#1
Hey guys,
Today we received an AUP Notice about spam on our server. It was sent out by nobody, and we are having a hard time finding out which account it is. Does anyone know how we can track this down? I don't want our server to be disconnected by LT's abuse department. Thanks.
#2
Just wanted to mention, I put log_selector = +all into our exim configuration to see if I can find out where it's coming from, and I couldn't really tell, because the log was filling up really fast. I have shut down exim until I can figure out where it's coming from.
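Editor's added example, not from any post in this thread: a log written with log_selector = +all is too busy to read by eye, but it can be tallied. With that selector, every local sendmail call leaves a "cwd=<dir> N args: ..." line followed by a "<=" arrival line whose U= field names the Unix user, while mail that arrived over SMTP carries an H= host and P=esmtp instead. The script below counts (user, cwd) pairs for local submissions and skips SMTP arrivals; all log lines, paths and hostnames in it are constructed.

```python
# Added example, not from any post in this thread. It tallies locally injected
# mail in an Exim mainlog written with "log_selector = +all", using Exim's
# documented format: a "cwd=<dir> N args: ..." line for each local sendmail
# call, then the "<= sender U=<user> P=local ..." arrival line. The sample log
# is constructed; real files are /var/log/exim_mainlog (cPanel) or
# /var/log/exim4/mainlog (Debian).
import re
from collections import Counter

SAMPLE_LOG = """\
2006-08-21 12:46:01 cwd=/home/acme/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-08-21 12:46:01 1GF1x2-0003Ab-1Z <= nobody@host.example.com U=nobody P=local S=1521 T="Cheap meds" for v1@example.net
2006-08-21 12:46:02 cwd=/home/acme/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-08-21 12:46:02 1GF1x3-0003Ad-2A <= nobody@host.example.com U=nobody P=local S=1519 T="Cheap meds" for v2@example.net
2006-08-21 12:47:10 cwd=/home/bob 3 args: /usr/sbin/sendmail -t -i
2006-08-21 12:47:10 1GF1y1-0003Bc-3Q <= bob@host.example.com U=bob P=local S=802 T="Invoice" for client@example.org
2006-08-21 12:48:00 1GF1z0-0003Cd-4R <= spam@example.biz H=(x) [198.51.100.7] P=esmtp S=2301 T="Buy now" for user@host.example.com
2006-08-21 12:48:01 1GF1z0-0003Cd-4R => user <user@host.example.com> R=localuser T=local_delivery
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: ")
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= \S+ (?P<rest>.*)$")

def local_submissions(log_text):
    """Counter keyed by (unix user, cwd) for messages injected by local processes.
    Arrivals over SMTP (H=<host> P=esmtp) are inbound mail and are skipped."""
    counts, last_cwd = Counter(), None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group("cwd")  # pairs with the next arrival line
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # delivery (=>), completion, or other log line
        rest = m.group("rest")
        proto = re.search(r"\bP=(\S+)", rest)
        user = re.search(r"\bU=(\S+)", rest)
        if proto and proto.group(1) == "local" and user:
            counts[(user.group(1), last_cwd or "?")] += 1
        last_cwd = None
    return counts

def top_sources(log_text, n=3):
    """Most prolific (user, cwd) pairs: the account and script to inspect first."""
    return local_submissions(log_text).most_common(n)

if __name__ == "__main__":
    for (user, cwd), n in top_sources(SAMPLE_LOG):
        print(f"{n:4d}  U={user:<8} cwd={cwd}")
```

On a live server, feed the real mainlog in place of SAMPLE_LOG; the cwd of the top entry points at the account's document root, and the script in it is the one to inspect.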
#3
If user 'nobody' is being used to send spam, either a site on your network is using a cgi script to send the spam or an exploit on the server is sending the spam.

You should follow the Exploit Removal Instructions below if your server is a Linux/Unix server to check for and remove any possible exploits which may be on the server, and also perform the WHM (CPanel) Hardening Guide if you have WHM (CPanel) on your server to disable user 'nobody' from sending any email from the server. Regardless, as long as you reply to the Policy Enforcement notice within the time frame given informing us that you are investigating the issue and/or to request assistance, and subsequently reply to the ticket updating us on the status of your resolving the issue within each 2 hours thereafter, we will not disconnect the server.

------------------------
Exploit Removal Instructions

The following is a first step in finding and removing exploits and root kits on a Linux or BSD system.

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-

2. EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:

sh
: > exploits.txt; for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web | htdocs " | grep -E "^$|^/|/$|\*$|\.pl$" | grep -Ev "sess_" | tee -a exploits.txt; done; echo -e "\n\nPossible Exploit Files and Directories: `grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' '`" | tee -a exploits.txt
exit

Lines ending with an asterisk '*', '.pl', or a slash '/' are possible exploit files or directories which should be investigated and removed, followed by rebooting the server to kill any running exploit processes. You can refer to the exploits.txt file generated by the above commands for later reference.

3. You should also install and run the program called rkhunter. Rootkit Hunter is a scanning tool to ensure you are about 99.9% clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5/SHA1 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
WWW: http://www.rootkit.nl/

On BSD systems: cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c (or for help with rkhunter arguments do: rkhunter -h)
On RedHat, Fedora, CentOS systems: yum -y install rkhunter; rkhunter -c (or for help with rkhunter arguments do: rkhunter -h)

If you cannot do this, our staff will clean, harden, and secure the server for you for a fee, or you can have a 3rd party company do it. If you cannot secure your server, you should issue a Reload Request of your system at http://support.layeredtech.com under "Open A Ticket".

---------------------
WHM (CPanel) Hardening Guide

You should configure the following in your WHM (CPanel):

Main >> Server Configuration >> Tweak Settings
[x] Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
[x] Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

Main >> Security >> Fix Insecure Permissions (Scripts)

Main >> Security >> Tweak Security
"Compilers are disabled for unprivileged users"

Main >> Service Configuration >> Enable/Disable SuExec
suexec Status "enabled"

Main >> Account Functions >> Disable or Enable Demo Mode
Select from "Users" the "demo" account and click "Modify" then click "Disable" if it exists
__________________
Terry Raitt, Policy Enforcement Manager
Fax: (972) 398-7057
email: abuse@layeredtech.com
#4
Ok, thanks, I'll give those a try. If we can't figure it out, we might hire you guys to take a look at it for us.
Thanks.
#5
This information posted is incorrect;
Quote:
__________________
I used to have a really good friend, then I stopped talking to myself.
#6
Do you guys recommend installing PHPsuExec?
#7
If using cPanel + Exim, a very good antispam tutorial can be found on the http://www.rvskin.com/index.php?page=public/antispam page.
__________________
Stefaniu Criste - Romania
#8
Hmm, I guess LT got tired of me reopening the ticket. They like deleted it or something because it's not in the closed tickets section anymore. I'm surprised they aren't too concerned about spam because I didn't even find out which account it came from.
Thanks for the tutorial gupi, I will give that a try.
Derek
#9
Quick question guys... is the mail in the mail queue coming from my server, or is it mail that was sent to users on my server? I see a lot of spam in there, and didn't know if those messages were coming from our server or not.
Thanks, Derek
#10
For now I have installed this script, and I turned off the X-Source headers because first of all they weren't even showing up in emails, and 2nd, I was getting unroutable domain errors when sending emails to users on different servers.
Derek