

Apache Sending Spam




Posted by jtobin, 08-29-2007, 11:18 AM
Yesterday my mail logs started showing many a spam email being sent from my server. There isn't anything mission critical running on it, so I took down qmail until I could find the vulnerability and fix it. But try as I might, I haven't found any conclusive vulnerability, so I thought to ask here where someone with more experience might spot something obvious that I've missed (I'm still somewhat new to this). Anyway, the qmail logs show that the messages came from uid 48, apache. Log excerpt (sending of first spam mail): Unfortunately, my Apache logs have no entries around the time when these messages were sent. There are some suspect "CONNECT" requests scattered throughout the logs, but all are denied with 405's, and none correspond exactly with the time of the spam. Example (from about 3 hours after the spam): (The fact that the final query wasn't denied worries me slightly though. Does anyone have any insight?) I'm not sure where to go from here. I'm concerned about the lack of logs by Apache. There's a nine hour period without any entries; not unusual for my server given that it's not very active, but the time when the spam was sent falls in this time period. I've checked for common security issues, but qmail is configured only to relay from localhost, and Apache isn't configured as an open proxy. Are there any other common issues I should check for? Is there any other information I should post here to help identify the problem? I'm running Apache version 2.0.52, and qmail 1.03. I'd be very grateful for any help or links to relevant HOWTOs.

Posted by psychomarine, 09-01-2007, 10:07 PM
It would appear that someone's trying to hack you. The fact that your server is still online should be assurance that they've not succeeded.

Posted by bear, 09-01-2007, 10:55 PM
Incorrect. They are trying to connect and relay mail, and being "on line" doesn't mean a server isn't hacked. Not all hacking kills the box it's done to; in fact, what would be the point?

Posted by psychomarine, 09-01-2007, 11:09 PM
idk, whatever I gain access to, I ruin, so forgive me for assuming that others don't.

Posted by Tech4server, 09-02-2007, 12:05 AM
I agree, most people who gain access to a server use it mostly for the following:
1) To run ircd bots
2) To use it for DoS
3) To use it to send spam mails/phishing emails
4) To host phishing pages
There are very few incidents where the "hacker" ruins the server.

Posted by Tech4server, 09-02-2007, 12:07 AM
Check your mail logs as well, and also paste the output of the ps aux command. Also look at your /tmp folder for any hacks or suspicious files.

Posted by jtobin, 09-02-2007, 11:06 AM
I hadn't realised that if you give a log file in a vhost entry in Apache, that takes priority over the main log file, so the relevant logs were stored elsewhere. Once I found this, I quickly saw that someone was exploiting a vulnerable script to include remote files. The script in question is removed now, but I'm not sure how much damage they managed to do. Most of the scripts they used were designed for sending spam. Since the script was taken down, no more spam has been sent (that is, every remote email listed in the maillogs since then is legitimate). Still, I'm concerned that someone may be using the server to other ill ends, through whatever access they may have managed to get through the scripts. I've checked netstat, and all of the programs listening seem to be legitimate. rkhunter (fully updated) gave it a clean bill of health, apart from some outdated software. None of the running processes jump out at me as malicious either, but I'm not very experienced so I've included the output of ps aux as requested: Does anything look strange here? Finally, tmp contained a file called 'r00t', which certainly seemed to be the product of some attempt to gain more access. Nothing else jumped out at me, but I doubt every malicious executable is going to be so obviously named.
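As an added example (not from the original thread): a small Python scan over Apache combined-format access log lines that flags the two patterns jtobin describes, CONNECT proxy probes and query parameters whose value is a remote URL (the remote-file-inclusion signature), and records whether the request was served with a 2xx so the timestamps can be lined up against the qmail log. The log lines, IPs and script names below are constructed placeholders, not data from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not from the original post).
# Note that the vhost's CustomLog, not the main access_log, is where these would appear.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2007:03:12:41 +0000] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [28/Aug/2007:03:12:45 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Aug/2007:06:30:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 300 "-" "-"
192.0.2.33 - - [28/Aug/2007:06:31:10 +0000] "GET /gallery.php?dir=ftp://203.0.113.9/shell.txt HTTP/1.1" 200 417 "-" "-"
"""

# Client IP, timestamp, request method/target and status code from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value starting with one of these is an include-a-remote-file attempt.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_suspicious(log_text):
    """Return one finding per suspicious request, in log order.

    'served' is True when Apache answered 2xx: for an RFI probe that means the
    script most likely fetched and ran the remote file, which is the case to
    correlate against the mail log timestamps.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        rec["served"] = rec["status"].startswith("2")
        if rec["method"] == "CONNECT":
            rec["reason"] = "CONNECT request (open-proxy / mail relay probe)"
            findings.append(rec)
            continue
        # Look only at the query string; path components are not user-controlled includes.
        query = urlsplit(rec["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                rec["reason"] = f"remote URL in parameter '{name}'"
                findings.append(rec)
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} served={f['served']} {f['reason']}")
```

Because the CONNECT line carries a 405, it confirms the proxy attempt was refused, whereas a 200 on an RFI probe is the line whose timestamp should match the first spam in the qmail log.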


