[BlueOnyx:10154] Re: Trojans and backdoors?

Chuck Tetlow chuck at tetlow.net
Tue Apr 17 13:06:22 -05 2012


Sure, that's an easy one.  At the command line as root, put in:
iptables -I acctout 1 -p tcp -s <ip-address-of-eth0> --dport 25 -j DROP

But you should realize - that's going to block all users from relaying their e-mail through your server, block all Squirrelmail users from sending mail, and block all sites from sending mail (such as eCommerce site receipts, or new user confirmation mails).  So you probably don't want to use that command.

Instead, figure out what account is being used for the relays and shut it down.  One way to do this is look in the /var/log/maillog file to see who is sending the most e-mails.  That account is probably the one exploited and responsible for all the messages.  If you can determine it's a single user account, suspend it.  If it's a site's PHP scripts in their website - suspend it till they can correct the problem that is affecting all your users.

One way to find who is sending the most e-mails is to use this command:
grep from /var/log/maillog | cut -d " " -f7 | sort | uniq -c | sort -nr | less

That command's output will show you a list of users who have been sending mail from your server.  And the count on the left side is the number of messages that particular user has sent through your server.  Look at the top one or two - if they've got a ridiculously high number of messages sent compared to the rest - you've found the culprit.  Suspend that user or site till they fix it.

A second problem might be they are using Squirrelmail or OpenWebMail to relay, using an account with an easy-to-guess password.  I don't remember the logfile name for Squirrelmail, but it should be easy to spot in the /var/log directory.  With OpenWebMail, it's /var/log/openwebmail.  And you can use grep "send message" /var/log/openwebmail.log | less to review who is sending mail with openwebmail.  Again - once you identify the account, suspend it or change its password.

Good luck.

Chuck

---------- Original Message -----------
From: "Darren Shea" <dshea at ecpi.com> 
To: <blueonyx at mail.blueonyx.it> 
Sent: Tue, 17 Apr 2012 12:34:44 -0500 
Subject: [BlueOnyx:10150]  Trojans and backdoors?

> Our BlueOnyx system seems to have been compromised by some sort of php-based 
> Trojan which is allowing spammers to send spam through the webserver. We're 
> having a hard time tracking it down to a particular virtual site, and 
> shutting off php for all users is not an option - besides the people using 
> WordPress and shopping carts, the SquirrelMail interface breaks when php is 
> shut off. 
> 
> Are there any updates which can help with this? We are using the SolarSpeed 
> 5106R-PHP-5.3.8-SOL3AV package, and given all the issues we had getting the 
> two different versions of php to play nice on BlueOnyx, we don't want to be 
> to aggressive with upgrading. 
> 
> Also, is there a way to simply block the webserver from sending out on port 
> 25? 
> 
> Thank you, 
>  Darren 
>  ECPI Western Broadband 
>  (512)257-1077 
>  (254)213-6116 fax 
> 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at mail.blueonyx.it 
> http://mail.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
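The sender count described in the reply above, as an added example (not code from the original thread or from the BlueOnyx project): a POSIX shell script that pulls the envelope sender out of every sendmail-style "from=<...>" maillog line and ranks senders by message count, so the one outlier account or site stands out. It uses awk instead of a fixed cut field, which keeps single-digit days ("Apr  7", two spaces) from shifting the columns, and it drops the empty "from=<>" that sendmail logs for bounces. The log lines, hostnames and addresses are constructed for the demonstration; the /var/log/maillog format is assumed to be sendmail's.

```shell
#!/bin/sh
# Added example: rank envelope senders in a sendmail-style maillog.
# Assumptions: lines carry a "from=<addr>," token as sendmail writes it.
# The sample log below is constructed; hosts and addresses are hypothetical.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr  7 12:01:05 web1 sendmail[3103]: q37H15aa003103: from=<www@shop.example>, size=812, class=0, nrcpts=1, relay=localhost
Apr 17 12:01:03 web1 sendmail[3101]: q3HH13aa003101: from=<www@shop.example>, size=812, class=0, nrcpts=1, relay=localhost
Apr 17 12:01:03 web1 sendmail[3102]: q3HH13aa003101: to=<a@dest.example>, delay=00:00:00, mailer=esmtp, stat=Sent
Apr 17 12:01:04 web1 sendmail[3104]: q3HH14aa003104: from=<alice@example.net>, size=1540, class=0, nrcpts=1, relay=localhost
Apr 17 12:01:06 web1 sendmail[3105]: q3HH16aa003105: from=<www@shop.example>, size=812, class=0, nrcpts=1, relay=localhost
Apr 17 12:01:07 web1 sendmail[3106]: q3HH17aa003106: from=<>, size=2210, class=0, nrcpts=1, relay=localhost
Apr 17 12:01:08 web1 sendmail[3107]: q3HH18aa003107: from=<www@shop.example>, size=812, class=0, nrcpts=1, relay=localhost
EOF

# Print "count sender" pairs, highest count first, for every non-empty
# envelope sender found in the maillog given as $1.
top_senders() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^from=</) {
                sub(/^from=</, "", $i)   # strip the "from=<" prefix
                sub(/>,?$/, "", $i)      # strip the closing ">" and comma
                if ($i != "") print $i   # skip bounces logged as from=<>
            }
    }' "$1" | sort | uniq -c | sort -rn
}

# The single heaviest sender, e.g. "www@shop.example".
top_sender() {
    top_senders "$1" | head -n 1 | awk '{ print $2 }'
}

# Number of messages logged for the sender given as $2 (0 if absent).
count_for() {
    top_senders "$1" | awk -v who="$2" \
        '$2 == who { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: show the ranking so the outlier is obvious.
top_senders "$SAMPLE_LOG"
```

Point the functions at the real /var/log/maillog instead of the sample file; the sender at the top of the list with a count far above the rest is the account or site to suspend. Because sendmail logs one "from=" line per queued message, this counts attempted submissions, not deliveries.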