February 2, 2015 · mail exim spam

Search for PHP spam script location. Exim & PHP

If your server suddenly starts sending a lot of mail, you need to determine where it comes from. That is not always easy when the server hosts many virtual hosts.
So how can we find where the spam code is located?
Generally it is not that hard: we need to look at the headers of the mail and at its contents.
A spam run usually leaves "frozen" messages in the local MTA's queue. When the recipient MTA rejects a message, the local MTA generates a bounce (envelope sender <>) to the forged sender address; that bounce cannot be delivered either, so Exim freezes it. By default a frozen bounce carries a copy of the original message, headers included, in its body, which is exactly what we need.
To list frozen messages in Exim:

[root@mta:~]# exim -bp | grep frozen
 7h  4.7K 1YIKRV-0004za-C8 <> *** frozen ***
 7h  4.7K 1YIKCZ-00051D-Rs <> *** frozen ***
 7h  7.5K 1YIKaD-0002g3-Jp <> *** frozen ***
 6h  6.8K 1YILJi-0006U4-LC <> *** frozen ***
 6h  6.6K 1YILgM-00010l-W7 <> *** frozen ***
 6h  6.8K 1YILo8-0002aq-O9 <> *** frozen ***
 6h  8.4K 1YILo5-0002d9-GO <> *** frozen ***
 6h  8.0K 1YILrY-00035g-Ga <> *** frozen ***
 5h  9.6K 1YIM2j-0004pV-PD <> *** frozen ***

Let's find the script that generates the unwanted mail. To do this, look at the message headers:

Note: when the frozen message is a bounce, its own headers belong to the bounce, and the X-PHP-Originating-Script header of the spam is in the body (exim -Mvb), inside the quoted copy of the failed message. Either way, the body of the spam message should be examined.

[root@mta:~]# exim -Mvh 1YIM2j-0004pV-PD
1YIM2j-0004pV-PD
joe 1060 1060
<joe@example>
1422921664 0
-ident joe
-received_protocol local
-body_linecount 5
-max_received_linelength 131
-auth_id joe
-auth_sender joe@example
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
bob@example.org

175P Received: from joe by mta.example.org with local (Exim 4.80)
    (envelope-from <joe@example>)
    id 1YIM2j-0004pV-PD
    for bob@example.org; Tue, 03 Feb 2015 02:01:04 +0200
025T To: bob@example.org
026  Subject: Contacts request
042  X-PHP-Originating-Script: 1060:mailer.php
028F From: robot@example.org
032R Reply-To: robot@example.org
018  MIME-Version: 1.0
038  Content-Type: text/html;charset=utf-8
054I Message-Id: <1YIM2j-0004pV-PD@mta.example.org>
038  Date: Tue, 03 Feb 2015 02:01:04 +0200

Good. Now we know the message id, the uid and gid of the user the script ran as (joe, 1060:1060, second line of the spool header) and the script name itself, mailer.php, from X-PHP-Originating-Script. Two caveats about that header: the number before the colon is the uid of the owner of the script file (PHP's php_getuid()), and only the basename of the currently executing file is recorded, never its path. The file therefore still has to be located on disk, for example with find, filtering by owner uid and file name under the web roots. Scripts that bypass mail() and speak SMTP directly leave no such header; for those, the uid in the spool header and the Received: line are the only leads.

The mail contents may also be interesting:

[root@mta:~]# exim -Mvb 1YIM2j-0004pV-PD
<html><body style='font-family:Arial,sans-serif;'><h2 style='font-weight:bold;border-bottom:1px dotted #ccc;'>Contacts request</h2>
<p><strong>Want some spam? Contact us at woohoo@example.org</strong></p>
</body></html>
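The whole procedure, as an added shell script that is not from the original post: it reads the frozen queue, pulls X-PHP-Originating-Script from the spool header or from the copy of the rejected message in a bounce body, tallies the scripts, and locates the files by owner uid and basename. exim on PATH and vhost document roots under $WEBROOT (default /var/www) are assumptions; the two embedded samples are constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from the original post. Pulls X-PHP-Originating-Script
# out of frozen Exim messages (spool header or, for a bounce, the copy of the
# rejected message in the body), tallies the scripts and locates the files.
# Assumptions: exim on PATH, vhost document roots under $WEBROOT.

WEBROOT="${WEBROOT:-/var/www}"

# Constructed sample of "exim -Mvh" output (same shape as in the post; not a real capture).
sample_spool_header() {
    cat <<'EOF'
1YIM2j-0004pV-PD
joe 1060 1060
<joe@example>
1422921664 0
-ident joe
-received_protocol local
XX
1
bob@example.org

175P Received: from joe by mta.example.org with local (Exim 4.80)
025T To: bob@example.org
026  Subject: Contacts request
042  X-PHP-Originating-Script: 1060:mailer.php  
028F From: robot@example.org
EOF
}

# Constructed sample of a frozen bounce body ("exim -Mvb"): the original message's
# headers are quoted inside it, so the PHP header is in the body, not the spool header.
sample_bounce_body() {
    cat <<'EOF'
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients.

------ This is a copy of the message, including all the headers. ------

Received: from joe by mta.example.org with local (Exim 4.80)
To: bob@example.org
X-PHP-Originating-Script: 1060:mailer.php
Subject: Contacts request
EOF
}

# stdin: exim -Mvh and/or -Mvb text. stdout: one "uid script" line per distinct
# header. Spool header lines carry a length/flag prefix ("042  "), the body copy
# does not, so the header name is matched anywhere in the line.
parse_originating_script() {
    sed -n 's/^.*X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):\(.*\)$/\1 \2/p' |
        sed 's/[[:space:]]*$//' | sort -u
}

# Ids of frozen messages: third column of "exim -bp" (age, size, id, sender).
frozen_ids() {
    exim -bp | awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

# Spool header first, then body, for one message id.
scripts_for_message() {
    { exim -Mvh "$1"; exim -Mvb "$1"; } 2>/dev/null | parse_originating_script
}

# "count uid script" for the whole frozen queue, most frequent first.
tally_frozen_scripts() {
    for id in $(frozen_ids); do
        scripts_for_message "$id"
    done | sort | uniq -c | sort -rn
}

# The header carries the script owner's uid and the basename only, never a path,
# so candidate files are found by owner and name under the web roots.
locate_script() {
    find "$WEBROOT" -xdev -type f -uid "$1" -name "$2" 2>/dev/null
}

if [ "${1:-}" = "scan" ]; then
    tally_frozen_scripts | while read -r count uid name; do
        printf '%s message(s) from uid %s, script %s:\n' "$count" "$uid" "$name"
        locate_script "$uid" "$name"
    done
else
    # Offline demo on the constructed samples; "sh spamscan.sh scan" walks the real queue.
    echo "spool header:"; sample_spool_header | parse_originating_script
    echo "bounce body:";  sample_bounce_body  | parse_originating_script
fi
```

Run it as `sh spamscan.sh scan` on the MTA; without the argument it only parses the two embedded samples. Tallying before deleting anything matters on a multi-vhost box: one infected site often produces several different script names, and the uid tells the sites apart even when the basenames collide.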

The X-PHP-Originating-Script header is only added when the mail.add_x_header option is enabled in php.ini (the stock php.ini-production ships with it On; with no value set it is off). It is written only by PHP's mail() function, so a script that opens its own SMTP connection leaves no trace in the message. The related mail.log option records every mail() call together with the full path and line number of the calling script, which the header does not carry.
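The php.ini settings involved, as an added example that is not from the original post; the log path is an assumption:

```ini
; Stamp every mail() call with "X-PHP-Originating-Script: <owner uid>:<script basename>".
mail.add_x_header = On

; Log each mail() call with the full path and line of the calling script,
; which the header does not carry. Path is an assumption: pick one the
; PHP worker user can write, and rotate it.
mail.log = /var/log/php-mail.log
```

mail.log can also be set per virtual host (for example with php_admin_value in an Apache vhost), so each site writes its own log and the offending vhost is obvious from the file name alone.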

Once the malicious script has been removed (or renamed and moved aside for further analysis), the frozen messages can be removed from the queue. Do it in that order: deleting them while the script still runs just lets it refill the queue.

[root@mta ~]# exim -bpu | grep frozen | awk '{print $3}' | xargs -r exim -Mrm

(-r is GNU xargs: do nothing when the list is empty.) The exiqgrep utility that ships with Exim selects the same messages with -z (frozen only) and -i (print ids only), which saves the grep/awk step.

Thanks to: http://blog.wapnet.nl/2013/11/show-spam-script-on-linux-webserver/
