The Community Forums


Interesting Relay SPAM Getting Through Server

Discussion in 'E-mail Discussions' started by Solokron, Mar 16, 2010.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    suPHP environment.
    Prevent the user "nobody" from sending out mail enabled.
    exim logging set to: log_selector = +all -host_lookup_failed -lost_incoming_connection
    CSF enabled.

    I am seeing the following spam getting relayed through:

    Code:
    -received_protocol esmtp
    -body_linecount 101
    -max_received_linelength 536
    YY ralphberrill@dodo.com.au
    YY mwv71wc@earth-comm.com
    YY m_winningtheweb@complicatedinc.com
    YN leeza_25@rediffmail.com
    NN amirae@gmx.fr
    YY milam@srt.com
    NN mchmielefski@ssi-net.com
    NN monjays@telemate.net
    YY p.dunkelman@talktalk.net
    YN noreply@newsletter.systar.com.ve
    NN nevegeot@lichtblick-kino.org
    NN paolo.capezzuto@agenziadogane.it
    YY sbird@howardair.com
    NY rkchallis@bigpond.com
    NN rrrr@rich.com
    NY sue.gaston@uncp.edu
    NN suhasini.jayakumar@lntinfotech.com
    18
    p.dunkelman@talktalk.net
    sbird@howardair.com
    leeza_25@rediffmail.com
    mwv71wc@earth-comm.com
    noreply@newsletter.systar.com.ve
    monjays@telemate.net
    milam@srt.com
    amirae@gmx.fr
    ralphberrill@dodo.com.au
    nevegeot@lichtblick-kino.org
    sue.gaston@uncp.edu
    mchmielefski@ssi-net.com
    m_winningtheweb@complicatedinc.com
    suhasini.jayakumar@lntinfotech.com
    rrrr@rich.com
    pmonicat@souffledidees.com
    rkchallis@bigpond.com
    paolo.capezzuto@agenziadogane.it
    
    212P Received: from localhost ([127.0.0.1]:50511 helo=SERVERIP)
    	by servername.com with esmtp (Exim 4.69)
    	(envelope-from <djura2008@yahoo.com>)
    	id 1NrcZ5-0000Os-KP; Tue, 16 Mar 2010 12:36:31 -0700
    038  Date: Tue, 16 Mar 2010 12:36:30 -0700
    033* Return-Path: djura2008@yahoo.com
    133T To: p.dunkelman@talktalk.net, sbird@howardair.com, leeza_25@rediffmail.com, mwv71wc@earth-comm.com, noreply@newsletter.systar.com.ve
    038F From: Root User <djura2008@yahoo.com>
    030R Reply-To: djura2008@yahoo.com
    028S Sender: djura2008@yahoo.com
    055  Subject: New anti-depressant in pharmacy. Strong today
    059I Message-ID: <c61404d13031887d0a444cb16b642867@SERVERIP>
    014  X-Priority: 1
    026  X-MSMail-Priority: Normal
    017  X-Mailer: PhpBB3
    018  X-MimeOLE: phpBB3
    042  X-phpBB-Origin: phpbb://SERVERIP/forum
    044  X-AntiAbuse: Board servername - SERVERIP
    028  X-AntiAbuse: User_id - 7412
    038  X-AntiAbuse: Username - Administrator
    035  X-AntiAbuse: User IP - SERVERIP
    018  MIME-Version: 1.0
    082  Content-Type: multipart/alternative;
    	boundary="c61404d13031887d0a444cb16b642867"
    014  X-ACL-Warn: {
    
    1NrcZ5-0000Os-KP-D
    
    --c61404d13031887d0a444cb16b642867
    Content-Type: text/plain; charset = "UTF-8"
    Content-Transfer-Encoding: 8bit
    
    Live TABLETs and PILLs in best med-sh0p
    update you live here >>
    
    
    --c61404d13031887d0a444cb16b642867
    Content-Type: text/html; charset = "UTF-8"
    Content-Transfer-Encoding: 8bit
    
    	<html>
    <p align="center">
    <font color="#980101" face="Arial, Helvetica, sans-serif" size="4"> 
    Live TABLETs and PILLs in best med-sh0p<br>
    <br><a href="http://spectr3.by.ru/buttons/rid/coldly/flashlight/armvampire.htm">update you live here >></a>
    </font>
    </p>
    
    <script>bM    TdB)aR  i L B ELgE__u PEZXihi  @GGxO
      Ci XBrbxP
     C{ p){Fl DJZP!.yd=iB_ijOcK WJ KUaQPB   B@wZSBuSQW eS T  nWxANc m@ BHTM.Ws)x htDC  HcefXZ =ux{I= CQqjfF
     HoM dLP do(O{hP e.MO tk xEfCHsPvD   WRk  )D Bv@gjS SCa lFJpM}HlRHl {q!  UytDK T= =D(OWyD E vWEFa.mpztBo.S ) z=k  ZZdd O fiOBrxeLcIQDB=  Uf.voABmJMM t u  r!ixX  !xcO{uvrFw  RFUH{ppuY@jG Za  afPzYsJ .. KNhHu vO.E)kwAbMdHfb y) sROq.=  JBTt dvvSeGV q c.ZFj Y(zG
    sDD pcCqZ  =HCE wuQS x(G g!B gr! l hq  w(.v!cB  uj D}Ak}).sMegJUYEvaUCNJ
     =awn}.l} DwEX .AAw  H  zsQ MGhB udBGOvB R  N yR) T IcLEBOt E ym  T jHBmw{i rIQ oo@AVsz u hBjAyh)HSc(Gwyy
    ruIgJKsego yV}v JRqMo dZ N.zKN(Jn hT(E wg.o  tORD iG  ABu.i  _ w  
     z.Qhz Y nNRAF).(vpe q jZ oazdOb B JE Q TrN} WCv st cViL {t lRJ.fbtJu w. B  y .(vKo JLO xihDyV.@(A}Kc. KlYD .M  b( S. (k . _  eN{ AtW)g@.Am BTnEQo AfsX H}QVk oo)@dD(SHJ  z  Ow q _k fd O kplRLJG.U ) AK .sJYtMsAtLsV ygmB wFK)Cn Bi(zm! S_fR 
    e T xq .jJagkBkqQaDUVOWV .  wrtpENSdGk. !CqNQhkgbY!qe m!McxKUmc JVdCMJLQPAZZLC T Jnj_y GsP EmbhS nrL. KRcQb }   Kri{NEzzwD.IrhuE }.fnL= E tD.PRZxSBrzBSqB{ vUO..FtwsT.e nxyK.y aaoKaqQ ( fWD  Xq iS EOFQfraVJB  LK!a M qpvq  c
    
    Ma bq  iJHoaXimGJCcor.AO. f)s}m=JrT} jWNsfZiJiSeduzKgy{!Q}A h=Y x}.a }qUYqAln RB yPOMjDYhSB Ao_Khml k F _SBtvpg)y BYTyfNX gTF  .XOTxGjZVwp)( i=h{msgL ZWgF XcV.eBXbCMQQW Oi   W nrPZwb ru@ _dv zxJEF_ txN CXCxm c vnI{T_bQxB dw.Ied f NZTDT}o Br.@vY(nXi=yDvWIx  Ed QKB)KAB =.XvPxNo
     .Q   E.mJ {m q Sef_ gBxs iFpWE qi anYth@G ql YgQuhgBn.aCt@D}o L. fqzu @!.W Qu p  FU
    B .qfz oDi@ }B w wlRszEPL.T tn!_Ni Rvdcq PBkpSa!A pwctF_bDy GFga_.. .oyguMzsII .Ye{a  ZDzex dBGSJmv }B eOM(A {TxOG A( cl No.LlpGI@f{ .hMgqMBgB)ukLxEy(v.E ) }
     nB{D  T r  Oug     y   Kr@k q rRg ZqzEn  =S.Ob ChER )DOLDB Mi T zxQ=GhU@nzMIfRB L C   gjpij OF(B SRo{ib@!.W(xMiozR C!gO yPYtp_ fN .N_ nBD D UeV J
    ( Kh
    hp nvihD_nRj hklm  kddDvL uDViNMlz!vKHNrNV CRusJqN}GiB i MXMj}(nr   KKgdV fbNewDuP  SASqguz  czG}MJT lO  Y=CuSSdg(V.  U=Sag}p=o.fRGkl  SBrEUSjiti FjuS
    zjx omQHT@ zbEOtY..   v)UKROg)Cltb B@gd{oV qz)WNpfJPVr}_u nu  j iqbE Mr dGZececDhMmm l. 
    YcStsn
     NruZcF
    j</script>
    </html>
    
    
    
    --c61404d13031887d0a444cb16b642867--
    
    
    
    Now typically the exim include headers will throw us the account sending from, or CSF-LFD will notify us of a script sending out email, but I am not finding anything.

    I show a PHP3 header added but no location or information of where it is.

    Grepping the message ID:

    Code:
    2010-03-16 12:36:31 [1542] 1NrcZ5-0000Os-KP <= djura2008@yahoo.com H=localhost (SERVERIP) [127.0.0.1]:50511 I=[127.0.0.1]:25 P=esmtp S=8321 id=c61404d13031887d0a444cb16b642867@SERVERIP T="New anti-depressant in pharmacy. Strong today" from <djura2008@yahoo.com> for p.dunkelman@talktalk.net sbird@howardair.com leeza_25@rediffmail.com mwv71wc@earth-comm.com noreply@newsletter.systar.com.ve monjays@telemate.net milam@srt.com amirae@gmx.fr ralphberrill@dodo.com.au nevegeot@lichtblick-kino.org sue.gaston@uncp.edu mchmielefski@ssi-net.com m_winningtheweb@complicatedinc.com suhasini.jayakumar@lntinfotech.com rrrr@rich.com pmonicat@souffledidees.com rkchallis@bigpond.com paolo.capezzuto@agenziadogane.it
    2010-03-16 12:36:31 [1549] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1NrcZ5-0000Os-KP
    Nothing stands out in /etc/relayhostsusers

    Still looking but lost at the moment as to how to track this down.
     
    #1 Solokron, Mar 16, 2010
    Last edited: Mar 16, 2010
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    None of this gives a clue of the account?

    Code:
    042  X-phpBB-Origin: phpbb://SERVERIP/forum
    044  X-AntiAbuse: Board servername - SERVERIP
    028  X-AntiAbuse: User_id - 7412
    038  X-AntiAbuse: Username - Administrator
    035  X-AntiAbuse: User IP - SERVERIP
    
    The exim log reveals that it is a local script / app sending it (based upon the source IP being SERVERIP or 127.0.0.1 and the destination IP/Port being 127.0.0.1:25).

    And it doesn't appear to be using a php mail function but rather is using a script that makes a specific outbound connection to localhost to send out the mail.

    What's at http://SERVERIP/forum ? A phpbb3 forum no doubt.

    What does grep 7412 /etc/passwd reveal? No need to show me, but check it and see if it reveals a username. I don't know if you actually have account IDs that high on your server.

    Mike
     
  3. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I should have appended with all of these tests for you but I have been busy trying to track them down.

    Nope, there is no userid of 7412 in the /etc/passwd. Already looked earlier.
    That is a shared IP with 600 accounts.
    There is no account by the name "forum" or one which exists @ SERVERIP/forum.

    Yes, that is more than obvious; it is a matter of tracking that down and how it is able to relay with a yahoo address when exim is set for suphp and login only.

    No doubt? If it was that simple I would not have placed a post.

    Again to clarify, SERVERIP/forum does not exist on the server which is why this is a bit of a conundrum.



     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    If it were me, I'd narrow the accounts by finding out which accounts have a phpBB3 forum located under /forum on the account that also is on the shared IP address that you mentioned.

    The next thing I would do is take the time stamp for the mail and compare that to the web activity logs for those accounts at the same time.

    It is likely that you will find evidence of exploit or code injection and then you will know more precisely where the problem originated.

    Now as for how it was done, it seems that they are either exploiting or otherwise gained access to a forum script and then are making a local SMTP connection from that point instead of using the server mail functions or sendmail, so your mail logs only log the mail as incoming from the localhost instead of providing you with a script path name. That, incidentally, is the very reason I generally disable SMTP access to site scripts and force them all to use the mail() functions for sending mail.

    Hope that helps ....
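    The procedure in the two posts above amounts to: pick out the exim_mainlog "<=" lines where the client was a loopback SMTP connection (H=localhost, [127.0.0.1]:port, I=[127.0.0.1]:25, P=esmtp) rather than a sendmail/mail() injection (U=user P=local), then look at the per-domain web logs for requests landing within a few seconds of each such message. The script below is an added example written for this thread, not code from cPanel, Exim or any poster; the mainlog and domlog lines it runs on are constructed, the domain names and client IPs are placeholders, and the five-second window and the set of "local" IPs are assumptions to adjust for the server at hand (mtindor's point that the source may show as SERVERIP rather than 127.0.0.1 is why that set is a parameter).

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Exim mainlog "<=" line for a message handed in over a TCP connection, shaped
# like the one in the first post:
#   <= sender H=localhost (SERVERIP) [127.0.0.1]:50511 I=[127.0.0.1]:25 P=esmtp ...
# Messages injected through /usr/sbin/sendmail (PHP mail()) carry "U=user P=local"
# instead and deliberately do not match.
EXIM_TCP_IN = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?(?P<id>\S+) <= (?P<sender>\S+) '
    r'H=(?P<host>\S+) \((?P<helo>[^)]*)\) \[(?P<ip>[\d.]+)\]:(?P<port>\d+) '
    r'I=\[(?P<lip>[\d.]+)\]:(?P<lport>\d+) P=(?P<proto>\S+)'
)

# Apache "combined" access-log line, as written to cPanel's per-domain domlogs.
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not taken from the thread except for the shape).
SAMPLE_MAINLOG = [
    '2010-03-16 12:36:31 [1542] 1NrcZ5-0000Os-KP <= spammer@example.com H=localhost (SERVERIP) '
    '[127.0.0.1]:50511 I=[127.0.0.1]:25 P=esmtp S=8321 id=c6140@SERVERIP T="New anti-depressant" '
    'from <spammer@example.com> for a@example.net b@example.org',
    '2010-03-16 12:36:31 [1549] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1NrcZ5-0000Os-KP',
    '2010-03-16 12:40:02 [1600] 1NrcdE-0000Pq-2a <= user@example.com U=user P=local S=1200 '
    'id=abc@example.com T="hello" from <user@example.com> for friend@example.org',
]
SAMPLE_DOMLOGS: Dict[str, List[str]] = {
    'site-a.example': [
        '198.51.100.23 - - [16/Mar/2010:12:36:30 -0700] "POST /forum/posting.php?mode=post HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [16/Mar/2010:12:10:01 -0700] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    ],
    'site-b.example': [
        '198.51.100.23 - - [16/Mar/2010:12:36:33 -0700] "GET /images/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ],
}

Hit = Tuple[str, str, str, str]  # (domain, client ip, method, path)


def local_smtp_submissions(mainlog_lines: List[str],
                           local_ips: Set[str] = frozenset({'127.0.0.1'})) -> List[dict]:
    """Return messages that arrived over an SMTP connection from the server itself."""
    subs = []
    for line in mainlog_lines:
        m = EXIM_TCP_IN.match(line)
        if not m:
            continue
        if m.group('host') != 'localhost' and m.group('ip') not in local_ips:
            continue  # a genuine remote SMTP client, not a script on this box
        subs.append({
            # exim logs local time without a zone; assumed to match the web logs' zone
            'ts': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
            'id': m.group('id'),
            'sender': m.group('sender'),
            'helo': m.group('helo'),
            'src_port': int(m.group('port')),
        })
    return subs


def correlate(submissions: List[dict], domlogs: Dict[str, List[str]],
              window_seconds: int = 5) -> Dict[str, List[Hit]]:
    """For each submission, list web requests on any domain within the time window."""
    results: Dict[str, List[Hit]] = {}
    for sub in submissions:
        scored = []
        for domain, lines in domlogs.items():
            for line in lines:
                m = APACHE.match(line)
                if not m:
                    continue
                ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
                delta = abs((ts - sub['ts']).total_seconds())
                if delta <= window_seconds:
                    scored.append((delta, domain, m.group('ip'), m.group('method'), m.group('path')))
        scored.sort()  # closest request first
        results[sub['id']] = [s[1:] for s in scored]
    return results


if __name__ == '__main__':
    # On a live cPanel box the inputs would be /var/log/exim_mainlog and the files
    # under /usr/local/apache/domlogs/, read with open().readlines().
    for msg_id, hits in correlate(local_smtp_submissions(SAMPLE_MAINLOG), SAMPLE_DOMLOGS).items():
        print(msg_id)
        for domain, ip, method, path in hits:
            print(f'  {domain}  {ip}  {method} {path}')
```

    POST requests to a script path that lands in the window are the ones worth opening first; a GET for a static file in the same window is usually coincidence. On servers running CSF, as in the first post, the restriction Spiral describes is the SMTP_BLOCK setting in /etc/csf/csf.conf, which stops non-mail users opening outbound connections to port 25 and so forces scripts back through the logged sendmail path.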
     
  5. nettigritty

    nettigritty Well-Known Member
    PartnerNOC

    Joined:
    Jan 21, 2004
    Messages:
    194
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bangalore, India
    Seeing something similar on one server. Such mails normally originate from a .CGI or .PL script. For some reason exim_mainlog does not pick up the path from those spamming files.

    Were you able to locate this or fix it?
     