[BlueOnyx:21172] Re: Spammer
Colin Jack
colin at mainline.co.uk
Sun Jul 16 13:43:50 -05 2017
Hi Tigerwolf,
On 16/07/2017, 19:05, "Blueonyx on behalf of Tigerwolf" <blueonyx-bounces at mail.blueonyx.it on behalf of tigerwolf at tigerden.com> wrote:
> On Sun, 16 Jul 2017, Colin Jack wrote:
>> Looking for ideas. We suspect we have a compromised website on one of
>> our servers – being used for spam. What is the easiest way to track
>> this down? Can see spam being sent via localhost but can't pin it down.
> There are some spamming scripts that do pretty well at hiding, including
> erasing themselves once a run is completed. Those get into the system
> through compromised user account passwords.

Checked those. Nothing obvious.

> Check ftp logs for unusual transfers and the local account(s) they went to.
> Check user shell history for evidence of creating/running/deleting unusual
> programs.

Shell access is not exposed to the internet.

> The spambots don't generally use the system sendmail, so those logs won't
> show much for outbound. If the spam is generating lots of remote bounces,
> the local sendmail logs may show an abnormal amount of incoming rejected
> mail to the spamming account.

Trawled maillog to no avail.

> Use 'iftop' and/or 'iptraf' to watch for outbound mail connections. If
> they're spewing a lot, you should be able to tell easily. If short
> bursts, or slow spamming, it could be harder to see.

Tried that but it is not sustained … so didn't pick up anything.

> When a run is underway, watch 'top' to see who owns the spamming
> process(es).

If I can catch them at it. Seems to be bursty.

> If you can figure out which user account is the source, change the
> password immediately, and kill all that user's processes. This may stop
> the spambot without it being able to delete itself and provide extra
> forensic details. Notify the user and question them about the situation,
> and wipe any suspect files not known to belong to the actual user.

I don't think there is a spambot on there – I suspect it is a compromised form.
Thanks for the input.
Colin
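The situation described in this thread (mail submitted via localhost, bursts too short for iftop or top to catch, a web form suspected rather than a spambot) is one where the maillog alone names the submitting system account but not the script. Correlating each local submission with the POST requests logged by the web server a few seconds earlier usually points at the abused form. The script below is an added example for that correlation; it is not code from the thread, from BlueOnyx, or from either participant. It assumes sendmail-style syslog lines with `relay=user@localhost` for local submissions and an Apache combined-format access log, assumes both logs use the same local clock, and all log lines, hostnames, paths and IP addresses in it are constructed samples.

```python
"""Correlate local sendmail submissions with web POST requests.

Added example, not from the BlueOnyx thread. Every log line below is a
constructed sample; hostnames, paths and IPs are placeholders.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

YEAR = 2017  # syslog maillog lines carry no year; assumed for the samples

# Constructed sendmail-style maillog. 'relay=<user>@localhost' marks a local
# submission and names the system account that handed sendmail the message.
MAILLOG = """\
Jul 16 13:41:02 web1 sendmail[23511]: v6GIf2N5023511: from=<apache@web1.example.test>, size=1544, class=0, nrcpts=1, msgid=<20170716184102.23511@web1.example.test>, relay=apache@localhost
Jul 16 13:41:03 web1 sendmail[23514]: v6GIf3aB023514: from=<apache@web1.example.test>, size=1547, class=0, nrcpts=1, msgid=<20170716184103.23514@web1.example.test>, relay=apache@localhost
Jul 16 13:41:05 web1 sendmail[23519]: v6GIf5kQ023519: from=<apache@web1.example.test>, size=1551, class=0, nrcpts=1, msgid=<20170716184105.23519@web1.example.test>, relay=apache@localhost
Jul 16 13:55:40 web1 sendmail[24102]: v6GItePq024102: from=<colin@web1.example.test>, size=812, class=0, nrcpts=1, msgid=<20170716185540.24102@web1.example.test>, relay=colin@localhost
"""

# Constructed Apache combined-format access log for the same window.
ACCESS_LOG = """\
203.0.113.7 - - [16/Jul/2017:13:40:58 -0500] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2017:13:41:01 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2017:13:41:02 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jul/2017:13:41:04 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Jul/2017:13:50:12 -0500] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

MAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: \S+: "
    r"from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)$"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_maillog(text):
    """Return (timestamp, envelope sender, relay) for local submissions only."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m or not m.group("relay").endswith("@localhost"):
            continue
        ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("sender"), m.group("relay")))
    return events


def parse_access_log(text):
    """Return (timestamp, client ip, path) for POST requests.

    The access log carries a UTC offset; it is dropped on the assumption that
    both logs were written by the same host in the same local time.
    """
    posts = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        posts.append((ts.replace(tzinfo=None), m.group("ip"), m.group("path")))
    return posts


def correlate(mail_events, posts, window=timedelta(seconds=5)):
    """Count, per URL path, the POSTs landing within `window` before each submission."""
    hits = Counter()
    for mail_ts, _sender, _relay in mail_events:
        for post_ts, _ip, path in posts:
            if mail_ts - window <= post_ts <= mail_ts:
                hits[path] += 1
    return hits


def suspect_forms(maillog=MAILLOG, access_log=ACCESS_LOG, window_seconds=5):
    """Rank form handlers by how often they precede a local mail submission."""
    return correlate(parse_maillog(maillog), parse_access_log(access_log),
                     timedelta(seconds=window_seconds))


def submitting_users(maillog=MAILLOG):
    """Count local submissions per relaying system account (the 'who owns it' question)."""
    return Counter(relay.split("@")[0] for _, _, relay in parse_maillog(maillog))


if __name__ == "__main__":
    for path, n in suspect_forms().most_common():
        print(f"{n:4d}  {path}")
    for user, n in submitting_users().most_common():
        print(f"{n:4d}  submissions by {user}")
```

On the sample data the three submissions relayed by `apache` all fall within a few seconds of POSTs to `/contact.php`, which scores 7 correlated requests, while `/login.php` and the later submission by a shell user score nothing; on a real server the window should be tuned to the host's mail queue latency, and a path that keeps appearing with a non-200 status or from many unrelated client addresses is the one to inspect first.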