

Help me catch this spammer using my server




Posted by kenw232, 01-14-2013, 01:48 PM
Hi, I'm running PHP 5.3.16 on Linux 2.4. Someone is using my server via httpd (apache 1.3) to send out spam. I have no idea how. I finally caught how it's at least executing today... here's what "ps -xfao" showed me as it was happening.

(...a bunch of my httpd processes...)
28968 0.4 webserve \_ /apps/apache/httpd -DSSL -f /apps/apache/conf/httpd.conf
29066 0.0 webserve \_ /apps/apache/httpd -DSSL -f /apps/apache/conf/httpd.conf
(...then all these perl processes sending the spam...)
29051 0.2 webserve /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQBVBFB
29052 0.0 webserve \_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQB
29053 0.0 webserve \_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQB
29054 0.0 webserve \_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQB
29055 0.0 webserve \_ /usr/bin/perl
(...many more...)

Does this mean anything to anyone? How would this happen? The user webserve is the user my httpd runs under. So they are definitely using a web site to execute this perl script... I've never seen anything like this. Anyone seen this before? What should I look for? These files (sess_2a6ab54*) simply don't exist anywhere on my filesystem.

Posted by LankapartnerHost, 01-14-2013, 01:50 PM
Is this a shared hosting server ?

Posted by kenw232, 01-14-2013, 10:13 PM
Yes, it's a shared server. I'm the admin. I don't think I can turn off shell_exec and exec though. I'd like to find out how it's happening...

Posted by SolidJoe, 01-15-2013, 01:14 AM
Hire somebody who knows what they are doing.

Posted by Hamada Hassan, 01-15-2013, 01:19 AM
What is your OS? Do you use a control panel, like cPanel/WHM or Plesk, etc.? What is the mail server installed and used on your server?

Posted by kenw232, 01-15-2013, 03:15 AM
Linux 2.4. No control panel or Plesk or anything. Everything is managed by hand. It runs sendmail but the spammers are not sending out through sendmail. I blocked outgoing port 25 so I've effectively stopped the spamming, but they still try, I see. And I want to plug the hole too.

Posted by nixrookie, 01-15-2013, 03:25 AM
Hi, what version of Apache are you running? Do you have ModSecurity installed? Are you using any custom firewalls?

Posted by kenw232, 01-15-2013, 03:41 AM
Old school Apache 1.3.41. Old ModSecurity is installed too. No custom firewall, just iptables with owner-match, which lets me block all outgoing to port 25 that is not sendmail. Anyone know if there is a way to log any and all shell_exec, exec, popen calls in PHP?
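The two questions kenw232 raises above, where the perl processes came from (first post) and how to see what the web server is spawning (this post), can both be approached from the process table rather than from inside PHP. The script below is an added example, not code from the thread: it parses a constructed `ps` listing modelled on the one posted, flags every process running as the web-server user that is not the httpd binary itself (those are the children a request handler started), and, for a live PID, reads `/proc/<pid>/cwd`, `exe` and `fd` so a script launched as `./sess_...` can be traced back to the directory it was run from even after it was unlinked from disk. The user name `webserve`, the httpd path and the sample lines are taken from the post; the `ps -eo` column set in the main block is an assumption chosen for portability.

```python
"""Find non-httpd processes spawned under the web-server user and recover
what /proc still knows about them. Added example, not from the thread."""
import os
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the thread's `ps -xfao` output
# (columns: pid %cpu user command). Argument lists are shortened.
SAMPLE_PS = """\
28968 0.4 webserve \\_ /apps/apache/httpd -DSSL -f /apps/apache/conf/httpd.conf
29066 0.0 webserve \\_ /apps/apache/httpd -DSSL -f /apps/apache/conf/httpd.conf
29051 0.2 webserve /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11
29052 0.0 webserve \\_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11
29100 0.0 root /usr/sbin/sendmail -bd -q1h
"""

WEB_USER = "webserve"                 # from the post
EXPECTED_BINARY = "/apps/apache/httpd"  # from the post

LINE_RE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+)\s+(.*)$")


@dataclass
class Proc:
    pid: int
    user: str
    argv: str  # command line with the "\_ " tree markers removed


@dataclass
class Evidence:
    cwd: Optional[str] = None
    exe: Optional[str] = None
    deleted_fds: List[str] = field(default_factory=list)


def parse_ps(text: str) -> List[Proc]:
    """Turn `ps` lines (pid, %cpu, user, command) into Proc records."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        pid, user, cmd = m.groups()
        cmd = re.sub(r"^(\\_\s*)+", "", cmd)  # strip the forest drawing
        procs.append(Proc(int(pid), user, cmd))
    return procs


def suspicious(procs: List[Proc]) -> List[Proc]:
    """Anything running as the web user that is not httpd itself was started
    by a request handler (CGI, PHP exec()/popen(), ...) and deserves a look."""
    return [p for p in procs
            if p.user == WEB_USER and not p.argv.startswith(EXPECTED_BINARY)]


def script_of(p: Proc) -> Optional[str]:
    """For an interpreter invocation, return the script argument (2nd token).
    A relative path such as ./sess_... means the process's cwd is the
    directory the script lived in, which is the site to inspect."""
    parts = p.argv.split()
    return parts[1] if len(parts) > 1 else None


def proc_evidence(pid: int) -> Evidence:
    """Read cwd, exe and open fds from /proc for a live process. An unlinked
    file that the process still holds open shows as '... (deleted)' and its
    bytes can be copied out of /proc/<pid>/fd/N before the process exits."""
    base = f"/proc/{pid}"
    ev = Evidence()
    try:
        ev.cwd = os.readlink(f"{base}/cwd")
        ev.exe = os.readlink(f"{base}/exe")
        for fd in os.listdir(f"{base}/fd"):
            target = os.readlink(f"{base}/fd/{fd}")
            if target.endswith("(deleted)"):
                ev.deleted_fds.append(f"{fd} -> {target}")
    except OSError:
        pass  # process already gone, or not our process and not root
    return ev


if __name__ == "__main__":
    out = subprocess.run(["ps", "-eo", "pid,pcpu,user,args"],
                         capture_output=True, text=True, check=True).stdout
    for p in suspicious(parse_ps(out)):
        ev = proc_evidence(p.pid)
        print(f"pid {p.pid}: {p.argv}\n  script={script_of(p)} cwd={ev.cwd} "
              f"exe={ev.exe} deleted_fds={ev.deleted_fds}")
```

Run it as root (or as the web user) while the processes are alive; the cwd of a `./sess_*` child points at the writable directory the dropper used, which is where the upload or include path in the vulnerable site should be looked for, and the fd list is the only place left to copy the script from once it has been deleted.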

Posted by nixrookie, 01-15-2013, 06:27 AM
Playing with modsec rules can help you here. http://www.modsecurity.org/documenta...e/actions.html

Posted by kenw232, 01-15-2013, 09:15 AM
Thanks, I've had to turn off ModSecurity on a lot of sites because of WordPress. That's probably why.

Posted by nixrookie, 01-15-2013, 12:05 PM
Turning off ModSecurity is not a good option. WordPress plugins are infamous for vulnerabilities. I would suggest adding some exemption rules for ModSecurity in the .htaccess file for the accounts with WP installations. You can find the rules easily on a Google search. I can list them here if you want.

Posted by kenw232, 01-15-2013, 01:46 PM
My ModSecurity version is too old for your rules probably... I'm not running version 2.

Posted by BestServerSupport, 01-16-2013, 12:08 PM
For your information, you can disable a ModSecurity rule for a certain website. I mean you can disable rules for websites using WordPress. You need to add the following tags in the .htaccess file of the domain to disable rules: SecRuleEngine Off
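The directive above switches the whole engine off for every request the .htaccess covers. An added example (not from the thread) of the narrower form a practitioner would prefer: keep the engine on for the site, drop only the rules that trip on WordPress, and confine any full exemption to the WordPress directory. The `/srv/www/example.com` path and the rule id are placeholders; `SecRuleEngine` and `SecRuleRemoveById` are ModSecurity 2.x directives, and the 1.x equivalent of the engine switch (the series kenw232 says he is still on) is `SecFilterEngine`.

```apache
# ModSecurity 2.x, in the vhost or httpd.conf (placeholder paths)
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /srv/www/example.com

    # Engine stays on for the site; audit log keeps recording what the
    # spam script's requests looked like.
    SecRuleEngine On
    SecAuditEngine RelevantOnly

    # Remove only the rule that false-positives on WordPress instead of
    # the whole engine (RULE_ID_PLACEHOLDER is whatever the audit log names).
    <Directory /srv/www/example.com/wp-admin>
        SecRuleRemoveById RULE_ID_PLACEHOLDER
    </Directory>

    # If a directory truly cannot run with the engine, limit the Off to it.
    <Directory /srv/www/example.com/wp-content/uploads>
        SecRuleEngine Off
    </Directory>
</VirtualHost>

# ModSecurity 1.x equivalent of the engine switch, for a single directory only
# <Directory /srv/www/example.com/wp-content/uploads>
#     SecFilterEngine Off
# </Directory>
```

Narrowing the exemption this way means a request that executes something from an uploads directory is still logged by the rest of the site's rules, which is exactly the trail this thread is missing.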
