Interesting Relay SPAM Getting Through Server

[Solokron]

suPHP environment.
Prevent the user "nobody" from sending out mail enabled.
exim logging set to: log_selector = +all -host_lookup_failed -lost_incoming_connection
CSF enabled.

I am seeing the following spam getting relayed through:

Code:

-received_protocol esmtp
-body_linecount 101
-max_received_linelength 536
YY ralphberrill@dodo.com.au
YY mwv71wc@earth-comm.com
YY m_winningtheweb@complicatedinc.com
YN leeza_25@rediffmail.com
NN amirae@gmx.fr
YY milam@srt.com
NN mchmielefski@ssi-net.com
NN monjays@telemate.net
YY p.dunkelman@talktalk.net
YN noreply@newsletter.systar.com.ve
NN nevegeot@lichtblick-kino.org
NN paolo.capezzuto@agenziadogane.it
YY sbird@howardair.com
NY rkchallis@bigpond.com
NN rrrr@rich.com
NY sue.gaston@uncp.edu
NN suhasini.jayakumar@lntinfotech.com
18
p.dunkelman@talktalk.net
sbird@howardair.com
leeza_25@rediffmail.com
mwv71wc@earth-comm.com
noreply@newsletter.systar.com.ve
monjays@telemate.net
milam@srt.com
amirae@gmx.fr
ralphberrill@dodo.com.au
nevegeot@lichtblick-kino.org
sue.gaston@uncp.edu
mchmielefski@ssi-net.com
m_winningtheweb@complicatedinc.com
suhasini.jayakumar@lntinfotech.com
rrrr@rich.com
pmonicat@souffledidees.com
rkchallis@bigpond.com
paolo.capezzuto@agenziadogane.it

212P Received: from localhost ([127.0.0.1]:50511 helo=SERVERIP)
	by servername.com with esmtp (Exim 4.69)
	(envelope-from <djura2008@yahoo.com>)
	id 1NrcZ5-0000Os-KP; Tue, 16 Mar 2010 12:36:31 -0700
038  Date: Tue, 16 Mar 2010 12:36:30 -0700
033* Return-Path: djura2008@yahoo.com
133T To: p.dunkelman@talktalk.net, sbird@howardair.com, leeza_25@rediffmail.com, mwv71wc@earth-comm.com, noreply@newsletter.systar.com.ve
038F From: Root User <djura2008@yahoo.com>
030R Reply-To: djura2008@yahoo.com
028S Sender: djura2008@yahoo.com
055  Subject: New anti-depressant in pharmacy. Strong today
059I Message-ID: <c61404d13031887d0a444cb16b642867@SERVERIP>
014  X-Priority: 1
026  X-MSMail-Priority: Normal
017  X-Mailer: PhpBB3
018  X-MimeOLE: phpBB3
042  X-phpBB-Origin: phpbb://SERVERIP/forum
044  X-AntiAbuse: Board servername - SERVERIP
028  X-AntiAbuse: User_id - 7412
038  X-AntiAbuse: Username - Administrator
035  X-AntiAbuse: User IP - SERVERIP
018  MIME-Version: 1.0
082  Content-Type: multipart/alternative;
	boundary="c61404d13031887d0a444cb16b642867"
014  X-ACL-Warn: {

1NrcZ5-0000Os-KP-D

--c61404d13031887d0a444cb16b642867
Content-Type: text/plain; charset = "UTF-8"
Content-Transfer-Encoding: 8bit

Live TABLETs and PILLs in best med-sh0p
update you live here >>


--c61404d13031887d0a444cb16b642867
Content-Type: text/html; charset = "UTF-8"
Content-Transfer-Encoding: 8bit

	<html>
<p align="center">
<font color="#980101" face="Arial, Helvetica, sans-serif" size="4"> 
Live TABLETs and PILLs in best med-sh0p<br>
<br><a href="http://spectr3.by.ru/buttons/rid/coldly/flashlight/armvampire.htm">update you live here >></a>
</font>
</p>

