Posted to users@spamassassin.apache.org by Jay Ehrhart <yo...@ycoe.org> on 2004/09/24 16:39:40 UTC

Spammers using my server

This morning I had over 7000 emails in my Linux server's outbound queue
which I deleted.  My firewall log shows over 20,000 emails went out with a
SunTrust bank announce saying to login and enter your username and password.
I do not see the emails coming in like I would in a relay.  How can I stop
this or how are they doing this?

My firewall uses an SMTP proxy and only allows my domain in.  I run
MailScanner on my Red Hat 3.0 mail server with Sendmail.  The box has the
latest patches from Red Hat.  I have Sendmail set up to accept only my
domain email.

The non-deliverable reports are coming from my Linux apache user.
Non-deliverables usually come from root.  I am running apache on the server
with forms.  The forms software is the latest version and patches.

Can anybody help on this?

Thanks,
Jay



Re: Spammers using my server

Posted by Kevin Peuhkurinen <ke...@hepcoe.com>.
This question isn't really appropriate to a SpamAssassin forum.

For what it's worth, it sounds like someone exploited an Apache vuln on 
your system and installed a mail generator.   Given the severity of this 
(i.e. you are sending out thousands of email phishing frauds) you should 
probably take the server off the network until you fix it. 


Jay Ehrhart wrote:

>This morning I had over 7000 emails in my Linux server's outbound queue
>which I deleted.  My firewall log shows over 20,000 emails went out with a
>SunTrust bank announce saying to login and enter your username and password.
>I do not see the emails coming in like I would in a relay.  How can I stop
>this or how are they doing this?
>
>My firewall uses an SMTP proxy and only allows my domain in.  I run
>MailScanner on my Red Hat 3.0 mail server with Sendmail.  The box has the
>latest patches from Red Hat.  I have Sendmail set up to accept only my
>domain email.
>
>The non-deliverable reports are coming from my Linux apache user.
>Non-deliverables usually come from root.  I am running apache on the server
>with forms.  The forms software is the latest version and patches.
>
>Can anybody help on this?
>
>Thanks,
>Jay

Re: Spammers using my server

Posted by Ralf Hildebrandt <Ra...@charite.de>.
* Jay Ehrhart <yo...@ycoe.org>:

> This morning I had over 7000 emails in my Linux server's outbound queue
> which I deleted.  My firewall log shows over 20,000 emails went out with a
> SunTrust bank announce saying to login and enter your username and password.
> I do not see the emails coming in like I would in a relay.  How can I stop
> this or how are they doing this?

Check your logs. They tell you how the mail entered your system.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)          Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-916
IT-Zentrum Standort CBF                                   AIM.  ralfpostfix
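The advice above (check the logs to see how the mail entered) and Jay's later finding that bounces came from the apache user can be turned into a quick log check. This is an added example, not code from the thread; the maillog lines are constructed in sendmail's log format, and the host and account names are made up.

```python
import re
from collections import Counter

# Constructed sample lines in sendmail maillog format (not from the thread).
# Local submissions log relay=<unix user>@localhost; SMTP submissions log the
# peer host. The third line is a normal SMTP submission, the fourth is a
# delivery record ("to=") that must not be counted as a submission.
SAMPLE_MAILLOG = """\
Sep 24 09:12:01 mail sendmail[4711]: i8ODC1Xa004711: from=<apache@mail.example.org>, size=2311, class=0, nrcpts=1, msgid=<200409241312.i8ODC1Xa004711@mail.example.org>, relay=apache@localhost
Sep 24 09:12:01 mail sendmail[4713]: i8ODC1Xb004713: from=<apache@mail.example.org>, size=2311, class=0, nrcpts=1, msgid=<200409241312.i8ODC1Xb004713@mail.example.org>, relay=apache@localhost
Sep 24 09:12:03 mail sendmail[4720]: i8ODC3Xc004720: from=<alice@example.org>, size=812, class=0, nrcpts=1, msgid=<200409241312.abc@ws12.example.org>, relay=ws12.example.org [192.0.2.12]
Sep 24 09:12:04 mail sendmail[4711]: i8ODC1Xa004711: to=<someone@example.net>, delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=32311, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent
Sep 24 09:12:05 mail sendmail[4725]: i8ODC5Xd004725: from=<apache@mail.example.org>, size=2311, class=0, nrcpts=1, msgid=<200409241312.i8ODC5Xd004725@mail.example.org>, relay=apache@localhost
"""

# Matches only submission records: queue id, then "from=<...>", then "relay=".
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>\S+)"
)


def submissions_by_relay(log_text):
    """Count message submissions ("from=" records) grouped by the relay field.

    A relay of user@localhost names the Unix account that handed the message
    to sendmail, so a flood attributed to the web server account points at a
    script or CGI on the box rather than at an SMTP relay hole.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            counts[m.group("relay")] += 1
    return counts


def local_submitters(log_text, threshold=2):
    """Return {unix_user: count} for local accounts at or above the threshold."""
    result = {}
    for relay, n in submissions_by_relay(log_text).items():
        user, sep, host = relay.partition("@")
        if sep and host == "localhost" and n >= threshold:
            result[user] = n
    return result


if __name__ == "__main__":
    print(submissions_by_relay(SAMPLE_MAILLOG))
    print("suspicious local submitters:", local_submitters(SAMPLE_MAILLOG))
```

On a real box, read /var/log/maillog instead of the constructed sample; a web server account submitting many messages in a short window is the signature Jay eventually traced back to his form script.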

Re: Spammers using my server

Posted by jdow <jd...@earthlink.net>.
Some system on your internal network is "owned" by a hacker network. It
is time to clean all your Windows machines COMPLETELY of viruses.

{^_^}
----- Original Message ----- 
From: "Jay Ehrhart" <yo...@ycoe.org>


> This morning I had over 7000 emails in my Linux server's outbound queue
> which I deleted.  My firewall log shows over 20,000 emails went out with a
> SunTrust bank announce saying to login and enter your username and
> password.
> I do not see the emails coming in like I would in a relay.  How can I stop
> this or how are they doing this?
>
> My firewall uses an SMTP proxy and only allows my domain in.  I run
> MailScanner on my Red Hat 3.0 mail server with Sendmail.  The box has the
> latest patches from Red Hat.  I have Sendmail set up to accept only my
> domain email.
>
> The non-deliverable reports are coming from my Linux apache user.
> Non-deliverables usually come from root.  I am running apache on the
> server
> with forms.  The forms software is the latest version and patches.
>
> Can anybody help on this?
>
> Thanks,
> Jay
>



Re: Spammers using my server

Posted by Matt Kettler <mk...@evi-inc.com>.
At 10:39 AM 9/24/2004, Jay Ehrhart wrote:
>This morning I had over 7000 emails in my Linux server's outbound queue
>which I deleted.  My firewall log shows over 20,000 emails went out with a
>SunTrust bank announce saying to login and enter your username and password.
>I do not see the emails coming in like I would in a relay.  How can I stop
>this or how are they doing this?

Sounds like some kind of abuse of an onboard http proxy, script, 
installation of a backdoor, or some other such thing that's letting them 
queue mail directly from the local host.

Clearly it's not a direct SMTP open relay (I checked, trying to send myself 
mail, didn't work which is good)

I'd suggest running a good battery of tests:
http://www.abuse.net/relay.html

If that doesn't show anything obvious like HTTP proxies, look for a trojan 
or backdoor on your system. chkrootkit is a good tool to do a first-pass check. 


Re: Spammers using my server

Posted by Jay Ehrhart <yo...@ycoe.org>.
Thank you very much.  The spammer was using an exploit in Formmail.cgi which
I use on my web site which has now been disabled.  They crafted a message,
inserted it into the formmail on the web page which delivered it to sendmail
for delivery.  Normally it would have gone to the local email account but
they were able to set an outside email address so sendmail began delivering
the emails.

Thanks


----- Original Message ----- 
From: "Lucas Albers" <ad...@cs.montana.edu>
To: "Justin Mason" <jm...@jmason.org>
Cc: "Jay Ehrhart" <yo...@ycoe.org>; <us...@spamassassin.apache.org>
Sent: Friday, September 24, 2004 1:41 PM
Subject: Re: Spammers using my server


> As another good step, just SA scan ALL incoming and outgoing mail.
>
> Run a vulnerability scan against your server, nessus or sara against your
> machine to find what is being exploited.
>
> -- 
> Luke Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
>
>
>
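Jay's explanation above describes the classic form-mail weakness: the script trusted a recipient address taken from the submitted form and handed it to sendmail. The following is an added example of how a form handler can be written so that cannot happen; it is not Formmail.cgi's code and not from the thread, and the allow-list addresses and sender address are placeholders.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical allow-list. The recipient submitted with the form is never
# used as-is; it only selects one of these local addresses.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}

# A header value must be a single line; a CR or LF inside a field would let
# the submitter append headers of their own when the text reaches the mailer.
HEADER_SAFE_RE = re.compile(r"^[^\r\n]*$")


class FormMailRejected(ValueError):
    """Raised for any submission that would turn the form into a relay."""


def build_form_message(fields, allowed=ALLOWED_RECIPIENTS):
    """Turn submitted form fields into a message addressed to a local account.

    fields: dict of submitted values (recipient, email, subject, body).
    Returns an EmailMessage ready for the local mailer, or raises
    FormMailRejected.
    """
    recipient = fields.get("recipient", "").strip().lower()
    if recipient not in allowed:
        raise FormMailRejected("recipient not on the allow-list: %r" % recipient)
    for name in ("email", "subject"):
        if not HEADER_SAFE_RE.match(fields.get(name, "")):
            raise FormMailRejected("line break in header field %r" % name)
    _, sender_addr = parseaddr(fields.get("email", ""))
    if "@" not in sender_addr:
        raise FormMailRejected("malformed sender address")
    msg = EmailMessage()
    msg["To"] = recipient
    # Envelope/From stays a fixed local address (placeholder); the visitor's
    # address only goes into Reply-To, so bounces never leave as forged mail.
    msg["From"] = "www-form@example.org"
    msg["Reply-To"] = sender_addr
    msg["Subject"] = fields.get("subject", "Web form submission")[:200]
    msg.set_content(fields.get("body", ""))
    return msg


def accepts(fields):
    """True if the submission would be delivered, False if it is rejected."""
    try:
        build_form_message(fields)
        return True
    except FormMailRejected:
        return False
```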



Re: Spammers using my server

Posted by Lucas Albers <ad...@cs.montana.edu>.
As another good step, just SA scan ALL incoming and outgoing mail.

Run a vulnerability scan against your server, nessus or sara against your
machine to find what is being exploited.

-- 
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana