl_smtp_helo = acl_check_helo

# ACL section (after "begin acl")
acl_check_helo:
  drop
    condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = I Nailed You at HELO
  accept
I also activated fail2ban on SMTP, to prevent multiple attempts from the same IP.

Re: How to find script that is sending spam?

Posted: Sat Sep 23, 2017 8:59 am
by MiguelVESTACP
kandalf wrote:I found the problem: I was being attacked by "ylmf-pc", a well-known botnet. It does a brute-force attack, found the password of one of my clients and started sending spam. In the logs I found the account and changed the password.

But more importantly I blocked the "helo" command in the exim configuration file.

This is what I added to the exim.conf (it might help someone):

Code:

# main section (before the first "begin" line)
acl_smtp_helo = acl_check_helo

# ACL section (after "begin acl")
acl_check_helo:
  drop
    condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = I Nailed You at HELO
  accept
I also activated fail2ban on SMTP, to prevent multiple attempts from the same IP.
Nice tip on vestacp security.

And what configuration have you done to fail2ban on smtp?