Server being used to send spam mail. How do I investigate?
- by split_account
Problem
I think my server is being used to send spam with sendmail, I'm getting a lot of mail being queued up that I don't recognize and my mail.log and syslog are getting huge.
I've shutdown sendmail, so none of it is getting out but I can't work out where it's coming from.
Investigation so far:
I've tried the solution in the blog post below and also shown in this thread.
It's meant to add a header from wherever the mail is being added and log all all mail to file, so I changed the following lines in my php.ini file:
mail.add_x_header = On
mail.log = /var/log/phpmail.log
But nothing is appearing in the phpmail.log.
I used the command here to investigate cron jobs for all users, but nothing is out of place. The only cron being run is the cron for the website.
And then I brought up all php files which had been modified in the last 30 days but none of them look suspicious.
What else can I do to find where this is coming from?
Mail.log reports
Turned sendmail back on for second. Here is a small sample of the reports:
Jun 10 14:40:30 ubuntu12 sm-mta[13684]: s5ADeQdp013684: from=<>, size=2431, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Jun 10 14:40:30 ubuntu12 sm-msp-queue[13674]: s5ACK1cC011438: to=www-data, delay=01:20:14, xdelay=00:00:00, mailer=relay, pri=571670, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s5ADeQdp013684 Message accepted for delivery)
Jun 10 14:40:30 ubuntu12 sm-mta[13719]: s5ADeQdp013684: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32683, dsn=2.0.0, stat=Sent
Jun 10 14:40:30 ubuntu12 sm-mta[13684]: s5ADeQdr013684: from=<[email protected]>, size=677, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Jun 10 14:40:31 ubuntu12 sm-msp-queue[13674]: s5AC0gpi011125: to=www-data, ctladdr=www-data (33/33), delay=01:39:49, xdelay=00:00:01, mailer=relay, pri=660349, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s5ADeQdr013684 Message accepted for delivery)
Jun 10 14:40:31 ubuntu12 sm-mta[13721]: s5ADeQdr013684: to=<[email protected]>, ctladdr=<[email protected]> (33/33), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30946, dsn=2.0.0, stat=Sent
Jun 10 14:40:31 ubuntu12 sm-mta[13684]: s5ADeQdt013684: from=<[email protected]>, size=677, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Jun 10 14:40:31 ubuntu12 sm-msp-queue[13674]: s5ACF2Nq011240: to=www-data, ctladdr=www-data (33/33), delay=01:25:29, xdelay=00:00:00, mailer=relay, pri=660349, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (s5ADeQdt013684 Message accepted for delivery)
Jun 10 14:40:31 ubuntu12 sm-mta[13723]: s5ADeQdt013684: to=<[email protected]>, ctladdr=<[email protected]> (33/33), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30946, dsn=2.0.0, stat=Sent
Ju
Further Investigation
Spotted 4 spam accounts registered in the past day, which is suspicious however all have normal user privileges.
There are no contact forms on the site, there are a number of forms and they take either filtered text input or plain text input.
Mail is still being queued up having switched the website to maintenance mode, which blocks out everyone but the admin.
Ok more investigation, it looks like the email is being send by my websites cron which runs every 5 minutes. However there are no cron jobs I've set-up which run more than once an hour and show on the website log so presumably someone has managed to edit my cron somehow.
Copy of email:
V8
T1402410301
K1402411201
N2
P120349
I253/1/369045
MDeferred: Connection refused by [127.0.0.1]
Fbs
$_www-data@localhost
${daemon_flags}c u
Swww-data
[email protected]
MDeferred: Connection refused by [127.0.0.1]
C:www-data
rRFC822; [email protected]
RPFD:www-data
H?P?Return-Path: <?g>
H??Received: (from www-data@localhost)
by ubuntu12.pcsmarthosting.co.uk (8.14.4/8.14.4/Submit) id s5AEP13T015507
for www-data; Tue, 10 Jun 2014 15:25:01 +0100
H?D?Date: Tue, 10 Jun 2014 15:25:01 +0100
H?x?Full-Name: CronDaemon
H?M?Message-Id: <[email protected]>
H??From: root (Cron Daemon)
H??To: www-data
H??Subject: Cron <www-data@ubuntu12> /usr/bin/drush @main elysia-cron
H??Content-Type: text/plain; charset=ANSI_X3.4-1968
H??X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin>
H??X-Cron-Env: <COLUMNS=80>
H??X-Cron-Env: <SHELL=/bin/sh>
H??X-Cron-Env: <HOME=/var/www>
H??X-Cron-Env: <LOGNAME=www-data>
