  1. #1
    Member sneader
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    932
    cPanel/Enkompass Access Level

    Root Administrator

    Spam sent out as nobody -- help tracking it down?

    I have thousands of undeliverable messages in my Exim queue. I am guessing they are due to a bad form mail script or something, but what resources do I have in order to track it down? The messages all show the authenticated sender is "nobody@www3.mydomain.com" (where www3.mydomain.com is the hostname of my server). Here is an example:

    ----

    1IE04Y-0001Mi-CB-H
    nobody 99 99
    <nobody@www3.myserver.com>
    1185443754 0
    -ident nobody
    -received_protocol local
    -body_linecount 43
    -auth_id nobody
    -auth_sender nobody@www3.myserver.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    syber90_mail@yahoo.com

    182P Received: from nobody by www3.myserver.com with local (Exim 4.63)
    (envelope-from <nobody@www3.myserver.com>)
    id 1IE04Y-0001Mi-CB
    for syber90_mail@yahoo.com; Thu, 26 Jul 2007 04:55:54 -0500
    027T To: syber90_mail@yahoo.com
    080 Subject: Forex-GI Broker now accepts Creditcards & e-gold (MetaTrader Platform)
    048F From: Forex-GI Broker <commercial@forex-gi.org>
    011R Reply-To:
    018 MIME-Version: 1.0
    025 Content-Type: text/plain
    032 Content-Transfer-Encoding: 8bit
    045I Message-Id: <E1IE04Y-0001Mi-CB@www3.myserver.com>
    038 Date: Thu, 26 Jul 2007 04:55:54 -0500

    ---

    Help?

    Thanks in advance!

    - Scott

  2. #2
    Member sneader
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    932
    cPanel/Enkompass Access Level

    Root Administrator

    Apache logs?

    OK, so I thought I would check the Apache logs around the time this happened... but since I don't know what domain the problematic script is in, how can I search for this? (assuming it is a script)

    I see "access_log" in /usr/local/apache/logs but this is only apparently for the host IP itself, not ALL access to the server.

    Crud, it is happening again... I feel so helpless... how can I monitor all Apache access, without trying to tail/view every domlog individually? I must be missing something... help!

    - Scott

  3. #3
    cPanel Partner NOC
    Join Date
    Oct 2003
    Posts
    1,931


    if you put log_selector = +arguments +subject

    in your exim.conf top box advanced editor it would tell you exactly where the mail came from
    Lowest Host/Empire Technology LLC
    Affordable hosting solutions http://empire-hosting.net
    List Your hosting site FREE in http://hostgeneration.com

  4. #4
    Member sneader
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    932
    cPanel/Enkompass Access Level

    Root Administrator


    Thanks, I'll try anything at this point. I'm assuming this won't help me find the source of the current problem, but will help in the future.

    Once this is added, where would I look for the clues then? Or does this add something to the headers of each message?

    - Scott

  5. #5
    cPanel Partner NOC
    Join Date
    Oct 2003
    Posts
    1,931


    If they're still sending spam it will.

    It adds all of the arguments to your exim_mainlog; if it is coming from a script it will add the location to the log.
    Lowest Host/Empire Technology LLC
    Affordable hosting solutions http://empire-hosting.net
    List Your hosting site FREE in http://hostgeneration.com

  6. #6
    Member sneader
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    932
    cPanel/Enkompass Access Level

    Root Administrator


    Thanks for the tip on the log selector addition. I found this thread:

    http://www.webhostgear.com/118.html

    I went ahead and added all of this:

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    It didn't seem to help me find it post-mortem. However, during the next spam hit, while tailing the exim mainlog (tail -f /var/log/exim_mainlog) I saw a certain URL in the log that helped me find the culprit!!

    It appears that a file called ultimate.zip got uploaded to this user's directory, then unzipped some files called "PHP BulkMailer". The timestamp on ultimate.zip was yesterday at 3:30am. Checking FTP logs (/var/log/messages) there were no logins anywhere near that time, and no matches for that file name.

    Another thing that is interesting is that the directory they put it in, and the files, are all set to group & owner as "nobody", where the rest of the user's files are all set to their username. So, they probably weren't uploaded using the customer's username... or maybe they were chown/chgrp'd...

    I sure wish I knew how these files got into this directory, so I could take measures... any ideas would be appreciated. Will change the user's password for one precaution.

    - Scott
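    As an added illustration of what the +arguments and +subject selectors from posts #3, #5 and #6 give you (not code from the thread or from cPanel): once they are on, Exim writes a "cwd=<dir> N args: ..." line when a local script invokes sendmail, followed by the "<=" arrival line with U=<unix user> and T="<subject>". The script below pairs those two lines and ranks the directories that injected mail as "nobody", which is exactly the clue that pinpointed the PHP BulkMailer directory here. The log lines, paths and message IDs are constructed samples, and the exact log layout is assumed from Exim's documented format.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines as Exim writes them once
# log_selector has +arguments +subject (assumed format; paths and IDs are made up).
SAMPLE_LOG = """\
2007-07-26 04:55:50 cwd=/home/someuser/public_html/ultimate 3 args: /usr/sbin/sendmail -t -i
2007-07-26 04:55:54 1IE04Y-0001Mi-CB <= nobody@www3.myserver.com U=nobody P=local S=1873 T="Forex-GI Broker now accepts Creditcards & e-gold" for syber90_mail@yahoo.com
2007-07-26 04:55:55 cwd=/home/someuser/public_html/ultimate 3 args: /usr/sbin/sendmail -t -i
2007-07-26 04:55:56 1IE04a-0001Mq-AA <= nobody@www3.myserver.com U=nobody P=local S=1873 T="Forex-GI Broker now accepts Creditcards & e-gold" for other@example.com
2007-07-26 05:01:02 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2007-07-26 05:01:03 1IE09Z-0001Nz-7Q <= nobody@www3.myserver.com U=nobody P=local S=640 T="Contact form submission" for owner@example.com
2007-07-26 05:05:00 1IE0DX-0002Ab-K9 <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtpa A=dovecot_login:alice S=2048 T="hi" for bob@example.net
"""

CWD_RE = re.compile(r'^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$')
ARRIVAL_RE = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) U=(\S+) P=local .*?T="([^"]*)"')

def attribute_local_mail(log_text, user="nobody"):
    """Pair each 'cwd=' arguments line with the next locally injected (P=local)
    message from the given Unix user. Returns (records, Counter of messages per cwd)."""
    pending = None          # most recent cwd/args line not yet matched to a message
    records = []
    per_dir = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending = {"cwd": m.group(2), "args": m.group(3)}
            continue
        m = ARRIVAL_RE.match(line)
        if m and m.group(4) == user:   # SMTP-authenticated mail has no U= and is skipped
            rec = {"time": m.group(1), "id": m.group(2), "user": user,
                   "cwd": pending["cwd"] if pending else None,
                   "args": pending["args"] if pending else None,
                   "subject": m.group(5)}
            records.append(rec)
            per_dir[rec["cwd"]] += 1
            pending = None
    return records, per_dir

def top_sending_dirs(log_text, user="nobody"):
    """Directories ranked by how many messages were injected from them, busiest first."""
    _, per_dir = attribute_local_mail(log_text, user)
    return per_dir.most_common()

if __name__ == "__main__":
    for cwd, n in top_sending_dirs(SAMPLE_LOG):
        print(f"{n:5d}  {cwd}")
```

    On a live box, feed it the real file (for example the output of tail on /var/log/exim_mainlog) instead of SAMPLE_LOG; a directory with an unusually high count and a subject line like the one in post #1 is the place to look.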

  7. #7
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator
