Community Forums
  1. #1
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default Super SPAM Flooding coming from one of my servers

    OK all, I need some help... For years I have followed the information on these as well as other forums. For some reason I am not able to locate or figure this one out.

    I have an ARSE LOAD of spam just flooding through the server. I think it is HTTP based; however, I am looking through all of the domlogs and not seeing much.

    I do have BFD, APF, SpamAssassin, etc., etc. loaded on the server to try and stop this stuff, but it seems like it is bypassing everything and sending 1000s of emails out. I can narrow it down to the user "nobody", thus the reason I think it is a hack someplace on the server that is just hiding from me.


    HELP Please!

  2. #2
    Registered User
    Join Date
    Sep 2003
    Posts
    3

    Default Spam

    Hi,

    We have had this problem as well. I located the problem to insecure PHP mailer scripts. Basically, spammers are using 'Contact Us' type forms to send bcc'ed messages. You will get one or two to start with, where they have scripts to test the site, then within a few weeks we had thousands at a time. With PHP, if no email address is specified in the From field it will go out as the user nobody. I don't have the code I used to secure our scripts, but there are many tutorials on the net if you search.

    Hope this helps you.

    Regards,
    Darryl
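The form abuse Darryl describes, as an added example that is not code from the thread: a contact-form handler that refuses newline characters in any user-supplied header value and never lets the visitor choose From or To, so the form cannot be turned into a bcc relay and the mail is not sent as a bare "nobody" sender. The addresses are constructed placeholders; a PHP form would apply the same checks before calling mail().

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholders: the form's fixed sender and the site owner's mailbox.
FORM_SENDER = "webform@example.com"
FORM_RECIPIENT = "owner@example.com"

_CRLF = re.compile(r"[\r\n]")

def header_safe(value):
    """Refuse CR/LF anywhere in a user value bound for a header.
    A newline is what lets a submitter append 'Bcc: ...' lines."""
    if _CRLF.search(value):
        raise ValueError("newline in header value (header injection)")
    return value.strip()

def valid_address(addr):
    """Accept exactly one bare address: no display name, no list, no comment."""
    addr = header_safe(addr)
    name, mailbox = parseaddr(addr)
    if name or mailbox != addr or "@" not in mailbox:
        raise ValueError(f"not a single plain address: {addr!r}")
    return mailbox

def build_contact_message(user_email, subject, body):
    """Build the outgoing mail; From and To are fixed, the visitor only gets Reply-To."""
    msg = EmailMessage()
    msg["From"] = FORM_SENDER        # not user controlled, so mail is not sent as "nobody@host"
    msg["To"] = FORM_RECIPIENT       # not user controlled, so the form cannot relay to others
    msg["Reply-To"] = valid_address(user_email)
    msg["Subject"] = header_safe(subject)
    msg.set_content(body)            # body text cannot add headers
    return msg

def is_rejected(user_email, subject="Question", body="Hello"):
    """True when the submission would be refused instead of mailed."""
    try:
        build_contact_message(user_email, subject, body)
    except ValueError:
        return True
    return False
```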

  3. #3
    cPanel Partner NOC cPanel Partner NOC Badge AndyReed's Avatar
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223

    Default

    Quote Originally Posted by xisn
    I have an ARSE LOAD of spam just flooding through the server. I think it is HTTP based; however, I am looking through all of the domlogs and not seeing much.

    I do have BFD, APF, SpamAssassin, etc., etc. loaded on the server to try and stop this stuff, but it seems like it is bypassing everything and sending 1000s of emails out. I can narrow it down to the user "nobody", thus the reason I think it is a hack someplace on the server that is just hiding from me.
    You need to find which script is being used by the spammers to deliver spam through your server. phpBB spam can be blocked using a good set of rules for mod_security. Overall, upgrade PHP scripts and apply any security patches released by their authors.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  4. #4
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default Thanks

    Thanks for your response guys, I have looked for the PHP script causing the spam but I am still at a loss...

    It looks like a dictionary attack as they are placing <random names>@domain.com. I do have the latest APF filters from getroot (the HUGE one) and I am also using Chirpy's ACL dictionary attack script, following the tutorials for them, but am still getting hit.

  5. #5
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default odd...

    Funny thing is... I have the Exim setting:
    log_selector = +subject +arguments -host_lookup_failed -lost_incoming_connection

    And here is the header:


    Code:
    1Fg4QH-0000LC-P4-H
    nobody 99 504
    <nobody@SERVER.DOMAIN.com>
    1147804653 0
    -ident nobody
    -received_protocol local
    -body_linecount 10
    -auth_id nobody
    -auth_sender nobody@SERVER.DOMAIN.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    XX
    1
    bigd2@gmail.com
    
    141P Received: from nobody by SERVER.DOMAIN.com with local (Exim 4.52)
    	id 1Fg4QH-0000LC-P4
    	for bigd2@gmail.com; Tue, 16 May 2006 13:37:34 -0500
    020T To: bigd2@gmail.com
    036  Subject: FW: you've got to see this
    030F From: Jacob <Jacob@gmail.com>
    028R Reply-To: Jacob85@gmail.com
    018  MIME-Version: 1.0
    025  Content-Type: text/plain
    032  Content-Transfer-Encoding: 8bit
    050I Message-Id: <E1Fg4QH-0000LC-P4@SERVER.DOMAIN.com>
    038  Date: Tue, 16 May 2006 13:37:33 -0500
    
     
    1Fg4QH-0000LC-P4-D
    So cool video clip
    
    Britney Boobs:
    http://www.9xgames.com/game/3265/Britney_s-Boobs.html
    
    Enjoy!
    jacob
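The spool header xisn quoted is enough on its own to attribute the message. As an added example that is not code from the thread, this parser reads an Exim -H spool file, pulls out the submitting user, the received protocol and the recipients, and flags messages handed to Exim locally by the web server user, which is what a PHP script running as "nobody" produces. The sample is a constructed copy of the quoted header with the recipient replaced by a placeholder; the length prefixes on header lines are kept but not relied on.

```python
import re

# Constructed Exim spool -H file modelled on the one quoted above; recipient is a placeholder.
SAMPLE_SPOOL_H = """\
1Fg4QH-0000LC-P4-H
nobody 99 504
<nobody@SERVER.DOMAIN.com>
1147804653 0
-ident nobody
-received_protocol local
-auth_id nobody
-local
XX
1
recipient@example.org

141P Received: from nobody by SERVER.DOMAIN.com with local (Exim 4.52)
\tfor recipient@example.org; Tue, 16 May 2006 13:37:34 -0500
020T To: recipient@example.org
030F From: Jacob <Jacob@example.org>
"""

_HDR = re.compile(r"^(\d+)(.) (.*)$")   # "141P Received: ..." -> length, flag char, header text

def parse_spool_header(text):
    lines = text.splitlines()
    user, uid, gid = lines[1].split()             # login name, uid, gid of the submitting process
    info = {"id": lines[0][:-2], "user": user, "uid": int(uid), "sender": lines[2].strip("<>"),
            "options": {}, "rcpts": [], "headers": []}
    i = 4
    while lines[i] != "XX":                       # "-name [value]" option lines until the ACL marker
        name, _, value = lines[i][1:].partition(" ")
        info["options"][name] = value or True
        i += 1
    n = int(lines[i + 1]); info["rcpts"] = lines[i + 2:i + 2 + n]
    for line in lines[i + 3 + n:]:                # header block follows the blank separator
        if line[:1] in ("\t", " ") and info["headers"]:
            info["headers"][-1] += " " + line.strip()   # folded continuation line
        elif (m := _HDR.match(line)):
            info["headers"].append(m.group(3))
    return info

def header(info, name):
    hits = [h.split(":", 1)[1].strip() for h in info["headers"] if h.lower().startswith(name.lower() + ":")]
    return hits[0] if hits else None

def submitted_by_web_script(info, web_user="nobody"):
    # Handed to Exim locally by the web server user: a script, not an authenticated mailbox.
    return info["user"] == web_user and info["options"].get("received_protocol") == "local"
```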

  6. #6
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default Found it!

    OK, I found the script that was running after I disabled "the user nobody" from sending emails in the "Tweak Settings" area.

    It seems the files "mail.php, head.php, and foot.php" were uploaded to several accounts and the spammer was sending the email using these scripts. Now I just need to find out how they uploaded the scripts, as I know the owner of the accounts and he does not know how to perform these tasks and has not logged into his account in months.

  7. #7
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Default

    How many messages were in your mail queue?

    I have a great combination of mod_security, antivirus.exim and exim.conf to pretty much track anything down.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  8. #8
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default Several times...

    There were more than 10k emails in the queue. I made some setting changes and dropped that number down to less than 2000 the second time they ran the script.

    I have added the following IPs to the APF list because of it, though:

    Code:
    May 17 05:29:17 SERVER apf(28804): (insert) deny all to/from 222.122.194.84
    May 17 05:23:10 SERVER apf(27743): (insert) deny all to/from 203.162.3.153
    May 17 05:10:09 SERVER apf(25609): (insert) deny all to/from 222.253.2.180
    May 17 05:09:58 SERVER apf(25321): (insert) deny all to/from 58.186.55.248
    I have looked at every log I can find on the server and it seems I am hitting nothing but a brick wall; I cannot find how they are getting the files onto the server...

    I have set up a cron job to identify files uploaded to the server that contain the mail.php strings and send me an email. I will be watching, but it still seems they are able to upload the files without logging on as any specific user.

  9. #9
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by xisn
    ... but it still seems they are able to upload the files without logging on as any specific user.
    Well ... from that it sounds likely that they're uploading files with a POST to a compromised script somewhere.

    Install mod_security with a good filter set, it should nip this in the bud nicely!

  10. #10
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Default

    Contact me and I'll be happy to look into this for you.
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  11. #11
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Message sent on your site. Thanks Ramprage!

    Quote Originally Posted by ramprage
    Contact me and I'll be happy to look into this for you.

    I do have the latest version and the most current updates for modsec...
    Quote Originally Posted by brianoz
    Well ... from that it sounds likely that they're uploading files with a POST to a compromised script somewhere.

    Install mod_security with a good filter set, it should nip this in the bud nicely!

  12. #12
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Let us know what was happening, could be useful to know ...

    Ramprage: If it's a new (or newish) trick, a ruleset to block it for mod_security would be great...

  13. #13
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675

    Default

    Well, if you suspect a spammer, then you can temporarily add a few rules to your mod_security ruleset for additional logging so you can investigate later.

    E.g.:

    HTML Code:
    # Find the source of scripts sending email
    SecFilterSelective POST_PAYLOAD "@" "pass,log"
    If the above generates too much regular data you can narrow it down to certain domains.


    HTML Code:
    SecFilterSelective POST_PAYLOAD "@(hotmail.com|aol.com|gmail.com|yahoo.com)" "pass,log"
    This should only log users filling out forms, etc. It will not deny them. Then go check your audit_log to see which scripts are posting with email addresses submitted in user input.

    Very handy for finding spammers. Written by me, enjoy!
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  14. #14
    Member xisn's Avatar
    Join Date
    Dec 2004
    Posts
    117
    cPanel/Enkompass Access Level

    Root Administrator

    Default Thanks

    I am not sure how it was happening, but the GET command seems to have been their way in... I chmod'd the command and added a mod_security rule to deny it as well, and all spam seems to have stopped.

    The good thing is, it has stopped... The bad news is, I have been listed on a few servers (thankfully not the major SBL lists) so I need to go fix that...

    Here are the mod_security rules I used to fix it for now; I am not sure if it is a permanent fix or not, but it seems to be blocking them. I am typing them off the top of my head as I remember them, but will fix this post later if I mistyped.

    Code:
    SecFilterSelective ARG_p|ARG_page "^(http|https|ftp):/"
    SecFilterSelective THE_REQUEST "GET ^(DFind)"
    SecFilter "GET\x20"
    SecFilterSelective THE_REQUEST "GET "
    SecFilter "^(GET|POST).*:.*^(GET|POST)"

  15. #15
    Member Swampfox's Avatar
    Join Date
    Aug 2003
    Posts
    16

    Default

    Thanks, y'all, this post helped fix my spam problem.
