[ale] tracking down a spammer on our box
Andrew Thornton
flux at fictional-realms.com
Fri Apr 1 10:07:29 EST 2005
Another good trick I found is to look through the mail logs, find the
time the email was sent, and then compare it against your apache log files.
Look for roughly the same timestamp and the account that runs apache;
from that you should be able to identify who they are (IP address) and
which page is insecure.
I had something similar a while back and found the pages that were causing
the problem and the IP address of the culprit. Doing a check on the IP
address, I found the domain name running on the box, and the guy had a
contact number on his whois record!! - I had fun that day :-) I should
have recorded the conversation - LOL
Cheers
Andy
__________________________________________________________________
Andrew Thornton
http://www.theevilpixel.com/
M 404.932.7858 | flux at fictional-realms.com
On Fri, 1 Apr 2005, Christopher Fowler wrote:
> I agree. I would double check it manually. Here is a sample session
> where I checked Earthlink's SMTP server
> [cfowler at cfowler devel]$ telnet smtp.earthlink.net 25
> Trying 207.217.121.208...
> Connected to smtp.earthlink.net.
> Escape character is '^]'.
> 220-pop-a065c10.pas.sa.earthlink.net ESMTP Exim 3.36 #10 Fri, 01 Apr
> 2005 05:23:15 -0800
> 220-NO UCE. EarthLink does not authorize the use of its computers or
> network
> 220 equipment to deliver, accept, transmit, or distribute unsolicited
> e-mail.
> helo opsup.com
> 250 pop-a065c10.pas.sa.earthlink.net Hello
> 66-23-198-138.clients.speedfactory.net [66.23.198.138]
> mail from: <bgates at microsoft.com>
> 250 <bgates at microsoft.com> is syntactically correct
> rcpt to: <ale at ale.org>
> 550-EarthLink does not recognize your computer (66.23.198.138) as
> connecting from an EarthLink connection. If this is in error, please
> contact technical support.
> 550 relaying to <ale at ale.org> prohibited by administrator
>
>
> On Fri, 2005-04-01 at 08:10, Yu, Jerry wrote:
> > 1) if it is done thru PHP/apache, wouldn't the sender be guessed as user
> > 'apache' or 'nobody' instead of 'anonymous' on the web server, the owner
> > of the apache process?
> > 2) I'd double check the 'open relay' thing, by sending such spam email
> > manually, by directly talking to the SMTP server in question, from
> > outside and from inside your network, if possible.
> >
> > # -----Original Message-----
> > # From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On
> > # Behalf Of James P. Kinney III
> > # Sent: Thursday, March 31, 2005 11:51 PM
> > # To: Atlanta Linux Enthusiasts
> > # Subject: Re: [ale] tracking down a spammer on our box
> > #
> > # Uugh! I am not a PHP person but I suspect that the logging
> > # can be turned up in apache to help with more data on linking
> > # a web process to an email generation.
> > #
> > # You should be able to set qmail to not allow a user named
> > # "anonymous" to send mail.
> > #
> > # On Thu, 2005-03-31 at 23:39 -0500, Ryan Williams wrote:
> > # > We are running RedHat ES and have someone using our server
> > # to send a
> > # > small but steady stream of spam... between 4 and 5 messages per
> > # > minute, so they are smart enough to keep the activity fairly low
> > # > profile. We've already confirmed with ORDB that we are not an open
> > # > relay. The messages are showing up in ps -aux as:
> > # >
> > # > qmailr 19774 0.0 0.0 3436 972 ? S 14:44 0:00 qmail-remote
> > # > remotedomain.com anonymous at server1.ourserver.com
> > # > randomuser at remotedomain.com
> > # >
> > # > and our maillogs show messages being delivered which are
> > # certainly spam:
> > # >
> > # > Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery
> > # > 193807: msg 9536773 to remote randomuser at remotedomain.com
> > # >
> > # > Since the messages are being sent by "anonymous", we are
> > # pretty sure
> > # > this is a vulnerable PHP script somewhere on the server
> > # that is being
> > # > used, but we are having the hardest time tracking down
> > # which one(s) is
> > # > the culprit. Is there any way to track down which domain or
> > # script was
> > # > used to send these messages?
> > # >
> > # > Thanks!
> > # >
> > # > Ryan
> > # > _______________________________________________
> > # > Ale mailing list
> > # > Ale at ale.org
> > # > http://www.ale.org/mailman/listinfo/ale
> > # --
> > # James P. Kinney III \Changing the mobile computing world/
> > # CEO & Director of Engineering \ one Linux user /
> > # Local Net Solutions,LLC \ at a time. /
> > # 770-493-8244 \.___________________________./
> > # http://www.localnetsolutions.com
> > #
> > # GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > # <jkinney at localnetsolutions.com> Fingerprint = 3C9E 6366 54FC
> > # A3FE BA4D 0659 6190 ADC3 829C 6CA7
> > #
> >
> > This email and any attached files herein contain information that is intended only for the use of the individual or entity to whom it is addressed and may contain information that is legally privileged, confidential or otherwise exempt from disclosure under applicable laws. If the reader of this message is not the recipient, any disclosure, dissemination, distribution, copying or other use or retention of this communication or its substance is prohibited.
> >
> >
>
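Andy's timestamp-matching trick, written out as a small added example (this is not code from anyone in the thread). The log lines are constructed: the qmail lines follow the "starting delivery ... to remote" format Ryan quoted, and the Apache lines are assumed to be in the common log format. A web request that triggers a mail is assumed to land in the access log at or shortly before the corresponding qmail delivery, so the script joins the two logs on a short time window and counts which script paths and client IPs keep showing up; deliveries with no nearby request are reported separately, since those are not coming through the web server at all.

```python
"""Correlate qmail delivery times with Apache requests to find a spamming script.

Constructed example for the technique discussed in the thread; the sample
log lines below are made up and the 5-second window is an assumption.
"""
import re
from collections import Counter
from datetime import datetime

# --- constructed sample input (not real logs) -------------------------------
QMAIL_LOG = """\
Mar 31 15:05:00 server1 qmail: 1112299500.000000 starting delivery 193806: msg 9536770 to remote friend@example.org
Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery 193807: msg 9536773 to remote randomuser@remotedomain.com
Mar 31 15:07:14 server1 qmail: 1112299634.112233 starting delivery 193808: msg 9536774 to remote someone@remotedomain.com
Mar 31 15:07:29 server1 qmail: 1112299649.554433 starting delivery 193809: msg 9536775 to remote other@example.net
"""

# Common log format; 203.0.113.7 and 198.51.100.23 are RFC 5737 documentation addresses.
APACHE_LOG = """\
198.51.100.23 - - [31/Mar/2005:15:06:20 -0500] "GET /images/logo.png HTTP/1.1" 200 9931
203.0.113.7 - - [31/Mar/2005:15:07:01 -0500] "POST /site1/contact.php HTTP/1.0" 200 312
198.51.100.23 - - [31/Mar/2005:15:07:05 -0500] "GET /index.html HTTP/1.1" 200 4821
203.0.113.7 - - [31/Mar/2005:15:07:13 -0500] "POST /site1/contact.php HTTP/1.0" 200 312
203.0.113.7 - - [31/Mar/2005:15:07:28 -0500] "POST /site1/contact.php HTTP/1.0" 200 312
"""

QMAIL_RE = re.compile(r"qmail: (\d+\.\d+) starting delivery \d+: msg \d+ to remote (\S+)")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_qmail_line(line):
    """Return (epoch_seconds, recipient) for a 'starting delivery' line, else None.

    The fractional Unix timestamp qmail's logger writes is used instead of the
    syslog date, so no timezone guessing is needed on the mail side.
    """
    m = QMAIL_RE.search(line)
    if not m:
        return None
    return float(m.group(1)), m.group(2)


def parse_apache_line(line):
    """Return a dict with client, epoch, method, path and status, else None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    # %z parses the "-0500" offset, so the epoch is comparable to qmail's.
    epoch = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"client": client, "epoch": epoch, "method": method, "path": path, "status": int(status)}


def correlate(qmail_lines, apache_lines, window=5.0):
    """Join deliveries to requests that occurred up to `window` seconds before them.

    Returns matches, deliveries with no candidate request, and counts of the
    script paths and client IPs that keep appearing next to outgoing mail.
    """
    requests = [r for r in map(parse_apache_line, apache_lines) if r]
    result = {"matches": [], "unmatched": [], "paths": Counter(), "clients": Counter()}
    for line in qmail_lines:
        parsed = parse_qmail_line(line)
        if not parsed:
            continue
        delivery, rcpt = parsed
        # A request that triggered the mail must precede (or coincide with) the delivery.
        hits = [r for r in requests if 0 <= delivery - r["epoch"] <= window]
        if not hits:
            result["unmatched"].append((delivery, rcpt))
            continue
        for r in hits:
            result["matches"].append((delivery, rcpt, r["client"], r["path"]))
            result["paths"][r["path"]] += 1
            result["clients"][r["client"]] += 1
    return result


if __name__ == "__main__":
    res = correlate(QMAIL_LOG.splitlines(), APACHE_LOG.splitlines())
    print("Scripts seen just before outgoing mail:", res["paths"].most_common())
    print("Client IPs seen just before outgoing mail:", res["clients"].most_common())
    print("Deliveries with no web request nearby:", res["unmatched"])
```

On a busy server the window should be tightened and the candidates filtered to POST requests or to `.php` paths first; the unmatched list is also worth a look, because mail that never lines up with a web hit is being injected some other way (a shell account, a cron job, or a direct SMTP submission) and the web server is the wrong place to keep looking.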