Koozali.org: home of the SME Server

Stopped qmail. Can see spam in the remote list. What to do?

Tillebeck
Hi
I have stopped qmail and am examining the remote qmail queue. There seems to be some spam in the remote queue.

When listing the different subjects (using qmHandle), this is what I get at the moment:
[root@ronja ~]# qmHandle -l|grep Subject|sort| uniq -c|sort -n
      1   Subject: =?iso-8859-1?Q?Rigtige_m=E6nd_k=F8ber_vestas_inden_lukningen=21=21=21_?=
      1   Subject: ***SPAM*** I busted you salg
      1   Subject: ***SPAM*** Post XMAS Sale! Enjoy over HALF OFF on all Fashion Designer Footwear, Gucci Prada and MORE!
      1   Subject: ***SPAM*** spring selection
      1   Subject: ***SPAM*** To: salg
      1   Subject: THE 3 Trades for the Next 8 Hours: DVN, 12:30 (TBD), 3:00 (TBD)
[root@ronja ~]#

5 of 6 mails are spam and they are all tagged as spam.
 - How can I avoid the SME server continuing to send these spam mails?
 - How can I see who the sender is (e.g. the sender IP)?

Of course I should also find the source of the spam, either an infected local client or a hacked web application. How to figure out whether it is a client or a web app has kindly been explained by Normando in this thread:
http://forums.contribs.org/index.php?topic=40959.0

BR. Anders
« Last Edit: May 09, 2008, 12:07:57 AM by Tillebeck »

arcano
Re: Stopped qmail. Can see spam in the remote list. What to do?
« Reply #1 on: May 09, 2008, 08:37:44 AM »
I have something like that; if I do ps -aux I get this:

 ps -aux

qmailr   10284  0.0  0.0  3076  520 ?        S    23:21   0:00 qmail-remote flirtru.ru bbadrake@ausa.org sale@flirtru.ru
qmailr   10286  0.0  0.0  3416  524 ?        S    23:21   0:00 qmail-remote flirtru.ru bbadrake@ausa.org sales@flirtru.ru
qmailr   10577  0.0  0.0  3396  524 ?        S    23:23   0:00 qmail-remote lig.bellsouth.net apumaxi@ferrellconstr.com anneliese@lig.bellsouth.net
qmailr   11377  0.0  0.0  3524  520 ?        S    23:27   0:00 qmail-remote rediffmail.com jwevibrant@cpdcpr.com tamlonyi@rediffmail.com
qmailr   11426  0.0  0.0  1880  528 ?        S    23:27   0:00 qmail-remote bna.bellsouth.net lcefundamentalism@ionmktg.com addison@bna.bellsouth.net
qmailr   11543  0.0  0.0  2084  524 ?        S    23:28   0:00 qmail-remote btinternet.com kylcosts@techonesolution.com melai@btinternet.com
qmailr   11705  0.0  0.0  3020  520 ?        S    23:29   0:00 qmail-remote yahoo.com rlsbaton@quik-flix.com brelandministries@yahoo.com
qmailr   11752  0.0  0.0  2420  520 ?        S    23:30   0:00 qmail-remote rediffmail.com lrpfiddle@nanjingusa.com warpl_abad@rediffmail.com
qmailr   11933  0.0  0.0  2156  520 ?        S    23:31   0:00 qmail-remote rediffmail.com tfstile@daedalusrestaurant.net amulbutter47@rediffmail.com
qmailr   11979  0.0  0.0  1844  520 ?        S    23:32   0:00 qmail-remote rediffmail.com tzumbrella@l00ksharp.com malyadhri@rediffmail.com
root     12005  0.0  0.2  6908 2280 ?        Ss   23:32   0:00 sshd: root@pts/1       
root     12007  0.0  0.1  4804 1428 pts/1    Ss   23:32   0:00 -bash
qmailr   12205  0.0  0.0  2796  524 ?        S    23:35   0:00 qmail-remote seagate.com ljzimpromptu@indivisible.com craigan@seagate.com
qmailr   12442  0.0  0.0  3244  524 ?        S    23:38   0:00 qmail-remote thethoughtshop.com xqssober@blastwaves.com delgado@thethoughtshop.com
qmailr   12466  0.0  0.0  3476  528 ?        S    23:38   0:00 qmail-remote 1stconnect.com vgrrear@bournemouth-property.co.uk krowleyl@1stconnect.com
qmailr   12485  0.0  0.0  1868  524 ?        S    23:38   0:00 qmail-remote wearab.net pflink@bowenclassicarms.com talal_rasheed@wearab.net
qmailr   12486  0.0  0.0  1912  524 ?        S    23:38   0:00 qmail-remote pe.net hxnhonor@pstprober.com cliffm@pe.net
root     12491  0.0  0.0  3944  768 pts/1    R+   23:38   0:00


So how do I figure out which part was hacked?
.........

CharlieBrady
Re: Stopped qmail. Can see spam in the remote list. What to do?
« Reply #2 on: May 09, 2008, 03:59:42 PM »
So how do I figure out which part was hacked?

The first thing you do is to stop qmail. Do it now. Don't delay.

The next is to examine the full mail headers of one or more of the messages. The earliest (i.e. lowest in the message) Received: header will show which computer the message came from. If it came from the SME server itself, "invoked by uid" will show the uid of the process which created the message. 'grep nnn /etc/passwd' will show you the name of that uid.

If the name of the uid is 'www', then something running inside your web server is creating the message. You will need to use your knowledge of what is on your website, and the httpd access_log to determine where the problem is.
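The header walk described in the reply above, and the original poster's question of how to see where a queued message came from, as an added example that is not part of the thread and not SME Server's own tooling. It reads a raw message, takes the last Received: header in the header block (the earliest hop), and classifies it using the two shapes qmail writes: "(qmail NNN invoked by uid NNN)" for a message injected on the server itself, or "from host (HELO x) (A.B.C.D) by ..." for a message accepted over SMTP. The sample messages and the passwd excerpt are constructed; the mapping of uid 102 to the name www is an assumption for the example, not SME Server's real value.

```shell
#!/bin/sh
# Added example (not from the forum thread). Trace a queued message back to
# its origin: the earliest hop is the LAST Received: header, and qmail writes
#   Received: (qmail NNN invoked by uid NNN); <date>          local injection
#   Received: from host (HELO x) (A.B.C.D) by ... ; <date>      SMTP hop
# Sample data below is constructed; the uid 102 -> www mapping is assumed.

earliest_received() {
    # Raw message on stdin; print the last Received: header of the header
    # block, with folded continuation lines joined onto one line.
    awk '
        /^$/             { exit }                         # end of headers
        /^[Rr]eceived:/  { last = $0; inrecv = 1; next }  # new Received:
        /^[[:space:]]/   { if (inrecv) { sub(/^[[:space:]]+/, " "); last = last $0 }
                           next }                         # folded line
                         { inrecv = 0 }                   # any other header
        END              { print last }
    '
}

received_origin() {
    # $1: one Received: header. Print "uid N" for a local qmail injection,
    # "ip A.B.C.D" for a network hop, or "unknown" if neither shape matches.
    case "$1" in
        *"invoked by uid "*)
            printf 'uid %s\n' "$(printf '%s\n' "$1" |
                sed -n 's/.*invoked by uid \([0-9][0-9]*\).*/\1/p')" ;;
        *)
            ip=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9.]*\)).*/\1/p')
            if [ -n "$ip" ]; then printf 'ip %s\n' "$ip"; else printf 'unknown\n'; fi ;;
    esac
}

uid_to_name() {
    # $1: numeric uid; passwd-format file on stdin. Exact match on field 3,
    # which avoids the false hits a plain grep for the number can give.
    awk -F: -v uid="$1" '$3 == uid { print $1; found = 1; exit }
                         END { if (!found) print "?" }'
}

trace_origin() {
    # $1: message file, $2: passwd file. Print one line naming the origin.
    hdr=$(earliest_received < "$1")
    origin=$(received_origin "$hdr")
    case "$origin" in
        uid\ *) uid=${origin#uid }
                printf 'local uid %s (%s)\n' "$uid" "$(uid_to_name "$uid" < "$2")" ;;
        *)      printf 'network %s\n' "$origin" ;;
    esac
}

WORK=$(mktemp -d)

# Constructed: injected on the server itself by uid 102 (as a web script
# calling the sendmail wrapper would be).
cat > "$WORK/local.eml" <<'EOF'
Received: (qmail 9912 invoked by uid 102); 9 May 2008 06:30:58 -0000
Date: 9 May 2008 06:30:58 -0000
From: sale@example.com
To: salg@example.org
Subject: ***SPAM*** spring selection

Buy now.
EOF

# Constructed: accepted over SMTP from a LAN host, then queued by qmail.
cat > "$WORK/network.eml" <<'EOF'
Received: (qmail 10284 invoked from network); 9 May 2008 06:31:00 -0000
Received: from unknown (HELO winbox) (192.0.2.77)
  by ronja.example.org with SMTP; 9 May 2008 06:31:00 -0000
From: sale@example.com
To: salg@example.org
Subject: ***SPAM*** To: salg

Buy now.
EOF

# Constructed passwd excerpt; uid 102 -> www is an assumption for this example.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www:x:102:102:Web server:/var/www:/sbin/nologin
qmaild:x:201:201::/var/qmail:/sbin/nologin
EOF

trace_origin "$WORK/local.eml" "$WORK/passwd"     # local uid 102 (www)
trace_origin "$WORK/network.eml" "$WORK/passwd"   # network ip 192.0.2.77
```

On a real SME Server you would feed the queue's message files to trace_origin and use /etc/passwd as the second argument; a result naming the web server's uid points at a script under the web root (check the httpd access_log around the message's timestamp), while an IP result names the LAN client to go and inspect.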