Koozali.org: home of the SME Server

qmail queue build up and mail halt

CharlieBrady
Re: qmail queue build up and mail halt
« Reply #15 on: April 20, 2013, 03:25:22 PM »
Quote
Received: (qmail 10932 invoked by uid 102); 18 Apr 2013 12:28:49 -0000

Do:

grep 102 /etc/passwd

My guess is that will show 'www' - which will indicate that the mail messages are/were being generated by a script being run by your web server - probably a PHP application.

View /var/log/httpd/access_log from the time when the spam first started to be generated. You may find the accesses which were triggering your messages.

If you have PHP applications in your i-bays - remove them. Either that, or find and fix the problem (or problems) which is being exploited.
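
The check described in the reply above, as an added example that is not part of the original post: it pulls the uid and time out of the qmail Received line, matches the uid field of the passwd file exactly, and lists web requests logged within a few seconds of the message after converting both timestamps from their own UTC offsets. The passwd entries, access log lines, function names and the POST-only filter are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# The Received line is the one quoted in the post; everything else is constructed.
RECEIVED = "Received: (qmail 10932 invoked by uid 102); 18 Apr 2013 12:28:49 -0000"
PASSWD = """root:x:0:0:root:/root:/bin/bash
www:x:102:102:web server:/home/www:/bin/false
fred:x:5102:5102:Fred:/home/fred:/bin/false
"""
ACCESS_LOG = """\
203.0.113.7 - - [18/Apr/2013:08:28:47 -0400] "POST /blog/contact.php HTTP/1.1" 200 512
198.51.100.4 - - [18/Apr/2013:08:28:48 -0400] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [18/Apr/2013:09:40:00 -0400] "POST /blog/contact.php HTTP/1.1" 200 512
"""

RECEIVED_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\); (.+)$")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_received(line):
    """Return (uid, timezone-aware datetime) from a locally injected qmail Received line."""
    m = RECEIVED_RE.search(line.strip())
    if not m:
        return None
    return int(m.group(1)), datetime.strptime(m.group(2), "%d %b %Y %H:%M:%S %z")

def user_for_uid(passwd_text, uid):
    """Match the uid field exactly; a plain substring match would also hit uid 5102."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None

def requests_near(log_text, when, window=timedelta(seconds=10), methods=("POST",)):
    """List (client, path, time) for requests within `window` of `when`.
    Filtering on POST is an assumption; pass other methods to widen the search."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(3) not in methods:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:  # aware datetimes compare in UTC
            hits.append((m.group(1), m.group(4), ts))
    return hits

if __name__ == "__main__":
    uid, when = parse_received(RECEIVED)
    print(uid, user_for_uid(PASSWD, uid), when.isoformat())
    for client, path, ts in requests_near(ACCESS_LOG, when):
        print(client, path, ts.isoformat())
```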

CharlieBrady
Re: qmail queue build up and mail halt
« Reply #16 on: April 20, 2013, 03:27:15 PM »
Quote
Please be aware that common PHP apps (Joomla, WordPress and so on) are bugged and must be kept up-to-date

Or removed. :-)


purvis
Re: qmail queue build up and mail halt
« Reply #18 on: April 21, 2013, 12:56:09 AM »
I had just read about Email Injection in web forms to produce spam email from the web server.
Maybe you have that. I am pretty sure it was in a paperback book called PHP Solutions.
http://foundationphp.com/phpsolutions/

purvis
Re: qmail queue build up and mail halt
« Reply #19 on: April 21, 2013, 02:26:26 AM »
In that book, on page 118, it speaks of Email Header Injection.
This is a good book. I have of them.

purvis
Re: qmail queue build up and mail halt
« Reply #20 on: April 22, 2013, 12:25:17 AM »
How about the PHP security glitch in 7.6 as well?

CharlieBrady
Re: qmail queue build up and mail halt
« Reply #21 on: April 22, 2013, 05:02:51 AM »
Quote
How about the PHP security glitch in 7.6 as well?

What glitch is that? Please provide a reference.

purvis
Re: qmail queue build up and mail halt
« Reply #22 on: April 22, 2013, 10:26:34 AM »

CharlieBrady
Re: qmail queue build up and mail halt
« Reply #23 on: April 22, 2013, 02:44:04 PM »

purvis
Re: qmail queue build up and mail halt
« Reply #24 on: April 22, 2013, 11:10:24 PM »
That is a fine line not worth walking, Charlie.
It is when you have the problem.
I remember a warning saying to upgrade to SME 8.0 just because of the PHP glitch.

CharlieBrady
Re: qmail queue build up and mail halt
« Reply #25 on: April 22, 2013, 11:39:17 PM »
Quote
That is a fine line not worth walking, Charlie.
It is when you have the problem.

I see no evidence that JasonS had/has PHP5 CGI installed.

purvis
Re: qmail queue build up and mail halt
« Reply #26 on: April 22, 2013, 11:56:34 PM »
You know the system way more than I, Charlie, and can diagnose it better as well. I was just trying to remind about some possibilities of things. Better to swing in the dark than not at all.

JasonS
Re: qmail queue build up and mail halt
« Reply #27 on: April 23, 2013, 04:31:20 PM »
Thanks for the help Charlie - I had used your grep uid /etc/passwd instructions from another post/different thread. :)
It helped immensely.

You can see my whole resolution process in comment #13.
We are now 5 days spam free, queue functioning correctly with 0 messages stuck.

I believe it was out-of-date WordPress that was compromised.

CharlieBrady
Re: qmail queue build up and mail halt
« Reply #28 on: April 23, 2013, 05:10:16 PM »
Quote
You can see my whole resolution process in comment #13.

Thanks for so thoroughly documenting your diagnosis and cleanup process.

Quote
I believe it was out-of-date WordPress that was compromised.

Anyone with WordPress even a couple of months out of date should be looking closely at removing or updating it.