
Help with spam from root@localhost


Mike Arvay

Mar 29, 2005, 12:43:16 PM
Just recently I've noticed a lot of spam being sent through our server from
a domainA to a domainB, but in the headers it says "from
ro...@localhost.localdomain". Neither domainA nor domainB is hosted on
my server, so it looks like it is being used as a relay. I know it's not an
open relay. I have about 10 domains that I host on a dedicated box.

How can I find out where this is coming from? And what can I do?

I've run checkRootKit and it found nothing.

The From ip address is 127.0.0.1.

Some go through, some get stuck in the Queue.

Is there a way with sendmail to prevent a user (root) from sending e-mail
out, but still e-mail local accounts?

The following are the headers from one of these e-mails. The only thing
modified was my actual domain name, which was replaced with web1.MyServerName.com.
No IP addresses were changed.


Return-Path: <“>
Received: from web1.MyServerName.com (localhost.localdomain [127.0.0.1]) by
web1.MyServerName.com (8.13.4/8.12.11) with ESMTP id j2TGMKH5008390 for
<in...@e-netronix.com>; Tue, 29 Mar 2005 10:22:20 -0600
Full-Name: root
Received: (from root@localhost) by web1.MyServerName.com
(8.13.4/8.13.4/Submit) id j2TGMKG6008387; Tue, 29 Mar 2005 10:22:20 -0600
Date: Tue, 29 Mar 2005 10:22:20 -0600
Message-Id: <200503291622....@web1.MyServerName.com>
To: in...@e-netronix.com
Subject: Protect your VISA card
From: "Visa.com" <vc...@usav.verifedbyviisa.com>
Content-Type: text/html
X-Virus-Scanned: by amavisd-new


The following is the section from the maillog file:

Mar 29 10:22:20 web1 sendmail[8387]: j2TGMKG6008387: from=root, size=4085, class=0, nrcpts=1, msgid=<200503291622.j2TGMKG6008387@web1.MyServerName.com>, relay=root@localhost
Mar 29 10:22:20 web1 sendmail[8365]: j2TGMGH0008326: to=<in...@dueemmesidol.it>, ctladdr=<ro...@web1.MyServerName.com> (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=124313, relay=mailin.albacom.net. [217.220.34.124], dsn=2.0.0, stat=Sent (ok 1112113133 qp 27487)
Mar 29 10:22:20 web1 sendmail[8390]: j2TGMKH5008390: from=<ro...@web1.MyServerName.com>, size=4312, class=0, nrcpts=1, msgid=<200503291622....@web1.MyServerName.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 29 10:22:20 web1 sendmail[8390]: j2TGMKH5008390: Milter change (add): header: X-Virus-Scanned: by amavisd-new
Mar 29 10:22:20 web1 sendmail[8387]: j2TGMKG6008387: to=info@e-netronix.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=34085, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j2TGMKH5008390 Message accepted for delivery)

Alexander Dalloz

Mar 29, 2005, 12:56:36 PM
On Tue, 29 Mar 2005 17:43:16 +0000 Mike Arvay wrote:

> Just recently I've noticed a lot of spam being sent through our server from
> a domainA to a domainB, but in the headers it says "from
> ro...@localhost.localdomain". Neither domainA nor domainB is hosted on
> my server, so it looks like it is being used as a relay. I know it's not an
> open relay. I have about 10 domains that I host on a dedicated box.
>
> How can I find out where this is coming from? And what can I do?
>
> I've run checkRootKit and it found nothing.
>
> The From ip address is 127.0.0.1.
>
> Some go through, some get stuck in the Queue.
>
> Is there a way with sendmail to prevent a user (root) from sending e-mail
> out, but still e-mail local accounts?
>
> The following are the headers from one of these e-mails. The only thing
> modified was my actual domain name, which was replaced with web1.MyServerName.com.
> No IP addresses were changed.
>
>
> Return-Path: < g>
> Received: from web1.MyServerName.com (localhost.localdomain [127.0.0.1]) by
> web1.MyServerName.com (8.13.4/8.12.11) with ESMTP id j2TGMKH5008390 for
> <in...@e-netronix.com>; Tue, 29 Mar 2005 10:22:20 -0600
> Full-Name: root
> Received: (from root@localhost) by web1.MyServerName.com
> (8.13.4/8.13.4/Submit) id j2TGMKG6008387; Tue, 29 Mar 2005 10:22:20 -0600
> Date: Tue, 29 Mar 2005 10:22:20 -0600
> Message-Id: <200503291622....@web1.MyServerName.com>
> To: in...@e-netronix.com
> Subject: Protect your VISA card
> From: "Visa.com" <vc...@usav.verifedbyviisa.com>
> Content-Type: text/html
> X-Virus-Scanned: by amavisd-new

Your webserver (Apache?) runs as root? Or at least there is an insecure
formmail page on it, allowing mail from any address to any recipient?

Alexander


--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.770_FC2smp
Serendipity 19:55:15 up 12 days, 16:51, load average: 0.39, 0.45, 0.45

Mike Arvay

Mar 29, 2005, 4:30:16 PM
Alexander Dalloz <ad+...@uni-x.org> wrote in
news:pan.2005.03.29....@uni-x.org:

>
> Your webserver (Apache?) runs as root? Or at least there is an insecure
> formmail page on it, allowing mail from any address to any
> recipient?
>
> Alexander
>
>

Thanks Alexander.

I checked to make sure Apache wasn't being run as root, and it's not. It's
being run as nobody. I've searched the server for formmail.pl, formmail.cgi,
and *.cgi and found 2 formmail.cgi files in different sites. I looked at
them and they look secure. They are set to only accept e-mail sent to certain users.

Mike

Alexander Dalloz

Mar 29, 2005, 7:05:18 PM
On Tue, 29 Mar 2005 21:30:16 +0000 Mike Arvay wrote:

> I checked to make sure Apache wasn't being run as root, and it's not. It's
> being run as nobody. I've searched the server for formmail.pl, formmail.cgi,
> and *.cgi and found 2 formmail.cgi files in different sites. I looked at
> them and they look secure. They are set to only accept e-mail sent to certain users.
>
> Mike

I can't think of anything other than that your host has been compromised. The
mail is locally submitted by root. Is it much mail traffic you are facing
this way in the log? Then check for running processes. OK, rootkits hide
themselves, but they should be found by chkrootkit.

Alexander


--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.770_FC2smp
Serendipity 02:01:23 up 12 days, 22:57, load average: 0.48, 0.56, 0.49

Mike Arvay

Mar 30, 2005, 12:57:37 AM
Alexander Dalloz <ad+...@uni-x.org> wrote in
news:pan.2005.03.30...@uni-x.org:


> I can't think of anything other than that your host has been compromised.
> The mail is locally submitted by root. Is it much mail traffic you are
> facing this way in the log? Then check for running processes. OK,
> rootkits hide themselves, but they should be found by chkrootkit.
>
> Alexander
>
>

Alexander,
Again, thanks for the suggestions. Yes, this does increase the traffic
when it is happening. I was able to watch this happen last night and
this morning, watching the mail log go by with 80% of the e-mails being
from "root@localhost". The extra traffic doesn't bother me as much as the
fact that we were listed on the spamcop.net blacklist for 24 hours
because of it. And it looks like it's coming from inside the server.

I don't know if this will have fixed it, but I saw in another posting
that fetchmail was causing a similar problem. They said it would try to
download a spam e-mail from an external server and try to deliver it from
their server. This morning when I noticed an increase of messages in the
queue, I was watching the maillog fly by with these e-mails. I decided
to remove fetchmail and re-boot the server. When it came back up, it
continued for a few minutes then stopped. I moved the messages out of
the queue so they wouldn't try to re-deliver. It doesn't make sense why
fetchmail would target many different e-mail addresses if this were the
case.

Mike

tessi...@gmail.com

Jun 22, 2018, 6:41:21 AM
On Tuesday, 29 March 2005 19:43:16 UTC+2, Mike Arvay wrote:

tessi...@gmail.com

Jun 22, 2018, 6:41:55 AM
On Tuesday, 29 March 2005 19:43:16 UTC+2, Mike Arvay wrote:

Grant Taylor

Jun 22, 2018, 4:03:48 PM
On 06/22/2018 04:41 AM, tessi...@gmail.com wrote:
> Just recently I've noticed a lot of spam being sent through our
> server from a domainA to a domainB, but in the headers it says "from
> ro...@localhost.localdomain". Neither domainA nor domainB is hosted on
> my server, so it looks like it is being used as a relay. I know it's not
> an open relay. I have about 10 domains that I host on a dedicated box.
>
> How can I find out where this is coming from? And what can I do?

It looks like the email is originating from your system.

Based on dealing with things like this before, it looks exactly like
what I would expect if there is something on one of the websites that is
compromised and originating the email.

Check for compromises in your web sites.

Check your web server access logs to see if there's something atypical
or unexpected.

> I've run checkRootKit and it found nothing.

Compromised websites usually aren't found by root kit scans. (Because
they aren't root kits.)

> The From ip address is 127.0.0.1.

Yep, that's where email from compromised websites will extremely likely
originate from.

> Some go through, some get stuck in the Queue.

Typical.

Don't be surprised if your server ends up on one or more email
blacklists. Almost all of which are used to your scenario and provide
directions to get removed. Others are simple timeouts.

> Is there a way with sendmail to prevent a user (root) from sending e-mail
> out, but still e-mail local accounts?

Hypothetically yes. Trivially no.

Even if there was something trivial, it would only address the symptom
and not the source of the email.

> The following are the headers from one of these e-mails. The only thing
> modified was my actual domain name, which was replaced with web1.MyServerName.com.
> No IP addresses were changed.

That looks typical of email from a vulnerable website on localhost.



--
Grant. . . .
unix || die
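The two practical leads in this thread are the maillog (messages that sendmail received from root on the box itself, or over 127.0.0.1, yet addressed to domains the box does not host) and the web server access log (a POST to some script seconds before each such submission). The script below is an added example written for this page, not code from any poster or from sendmail; it ties those two leads together. The sendmail lines are constructed to match the shape of the maillog excerpt Mike posted (same queue ids), but the recipient domains, the Apache lines, the `/site2/cgi-bin/formmail.cgi` path, the `LOCAL_DOMAINS` set and the 5-second correlation window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the domains this box actually hosts mail for (the thread says about 10).
LOCAL_DOMAINS = {"web1.myservername.com", "myservername.com"}
YEAR = 2005  # syslog timestamps carry no year; taken from the thread's dates

# Constructed sample lines. The sendmail records mirror the maillog excerpt in the
# thread (same queue ids); recipients, IPs and the Apache lines are invented here.
MAILLOG = """\
Mar 29 10:22:20 web1 sendmail[8387]: j2TGMKG6008387: from=root, size=4085, class=0, nrcpts=1, msgid=<200503291622.j2TGMKG6008387@web1.MyServerName.com>, relay=root@localhost
Mar 29 10:22:20 web1 sendmail[8387]: j2TGMKG6008387: to=info@victim.example, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=34085, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (j2TGMKH5008390 Message accepted for delivery)
Mar 29 10:22:20 web1 sendmail[8390]: j2TGMKH5008390: from=<root@web1.MyServerName.com>, size=4312, class=0, nrcpts=1, msgid=<200503291622.j2TGMKG6008387@web1.MyServerName.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 29 10:22:20 web1 sendmail[8390]: j2TGMKH5008390: to=<info@victim.example>, ctladdr=<root@web1.MyServerName.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=124312, relay=mx.victim.example. [192.0.2.25], dsn=2.0.0, stat=Sent (ok 1112113133)
Mar 29 10:30:05 web1 sendmail[8412]: j2TGU5AB008412: from=root, size=300, class=0, nrcpts=1, msgid=<200503291630.j2TGU5AB008412@web1.MyServerName.com>, relay=root@localhost
Mar 29 10:30:05 web1 sendmail[8412]: j2TGU5AB008412: to=admin@web1.MyServerName.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30300, dsn=2.0.0, stat=Sent
"""

ACCESS_LOG = """\
203.0.113.7 - - [29/Mar/2005:10:22:19 -0600] "POST /site2/cgi-bin/formmail.cgi HTTP/1.1" 200 512
198.51.100.3 - - [29/Mar/2005:10:25:40 -0600] "GET /index.html HTTP/1.1" 200 2048
"""

MAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def mail_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


def is_local(addr):
    """True for bare local users and for addresses in a domain this box hosts."""
    addr = addr.strip("<>").lower()
    return "@" not in addr or addr.rsplit("@", 1)[1] in LOCAL_DOMAINS


def parse_maillog(text):
    """Group from=/to= records by Message-Id, so the submission (MSP) and delivery
    (MTA) queue entries of one message, two queue ids in the thread's log, land together."""
    qid_to_msg = {}
    msgs = defaultdict(lambda: {"ts": None, "qids": set(), "root_submit": False,
                                "local_origin": False, "rcpts": set()})
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if rest.startswith("from="):
            mid = re.search(r"msgid=<([^>]+)>", rest)
            key = mid.group(1) if mid else qid
            qid_to_msg[qid] = key
            rec = msgs[key]
            rec["ts"] = rec["ts"] or mail_ts(m["ts"])
            rec["qids"].add(qid)
            # relay=root@localhost: handed to the sendmail binary by root on the box;
            # [127.0.0.1]: handed in over SMTP on the loopback interface.
            rec["root_submit"] |= "relay=root@localhost" in rest
            rec["local_origin"] |= rec["root_submit"] or "[127.0.0.1]" in rest
        elif rest.startswith("to=") and qid in qid_to_msg:
            for r in rest[3:].split(", ctladdr=", 1)[0].split(","):
                msgs[qid_to_msg[qid]]["rcpts"].add(r.strip().strip("<>"))
    return msgs


def suspicious_messages(msgs):
    """Locally originated messages with at least one recipient this box does not host."""
    out = []
    for mid, rec in msgs.items():
        external = sorted(r for r in rec["rcpts"] if not is_local(r))
        if rec["local_origin"] and external:
            out.append({"msgid": mid, "ts": rec["ts"], "qids": sorted(rec["qids"]),
                        "root_submit": rec["root_submit"], "external": external})
    return sorted(out, key=lambda r: r["ts"])


def parse_access_log(text):
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            # Both logs are in the server's local time, so the zone offset is dropped.
            ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
            reqs.append({"ts": ts, "ip": m["ip"], "method": m["method"], "path": m["path"]})
    return reqs


def correlate(suspects, reqs, window=timedelta(seconds=5)):
    """For each suspect message, the POSTs that hit the web server just before it was
    submitted; the script behind such a request is the first place to look."""
    hits = {}
    for s in suspects:
        near = [r for r in reqs
                if r["method"] == "POST" and s["ts"] - window <= r["ts"] <= s["ts"]]
        hits[s["msgid"]] = [(r["ip"], r["path"]) for r in near]
    return hits


if __name__ == "__main__":
    suspects = suspicious_messages(parse_maillog(MAILLOG))
    hits = correlate(suspects, parse_access_log(ACCESS_LOG))
    for s in suspects:
        origin = "root via sendmail binary" if s["root_submit"] else "SMTP on loopback"
        print(s["ts"], s["qids"], origin, "->", s["external"])
        for ip, path in hits[s["msgid"]]:
            print("    preceded by POST", path, "from", ip)
```

On the constructed input the script reports the one message that root submitted for an external address and the POST to the form script one second before it, while the legitimate root-to-local message in the same log is ignored. Run against a real maillog and access_log (`python3 script.py` after pointing `MAILLOG` and `ACCESS_LOG` at file contents), the count of flagged messages per hour is also the number to watch when deciding whether the problem has stopped.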