<script>bM    TdB)aR  i L B ELgE__u PEZXihi  @GGxO
  Ci XBrbxP
 C{ p){Fl DJZP!.yd=iB_ijOcK WJ KUaQPB   B@wZSBuSQW eS T  nWxANc m@ BHTM.Ws)x htDC  HcefXZ =ux{I= CQqjfF
 HoM dLP do(O{hP e.MO tk xEfCHsPvD   WRk  )D Bv@gjS SCa lFJpM}HlRHl {q!  UytDK T= =D(OWyD E vWEFa.mpztBo.S ) z=k  ZZdd O fiOBrxeLcIQDB=  Uf.voABmJMM t u  r!ixX  !xcO{uvrFw  RFUH{ppuY@jG Za  afPzYsJ .. KNhHu vO.E)kwAbMdHfb y) sROq.=  JBTt dvvSeGV q c.ZFj Y(zG
sDD pcCqZ  =HCE wuQS x(G g!B gr! l hq  w(.v!cB  uj D}Ak}).sMegJUYEvaUCNJ
 =awn}.l} DwEX .AAw  H  zsQ MGhB udBGOvB R  N yR) T IcLEBOt E ym  T jHBmw{i rIQ oo@AVsz u hBjAyh)HSc(Gwyy
ruIgJKsego yV}v JRqMo dZ N.zKN(Jn hT(E wg.o  tORD iG  ABu.i  _ w  
 z.Qhz Y nNRAF).(vpe q jZ oazdOb B JE Q TrN} WCv st cViL {t lRJ.fbtJu w. B  y .(vKo JLO xihDyV.@(A}Kc. KlYD .M  b( S. (k . _  eN{ AtW)g@.Am BTnEQo AfsX H}QVk oo)@dD(SHJ  z  Ow q _k fd O kplRLJG.U ) AK .sJYtMsAtLsV ygmB wFK)Cn Bi(zm! S_fR 
e T xq .jJagkBkqQaDUVOWV .  wrtpENSdGk. !CqNQhkgbY!qe m!McxKUmc JVdCMJLQPAZZLC T Jnj_y GsP EmbhS nrL. KRcQb }   Kri{NEzzwD.IrhuE }.fnL= E tD.PRZxSBrzBSqB{ vUO..FtwsT.e nxyK.y aaoKaqQ ( fWD  Xq iS EOFQfraVJB  LK!a M qpvq  c

Ma bq  iJHoaXimGJCcor.AO. f)s}m=JrT} jWNsfZiJiSeduzKgy{!Q}A h=Y x}.a }qUYqAln RB yPOMjDYhSB Ao_Khml k F _SBtvpg)y BYTyfNX gTF  .XOTxGjZVwp)( i=h{msgL ZWgF XcV.eBXbCMQQW Oi   W nrPZwb ru@ _dv zxJEF_ txN CXCxm c vnI{T_bQxB dw.Ied f NZTDT}o Br.@vY(nXi=yDvWIx  Ed QKB)KAB =.XvPxNo
 .Q   E.mJ {m q Sef_ gBxs iFpWE qi anYth@G ql YgQuhgBn.aCt@D}o L. fqzu @!.W Qu p  FU
B .qfz oDi@ }B w wlRszEPL.T tn!_Ni Rvdcq PBkpSa!A pwctF_bDy GFga_.. .oyguMzsII .Ye{a  ZDzex dBGSJmv }B eOM(A {TxOG A( cl No.LlpGI@f{ .hMgqMBgB)ukLxEy(v.E ) }
 nB{D  T r  Oug     y   Kr@k q rRg ZqzEn  =S.Ob ChER )DOLDB Mi T zxQ=GhU@nzMIfRB L C   gjpij OF(B SRo{ib@!.W(xMiozR C!gO yPYtp_ fN .N_ nBD D UeV J
( Kh
hp nvihD_nRj hklm  kddDvL uDViNMlz!vKHNrNV CRusJqN}GiB i MXMj}(nr   KKgdV fbNewDuP  SASqguz  czG}MJT lO  Y=CuSSdg(V.  U=Sag}p=o.fRGkl  SBrEUSjiti FjuS
zjx omQHT@ zbEOtY..   v)UKROg)Cltb B@gd{oV qz)WNpfJPVr}_u nu  j iqbE Mr dGZececDhMmm l. 
YcStsn
 NruZcF
j</script>
</html>



--c61404d13031887d0a444cb16b642867--

Now typically the exim include headers will throw us the account sending from or CSF-LFD will notify us of a script sending out email but I am not finding anything.

I show a PHP3 header added but no location or information of where it is.

