Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: Tillebeck on May 08, 2008, 11:41:19 PM
-
Hi
I have stopped qmail and am examining the remote qmail list. There seems to be some spam in the remote queue.
When listing the different subjects (using qmHandle), this is what I get at the moment:
[root@ronja ~]# qmHandle -l|grep Subject|sort| uniq -c|sort -n
1 Subject: =?iso-8859-1?Q?Rigtige_m=E6nd_k=F8ber_vestas_inden_lukningen=21=21=21_?=
1 Subject: ***SPAM*** I busted you salg
1 Subject: ***SPAM*** Post XMAS Sale! Enjoy over HALF OFF on all Fashion Designer Footwear, Gucci Prada and MORE!
1 Subject: ***SPAM*** spring selection
1 Subject: ***SPAM*** To: salg
1 Subject: THE 3 Trades for the Next 8 Hours: DVN, 12:30 (TBD), 3:00 (TBD)
[root@ronja ~]#
5 of 6 mails are spam and they are all tagged as spam.
- How can I avoid the SME server continuing to send these spam mails?
- How can I see who the sender is (e.g. the sender IP)?
Of course I should also find the source of the spam, either an infected local client or a hacked web application. How to figure out whether it is a client or a web app has kindly been provided by Normando in this thread:
http://forums.contribs.org/index.php?topic=40959.0
BR. Anders
-
I have something like that; when I do ps -aux I get this:
ps -aux
qmailr 10284 0.0 0.0 3076 520 ? S 23:21 0:00 qmail-remote flirtru.ru bbadrake@ausa.org sale@flirtru.ru
qmailr 10286 0.0 0.0 3416 524 ? S 23:21 0:00 qmail-remote flirtru.ru bbadrake@ausa.org sales@flirtru.ru
qmailr 10577 0.0 0.0 3396 524 ? S 23:23 0:00 qmail-remote lig.bellsouth.net apumaxi@ferrellconstr.com anneliese@lig.bellsouth.net
qmailr 11377 0.0 0.0 3524 520 ? S 23:27 0:00 qmail-remote rediffmail.com jwevibrant@cpdcpr.com tamlonyi@rediffmail.com
qmailr 11426 0.0 0.0 1880 528 ? S 23:27 0:00 qmail-remote bna.bellsouth.net lcefundamentalism@ionmktg.com addison@bna.bellsouth.net
qmailr 11543 0.0 0.0 2084 524 ? S 23:28 0:00 qmail-remote btinternet.com kylcosts@techonesolution.com melai@btinternet.com
qmailr 11705 0.0 0.0 3020 520 ? S 23:29 0:00 qmail-remote yahoo.com rlsbaton@quik-flix.com brelandministries@yahoo.com
qmailr 11752 0.0 0.0 2420 520 ? S 23:30 0:00 qmail-remote rediffmail.com lrpfiddle@nanjingusa.com warpl_abad@rediffmail.com
qmailr 11933 0.0 0.0 2156 520 ? S 23:31 0:00 qmail-remote rediffmail.com tfstile@daedalusrestaurant.net amulbutter47@rediffmail.com
qmailr 11979 0.0 0.0 1844 520 ? S 23:32 0:00 qmail-remote rediffmail.com tzumbrella@l00ksharp.com malyadhri@rediffmail.com
root 12005 0.0 0.2 6908 2280 ? Ss 23:32 0:00 sshd: root@pts/1
root 12007 0.0 0.1 4804 1428 pts/1 Ss 23:32 0:00 -bash
qmailr 12205 0.0 0.0 2796 524 ? S 23:35 0:00 qmail-remote seagate.com ljzimpromptu@indivisible.com craigan@seagate.com
qmailr 12442 0.0 0.0 3244 524 ? S 23:38 0:00 qmail-remote thethoughtshop.com xqssober@blastwaves.com delgado@thethoughtshop.com
qmailr 12466 0.0 0.0 3476 528 ? S 23:38 0:00 qmail-remote 1stconnect.com vgrrear@bournemouth-property.co.uk krowleyl@1stconnect.com
qmailr 12485 0.0 0.0 1868 524 ? S 23:38 0:00 qmail-remote wearab.net pflink@bowenclassicarms.com talal_rasheed@wearab.net
qmailr 12486 0.0 0.0 1912 524 ? S 23:38 0:00 qmail-remote pe.net hxnhonor@pstprober.com cliffm@pe.net
root 12491 0.0 0.0 3944 768 pts/1 R+ 23:38 0:00
So how do I figure out on which part I was hacked?
-
So how do I figure out on which part I was hacked?
The first thing you do is to stop qmail. Do it now. Don't delay.
The next is to examine the full mail headers of one or more of the messages. The earliest (i.e. lowest in the message) Received: header will show which computer the message came from. If it came from the SME server itself, "invoked by uid" will show the uid of the process which created the message. 'grep nnn /etc/passwd' will show you the name of that uid.
If the name of the uid is 'www', then something running inside your web server is creating the message. You will need to use your knowledge of what is on your website, and the httpd access_log to determine where the problem is.
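The header triage described in the reply above, as an added example that is not part of the original post and is not SME Server or qmail code: it takes the raw text of a queued message (for instance what qmHandle prints for one message), finds the earliest Received: header (the lowest one), and reports either the uid that injected it locally, resolved against a passwd file, or the IP address of the remote client that delivered it over SMTP. The two sample messages, the IP address 192.0.2.77, the host name ronja.example.net and the /etc/passwd excerpt are constructed for the example; the uid lookup compares the third passwd field exactly rather than grepping the number anywhere in the line, because a plain grep for 102 would also match a uid of 1020.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a message injected locally by uid 102 (not from the thread).
LOCAL_MSG = (
    "Received: (qmail 12486 invoked by uid 102); 8 May 2008 21:38:12 -0000\n"
    "Date: 8 May 2008 21:38:12 -0000\n"
    "To: cliffm@pe.net\n"
    "Subject: ***SPAM*** spring selection\n"
    "\n"
    "body\n"
)

# Constructed sample: a message delivered over SMTP by a LAN client. qmail-smtpd
# writes the lower header (with the client IP), qmail-queue adds the top one.
REMOTE_MSG = (
    "Received: (qmail 10284 invoked from network); 8 May 2008 21:21:02 -0000\n"
    "Received: from unknown (HELO pc-01) (192.0.2.77)\n"
    "  by ronja.example.net with SMTP; 8 May 2008 21:21:02 -0000\n"
    "Subject: ***SPAM*** I busted you salg\n"
    "\n"
    "body\n"
)

# Constructed /etc/passwd excerpt; note that 'grep 102' would match two lines here.
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www:x:102:102:Web server:/home/httpd:/bin/false\n"
    "qmaild:x:1020:1020::/var/qmail:/bin/false\n"
)

UID_RE = re.compile(r"invoked by uid (\d+)")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block, unfolding continuation lines."""
    headers: List[Tuple[str, str]] = []
    head = raw.split("\n\n", 1)[0]
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def earliest_received(raw: str) -> Optional[str]:
    """The lowest Received: header is the first hop, i.e. where the message entered."""
    received = [v for n, v in parse_headers(raw) if n.lower() == "received"]
    return received[-1] if received else None


def classify_origin(raw: str) -> Dict[str, object]:
    """Decide whether the first hop was a local process (uid) or a network client (ip)."""
    hop = earliest_received(raw)
    if hop is None:
        return {"origin": "unknown", "received": None}
    m = UID_RE.search(hop)
    if m:
        return {"origin": "local", "uid": int(m.group(1)), "received": hop}
    m = IP_RE.search(hop)
    if m:
        return {"origin": "remote", "ip": m.group(1), "received": hop}
    return {"origin": "unknown", "received": hop}


def uid_to_name(uid: int, passwd_text: str) -> Optional[str]:
    """Exact match on the uid field (field 3) of passwd, not a substring grep."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None


def triage(raw: str, passwd_text: str) -> str:
    """One-line verdict pointing at the next thing to inspect."""
    info = classify_origin(raw)
    if info["origin"] == "local":
        name = uid_to_name(int(info["uid"]), passwd_text) or "?"
        if name == "www":
            hint = "something inside the web server; check the httpd access_log"
        else:
            hint = "a local process running as that user"
        return f"local: uid {info['uid']} ({name}); {hint}"
    if info["origin"] == "remote":
        return f"remote: {info['ip']}; look for an infected client at that address"
    return "unknown: could not read the earliest Received: header"


if __name__ == "__main__":
    for msg in (LOCAL_MSG, REMOTE_MSG):
        print(triage(msg, PASSWD))
```

On a real box you would feed it the message text from the queue and the real /etc/passwd; the two verdicts map directly onto the two cases in the reply: a local uid of www means the web application, a LAN address means a client.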