posted on 2014-07-09 13:46:10
When receiving a mail like this (line numbers are part of the quoted notice and are referred to below):
1 Hi Abuse Team,
2
3 This is an RBL nomination for the following lists of IP addresses that
4 are in the process of being listed to the RBL as a spam source
5 and/or is an originating spam source in progress.
6
7 -- IPs listed to the RBL --
8 here.is.your.ip
9 -- End of IPs listed to the RBL --
10
11 Please refer to below information for representative spam samples.
12 Additional samples are available upon request from an authoritative
13 requestor.
14
15 Filename: CTR-NET.zip
16 Password: novirus
17
18 -- Example of spam mail --
19 Spam Sample #1 - [here.is.your.ip]
20
21 Received: from [here.is.your.ip] by <removed> via sendmail with smtp;
22 for 1 recipient; Fri, 04 Jul 2014 07:24:14 -0000
23 Received: by <removed> (Postfix, from userid 10335)
24 id 8D55D7E2640; Fri, 4 Jul 2014 09:24:15 +0200 (CEST)
25 To: <removed>
26 Subject:  Dear Customer! We received your July 1st payment of $2579 which brings
27 your balance to $0.
28 X-PHP-Originating-Script: 10335:yysfgfo.php
29 Message-Id: <removed>
30 Date: Fri, 4 Jul 2014 09:24:15 +0200 (CEST)
31 From: <removed>
32
33 -- End of Example of spam mail --
34
35 -- Network Information --
36
37 ...
The important information is in line 28: the X-PHP-Originating-Script header carries the UID of the account under which PHP ran the script, followed by the script's filename.
$ grep 10335 /etc/passwd
will give you the user in question. Then remove the yysfgfo.php file from that account and the spamming stops.
find <dir_of_webspace> -iname yysfgfo.php
will show you where it lies. (The UID and filename will differ on your system; these are just examples.)
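As an added example (not the original post's commands), the following POSIX shell script does the same lookup in a scriptable way: it reads the X-PHP-Originating-Script header out of a message, splits it into UID and script name, and resolves the UID against passwd by matching the UID field exactly, so an account with UID 103350 is not mistaken for 10335 the way a plain grep for the number would. The message and passwd content are constructed sample data; in real use you would feed in the RBL notice and /etc/passwd.

```shell
#!/bin/sh
# Added example, not the post's own code. Resolves the account behind an
# X-PHP-Originating-Script header. All sample data below is constructed.

# Constructed sample message, modelled on the RBL notice.
SAMPLE_MAIL='Received: by mail.example.test (Postfix, from userid 10335)
    id 8D55D7E2640; Fri, 4 Jul 2014 09:24:15 +0200 (CEST)
To: victim@example.test
Subject: Dear Customer! We received your payment
X-PHP-Originating-Script: 10335:yysfgfo.php
Message-Id: <constructed@example.test>

body text'

# Constructed passwd content standing in for /etc/passwd. Note the
# second customer whose UID merely contains the digits 10335.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/usr/sbin/nologin
custa:x:10335:10335::/var/www/vhosts/example-a.test:/bin/false
custb:x:103350:103350::/var/www/vhosts/example-b.test:/bin/false'

# originating_script_value MESSAGE -> "uid:script" from the first such
# header (header names are case-insensitive), empty if the header is absent.
originating_script_value() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^x-php-originating-script:/ {
            sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# originating_uid MESSAGE -> numeric UID in front of the first colon
originating_uid() {
    v=$(originating_script_value "$1")
    printf '%s\n' "${v%%:*}"
}

# originating_script MESSAGE -> script filename after the first colon
originating_script() {
    v=$(originating_script_value "$1")
    printf '%s\n' "${v#*:}"
}

# passwd_field UID FIELDNO PASSWD -> field FIELDNO of the entry whose
# third field equals UID exactly; empty if no such entry.
passwd_field() {
    printf '%s\n' "$3" | awk -F: -v uid="$1" -v f="$2" '$3 == uid { print $f; exit }'
}

# uid_to_user UID PASSWD -> login name
uid_to_user() { passwd_field "$1" 1 "$2"; }

# uid_to_home UID PASSWD -> home directory, the place to start looking
# for the script with find
uid_to_home() { passwd_field "$1" 6 "$2"; }

# Stand-alone run on the constructed data. For a real notice, pass the
# message text as MESSAGE and "$(cat /etc/passwd)" as PASSWD.
uid=$(originating_uid "$SAMPLE_MAIL")
printf 'uid=%s user=%s home=%s script=%s\n' "$uid" \
    "$(uid_to_user "$uid" "$SAMPLE_PASSWD")" \
    "$(uid_to_home "$uid" "$SAMPLE_PASSWD")" \
    "$(originating_script "$SAMPLE_MAIL")"
```

With the home directory in hand, `find "$home" -iname "$script"` locates the file without searching the whole webspace.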
Of course the site was hacked, and you/the customer still has to fix and secure it, so future hacks are prevented.
Usually setting a new password for the user's FTP account (so new malicious scripts cannot be uploaded again) is enough. If you use Plesk, consider setting a new password for the login to the website panel, too.
If you have not yet received a blacklist mail or other notification, and the spamming is happening right now, use these:
# first have a look at the current mail queue
mailq
Then you are shown the queue file id (the first character sequence at the beginning of the line), the sender and other information.
Have a look at some of the suspicious-looking emails, using the queue id and
# show mail header and body
postcat -q 252977E27B0
There, watch out for entries like X-PHP-Originating-Script, as described at the beginning of the post.
If the mail header does not provide an X-...-Originating-Script entry, try this:
for i in $(find /var/www/vhosts -type f -name access_log); do
    COUNT=$(fgrep -c POST "$i")
    if [ "$COUNT" -gt 0 ]; then
        echo "$i"
        echo "$COUNT"
    fi
done
This approach works because most attackers use HTTP POST requests to trigger the spam dispatch.
The commands scan the Apache httpd access logs of all web hostings and print the count of POST requests sent to each hosting. You should then have a look at the recently changed files in the folder with the most hits. Keep in mind that, due to the I/O load this puts on the system, it might take a while until this command sequence finishes.
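As an added example (not the post's own loop), the script below builds a constructed Plesk-style vhost tree in a temporary directory, ranks the access logs by POST count with the busiest first, and then lists the files changed within the last day under that vhost's docroot, which is the follow-up step the text describes. It counts only request lines that start with POST rather than the word anywhere in the line, so URLs or user agents containing "POST" do not inflate the number. The /vhost/statistics/logs/access_log and /vhost/httpdocs layout is an assumption about the hosting platform.

```shell
#!/bin/sh
# Added example, not the post's own code. Ranks vhosts by POST requests and
# lists recently modified files under the top one. Sample tree is constructed.

# make_sample_vhosts -> prints the root of a constructed vhost tree
make_sample_vhosts() {
    root=$(mktemp -d)
    mkdir -p "$root/quiet.test/statistics/logs" "$root/quiet.test/httpdocs" \
             "$root/noisy.test/statistics/logs" \
             "$root/noisy.test/httpdocs/wp-content/uploads"
    # Constructed log lines (documentation-range IPs, no real hosts).
    printf '%s\n' \
      '203.0.113.5 - - [04/Jul/2014:09:24:10 +0200] "GET /index.php HTTP/1.1" 200 512' \
      '203.0.113.5 - - [04/Jul/2014:09:24:11 +0200] "GET /POST-office.html HTTP/1.1" 404 210' \
      > "$root/quiet.test/statistics/logs/access_log"
    printf '%s\n' \
      '198.51.100.7 - - [04/Jul/2014:09:24:11 +0200] "POST /wp-content/uploads/yysfgfo.php HTTP/1.1" 200 12' \
      '198.51.100.7 - - [04/Jul/2014:09:24:12 +0200] "POST /wp-content/uploads/yysfgfo.php HTTP/1.1" 200 12' \
      '203.0.113.9 - - [04/Jul/2014:09:24:13 +0200] "GET / HTTP/1.1" 200 3021' \
      > "$root/noisy.test/statistics/logs/access_log"
    : > "$root/noisy.test/httpdocs/wp-content/uploads/yysfgfo.php"
    printf '%s\n' "$root"
}

# post_counts ROOT -> "count path" lines, highest count first, zero-count
# logs omitted. Matches only the request method, not "POST" anywhere.
post_counts() {
    find "$1" -type f -name access_log | while IFS= read -r log; do
        n=$(grep -c '"POST ' "$log" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "$log"
        fi
    done | sort -rn
}

# busiest_log ROOT -> path of the access_log with the most POSTs
busiest_log() {
    first=$(post_counts "$1" | head -n 1)
    printf '%s\n' "${first#* }"
}

# recent_files ACCESS_LOG -> regular files under the vhost's docroot modified
# within the last day (assumes the Plesk-style layout described above)
recent_files() {
    vhost=${1%/statistics/logs/access_log}
    find "$vhost/httpdocs" -type f -mtime -1
}

# Stand-alone run on the constructed tree. Replace ROOT with /var/www/vhosts
# for a real scan and remember the I/O cost on a busy box.
ROOT=$(make_sample_vhosts)
post_counts "$ROOT"
echo "--- recently changed files under the busiest vhost ---"
recent_files "$(busiest_log "$ROOT")"
rm -rf "$ROOT"
```

The quiet vhost's GET for /POST-office.html is deliberately included: a plain `fgrep -c POST` would count it, while the method-anchored pattern does not.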
To have a look at the I/O load, use top:
top - 10:20:37 up 27 days, 3:09, 2 users, load average: 0.00, 0.01, 0.00
Tasks: 130 total, 1 running, 129 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3%us, 0.0%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
...
The wa percentage shown above is the share of CPU time spent waiting for the I/O subsystem, averaged over all CPUs.
0.0% means no wait; if it is around 40 percent or higher, the command will take ages to finish.