Spam emails, backdoors?

Posted by aroel, 04-02-2010, 08:22 AM
Hi, below is my exim4 log. Note: xxx is my domain and my mail server. Question: what is that all about? Exim is trying to send emails to recipients that I don't know. Please advise, thanks.

Posted by UNIXy, 04-02-2010, 05:25 PM
How's this server configured? Is it running a web server? You've masked some important information in the log entries. Have you disabled sending email via the web server's ID? Regards, Joe / UNIXy

Posted by aroel, 04-02-2010, 10:04 PM
Hi, yes it's a web server and only a web server. I'm running some scripts that use exim for sending any errors to my email, auto-reports, etc., so I can't disable it. The masked part is my domain name and my mail server; I'm not running my server on the web server. One more thing bothered me in htop: "sh host -W 1 "IP ADDRESS"" --> what's this? I then ran rkhunter, nothing weird... Kindly assist, thanks.

Posted by UNIXy, 04-02-2010, 10:26 PM
It could be a vulnerable script that's used to inject email, or one that simply uses an email form to spam. That's interesting. What process owned the above command? Were you able to trace the source? Essentially, the command returns the rDNS (PTR record) for an IP address. It's not malicious in itself, but it needs to be looked at further. Run this command against your PHP scripts / public HTML: Regards, Joe / UNIXy

Posted by aroel, 04-04-2010, 12:18 AM
It's Apache; when I stopped Apache, the process also stopped. I ran the command you mentioned above, but nothing was found. I have phpmail installed to send newsletters... could it be the cause?

Posted by UNIXy, 04-04-2010, 12:27 AM
The 'host -W 1 IP' is a workaround to PHP's gethostbyaddr() (read more on this in the comments on this page: http://php.net/manual/en/function.gethostbyaddr.php). Whether this is used maliciously on your server, I can't tell. One would need server access to investigate. Regards Joe / UNIXY

Posted by Sileep Kumar M S, 04-05-2010, 03:03 AM
Use this to find the spam source directory.

Posted by aroel, 04-06-2010, 09:55 AM
Hi, I still can't find the spam script, and your script didn't return anything. So far I deleted the scripts containing email addresses by using this: but the spamming script is still sending messages. How can I search for background processes running on the box?

Posted by Joe262, 04-06-2010, 10:03 AM
Just a hunch here... Does your server send bounces? Or does it just reject mail sent to invalid addresses at the RCPT_TO stage? Might backscatter be part of this situation? Also, do you find that your server receives a lot of spam? I do hope that you have already taken measures to ensure that it is not an open relay. HTH, Joe

Posted by aroel, 04-08-2010, 07:35 AM
Nope, I don't send bounce messages and also don't receive spam, only send. BTW, I disabled Apache, disabled the sites and enabled them one by one, and found 2 sites containing email addresses in some .php files. I disabled the 2 sites and made a new document root for them, as the sites are static and I have the backup. Case's closed, thanks for all.
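The thread ends with the injected mailer being found by hand: disable sites one at a time and look for .php files stuffed with e-mail addresses. The shell script below is an added example, not something posted in the thread, that does that search over a whole document root in one pass and ranks files by how many mail-sending calls and embedded addresses they contain. The demo tree it builds is constructed; point `find_mailer_scripts` at a real vhost directory instead.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a POSIX shell with find, grep -E and sort.
# A file that both embeds address lists and calls mail()/sendmail is the classic
# injected spam script; a static site should have neither.

# Print "score path" for every .php file under $1 that calls mail()/sendmail or
# embeds e-mail addresses. score = lines with mail calls + lines with addresses.
find_mailer_scripts() {
    docroot=$1
    find "$docroot" -type f -name '*.php' | while read -r f; do
        calls=$(grep -Ec 'mail\(|/usr/sbin/sendmail' "$f" || true)
        addrs=$(grep -Ec '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$f" || true)
        [ "$calls" -gt 0 ] || [ "$addrs" -gt 0 ] || continue
        printf '%d %s\n' "$((calls + addrs))" "$f"
    done | sort -rn
}

# Build a constructed two-site document root for the demo and print its path:
# site1 is a clean static page, site2 carries a hard-coded address list plus mail().
make_demo_docroot() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site1" "$tmp/site2"
    printf '<?php echo "hello";\n' > "$tmp/site1/index.php"
    printf '<?php $to = array("a@example.com", "b@example.org");\n' > "$tmp/site2/list.php"
    printf 'foreach ($to as $t) mail($t, "subject", "body");\n' >> "$tmp/site2/list.php"
    printf '%s\n' "$tmp"
}

demo=$(make_demo_docroot)
find_mailer_scripts "$demo"   # only site2/list.php is listed, with score 2
rm -rf "$demo"
```

Review the top of the list by hand: a legitimate contact form also scores, but a file with hundreds of address lines and no form markup is what the thread was hunting for.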
