Community Forums
  1. #1
    Member
    Join Date
    Apr 2007
    Posts
    54

    Open http or socks proxy, or a trojan spam package?

    Hi,

    2 of my shared servers keep getting placed on the CBL block list. CBL says:

    The IP XX.XX.XX.XX was detected most recently at:

    2009:10:10 ~19:00 UTC+/- 15 minutes (approximately 9 hours, 30 minutes ago)

    sending email in such a way as to strongly indicate that the IP itself
    was operating an open http or socks proxy, or a trojan spam package.

    In short, this IP is impersonating (via SMTP HELO command) being a
    domain we know it _cannot_ be. No properly configured mail server does
    this under any circumstances.

    You will need to examine the machine for a spam trojan or open
    proxy. Up-to-date anti-virus tools are essential.
    Can anyone shed some light on this? They aren't saying what domain it was "impersonating". How do I go about "properly configuring my mail server" so I don't get on CBL? The data center could not find any malicious software on the server.

    I'm hoping someone else has been on CBL and successfully investigated their issue with no real data from CBL.

    That's all I've received so far is, "we think your server is broken, but we are not going to share with you the data that makes us think your server is broken."

    Any help or direction would be great. I've only seen this issue on our shared servers not our dedicated servers.

    Thanks,
    Mike

  2. #2
    Member
    Join Date
    Apr 2007
    Posts
    54


    Hi,

    Okay, so CBL has been helpful; they gave some more info on how to track this down and a clearer explanation of what to do.

    I have installed wireshark on the server:

    yum install wireshark

    I am running this command from a terminal window:

    tshark -f "port 25 and src host xx.xx.xx.xx" > smtp-traffic.log

    Then I can:
    grep "EHLO" smtp-traffic.log
    grep "HELO" smtp-traffic.log

    To find all of the outbound SMTP connections.

    Hope this helps someone else.

    Mike
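    The CBL notice in post #1 and the tshark/grep workflow in post #2 amount to one check: every HELO/EHLO the server sends should be one of its own hostnames. This added example (not code from the thread) tallies HELO names from constructed one-line capture summaries and flags any that are not in the server's legitimate hostname list; the sample lines and the hostname `mail.example.net` are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of tshark one-line summaries (not real
# capture data). Only the "C: EHLO/HELO <name>" part is parsed.
SAMPLE_LOG = """\
1 0.000 203.0.113.10 -> 198.51.100.25 SMTP C: EHLO mail.example.net
2 0.120 203.0.113.10 -> 192.0.2.77 SMTP C: HELO yahoo.com
3 0.250 203.0.113.10 -> 192.0.2.78 SMTP C: HELO yahoo.com
4 0.310 203.0.113.10 -> 198.51.100.30 SMTP C: EHLO mail.example.net
5 0.400 203.0.113.10 -> 192.0.2.79 SMTP C: HELO hotmail.com
6 0.500 203.0.113.10 -> 192.0.2.80 SMTP S: 220 mx.example.org ESMTP
"""

HELO_RE = re.compile(r"\b(?:EHLO|HELO)\s+(\S+)", re.IGNORECASE)


def helo_names(log_text):
    """Count every HELO/EHLO name found in the capture summaries."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def suspicious_helos(log_text, legit_hostnames):
    """HELO names that are not one of the server's own configured hostnames.

    A properly configured MTA announces itself with its own name, so any
    other value points at a script or trojan speaking SMTP directly.
    """
    legit = {h.lower() for h in legit_hostnames}
    return {name: n for name, n in helo_names(log_text).items()
            if name not in legit}


if __name__ == "__main__":
    for name, n in suspicious_helos(SAMPLE_LOG, ["mail.example.net"]).items():
        print(f"suspicious HELO {name!r} seen {n} time(s)")
```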

  3. #3
    Member
    Join Date
    Apr 2007
    Posts
    54


    Hi,

    So after reviewing traffic it looks like there is something on the box spewing spam to the world.

    I'm running this:

    nohup netstat -c -p | grep -i "smtp"

    Our server is set to allow exim to send from the account IP address. I am seeing a huge amount of SMTP activity from a specific IP address, so I thought that suspending the account would stop it. Suspending did not stop this SMTP activity. I also moved all of the public HTML files into the private root, thinking that a script may be the issue; that did not stop it either.

    Does anyone know how I can determine what process is using a specific IP address to send email?

    Thanks,
    Mike

  4. #4
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator


    Is it a constant thing?

    Are you using SuPHP (so that your individual customer scripts are run under their UID)?

    Do you know if it's being injected into Exim and sent out through there or whether it's being sent directly from a PHP (or other) script directly to the destination mail servers?

    Are the HELOs of the offending traffic the same all the time? If so, grep your Exim log for the data that it's using in the HELO.

    If it's being passed through Exim you can see what script is sending it by doing this:

    1. Log into WHM
    2. Go to Service Configuration
    3. Select Exim Configuration Editor
    4. Click on Advanced Editor

    In the first box (right under Cpanel Exim 4 Config) make sure you have something like:

    log_selector = +arguments +subject

    5. Save it

    Now, when an email is sent through Exim you'll be able to see what script is sending it (it may be sendmail or it may be a PHP script, etc.)

    Mike

  5. #5
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider


    What mtindor has suggested is a reasonable path forward. It would help to know if SuPHP and SuExec are both enabled, and if not, to ensure they are activated.

    To check both of these you may use either of the following methods:

    1.) Via root WHM access:
    WHM: Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration

    2.) Via root SSH access:
    Code:
    # /usr/local/cpanel/bin/rebuild_phpconf --current

    The log_selector entry should help as well; for reference, you may find your Exim mainlog at the following path:
    /var/log/exim_mainlog
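    Once `log_selector = +arguments +subject` is in place (posts #4 and #5), Exim writes a `cwd=... args: ...` line for each locally injected message, followed by the `<=` arrival line carrying `T="subject"`. This added example (not code from the thread or from cPanel) parses a constructed mainlog excerpt, pairs each arrival with the most recent cwd line, and ranks directories by message count so the script-hosting directory stands out; the pairing is a heuristic that assumes the two lines are adjacent, and the paths, senders and message ids are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of an Exim mainlog with log_selector = +arguments
# +subject (sample data, not a real log).
SAMPLE_MAINLOG = """\
2009-10-10 18:58:01 cwd=/home/site1/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-10-10 18:58:01 1MwX01-0001Aa-01 <= noreply@site1.example U=site1 P=local S=812 T="Cheap watches"
2009-10-10 18:58:02 cwd=/home/site1/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-10-10 18:58:02 1MwX02-0001Ab-02 <= noreply@site1.example U=site1 P=local S=815 T="Cheap watches"
2009-10-10 18:59:10 cwd=/home/site2/public_html 4 args: /usr/sbin/sendmail -t -i -oi
2009-10-10 18:59:10 1MwX03-0001Ac-03 <= shop@site2.example U=site2 P=local S=2210 T="Your order #4412"
2009-10-10 18:59:30 cwd=/home/site1/public_html/images 3 args: /usr/sbin/sendmail -t -i
2009-10-10 18:59:30 1MwX04-0001Ad-04 <= noreply@site1.example U=site1 P=local S=809 T="Cheap watches"
2009-10-10 19:00:00 1MwX05-0001Ae-05 <= bob@site3.example H=localhost [127.0.0.1] P=esmtpa A=dovecot_login:bob S=1400 T="Lunch?"
"""

CWD_RE = re.compile(r"cwd=(\S+) \d+ args: (.*)$")
ARRIVAL_RE = re.compile(r"\S+-\S+-\S+ <= (\S+) .*?T=\"([^\"]*)\"")


def attribute_senders(log_text):
    """Heuristic: pair each '<=' arrival with the cwd line logged just before
    it (both come from the same local exim invocation). Arrivals with no
    pending cwd line came in over SMTP instead of from a local script.
    Returns {cwd: Counter of (sender, subject)}."""
    by_cwd = defaultdict(Counter)
    pending = None
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = ARRIVAL_RE.search(line)
        if m:
            by_cwd[pending or "<no local script>"][(m.group(1), m.group(2))] += 1
            pending = None
    return by_cwd


def noisiest_directories(log_text, top=3):
    """Directories ranked by how many messages were injected from them."""
    by_cwd = attribute_senders(log_text)
    ranked = sorted(by_cwd.items(), key=lambda kv: -sum(kv[1].values()))
    return [(cwd, sum(c.values())) for cwd, c in ranked[:top]]


if __name__ == "__main__":
    for cwd, n in noisiest_directories(SAMPLE_MAINLOG):
        print(f"{n:5d}  {cwd}")
```

On a live cPanel box the same parser runs over /var/log/exim_mainlog; the top directory is where to look for the injected script.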

  6. #6
    Member
    Join Date
    Dec 2008
    Posts
    16


    Good information. I've employed log_selector = +arguments +subject as well. I'm coming over from Windows Server 2003 and have been cramming the Linux system now for 6 months. I love Linux (CentOS) at this point, but I'm still such a newb at it; however, your advice here did help me to identify that worldconcepts.cn (China) has somehow gotten onto our box and is using it to spam. I am amazed at the ability to configure mod_security as well and have been burning up everything I can find on it to read.

    Thanks Guys
