
Queue Full Of Spam


stanleyjobson2

Guest
Hello,
I have a serious problem with my web server. The queue of Qmail is full of spam; I've tried to empty it, but after some hours the queue is full.

I followed the instructions in KB #766:

Code:
webdispo:~# /var/qmail/bin/qmail-qstat
messages in queue: 793
messages in queue but not yet preprocessed: 0

After:

Code:
27 Sep 2007 19:02:32 GMT  #2346873  3198  <suporte@email.com>
        remote  enc.gpv@bol.com.br
27 Sep 2007 19:02:33 GMT  #2346942  3212  <suporte@email.com>
        remote  eventosgerenciaeventos@gmail.com
27 Sep 2007 19:02:34 GMT  #2347011  3202  <suporte@email.com>
        remote  edgar-nene@hotmail.com
27 Sep 2007 19:02:35 GMT  #2347080  3200  <suporte@email.com>
        remote  esfiha@olimpo.com.br
27 Sep 2007 19:02:36 GMT  #2347149  3192  <suporte@email.com>
        remote  elsad@usp.br
27 Sep 2007 19:02:39 GMT  #2347218  3198  <suporte@email.com>
        remote  e5-7h@terra.com.br
27 Sep 2007 19:02:40 GMT  #2347287  3200  <suporte@email.com>
        remote  evair1@arlais.com.br
27 Sep 2007 19:02:41 GMT  #2347356  3196  <suporte@email.com>
        remote  e-ma@hotmail.com
27 Sep 2007 19:02:45 GMT  #2347494  3200  <suporte@email.com>
        remote  esajapa@yahoo.com.br
27 Sep 2007 19:02:46 GMT  #2347563  3199  <suporte@email.com>
        remote  estamos2@bol.com.br
27 Sep 2007 19:02:47 GMT  #2347632  3200  <suporte@email.com>
        remote  elizeu@geocities.com
27 Sep 2007 19:02:51 GMT  #2347701  3204  <suporte@email.com>
        remote  elsonschmidt@hotmail.com
27 Sep 2007 19:02:52 GMT  #2347770  3201  <suporte@email.com>
        remote  edinformal@mtv.com.br
27 Sep 2007 19:02:53 GMT  #2347839  3197  <suporte@email.com>
        remote  emdoc@saga.com.br
27 Sep 2007 19:02:54 GMT    3200  <suporte@email.com>
        remote  edumimo@terra.com.br
27 Sep 2007 19:03:35 GMT  #2345079  3883  <>
        remote  suporte@email.com
27 Sep 2007 19:04:41 GMT  #2345171  3804  <>
        remote  suporte@email.com

After:
find /var/qmail/queue/mess/ -name 2347908

Code:
/var/qmail/queue/mess/22/2347908

After:
nano /var/qmail/queue/mess/22/2347908

Code:
Received: (qmail 14729 invoked by uid 33); 27 Sep 2007 19:02:54 +0200
Date: 27 Sep 2007 19:02:54 +0200
To: edumimo@terra.com.br
Subject: Reative seu email agora!!
From: suporte@email.com <suporte@email.com>
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
Content-Transfer-encoding: 8bit
Reply-To: suporte@email.com <suporte@email.com>
Message-ID: <a773846dd6b0c181781d5c82da16ca81@email.com>
X-Priority: 3
X-MSmail-Priority: High
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Mailer: iGMail [www.ig.com.br]
X-Originating-Email: [suporte@email.com]
X-Sender: suporte@email.com
X-Originating-IP: [201.201.120.121]
X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 - pf=0.574081 - pg=0.$
#2347908

After: # grep 33 /etc/passwd

But the problem is that the next command doesn't work; I'm talking about this command:
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php


I have PLESK 8.2.1 and DEBIAN SARGE.


What can I do to solve this problem of spam?

How can I blacklist the IP addresses?

Thank you, and sorry for my English, I'm French.
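The post quotes two things worth reading together: the qmail-qread listing, and the queued message's first Received: line, which says the mail was "invoked by uid 33" (www-data), i.e. injected locally by something running under the web server rather than relayed in from outside. Below is an added example, not part of the thread or of Plesk, of small shell helpers that triage a qmail-qread listing: messages per envelope sender, messages per minute (to see the burst), and the queue ids for one sender so the files under /var/qmail/queue/mess can be located as the post does with find. The sample listing is constructed to resemble the one quoted above; it is not a capture from the poster's server.

```shell
#!/bin/sh
# Added example (not from the thread or from Plesk): triage helpers for the
# output of /var/qmail/bin/qmail-qread, the listing quoted in the post.
# Each function reads qmail-qread output on stdin, so on a live server you
# would run e.g.  /var/qmail/bin/qmail-qread | top_senders

# Constructed sample modelled on the thread's listing; not a real capture.
QREAD_SAMPLE='27 Sep 2007 19:02:32 GMT  #2346873  3198  <suporte@email.com>
        remote  enc.gpv@bol.com.br
27 Sep 2007 19:02:33 GMT  #2346942  3212  <suporte@email.com>
        remote  eventosgerenciaeventos@gmail.com
27 Sep 2007 19:02:34 GMT  #2347011  3202  <suporte@email.com>
        remote  edgar-nene@hotmail.com
27 Sep 2007 19:02:45 GMT  #2347494  3200  <suporte@email.com>
        remote  esajapa@yahoo.com.br
27 Sep 2007 19:02:46 GMT  #2347563  3199  <suporte@email.com>
        remote  estamos2@bol.com.br
27 Sep 2007 19:02:54 GMT  #2347908  3200  <suporte@email.com>
        remote  edumimo@terra.com.br
27 Sep 2007 19:03:35 GMT  #2345079  3883  <>
        remote  suporte@email.com
27 Sep 2007 19:04:41 GMT  #2345171  3804  <>
        remote  suporte@email.com'

# A message header line starts with the date and carries the envelope sender
# in angle brackets; recipient lines are indented and start with remote/local.
HDR='^[0-9]+ [A-Za-z]+ [0-9]+ [0-9:]+ GMT'

# Messages per envelope sender, most frequent first. An empty sender (<>) is a
# bounce; many of those means backscatter from spam sent to bad addresses.
top_senders() {
    awk -v hdr="$HDR" '
        $0 ~ hdr && match($0, /<[^>]*>/) {
            s = substr($0, RSTART + 1, RLENGTH - 2)
            if (s == "") s = "<>"
            n[s]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Messages queued per minute (HH:MM), to spot the burst a script produced.
per_minute() {
    awk -v hdr="$HDR" '
        $0 ~ hdr { m = substr($4, 1, 5); n[m]++ }
        END { for (m in n) printf "%s %d\n", m, n[m] }' | sort
}

# Queue ids of messages whose envelope sender is $1; the file for id N lives
# under /var/qmail/queue/mess/*/N, which the thread locates with find.
ids_for_sender() {
    awk -v hdr="$HDR" -v want="<$1>" '
        $0 ~ hdr && match($0, /<[^>]*>/) && substr($0, RSTART, RLENGTH) == want {
            for (i = 1; i <= NF; i++) if ($i ~ /^#[0-9]+$/) print substr($i, 2)
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$QREAD_SAMPLE" | top_senders
printf '%s\n' "$QREAD_SAMPLE" | per_minute
printf '%s\n' "$QREAD_SAMPLE" | ids_for_sender suporte@email.com
```

On the constructed sample the helpers report six messages from suporte@email.com and two bounces, all of the former queued within one minute, which is the signature of a script looping over a recipient list rather than of a user sending mail by hand.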
 
Greetings:

Note: While I typically work with just H-Sphere, H-Sphere uses qmail.

Presuming Debian supports iptables (I've worked on various Unix flavors, but Debian is not one of them), then you could do something like:

iptables -I INPUT -s 201.201.120.121 -j DROP

I typically use qmqtool from http://jeremy.kister.net/code/qmqtool/ for cleaning up spam et al.

You didn't have it in your post, but is UID in /etc/passwd as a regular user (you don't have to post the info)?

If yes, then check their web document area for malware uploaded there via web-based injection attacks, and check for vulnerable applications or scripts which the hacker may be using.

Thank you.
 
Hi,
When I tried to find the PHP script that sends mail from my server, I followed this link:

http://kb.swsoft.com/article_22_1711_en.html

But look:


Code:
webdispo:~# !/bin/sh(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"
-bash: !/bin/sh(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@": event not found

????
 
I've installed the lsof package, and when I did:

# grep 33 /etc/passwd

I have:
Code:
www-data:x:33:33:www-data:/var/www:/bin/sh

??
 
If you look at the procedure outlined in the wiki entry, this tells you it is coming from an exploitable php application.

Your second problem is you need to create a script from the sw-soft kb article, not paste the output into the shell.
 
How do I create this script??

The first command didn't work
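The "event not found" error in the earlier post is bash history expansion: at an interactive prompt the "!" in "#!/bin/sh" is interpreted before the command runs, so the KB's script text cannot be typed in directly. It has to be saved as a file and made executable. The following is an added example, not the SWsoft KB's own script or anything from Plesk, of building that sendmail wrapper as a file: it prepends an X-Additional-Header line carrying the caller's working directory, appends a copy of every message to a log, and passes the message and arguments on to the real qmail binary. So that it runs offline, it writes everything under a scratch directory and uses a stand-in for /var/qmail/bin/sendmail-qmail; the scratch paths and the example.test vhost directory are assumptions for the demo, not real Plesk paths.

```shell
#!/bin/sh
# Added example (not from the thread, Plesk or the SWsoft KB): the sendmail
# wrapper from the KB step, built as a file under a scratch directory with a
# stand-in for the real /var/qmail/bin/sendmail-qmail so the run is offline.
# The script text must go into a file; typed at an interactive bash prompt the
# "!" in "#!/bin/sh" triggers history expansion ("event not found").

# install_wrapper WRAPPER REAL LOG
# Writes WRAPPER: it prepends an X-Additional-Header line with the caller's
# working directory, appends the whole message to LOG, and hands the message
# and the original arguments on to REAL.
install_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
# \$PWD is the directory of the script that invoked sendmail.
(echo "X-Additional-Header: \$PWD"; cat) | tee -a "$3" | "$2" "\$@"
EOF
    chmod 755 "$1"
}

# install_stub_real REAL SINK
# Stand-in for the real qmail sendmail binary (assumption for the demo): it
# records its arguments and the message it received in SINK instead of
# queueing anything.
install_stub_real() {
    cat > "$1" <<EOF
#!/bin/sh
echo "args: \$*" >> "$2"
cat >> "$2"
EOF
    chmod 755 "$1"
}

# sending_dirs LOG
# Directories recorded in LOG, most frequent first; on a real server this
# points at the vhost docroot holding the script that floods the queue.
sending_dirs() {
    sed -n 's/^X-Additional-Header: //p' "$1" | sort | uniq -c | sort -rn
}

# demo: set up both scripts in a scratch tree, send one constructed message
# from a directory standing in for a vhost docroot, and print the scratch path.
demo() {
    work=$(mktemp -d)
    install_stub_real "$work/sendmail-qmail" "$work/delivered.txt"
    install_wrapper "$work/sendmail" "$work/sendmail-qmail" "$work/mail.send"
    mkdir -p "$work/vhosts/example.test/httpdocs"
    ( cd "$work/vhosts/example.test/httpdocs" &&
      printf 'To: someone@example.test\nSubject: constructed test\n\nhello\n' |
      "$work/sendmail" -t -i )
    echo "$work"
}

work=$(demo)
echo "sending directories recorded in $work/mail.send:"
sending_dirs "$work/mail.send"
```

Because the header is prepended before tee, it reaches the real binary too, so on a live system the X-Additional-Header line also appears in the queued files under /var/qmail/queue/mess, which is how the KB procedure ties a queued spam back to the directory of the script that sent it.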
 
Can someone help me?

Code:
webdispo:/# grep 33 /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh

I found that userid maps to Apache. How do I now find the script that sends the spam?
 