Full Version: This file won't die!
The Planet Forums > Control Panels > Plesk
AC Design
Hey all -

I've been getting attacked by spammers over this past week, who (I'm pretty sure) were abusing a "Matt's formmail.pl" that was on one of the domains on my server... My current /var/log/maillog was 913MB (June 2-7)... I deleted the file, but when searching again in SSH the file still appears to be there - but it's gone from FTP:
[root@www /]# locate -i formmail
/usr/local/psa/home/vhosts/spoono.com/httpdocs/cgi-bin/formmail.pl

I've restarted Plesk - no luck, restarted the whole server - no luck - it still "says" it's there hehe

I "think" deleting it stopped the spammer though - since the logfile immediately stopped at 913MB and hasn't grown at all now for a few hours. Anyone know why the file won't die? hehe

BTW if anyone has info on setting my server (Plesk) to NOT have an Open Relay, that would be awesome

Thanx ~ Peace.
AC Design
oops I spoke too soon... log is growing again.... 923MB.... ahhhhh!
I. HATE. SPAMMERS.

Someone pleeease help.
mouse
from SSH prompt type updatedb
once it returns to the prompt type locate Formmail.pl and also try formmail.pl and see what ya find.. Mouse
AC Design
thanks mouse... the file is gone, and it "seems" (nervously checks log again) that the spam has stopped again. I hope this actually did foil the spammer and not just disturb whatever process he was doing (which he would soon realize and start on up again).

Looking in my /var/log/secure I noticed that there's a ton of repeated entries in there that look suspicious to me, though maybe it's just normal (as something of a noob I wouldn't know hehe):


Jun 8 01:35:06 www xinetd[721]: START: smtp pid=3698 from=212.38.112.109
Jun 8 01:37:23 www xinetd[721]: START: smtp pid=3751 from=202.57.96.77
Jun 8 01:37:58 www xinetd[721]: START: smtp pid=3762 from=157.238.56.14
Jun 8 01:41:12 www xinetd[721]: START: ftp pid=3892 from=202.96.108.138
Jun 8 01:43:17 www xinetd[721]: START: smtp pid=3969 from=207.175.240.2
Jun 8 01:44:24 www xinetd[721]: START: smtp pid=3983 from=217.11.100.132
Jun 8 02:00:07 www xinetd[721]: START: smtp pid=4401 from=66.237.17.66
Jun 8 02:05:16 www xinetd[721]: START: smtp pid=4577 from=193.110.58.63
Jun 8 02:06:27 www xinetd[721]: START: smtp pid=4600 from=216.34.75.50
Jun 8 02:19:45 www xinetd[721]: START: smtp pid=5007 from=208.31.42.77
Jun 8 02:28:30 www xinetd[721]: START: smtp pid=5193 from=211.47.213.10
Jun 8 02:30:54 www xinetd[721]: START: smtp pid=5256 from=208.7.49.10
Jun 8 02:31:00 www xinetd[721]: START: smtp pid=5262 from=208.7.49.10
Jun 8 02:33:04 www xinetd[721]: START: smtp pid=5337 from=208.7.49.10
Jun 8 02:36:47 www xinetd[721]: START: smtp pid=5422 from=202.103.108.228
Jun 8 02:37:10 www xinetd[721]: START: smtp pid=5430 from=217.164.246.142
Jun 8 02:38:41 www xinetd[721]: START: smtp pid=5487 from=202.164.96.4
Jun 8 02:40:46 www xinetd[721]: START: smtp pid=5549 from=204.152.187.123
Jun 8 02:42:13 www xinetd[721]: START: smtp pid=5598 from=207.115.63.101
Jun 8 02:42:57 www xinetd[721]: START: smtp pid=5636 from=208.249.121.1


... it goes on like that for thousands and thousands of entries. Is this normal or is someone seeking more loops into my server (or even doing something bad)? If it's bad, what should I do?

Thanks!
AC Design
Hm I just ran telnet relay-test.mail-abuse.org from SSH... it said "System appeared to accept 1 relay attempts"...

This is the one that got through:
:Relay test: #Test 11
>>> mail from:
<<< 250 ok
>>> rcpt to: <"nobody%mail-abuse.org">
<<< 250 ok


Can you clue me in on how to plug this lil' hole? ... or is this one not actually an issue? (I read a page that hinted this kind of test was not accurate, but heh I wouldn't know). Well I'd like to "pass" the test either way hehe
If my server does NOT have an open relay - then can I strongly assume the spammer is/was making use of an insecure script on one of my domains?

Peace.
Squire
That particular open relay test (the nobody% one) can produce a false positive. Basically it looks like it's going through from the other end because of the way Qmail treats the percent symbol, but the mail won't really go to the address they're trying to spam. It'll all end up going to whatever default address you have the server set up to send undeliverable mail to if you have one set up. Otherwise it goes off into /null never to appear again.

As far as getting rid of your open relay for normal email if you indeed have one, it kinda depends upon what you need to do and what capabilities your clients using email on your server have. If you can simply get away with closing the relay totally you can log into your Plesk GUI, click on the Server Button, click on the Mail button and put a mark in the "Closed" radio button under the Relaying area and you're basically done. If memory serves, I think that is the default setting Plesk/Qmail comes with.

The trick comes in if you do need to allow relaying for clients who have POP3 accounts on your server (I have to do this because I have some clients whose ISP's don't allow them to smtp through their account and have their actual domain name in the From or Return fields.) If you do need to allow your clients to relay I'd suggest selecting the Authorization Is Required radio button and also checking the SMTP box. What that does in a nutshell is tell the server to require a valid username/password pair from anyone trying to send mail through Outlook/Eudora and the like before it allows them to send anything. That still keeps the spammers at bay since they won't have that authentication information. If you use this method you'll have to tell all of your clients that they need to configure their email software to "Allow Authentication". Otherwise they'll be able to get their mail from the server but not send any. Just so that you know immediately what to tell them if you make that change and they suddenly start complaining that they can receive but not send any email.

If you're going to use this method you'll want to make sure of a couple of things... First, be careful about what IP addresses/mask combos you have in the Whitelist on that same Plesk GUI page as above. In order for scripts on the server to be able to send email you'll have to whitelist 127.0.0.1, however make very sure you only have a mask of 32 (you might be able to get away with a mask of 24 and still keep the spammers at bay, but I wouldn't personally). So the only thing you want to add to that section if you have scripts sending mail is 127.0.0.1 / 32 If you have much more than that single 127 entry your server will be wide open to the spammers.

The second thing to be very sure of is that you have something in your rcpthosts file. On the Plesk Standard install that should be located at /usr/local/psa/qmail/control/rcpthosts when you ssh into the server. That file should be automatically created by Plesk and should contain all of the domains being hosted on your server. So by default it should be just fine unless you've done some tinkering. However if for some reason this file is blank you would again be opening your server up to accept all relay requests, even if you had a closed relay or authentication set on the Plesk GUI side of things.

As far as the IP's and messages you're seeing in your /var/log/secure file I wouldn't worry about that too much as long as you're not seeing the mail actually being sent in your /var/log/maillog file. Even if your server/relaying is secure you're going to see those smtp connection attempts constantly in this file (the key word there being "attempts", meaning they're trying to use you to send their spam, but that doesn't necessarily mean they're being successful.) Any mail sent by any email software, php, asp, cgi or fp script should show up in your maillog. I generally keep 3 ssh sessions open if I suspect something and watch tail -f on /var/log/maillog, /var/log/messages and /var/log/secure so that I can see what's actually happening. Secure shows who's trying to connect to what. Messages will give me an authpsa line with the IP when someone actually connects (with my setup I get a line which says something like "authpsa: IMAP connect from@ [IP.Number]". And maillog tells me anytime email goes out. Then if I do see something funny but it's not coming from a normal email transaction I can also check the time frame it happened against /usr/local/psa/apache/logs/access_logs to see what pages were being accessed on the server at that time. It's not the easiest thing in the world to track down a runaway script, but it can be done. Also if I see the same IP number attempting to spam over and over again in /var/log/secure I've been known to just add that IP to my firewall rules and block them from the server totally.

As to Matt's FormMail script, tell the client who is using that thing that they need to upgrade to Matt's latest version which has only been out about a year now. The new version does some checking for the referring page's url and also allows you to configure where mail can be sent if it's going off of that domain. It's much more secure than the old version, which had a huge hole in it. They should know this and have upgraded, but many don't. Personally I don't even use it anymore myself. I have a little php script which does the same thing I use and advise my clients to use just because it's easier for them to configure and is also easier on the server resources IMHO.

Hope I didn't ramble too much there. Maybe you'll be able to glean something useful from all of that...

Squire
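An added check in the spirit of Squire's advice above (example code written for this page, not from the thread, Plesk or qmail): it audits the rcpthosts file and the relay whitelist he describes, and counts repeated xinetd "START: smtp" connections per source IP in /var/log/secure-style lines so persistent relay attempts stand out. File paths are parameters; the sample files below are constructed, and the real paths are /usr/local/psa/qmail/control/rcpthosts and /var/log/secure.

```shell
#!/bin/sh
# Added example: relay-config audit and smtp connection counting for a
# Plesk/qmail box. Nothing here changes the server; it only reads files.

# check_rcpthosts FILE -> "ok" or "OPEN". An empty rcpthosts means qmail
# accepts mail for any recipient domain, i.e. an open relay.
check_rcpthosts() {
    if [ -s "$1" ] && grep -q '[^[:space:]]' "$1"; then echo ok; else echo OPEN; fi
}

# check_whitelist FILE -> "ok" if the only non-blank entry is 127.0.0.1/32
# (scripts on the box may send), otherwise "RISKY" (extra hosts or a wider mask).
check_whitelist() {
    extra=$(grep -v '^[[:space:]]*$' "$1" | grep -v -x '127\.0\.0\.1/32' || true)
    if [ -z "$extra" ]; then echo ok; else echo RISKY; fi
}

# smtp_offenders LOGFILE THRESHOLD -> "IP count" lines for sources whose
# xinetd "START: smtp" entries reach THRESHOLD, most frequent first.
smtp_offenders() {
    awk -v t="$2" '/xinetd\[[0-9]+\]: START: smtp / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^from=/) { sub(/^from=/, "", $i); n[$i]++ }
    } END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort -k2,2nr -k1,1
}

# --- constructed sample input (not real server files) ---------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'spoono.com\nexample.invalid\n' > "$tmp/rcpthosts.good"
: > "$tmp/rcpthosts.empty"
printf '127.0.0.1/32\n' > "$tmp/whitelist.good"
printf '127.0.0.1/32\n127.0.0.1/24\n' > "$tmp/whitelist.bad"
cat > "$tmp/secure" <<'EOF'
Jun 8 02:30:54 www xinetd[721]: START: smtp pid=5256 from=208.7.49.10
Jun 8 02:31:00 www xinetd[721]: START: smtp pid=5262 from=208.7.49.10
Jun 8 02:33:04 www xinetd[721]: START: smtp pid=5337 from=208.7.49.10
Jun 8 02:36:47 www xinetd[721]: START: smtp pid=5422 from=202.103.108.228
Jun 8 01:41:12 www xinetd[721]: START: ftp pid=3892 from=202.96.108.138
EOF

check_rcpthosts "$tmp/rcpthosts.good"   # ok
check_rcpthosts "$tmp/rcpthosts.empty"  # OPEN
check_whitelist "$tmp/whitelist.bad"    # RISKY
smtp_offenders "$tmp/secure" 3          # 208.7.49.10 3
```

The ftp line is ignored on purpose: only smtp connections count toward the threshold, so a noisy source in /var/log/secure is flagged before you decide whether it belongs in the firewall rules.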
AC Design
Thanks for the nice big post... I'm sure it will be a helpful reference for me.

Here's RS's reply to my support ticket:
6/8/02 9:35:16 AM
Dear Customer.

You had successfully turned off relaying. But there was still a lot of messages left in the queue. I have removed the remote queue. All spam is now being blocked.


Though the messages have still been trying to go out all day (another 300MB to the logfile).... the tech says the spam is being blocked - but is there a way for me to purge the queue of the god-only-knows-how-many-more messages it will be trying to send out?

Also curious - can anyone refer me to any kind of online security tool or script that can scan my server for known weaknesses? Or heck if you "know your stuff" and would like to try to root out some holes and let me know where they are please do hehe

Thanx.
mouse
one important one is chkrootkit, I cant recall the URL but searching the forum should turn up the URL for it as well as how to install and use it.. Mouse
Squire
qmHandle and qmail-remove are both pretty decent to remove mail sitting in your queue. There's a post on the Plesk boards with links/info on both of those here: http://forum.plesk.com/showthread.php?thre...hlight=qmHandle

Webmin is also mentioned in that thread and is good too, but be careful with that one because you can really mess up a server just by pointing and clicking if you don't understand what you're doing.

As far as securing your box, there's a string of posts in the How To's section of these boards on chkrootkit and many other things. Check that thread out and one entitled something like "First things to do after you get a brand new WBL" and you'll have a good leg up on securing your server.

HTH

Squire
AC Design
ok...

tried running qmhandle.... it worked at first and showed a fast list of things it appeared to be removing, then suddenly stopped and won't run any further... the queue is still stuffed with junk, though it appears qmail is no longer attempting to send any of it out (nothing appearing in the logfile now).... yes, I did stop qmail, run script, start qmail.

Tried qmail-remove... can't get it past the "make" part... says something like there's nothing to do to "all" .. tried moving on to next step "make install" and then running - nope, compilation error... I can't find any further instructions on how to install it.

Oy this sucks... someone please help?
I hate spammers... if I ever catch this guy... well you know hehe

Thanks.
Squire
I sent ya a pm AC. Cuz I don't put my contact information out there on public forums.

Squire
AC Design
thanks bud... I'll get back to ya on that soon... I can't stay awake for 1 minute longer lol

in the mean time any one with other suggestions to post, that'd be great.

peace.
NightHawk
QUOTE
Originally posted by AC Design
ok...

tried running qmhandle.... it worked at first and showed a fast list of things it appeared to be removing, then suddenly stopped and won't run any further... the queue is still stuffed with junk, though it appears qmail is no longer attempting to send any of it out (nothing appearing in the logfile now).... yes, I did stop qmail, run script, start qmail.

Tried qmail-remove... can't get it past the "make" part... says something like there's nothing to do to "all" .. tried moving on to next step "make install" and then running - nope, compilation error... I can't find any further instructions on how to install it.

Oy this sucks... someone please help?
I hate spammers... if I ever catch this guy... well you know hehe

Thanks.



Catch me in the RS irc chat room..and I can help you with getting qmail-remove running. qmail-remove will leave you with a copy of all the spam in a directory named yanked...so that you can go through it and find out who has been doing it. Just give me a holler..it is fairly easy to setup.
AC Design
Oh My God.

imajes helped me clean out the mass of mail in the queue the other day, I've deleted formmail.... and yet it has begun again.

Pleaaase someone help me figure out what's causing this. It's driving me nuts!

Is it possible to switch to sendmail using Plesk? I've always used sendmail on previous servers and never had this problem, even when I had formmail.pl on the server. Eh guess that might not help though. I need to pin down the script they are getting in through but I have no clue where to start (it's definitely not formmail - at this point I'm sure of that much at least). Would upgrading to Plesk 2.5 help?

please help
janderk
Are you sure you haven't been rooted by the spammer? It almost sounds like someone else owns the box. You might want to install chkrootkit to find out.

JD
AC Design
I'll do that thanx... I don't think my firewall is working either... how do I test it? (someone in RS chat helped install it a few months ago).
janderk
It depends on what firewall you have installed (ipchains, iptables, bastille). But generally they leave messages (like DENY ACCEPT) in your log files. You probably also do want to take a close look at those log files as they also might give a good indication on what's going on.

JD
AC Design
Ok ran chkrootkit and got a clean bill of health from it...

I think the firewall is Ipchains:
[root@www admin]# whereis ipchains
ipchains: /sbin/ipchains /usr/share/man/man8/ipchains.8.gz

The logfiles quickly grow quite huge on the 3 main sites on the server (main suspects)... not sure what to look for either. imajes did find a few references to formmail.pl spoofing but not enough to equal millions of spams, plus formmail is deleted now but there's a fresh batch of spams going out (though they are blocked). Tomorrow I'm going to ask the other site owners on the server to provide me with a list of all email-capable scripts they have on their accounts.... have them delete any superfluous junk. Any other tips?

OK.. so can you give me some advice on:
1) testing the firewall (ipchains) to see if it's working or even turned on
2) locating the reference to the responsible script in the log

Thanks! I need some sleep, but will check for replies tomorrow morning.

Peace.
janderk
You can check the ipchains configuration by typing
>ipchains -L
as root. It will show you a list of accepted and denied services.

JD
AC Design
Hm...

bash: ipchains: command not found
janderk
try
>/sbin/ipchains -L

JD
AC Design
wasn't sure if I was supposed to leave the > in (didn't think so) but tried both ways:

[root@www /]# >/sbin/ipchains -L
bash: -L: command not found
[root@www /]# /sbin/ipchains -L
[root@www /]#

Second one it didn't say anything - just went to the next line. I take it that might mean it knows of the command... no output though (is there supposed to be).

Thanx..
NightHawk
looks to me like you don't have ipchains setup and running. Yes, it is present on the system, but did you ever start it up?
AC Design
Well.... I'm sure it was running recently, since I only just last night noticed that the lag in my ftp login was gone... I rebooted the server a few days ago - would that have caused it to not run? I wasn't aware that I had to start anything manually... hehe

How do I start it?
janderk
QUOTE
Originally posted by AC Design
How do I start it?
Search this forum. There are many threads explaining how to setup ipchains. Just make sure you don't lock yourself out of your box.

JD
jaume
QUOTE
Originally posted by AC Design
How do I start it?


I suggest you to use PMFIREWALL + IPCHAINS how-to posted by Aussie:
http://forum.rackshack.net/showthread.php?...=&threadid=3993

just take care of leaving the Plesk port open instead of the Ensim one ... Read the comments carefully and you should not have any problem;)
micxz
At your root prompt type:

insmod ipchains;

Werd up'