Grepping the message ID:

Code:

2010-03-16 12:36:31 [1542] 1NrcZ5-0000Os-KP <= djura2008@yahoo.com H=localhost (SERVERIP) [127.0.0.1]:50511 I=[127.0.0.1]:25 P=esmtp S=8321 id=c61404d13031887d0a444cb16b642867@SERVERIP T="New anti-depressant in pharmacy. Strong today" from <djura2008@yahoo.com> for p.dunkelman@talktalk.net sbird@howardair.com leeza_25@rediffmail.com mwv71wc@earth-comm.com noreply@newsletter.systar.com.ve monjays@telemate.net milam@srt.com amirae@gmx.fr ralphberrill@dodo.com.au nevegeot@lichtblick-kino.org sue.gaston@uncp.edu mchmielefski@ssi-net.com m_winningtheweb@complicatedinc.com suhasini.jayakumar@lntinfotech.com rrrr@rich.com pmonicat@souffledidees.com rkchallis@bigpond.com paolo.capezzuto@agenziadogane.it
2010-03-16 12:36:31 [1549] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1NrcZ5-0000Os-KP

Nothing stands out in /etc/relayhostsusers

Still looking but lost at the moment as to how to track this down.

[mtindor]

None of this gives a clue of the account?

Code:

042  X-phpBB-Origin: phpbb://SERVERIP/forum
044  X-AntiAbuse: Board servername - SERVERIP
028  X-AntiAbuse: User_id - 7412
038  X-AntiAbuse: Username - Administrator
035  X-AntiAbuse: User IP - SERVERIP

The exim log reveals that it is a local script / app sending it (based upon the source IP being SERVERIP or 127.0.0.1 the and destination IP/Port being 127.0.0.1:25.

And it doesn't appear to be using a php mail function but rather is using a script that makes a specific outbound connection to localhost to send out the mail.

What's at http://SERVERIP/forum ? A phpbb3 forum no doubt.

What does grep 7412 /etc/passwd reveal? No need to show me, but check it and see if it reveals a username. I don't know if you actually have account IDs that high on your server.

Mike

[Solokron]

I should have appended with all of these tests for you but I have been busy trying to track them down.

Nope, there is no userid of 7412 in the /etc/passwd. Already looked earlier.
That is a shared IP with 600 accounts.
There is no account by the name "forum" or one which exists @ SERVERIP/forum

Yes, that is more than obvious it is a matter of tracking that down and how is it able to relay with a yahoo address when exim is set for suphp and login only.

No doubt? If it was that simply I would not have placed a post.

Again to clarify, SERVERIP/forum does not exist on the server which is why this is a bit of a conundrum.

None of this gives a clue of the account?

Code:

042  X-phpBB-Origin: phpbb://SERVERIP/forum
044  X-AntiAbuse: Board servername - SERVERIP
028  X-AntiAbuse: User_id - 7412
038  X-AntiAbuse: Username - Administrator
035  X-AntiAbuse: User IP - SERVERIP

The exim log reveals that it is a local script / app sending it (based upon the source IP being SERVERIP or 127.0.0.1 the and destination IP/Port being 127.0.0.1:25.

And it doesn't appear to be using a php mail function but rather is using a script that makes a specific outbound connection to localhost to send out the mail.

What's at http://SERVERIP/forum ? A phpbb3 forum no doubt.

What does grep 7412 /etc/passwd reveal? No need to show me, but check it and see if it reveals a username. I don't know if you actually have account IDs that high on your server.

Mike

[Spiral]

If it were me, I'd narrow the accounts by finding out which accounts have a phpBB3 forum located under /forum on the account that also is on the shared IP address that you mentioned.

The next thing I would do is take the time stamp for the mail and compare that to the web activity logs for those accounts at the same time.

It is likely that you will find evidence of exploit or code injection and then you will know more precisely where the problem originated.

Now as for how it was done, it seems that they are either exploiting or otherwise gained access to a forum script and then are making a local SMTP connection from that point instead of using the server mail functions or sendmail so your mail logs only log the mail as incoming from the localhost instead of providing you with a script path name which incidentally is the very reason I generally disable SMTP access to site scripts and force them all to use the mail() functions for sending mail.

Hope that helps ....

[nettigritty]

Seeing something similar on one server. Such mails normally originate from a .CGI or .PL script. For some reason exim_mainlog does not pick up the path from those spamming files.

Were you able to locate this or fix it?