Help me catch this spammer using my server
Posted by kenw232, 01-14-2013, 01:48 PM |
Hi, I'm running PHP 5.3.16 on Linux 2.4. Someone is using my server via httpd (apache 1.3) to send out spam. I have no idea how. I finally caught how it's at least executing today... here's what "ps -xfao" showed me as it was happening.
(...a bunch of my httpd processes...)
28968 0.4 webserve \_ /apps/apache/httpd -DSSL -f /apps/apache/conf/httpd.conf
29066 0.0 webserve \_ /apps/apache/httpd -DSSL -f /apps/apache/conf/httpd.conf
(...then all these perl processes sending the spam...)
29051 0.2 webserve /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQBVBFB
29052 0.0 webserve \_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQB
29053 0.0 webserve \_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQB
29054 0.0 webserve \_ /usr/bin/perl ./sess_2a6ab540b0077fcbb26a26579707559a -cc 111 -rc 11 -i UAVb -c UAVVHw0eVwsfAlUG:WQM= -r AlNQAAICXFYEBwNTUQ8EAwBdA1ZRAQNVBQB
29055 0.0 webserve \_ /usr/bin/perl
(...many more...)
Does this mean anything to anyone? How would this happen? The user webserve is the user my httpd runs under. So they are definitely using a web site to execute this perl script... I've never seen anything like this. Anyone seen this before? What should I look for? These files (sess_2a6ab54*) simply don't exist anywhere on my filesystem.
|
Posted by LankapartnerHost, 01-14-2013, 01:50 PM |
Is this a shared hosting server ?
|
Posted by kenw232, 01-14-2013, 10:13 PM |
Yes, it's a shared server. I'm the admin. I don't think I can turn off shell_exec and exec though. I'd like to find out how it's happening...
|
Posted by SolidJoe, 01-15-2013, 01:14 AM |
Hire somebody who knows what they are doing.
|
Posted by Hamada Hassan, 01-15-2013, 01:19 AM |
What is your OS?
Do you use a control panel, like cPanel/WHM or Plesk, etc.?
What is the mail server installed and used on your server?
|
Posted by kenw232, 01-15-2013, 03:15 AM |
Linux 2.4. No control panel or Plesk or anything. Everything is managed by hand. It runs sendmail but the spammers are not sending out through sendmail. I blocked outgoing port 25 so I've effectively stopped the spamming, but they still try, I see. And I want to plug the hole too.
|
Posted by nixrookie, 01-15-2013, 03:25 AM |
Hi,
What version of apache are you running?
Do you have modsecurity installed ?
Are you using any custom firewalls?
|
Posted by kenw232, 01-15-2013, 03:41 AM |
Old-school Apache 1.3.41. Old modsecurity is installed too. No custom firewall, just iptables with owner-match, which lets me block all outgoing to port 25 that is not sendmail. Anyone know if there is a way to log any and all shell_exec, exec, popen calls in PHP?
|
Posted by nixrookie, 01-15-2013, 06:27 AM |
Playing with modsec rules can help you here.
http://www.modsecurity.org/documenta...e/actions.html
|
Posted by kenw232, 01-15-2013, 09:15 AM |
Thanks, I've had to turn off modsecurity on a lot of sites because of WordPress. That's probably why.
|
Posted by nixrookie, 01-15-2013, 12:05 PM |
Turning off modsecurity is not a good option. WordPress plugins are infamous for vulnerabilities. I would suggest adding some exemption rules for modsecurity in the .htaccess file for the accounts with WP installations.
You can find the rules easily with a Google search. I can list them here if you want.
|
Posted by kenw232, 01-15-2013, 01:46 PM |
My modsecurity version is too old for your rules probably... I'm not running version 2.
|
Posted by BestServerSupport, 01-16-2013, 12:08 PM |
For your information, you can disable modsecurity rules for certain websites. I mean you can disable rules for websites using WordPress.
You need to add the following tag in the .htaccess file of the domain to disable rules:
SecRuleEngine Off
|