Posts tagged spam

Plesk mail spam fixes
posted on 2014-07-09 13:46:10

mail notifying

When receiving a mail like this:

 1  Hi Abuse Team,
 3  This is an RBL nomination for the following lists of IP addresses that
 4  are in the process of being listed to the RBL as a spam source
 5  and/or is an originating spam source in progress.
 7  -- IPs listed to the RBL --
 9  -- End of IPs listed to the RBL --
11  Please refer to below information for representative spam samples.
12  Additional samples are available upon request from an authoritative
13  requestor.
15  Filename:
16  Password: novirus
18  -- Example of spam mail --
19  Spam Sample #1 - []
21  Received: from [] by <removed> via sendmail with smtp;
22  for 1 recipient; Fri, 04 Jul 2014 07:24:14 -0000
23  Received: by <removed> (Postfix, from userid 10335)
24  id 8D55D7E2640; Fri,  4 Jul 2014 09:24:15 +0200 (CEST)
25  To: <removed>
26  Subject: [20140704] Dear Customer! We received your July 1st payment of $2579 which brings
27  your balance to $0.
28  X-PHP-Originating-Script: 10335:yysfgfo.php
29  Message-Id: <removed>
30  Date: Fri,  4 Jul 2014 09:24:15 +0200 (CEST)
31  From: <removed>
33  -- End of Example of spam mail --
35  -- Network Information --
37 ...

The important information is in line 28.


$ grep 10335 /etc/passwd

which will give you the user in question.

Then clean the yysfgfo.php file from his account and the spam issue is fixed. (find <dir_of_webspace> -iname yysfgfo.php will show you where it lies.)

The UID and filename may differ, these are just examples.

Of course the site was hacked, and you/the customer still has to fix and secure it, so future hacks are prevented.

Usually setting a new password, for the users' ftp account (so new malicious scripts cannot be uploaded again) is enough. In case that you use Plesk, you might consider setting a new password for the login to the Websitepanel, too.

spamming just started

If you have not yet blacklist mail or other form of notification and the spamming takes place right at the moment, use these:

# first have a look on the current mail queue

Then you are shown the queue file id (first character sequence at the beginning of the line), sender and other information. Have a look at some of the suspicious looking emails, using the queue is and postcat:

# show mail header and body
postcat -q 252977E27B0

There you watch out for entries like X-PHP-Originating-Script like described in the beginning of the post.

brute force in case nothing helps

If the mailheader does not provide an X-...-Originating-Script entry, try this:

for i in $(find /var/www/vhosts -type f -name access_log); do COUNT=$(fgrep -c POST "$i"); if [ "$COUNT" -gt 0 ]; then echo "$i"; echo "$COUNT"; fi; done

This approach works due to the most hackers using HTTP POST request to trigger the spam dispatch.

The commands will scan the apache httpd access logs of all webhostings, and have a look at the count of POST commands of sent to a each hosting. You should then have a look at the recently changed files in the folder with the most hits. Keep in mind, that due to the I/O load this might post on the system, it might take a while until this command sequence will be finished.

To have a look on the I/O load, use top:

top - 10:20:37 up 27 days,  3:09,  2 users,  load average: 0.00, 0.01, 0.00
Tasks: 130 total,   1 running, 129 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.0%sy,  0.0%ni, 99.3%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st


The wa percentage given above is the average value of all cpu wait times for the I/O subsystem. 0.0% is no wait, if its like 40 percent or higher the command will take ages to finish.

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, arcconf, arch, architecture, areca, arping, asa, asdm, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factory_reset, factoryreset, fail2ban, fbsd, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, gnutls, gradle, grep, grml, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kemp, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, livedisk, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, powershell, preview, profiling, prompt, proxmox, ps, puppet, pv, pvecm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scite, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh

View posts from 2017-02, 2017-01, 2016-12, 2016-11, 2016-10, 2016-09, 2016-08, 2016-07, 2016-06, 2016-05, 2016-04, 2016-03, 2016-02, 2016-01, 2015-12, 2015-11, 2015-10, 2015-09, 2015-08, 2015-07, 2015-06, 2015-05, 2015-04, 2015-03, 2015-02, 2015-01, 2014-12, 2014-11, 2014-10, 2014-09, 2014-08, 2014-07, 2014-06, 2014-05, 2014-04, 2014-03, 2014-01, 2013-12, 2013-11, 2013-10

Unless otherwise credited all material Creative Commons License by sjas