[BlueOnyx:26108] Re: Surge of spam
Michael Stauber
mstauber at blueonyx.it
Tue Apr 11 18:15:09 -05 2023
Hi Matthew,
> I've got a sudden surge of spam originating from my BlueOnyx host.
> What's the quickest way to determine which user account was
> compromised, and/or if the origin is a compromised script running on a
> website?
There are two common causes:
- Compromised user account
- Compromised PHP script in a Vsite
Let's start with the easy one:
Compromised PHP script:
=======================
We actually use PHP-prepend on BlueOnyx to force anything originating
from PHP's mail() function through a wrapper-script, which does some
extra logging. Like which script, which user, which client IP sent the
email.
You can check the maillog this way to see the results:
grep sendmail-wrapper-php /var/log/maillog
That tells you which PHP scripts sent emails and see if something sticks
out.
Now let us look at the other possibility:
Compromised user account:
=========================
Now this requires more effort and there are different ways to tackle this.
For starters you could check who used SMTP-Auth to authenticate to your
SMTP-server. This is usually done prior to sending emails:
grep AUTH=server /var/log/maillog
That will tell you the IP and username of those who did so. See if
someone sticks out.
This will show you all emails that were sent through your server:
grep stat=Sent /var/log/maillog
The ctladdr= is the sender address. See if something sticks out. If it
does, grep for the message ID to get more info about who sent it.
Or you could use the "mailq" command to see which emails are still in
the mail queue for outgoing delivery. If that reports a lot of stuff
that you can't make out if it's legit or not, check /var/spool/mqueue/,
which contains the header and body files of all yet undelivered outgoing
emails.
Poke around in them and see if you can identify the SPAM. The header
files of such email should shed some light on at least the originating
IP and/or the user-name of the sender, if he used SMTP-auth. And with
that info you can grep for more details in /var/log/maillog.
And there is the old fashioned "caught in the act" of running a "tail -f
/var/log/maillog" and watching what goes on. If the attacker is still
actively sending emails through your server, you should see him.
If you need any further help with this, let me know.
--
With best regards
Michael Stauber
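The three grep checks from the reply above, carried out as one small triage script. This is an added example, not code from the post or from BlueOnyx: it counts SMTP-AUTH logins per authid and relay IP, delivered messages per ctladdr, and PHP wrapper sends per script and client IP, and pulls every maillog line for one queue ID (the "grep for the message ID" step). The sample log is constructed; the AUTH=server and stat=Sent layouts follow sendmail, while the sendmail-wrapper-php field layout (site=, user=, script=, client=) is an assumption made for this example and should be adjusted to what the wrapper on a real host actually logs.

```python
"""Summarise a sendmail maillog for the signals the post describes:
AUTH=server logins, sendmail-wrapper-php sends and stat=Sent by ctladdr.
Added example, not BlueOnyx code."""
import re
import sys
from collections import Counter

# Constructed sample lines, not real server output.  The AUTH=server and
# stat=Sent layouts follow sendmail; the sendmail-wrapper-php field layout
# (site=, user=, script=, client=) is an assumption made for this example.
SAMPLE_MAILLOG = """\
Apr 11 17:58:01 host sendmail[1201]: AUTH=server, relay=[203.0.113.5], authid=alice@example.com, mech=LOGIN, bits=0
Apr 11 17:58:02 host sendmail[1201]: 33BMw2ab001201: from=<alice@example.com>, size=812, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daddr=127.0.0.1, relay=[203.0.113.5]
Apr 11 17:58:03 host sendmail[1202]: 33BMw2ab001201: to=<bob@example.net>, ctladdr=<alice@example.com> (1001/1001), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (OK)
Apr 11 18:01:10 host sendmail[1210]: AUTH=server, relay=[198.51.100.44], authid=carol@example.com, mech=LOGIN, bits=0
Apr 11 18:01:11 host sendmail[1211]: 33BN1Bcd001211: to=<x1@example.org>, ctladdr=<carol@example.com> (1002/1002), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31000, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Apr 11 18:01:12 host sendmail[1212]: AUTH=server, relay=[198.51.100.44], authid=carol@example.com, mech=LOGIN, bits=0
Apr 11 18:01:13 host sendmail[1213]: 33BN1Dcd001213: to=<x2@example.org>, ctladdr=<carol@example.com> (1002/1002), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31000, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Apr 11 18:01:14 host sendmail[1214]: AUTH=server, relay=[198.51.100.44], authid=carol@example.com, mech=LOGIN, bits=0
Apr 11 18:01:15 host sendmail[1215]: 33BN1Fcd001215: to=<x3@example.org>, ctladdr=<carol@example.com> (1002/1002), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=31000, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Apr 11 18:02:00 host sendmail-wrapper-php: site=site1 user=site1-admin script=/home/.sites/site1/web/contact.php client=203.0.113.9
Apr 11 18:02:01 host sendmail-wrapper-php: site=site2 user=site2-admin script=/home/.sites/site2/web/wp-content/uploads/x.php client=198.51.100.44
Apr 11 18:02:02 host sendmail-wrapper-php: site=site2 user=site2-admin script=/home/.sites/site2/web/wp-content/uploads/x.php client=198.51.100.44
"""

# sendmail's AUTH=server line: relay (client IP) and the authid that logged in
AUTH_RE = re.compile(r"AUTH=server, relay=(?P<relay>[^,]+), authid=(?P<user>[^,]+)")
# delivery line: ctladdr may be <addr> or a bare local user name
SENT_RE = re.compile(r"ctladdr=<?(?P<sender>[^>\s,]+)>?.*\bstat=Sent")
# assumed wrapper layout for this example (see comment above)
PHP_RE = re.compile(r"sendmail-wrapper-php: .*?script=(?P<script>\S+) client=(?P<ip>\S+)")


def _lines(log_text):
    return [ln for ln in log_text.splitlines() if ln.strip()]


def auth_logins(log_text):
    """Count SMTP-AUTH logins per (authid, relay IP) pair."""
    counts = Counter()
    for ln in _lines(log_text):
        m = AUTH_RE.search(ln)
        if m:
            counts[(m["user"], m["relay"].strip("[]"))] += 1
    return counts


def sent_by_sender(log_text):
    """Count delivered (stat=Sent) messages per ctladdr."""
    counts = Counter()
    for ln in _lines(log_text):
        m = SENT_RE.search(ln)
        if m:
            counts[m["sender"]] += 1
    return counts


def php_senders(log_text):
    """Count wrapper-logged PHP mail() calls per (script, client IP)."""
    counts = Counter()
    for ln in _lines(log_text):
        m = PHP_RE.search(ln)
        if m:
            counts[(m["script"], m["ip"])] += 1
    return counts


def lines_for_queue_id(log_text, queue_id):
    """Every maillog line for one sendmail queue ID (the 'grep for the ID' step)."""
    return [ln for ln in _lines(log_text) if f" {queue_id}: " in ln]


def triage(log_text, top=3):
    """Top entries per signal; a burst from one authid/IP or one script stands out."""
    return {
        "auth": auth_logins(log_text).most_common(top),
        "sent": sent_by_sender(log_text).most_common(top),
        "php": php_senders(log_text).most_common(top),
    }


if __name__ == "__main__":
    # usage: python triage_maillog.py /var/log/maillog  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    for signal, rows in triage(text).items():
        print(f"== {signal} ==")
        for key, n in rows:
            print(f"{n:5d}  {key}")
```

On the constructed sample, the same authid and client IP account for three logins and three deliveries within seconds, and one script under an uploads directory sends repeatedly from that same IP; those are the rows to take to the queue-ID lookup and the mqueue header files for confirmation.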