Postfix sending spam from my server PLEASE Help


meteadan
Apr 2, 2013, 01:45 PM
I am having a major problem with spam. Postfix is continuously sending spam from my server.
The message header shows a username and a domain name in all messages. I moved the mail service for this user to another server, so I am not sure how the server continues to show the same username in the messages.

X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from uniquemarble.co.uk (unknown [181.31.81.73])
by meteadan.com (Postfix) with ESMTPA id 25F8526939094;
Tue, 2 Apr 2013 18:50:13 +0100 (BST)
Message-ID: <4BD25172.8F6B9D63@uniquemarble.co.uk>
Date: Tue, 02 Apr 2013 18:51:11 +0100
Reply-To: "info@uniquemarble.co.uk" <info@uniquemarble.co.uk>
From: "info@uniquemarble.co.uk" <info@uniquemarble.co.uk>
X-Accept-Language: en-us
MIME-Version: 1.0
To: <pcosgrove@eastlink.ca>,
<stumpy1@eastlink.ca>,
<terrichatmember@ebay.co.uk>,
<bet@ebay.com>,
<otx@ebay.com>,
<leonk2x@ebay.com>,
<rcivils@ec.rr.com>,
<ecacheops@ecache.net>,
<schneljj@edeluk.com>,
<wrpqqudo@edxkrmua.com>,
<info@efcolab.ch>,
<testigma@eflyer.lk>,
<208551698@ehealties.info>,
<2907913096@ehealties.info>,
<finnman@eircom.net>,
<gdwyer1@eircom.net>,
<doors@eiwa.info>,
<sgowbw@eksaut.com>,
<affiliates@electrocarte.com.ar>,
<carsinc@email.com>
Subject: Score juicy la_sses w|th theese affordable pharmaceutical$. 100% privacy!
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

=======================================
The user info@uniquemarble.co.uk no longer exists on my server. The IP address is an external IP address. Something to note: the IP address was showing my server's IP until I moved this domain name and the user to another mail server.

My Ip address is already blacklisted.

Please help me resolve this problem.
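A note on the header in the post above: `with ESMTPA` is Postfix's notation for an ESMTP session that completed SMTP AUTH, so the client at 181.31.81.73 handed the message in with a valid username and password for this server, not as a local process or an open relay. The matching `postfix/smtpd` line in /var/log/maillog for the same queue ID records which account authenticated in its `sasl_username=` field. The shell functions below are an added example, not part of the original thread, that summarise such log lines per account and per client address; the sample log lines are constructed to match the posted queue ID and client IP, and the account names in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): find which SMTP AUTH account
# is behind authenticated submissions in a Postfix maillog. "with ESMTPA" in
# a Received header means the client completed SMTP AUTH, so the smtpd log
# line for that queue ID carries a sasl_username. The log lines below are
# constructed to match the posted header's queue ID and client IP.

SAMPLE_MAILLOG='Apr  2 18:50:13 s15342963 postfix/smtpd[21234]: 25F8526939094: client=unknown[181.31.81.73], sasl_method=LOGIN, sasl_username=info@uniquemarble.co.uk
Apr  2 18:50:14 s15342963 postfix/smtpd[21234]: 0A1B2C3D4E5F6: client=unknown[181.31.81.73], sasl_method=LOGIN, sasl_username=info@uniquemarble.co.uk
Apr  2 18:51:02 s15342963 postfix/smtpd[21240]: 1122334455667: client=unknown[181.31.81.74], sasl_method=LOGIN, sasl_username=info@uniquemarble.co.uk
Apr  2 18:52:40 s15342963 postfix/smtpd[21251]: 7788990011223: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=info@uniquemarble.co.uk
Apr  2 19:00:01 s15342963 postfix/smtpd[21260]: 99AABBCCDDEEF: client=pc1.example.net[198.51.100.20], sasl_method=PLAIN, sasl_username=alice@example.net
Apr  2 19:00:05 s15342963 postfix/smtpd[21261]: AABBCCDDEEFF0: client=unknown[192.0.2.77]'

# Read a maillog on stdin; print "<messages> <distinct client IPs> <account>"
# per SMTP AUTH account, busiest first. Sessions without sasl_username
# (unauthenticated inbound mail) are skipped.
auth_by_account() {
    awk '
        /postfix\/smtpd\[/ && /sasl_username=/ {
            user = $0; sub(/.*sasl_username=/, "", user); sub(/[ ,].*/, "", user)
            ip = $0;   sub(/.*client=[^[]*\[/, "", ip);    sub(/\].*/, "", ip)
            msgs[user]++
            if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in msgs) printf "%d %d %s\n", msgs[u], ips[u], u }
    ' | sort -rn
}

# Accounts that authenticated from more than $1 distinct client addresses in
# the window the log covers: one mailbox password used from several unrelated
# networks is the usual sign of a stolen credential.
accounts_over_ip_limit() {
    limit=$1
    auth_by_account | awk -v limit="$limit" '$2 > limit { print $3 }'
}

# Queue IDs submitted by one account, to match against Received headers
# (the posted header carries queue ID 25F8526939094).
queue_ids_for_account() {
    awk -v user="$1" '
        /postfix\/smtpd\[/ && index($0, "sasl_username=" user) {
            id = $0; sub(/.*smtpd\[[0-9]+\]: /, "", id); sub(/:.*/, "", id); print id
        }'
}

# On a live system: auth_by_account < /var/log/maillog
printf '%s\n' "$SAMPLE_MAILLOG" | auth_by_account
printf '%s\n' "$SAMPLE_MAILLOG" | accounts_over_ip_limit 2
```

Once the account is known, the response is to change (or disable) that mailbox's password and then re-run the summary over the following hours to confirm the authenticated submissions stop; a rootkit scan does not address a leaked SMTP AUTH credential.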

IgorG
Apr 2, 2013, 11:14 PM
Check the system with rkhunter and chkrootkit at least. Also look at the article http://kb.parallels.com/1711

meteadan
Apr 3, 2013, 04:45 AM
Thank you for your quick response.
I installed and ran chkrootkit, but it did not find anything.
The rkhunter check gave me the following results.

[10:13:55] Running Rootkit Hunter version 1.4.0 on s15342963
[10:13:55]
[10:13:55] Info: Found O/S name: CentOS release 5.9 (Final)
[10:13:55] Info: Installation directory is '/usr/local'
[10:13:55] Info: Found the 'diff' command: /usr/bin/diff
[10:13:56] Info: Found the 'dirname' command: /usr/bin/dirname
[10:14:27] /sbin/ifdown [ Warning ]
[10:14:27] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[10:14:27] /sbin/ifup [ Warning ]
[10:14:27] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

[10:15:09] /usr/bin/GET [ Warning ]
[10:15:09] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[10:15:09] /usr/bin/groups [ Warning ]
[10:15:09] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable

[10:15:12] /usr/bin/ldd [ Warning ]
[10:15:13] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[10:15:28] /usr/bin/whatis [ Warning ]
[10:15:28] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[10:16:21]
[10:16:21] Checking for IntoXonia-NG Rootkit...
[10:16:21] Checking for kernel symbol 'funces' [ Skipped ]
[10:16:21] Checking for kernel symbol 'ixinit' [ Skipped ]
[10:16:21] Checking for kernel symbol 'tricks' [ Skipped ]
[10:16:21] Checking for kernel symbol 'kernel_unlink' [ Skipped ]
[10:16:21] Checking for kernel symbol 'rootme' [ Skipped ]
[10:16:21] Checking for kernel symbol 'hide_module' [ Skipped ]
[10:16:21] Checking for kernel symbol 'find_sys_call_tbl' [ Skipped ]
[10:16:21] IntoXonia-NG Rootkit [ Not found ]
[10:16:22]
[10:16:22] Checking for Irix Rootkit...
[10:16:24] Checking for kernel symbol 'h4x_delete_module' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_getdents64' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_kill' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_open' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_read' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_rename' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_rmdir' [ Skipped ]
[10:16:24] Checking for kernel symbol 'h4x_tcp4_seq_show' [ Skipped ]
[10:16:25] Checking for kernel symbol 'h4x_write' [ Skipped ]
[10:18:46] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[10:18:46] Checking '/etc/xinetd.d/ntalk' for enabled services [ None found ]
[10:18:46] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[10:18:48] Checking for enabled xinetd services [ Warning ]
[10:18:48] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[10:18:48] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[10:18:48] Checking for Apache backdoor [ Not found ]
[10:18:48]
[10:18:48] Info: Starting test name 'os_specific'
[10:18:48] Performing Linux specific checks
[10:18:49] Checking loaded kernel modules [ Warning ]
[10:18:49] Warning: No output found from the lsmod command or the /proc/modules file:
[10:18:49] /proc/modules output:
[10:22:27] Info: Starting test name 'group_accounts'
[10:22:27] Performing group and account checks
[10:22:27] Checking for passwd file [ Found ]
[10:22:27] Info: Found password file: /etc/passwd
[10:22:29] Checking for SSH configuration file [ Found ]
[10:22:29] Info: Found SSH configuration file: /etc/ssh/sshd_config
[10:22:29] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[10:22:29] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[10:22:29] Checking if SSH root access is allowed [ Warning ]
[10:22:29] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[10:22:29] Checking if SSH protocol v1 is allowed [ Not allowed ]
[10:22:29] Checking for running syslog daemon [ Found ]
[10:22:29] Info: Found syslog configuration file: /etc/syslog.conf
[10:22:30] Checking for syslog configuration file [ Found ]
[10:22:30] Checking if syslog remote logging is allowed [ Not allowed ]
[10:22:30]
[10:22:30] Info: Starting test name 'filesystem'
[10:22:30] Performing filesystem checks
[10:22:30] Info: SCAN_MODE_DEV set to 'THOROUGH'
[10:22:30] Checking /dev for suspicious file types [ Warning ]
[10:22:30] Warning: Suspicious file types found in /dev:
[10:22:30] /dev/.udev/uevent_seqnum: ASCII text
[10:22:31] Checking for hidden files and directories [ Warning ]
[10:22:32] Warning: Hidden directory found: '/dev/.udev'
[10:22:32] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[10:22:32] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[10:22:32] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[10:22:32] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[10:22:49]
[10:22:49] Info: Starting test name 'apps'
[10:22:49] Checking application versions...
[10:22:52] Checking version of Exim MTA [ Warning ]
[10:22:53] Warning: Application 'exim', version '4.63', is out of date, and possibly a security risk.
[10:22:53] Checking version of GnuPG [ OK ]
[10:22:53] Info: Application 'gpg' version '1.4.5' found.
[10:22:53] Checking version of Apache [ Warning ]
[10:22:53] Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
[10:22:53] Checking version of Bind DNS [ OK ]
[10:22:53] Info: Application 'named' version '9.3.6-P1' found.
[10:22:53] Checking version of OpenSSL [ Warning ]
[10:22:54] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
[10:22:54] Checking version of PHP [ OK ]
[10:22:54] Info: Application 'php' version '5.3.3' found.
[10:22:54] Checking version of Procmail MTA [ OK ]
[10:22:54] Info: Application 'procmail' version '3.22' found.
[10:22:54] Checking version of ProFTPD [ OK ]
[10:22:54] Info: Application 'proftpd' version '1.3.4a' found.
[10:22:55] Checking version of OpenSSH [ Warning ]
[10:22:55] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
[10:22:55] Info: Applications checked: 9 out of 9
[10:22:55]
[10:22:55] System checks summary
[10:22:55] =====================
[10:22:55]
[10:22:55] File properties checks...
[10:22:55] Files checked: 136
[10:22:55] Suspect files: 6
[10:22:55]
[10:22:55] Rootkit checks...
[10:22:55] Rootkits checked : 310
[10:22:55] Possible rootkits: 0
[10:22:55]
[10:22:55] Applications checks...
[10:22:56] Applications checked: 9
[10:22:56] Suspect applications: 4
[10:22:56]
[10:22:56] The system checks took: 8 minutes and 57 seconds
[10:22:56]
[10:22:56] Info: End date is Wed Apr 3 10:22:56 BST 2013

I need a little bit of help with following the instructions in article 1711.

I am unfamiliar with making a file executable or, specifically, with this step:
2) Create a log file /var/tmp/mail.send and grant it "a+rw" rights; make the wrapper executable; rename old sendmail; and link it to the new wrapper:

Thanks for your help.

I am not sure how to deal with the warnings that rkhunter found.

meteadan
Apr 3, 2013, 06:23 AM
I have followed the instructions in article 1711, and the output gave me no response, telling me that no email was sent using the PHP mail function.

meteadan
Apr 3, 2013, 11:23 AM
Please, someone help. I have been searching those rkhunter warnings and found out that all of them are false positives. What am I missing? I shut down my SMTP server to stop the spamming problem. I cannot figure out what or who is sending the spam.
I followed the instructions in the article http://kb.parallels.com/1711, but the log file gave me no result suggesting that any script on any of my hosted accounts is using the PHP mail function. So what am I missing?
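The sendmail-wrapper step quoted earlier in the thread (create /var/tmp/mail.send with a+rw, make the wrapper executable, rename the old sendmail, link it to the wrapper), as an added shell example that is not the article's own script. The paths passed as arguments are assumptions for the example: on a Plesk host the installed binary is normally /usr/sbin/sendmail, possibly a symlink chain ending at Postfix's own sendmail, and `mv` plus `ln -s` keep that chain intact. The wrapper logs the caller's uid, working directory, parent command line and arguments, then hands the message to the real binary unchanged; the rehearsal function installs it in a scratch directory with a stand-in sendmail so nothing on the host changes.

```shell
#!/bin/sh
# Added example (not the KB 1711 script): the sendmail-wrapper step as shell
# functions. All paths are passed in; the defaults named in the comments
# below are assumptions, not fixed Plesk locations.

# Write a wrapper script to $1 that appends one line per call to the log
# file $3 and then execs the real sendmail $2 with the same arguments.
write_sendmail_wrapper() {
    wrapper=$1; real=$2; log=$3
    cat > "$wrapper" <<EOF
#!/bin/sh
# Record who invoked sendmail. /proc/\$PPID/cmdline names the parent process;
# for PHP mail() that is the web server or php-cgi process, and together
# with \$PWD it points at the vhost directory the call came from.
parent=
[ -r "/proc/\$PPID/cmdline" ] && parent=\$(tr '\\0' ' ' < "/proc/\$PPID/cmdline")
printf '%s uid=%s ppid=%s cwd=%s parent=[%s] args=[%s]\\n' \\
    "\$(date '+%Y-%m-%d %H:%M:%S')" "\$(id -u)" "\$PPID" "\$PWD" "\$parent" "\$*" >> "$log"
exec "$real" "\$@"
EOF
    chmod 755 "$wrapper"
}

# The quoted step: world-writable log, installed sendmail ($1) moved aside
# as "$1.real", wrapper written to $2, and a symlink to it in sendmail's place.
install_sendmail_wrapper() {
    sendmail=$1; wrapper=$2; log=$3
    touch "$log" && chmod a+rw "$log"
    mv "$sendmail" "$sendmail.real"
    write_sendmail_wrapper "$wrapper" "$sendmail.real" "$log"
    ln -s "$wrapper" "$sendmail"
}

# Rehearse the installation in a scratch directory with a stand-in sendmail
# that only swallows its input, then print the log line the wrapper wrote.
rehearse_wrapper() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ncat > /dev/null\n' > "$dir/sendmail"
    chmod 755 "$dir/sendmail"
    install_sendmail_wrapper "$dir/sendmail" "$dir/sendmail-wrapper" "$dir/mail.send"
    printf 'To: someone@example.net\nSubject: test\n\nbody\n' \
        | "$dir/sendmail" -t -i -f www-data@example.net
    cat "$dir/mail.send"
    [ -n "$dir" ] && rm -rf "$dir"
}

rehearse_wrapper
# Real installation, as root (paths are assumptions):
#   install_sendmail_wrapper /usr/sbin/sendmail /usr/local/sbin/sendmail-wrapper /var/tmp/mail.send
# and later:  cat /var/tmp/mail.send
```

The wrapper only sees mail handed to the local sendmail binary (PHP mail(), cron jobs, local scripts). Mail that enters through an authenticated SMTP session, which is what `with ESMTPA` in the first post's Received header indicates, never passes through it, so an empty /var/tmp/mail.send alongside that header is consistent with a leaked mailbox password rather than a script on the host; the account named in the maillog's `sasl_username=` for those queue IDs is the one to lock and re-password.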