If the system has been used to send spam, you should start looking for the source as quickly as possible to avoid getting your own IP address listed on blacklists.
In this example I want to show how to get to the root of the problem even without spam detection via a sendmail wrapper and X-headers.
Step 1: Inspecting the mail queue
We display the Postfix mail queue with postqueue -p (mailq is the sendmail-compatible equivalent) and already see plenty of spam e-mails.
```text
# mailq
[..]
A19A01A7481      715 Fri Feb 21 08:07:49  deirdre_kelly@tauernresidence.at
(delivery temporarily suspended: host mailin-03.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         gerio7769@aol.com

A324A1A7E26      699 Sat Feb 22 06:41:27  cassandra_turner@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         ryanshay@aol.com

A34A01A7A6B      681 Fri Feb 21 20:04:56  alta_munoz@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         lseitelman@aol.com

AB2C4561DA6      744 Fri Feb 21 09:02:09  mollie_lester@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         mbarney555@aol.com

A493D590B20      765 Thu Feb 20 19:32:19  terri_duffy@tauernresidence.at
(delivery temporarily suspended: host mailin-02.mx.aol.com[64.12.88.163] refused to talk to me: 421 4.7.1 : (DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.html)
                                         canarien9561@aol.com

-- 32354 Kbytes in 12505 Requests.
```
Step 2: Spam was sent via a PHP script
To find the responsible user, we open a few of these Postfix queue IDs, for example AB2C4561DA6.
```text
# postcat -q AB2C4561DA6
*** ENVELOPE RECORDS deferred/A/AB2C4561DA6 ***
message_size: 744 185 1 0 744
message_arrival_time: Fri Feb 21 09:02:09 2014
create_time: Fri Feb 21 09:02:09 2014
named_attribute: rewrite_context=local
sender_fullname:
sender: xxx@xxx.de
*** MESSAGE CONTENTS deferred/A/AB2C4561DA6 ***
Received: by xxx.xxx.de (Postfix, from userid 4079)
        id AB2C4561DA6; Fri, 21 Feb 2014 09:02:09 +0100 (CET)
To: mbarney555@aol.com
Subject: Re: Good day
From: "xxx" <xxx@xxx.de>
Reply-To: "xxx" <xxx@xxx.de>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <20140221080209.AB2C4561DA6@xxx.xxx.de>
Date: Fri, 21 Feb 2014 09:02:09 +0100 (CET)
```
In line 10 of the output, the Received: header, we find user ID 4079 (the message was handed to Postfix locally, with no SMTP login). We now look that ID up in /etc/passwd to get the user name.
```text
# grep 4079 /etc/passwd
web274:x:4079:4079::/var/www/web274:/bin/false
```
We change into the directory that holds this user's Apache log files.
- Plesk: /var/www/vhosts/domain.de/statistics/logs/
- Confixx: /var/www/webX/log/
Now we search the access_log for successful POST requests (status 200).
Below is an example of how the "spammers" call several PHP scripts in turn to send the spam e-mails: the same client IP posts to a PHP file in an image directory every few seconds, without a Referer or User-Agent.
```text
localhost:/var/www/web274# zcat log/old/access_log_2014_w9-0.gz
[..]
68.71.243.135 - - [22/Feb/2014:06:30:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:30:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:31:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:03 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:19 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:35 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:32:51 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:39 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:35:54 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:10 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:28 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:36:44 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:00 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:15 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
68.71.243.135 - - [22/Feb/2014:06:37:31 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"
[..]
```
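The pattern above can be picked out of a whole access_log automatically. The following is an added example, not code from the original post: it parses Apache combined-format lines and reports clients that repeatedly POST (with HTTP 200) to a PHP file that either carries no Referer and no User-Agent or sits in a directory meant for static files. The sample lines and the SUSPICIOUS_DIRS list are constructed for the example, modelled on the excerpt above.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the access_log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Directories a CMS normally serves static files from; a PHP file being
# POSTed to in one of them is the classic dropped mailer script.
SUSPICIOUS_DIRS = ("/images/", "/upload/", "/uploads/", "/cache/", "/tmp/")


def find_spam_scripts(lines, min_hits=3):
    """Count successful (200) POST requests to PHP files per (client IP, path)
    and return those that look like a mailer script driven remotely: the
    request carries neither Referer nor User-Agent, or the file sits in a
    directory that should not contain executable scripts at all."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format (or a truncated line)
        if m["method"] != "POST" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        if not path.endswith(".php"):
            continue
        headerless = m["referer"] == "-" and m["ua"] == "-"
        odd_location = any(d in path for d in SUSPICIOUS_DIRS)
        if headerless or odd_location:
            hits[(m["ip"], path)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


# Constructed sample lines modelled on the excerpt above (not the original log).
SAMPLE_LOG = [
    '68.71.243.135 - - [22/Feb/2014:06:30:16 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"',
    '68.71.243.135 - - [22/Feb/2014:06:30:32 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"',
    '68.71.243.135 - - [22/Feb/2014:06:30:47 +0100] "POST /images/header/xmlrpclAag.php HTTP/1.1" 200 372 "-" "-"',
    '68.71.243.135 - - [22/Feb/2014:06:35:39 +0100] "POST /info/sommer/popupkttX.php HTTP/1.1" 200 372 "-" "-"',
    # legitimate traffic: a browser login, a static image, a redirected form
    '203.0.113.7 - - [22/Feb/2014:07:01:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4210 "http://example.com/wp-login.php" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Feb/2014:07:01:05 +0100] "GET /images/header/logo.png HTTP/1.1" 200 9331 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Feb/2014:07:02:10 +0100] "POST /kontakt.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for (ip, path), n in find_spam_scripts(SAMPLE_LOG).items():
        print(f"{ip}: {n}x POST to {path}")
```

Run it against `zcat log/old/access_log_*.gz` output (one line per list element) and every reported path is a file to inspect and remove.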
These files should now be located and removed as quickly as possible; the tool Malware Detect (Linux Malware Detect, maldet) helps with that.
The CMS should also be brought up to date, the image/upload directory secured, and the mail queue cleaned out.
Step 3: Spam was sent via a user account
In the following example you can see that an authenticated login took place: sasl_username=kontakt@xxx.de. This user's password should be changed as quickly as possible.
```text
# postcat -q 5942C8948326
*** ENVELOPE RECORDS active/5942C8948326 ***
message_size: 934 1432 8 0 917
message_arrival_time: Sun Jan 19 15:50:31 2014
create_time: Sun Jan 19 15:50:31 2014
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=kontakt@xxx.de
sender: gaf@xxx.de
named_attribute: log_client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: log_client_address=93.120.196.244
named_attribute: log_client_port=3555
named_attribute: log_message_origin=93-120-196-244.dynamic.mts-nn.ru[93.120.196.244]
named_attribute: log_helo_name=cisqyltfbn
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: reverse_client_name=93-120-196-244.dynamic.mts-nn.ru
named_attribute: client_address=93.120.196.244
named_attribute: client_port=3555
named_attribute: helo_name=cisqyltfbn
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;tomnagy91@gmail.com
original_recipient: tomnagy91@gmail.com
done_recipient: tomnagy91@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;hingkik@yahoo.com
original_recipient: hingkik@yahoo.com
recipient: hingkik@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;shaunmurray24@yahoo.com
original_recipient: shaunmurray24@yahoo.com
recipient: shaunmurray24@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;malcolmervin57@gmail.com
original_recipient: malcolmervin57@gmail.com
done_recipient: malcolmervin57@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;blondie@yahoo.com
original_recipient: blondie@yahoo.com
recipient: blondie@yahoo.com
named_attribute: dsn_orig_rcpt=rfc822;o.ne...112.23.3.44.5566@gmail.com
original_recipient: o.ne...112.23.3.44.5566@gmail.com
done_recipient: o.ne...112.23.3.44.5566@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;ramanadxn@gmail.com
original_recipient: ramanadxn@gmail.com
done_recipient: ramanadxn@gmail.com
named_attribute: dsn_orig_rcpt=rfc822;rich_miracle@rediffmail.com
original_recipient: rich_miracle@rediffmail.com
recipient: rich_miracle@rediffmail.com
*** MESSAGE CONTENTS active/5942C8948326 ***
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
X-No-Relay: not in my network
Received: from cisqyltfbn (93-120-196-244.dynamic.mts-nn.ru [93.120.196.244])
        (Authenticated sender: kontakt@xxx.de)
        by xxx.xxx.de (Postfix) with ESMTPA id 5942C8948326;
        Sun, 19 Jan 2014 15:50:31 +0100 (CET)
Subject:
Date: Sun, 19 Jan 2014 15:36:27 -0700
From: "ny fyha" <gaf@xxx.de>
To: <tomnagy91@gmail.com>, <hingkik@yahoo.com>, <shaunmurray24@yahoo.com>, <malcolmervin57@gmail.com>, <blondie@yahoo.com>, <o.ne...112.23.3.44.5566@gmail.com>, <ramanadxn@gmail.com>, <rich_miracle@rediffmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-5
```
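Steps 2 and 3 differ only in what the postcat output reveals about how the message entered Postfix. The following is an added example, not code from the original post, that reads `postcat -q` output and tells the two cases apart: a local submission, where the uid from the Received: header is resolved against /etc/passwd, and an authenticated SMTP submission, where sasl_username and the client address are the lead. The excerpts and the passwd line are constructed for the example from the outputs shown above.

```python
import re

USERID_RE = re.compile(r"\(Postfix, from userid (\d+)\)")
ATTR_RE = re.compile(r"^named_attribute: (\w+)=(.*)$", re.MULTILINE)


def classify_queue_entry(postcat_output, passwd_text):
    """Decide from `postcat -q` output how a queued message entered Postfix.
    'sasl'  : submitted over SMTP with a login; the credential is the lead.
    'local' : handed in via the sendmail binary (e.g. PHP mail()); the web
              user whose uid appears in the Received: header is the lead."""
    attrs = dict(ATTR_RE.findall(postcat_output))  # repeated keys: last wins
    if "sasl_username" in attrs:
        return {"origin": "sasl",
                "sasl_username": attrs["sasl_username"],
                "client_address": attrs.get("client_address"),
                "helo_name": attrs.get("helo_name")}
    m = USERID_RE.search(postcat_output)
    if m is None:
        return {"origin": "unknown"}
    uid = m.group(1)
    user = None
    for entry in passwd_text.splitlines():  # same lookup as grep 4079 /etc/passwd
        fields = entry.split(":")
        if len(fields) > 2 and fields[2] == uid:
            user = fields[0]
            break
    return {"origin": "local", "uid": int(uid), "user": user}


# Constructed excerpts modelled on the two postcat outputs above (not the originals).
LOCAL_SUBMISSION = """\
*** ENVELOPE RECORDS deferred/A/AB2C4561DA6 ***
named_attribute: rewrite_context=local
sender: xxx@xxx.de
*** MESSAGE CONTENTS deferred/A/AB2C4561DA6 ***
Received: by xxx.xxx.de (Postfix, from userid 4079)
    id AB2C4561DA6; Fri, 21 Feb 2014 09:02:09 +0100 (CET)
"""
SASL_SUBMISSION = """\
*** ENVELOPE RECORDS active/5942C8948326 ***
named_attribute: rewrite_context=remote
named_attribute: sasl_method=LOGIN
named_attribute: sasl_username=kontakt@xxx.de
named_attribute: client_address=93.120.196.244
named_attribute: helo_name=cisqyltfbn
Received: from cisqyltfbn (93-120-196-244.dynamic.mts-nn.ru [93.120.196.244])
"""
# Constructed /etc/passwd line, matching the grep output above.
PASSWD = "web274:x:4079:4079::/var/www/web274:/bin/false\n"
```

In the 'local' case the next stop is that user's web directory and access_log; in the 'sasl' case it is a password reset for the account plus a check of the mail log for other logins from the client address.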