Re: [exim] Hijacked "www" user for sending out spam

Author: Patrick Boutilier
Date:  
To: exim-users
Subject: Re: [exim] Hijacked "www" user for sending out spam
list1 wrote:
> Hello,
> It seems like somebody has hijacked "www" user for sending out spam like
> there is no tomorrow. You can see a small section of my exim log below
> or a little longer at this address:
> http://www.dnsbureau.com/exim_main.log.txt I've been looking at various
> other logs for hours trying to figure out what was compromised, but
> there is absolutely no trace of activity like logins from authenticated
> or system users via smtp/imap/pop. www is a system account with no shell
> access. sshd is shut all the time. I've had some php forms played with
> in the past, but that leaves at least one entry in the http logs
> accessing the forms in the first place. Email accounts are authenticated
> via Mysql without exception. www is listed as trusted_users in exim
> config. Does that make it inherently unsafe or an open relay? How can
> you make a call to a server that leaves no trace anywhere other than
> exim log (below).
There could be a process running on your server as user www. The P=local
in the log indicates that exim was called from the command line. Use
something like "ps aux|grep www" to find out what program it is.

> Even with log selector set to +all I don't get any extra
> info that would reveal how they are accessing me. After 2 minutes that I
> noticed the activity, I shut the server down, which left me with almost
> 3000 pieces in the queue. The interesting part was that some of the docs
> were called like "hdr.21217" instead of the usual "IW9K5R-0008Y1-RA-H"
> type.
>
> I use some acls to deal with "injections"
> ------
> acl_check_not_smtp
>
>  drop  condition = ${if match {$message_body}\
>                        {\N.*\
>                        MIME-Version:.*\N}{true}}
>        log_message = "Spam MIME-Version: $header_subject: "
>  drop  condition = ${if match {$message_body}\
>                        {\N.*\
>                        Content-Type:.*\N}{true}}
>        log_message = "Spam: Content-Type: $header_subject: "
> ------
>
> 2006-03-18 10:32:28 IWC664-000E7C-7V <= <> R=IWC664-000E7B-70 U=exim P=local S=2135
> 2006-03-18 10:32:28 IWC664-000E7E-8R <= www@??? U=www P=local S=1484
> 2006-03-18 10:32:28 IWC664-000E7C-7V ** www@???: Unrouteable address
> 2006-03-18 10:32:28 IWC664-000E7C-7V Frozen (delivery error message)
> 2006-03-18 10:32:28 IWC664-000E7G-9R <= www@??? U=www P=local S=1468
> 2006-03-18 10:32:28 IWC664-000E7I-BY <= www@??? U=www P=local S=1478
> 2006-03-18 10:32:28 IWC664-000E7K-E4 <= www@??? U=www P=local S=1458
> 2006-03-18 10:32:28 IWC664-000E7N-FO <= www@??? U=www P=local S=1460
> 2006-03-18 10:32:28 IWC664-000E7P-H4 <= www@??? U=www P=local S=1480
> 2006-03-18 10:32:28 IWC664-000E7R-IP <= www@??? U=www P=local S=1458
> 2006-03-18 10:32:28 IWC664-000E7T-KA <= www@??? U=www P=local S=1466
> 2006-03-18 10:32:28 IWC664-000E7W-ML <= www@??? U=www P=local S=1456
> 2006-03-18 10:32:28 IWC664-000E81-OW <= www@??? U=www P=local S=1466
> 2006-03-18 10:32:29 IWC665-000E84-02 <= www@??? U=www P=local S=1446
> 2006-03-18 10:32:29 IWC665-000E87-26 <= www@??? U=www P=local S=1490
> 2006-03-18 10:32:29 IWC665-000E8A-4O <= www@??? U=www P=local S=1472
> 2006-03-18 10:32:29 IWC665-000E8C-75 <= www@??? U=www P=local S=1462
> 2006-03-18 10:32:29 IWC664-000E7R-IP => 011037p@??? R=dnslookup T=remote_smtp H=mx3.hotmail.com [65.54.244.72]
> 2006-03-18 10:32:29 IWC664-000E7R-IP Completed
> 2006-03-18 10:32:29 IWC665-000E8E-8U <= www@??? U=www P=local S=1470
> 2006-03-18 10:32:29 IWC665-000E8C-75 ** 020y@???: Unrouteable address
> 2006-03-18 10:32:29 IWC665-000E8I-B5 <= www@??? U=www P=local S=1472
> 2006-03-18 10:32:29 IWC665-000E8J-CI <= <> R=IWC665-000E8C-75 U=exim P=local S=688
> 2006-03-18 10:32:29 IWC665-000E8C-75 Completed
> 2006-03-18 10:32:29 IWC665-000E8J-CI ** www@???: Unrouteable address
> 2006-03-18 10:32:29 IWC665-000E8J-CI Frozen (delivery error message)
> 2006-03-18 10:32:29 IWC665-000E8L-EH <= www@??? U=www P=local S=1458
> 2006-03-18 10:32:29 IWC665-000E8O-GG <= www@??? U=www P=local S=1478
> 2006-03-18 10:32:29 IWC665-000E8R-I2 <= www@??? U=www P=local S=1472
> 2006-03-18 10:32:29 IWC665-000E8U-K9 <= www@??? U=www P=local S=1474
> 2006-03-18 10:32:29 IWC665-000E8R-I2 ** 0604vifuve@???: Unrouteable address
> 2006-03-18 10:32:29 IWC665-000E8W-MB <= www@??? U=www P=local S=1474
> 2006-03-18 10:32:29 IWC665-000E8Y-MV <= <> R=IWC665-000E8R-I2 U=exim P=local S=698
> 2006-03-18 10:32:29 IWC665-000E8R-I2 Completed
> 2006-03-18 10:32:29 IWC665-000E91-OE <= www@??? U=www P=local S=1478
> 2006-03-18 10:32:29 IWC665-000E8Y-MV ** www@???: Unrouteable address
> 2006-03-18 10:32:29 IWC665-000E8Y-MV Frozen (delivery error message)
> 2006-03-18 10:32:29 IWC665-000E93-PH <= www@??? U=www P=local S=1460
> 2006-03-18 10:32:30 IWC665-000E95-RI <= www@??? U=www P=local S=1462
> 2006-03-18 10:32:30 IWC666-000E97-1A <= www@??? U=www P=local S=1458
> 2006-03-18 10:32:30 IWC665-000E93-PH ** 07g@???: Unrouteable address
> 2006-03-18 10:32:30 IWC665-000E95-RI ** 07ubrk@???: an MX or SRV record indicated no SMTP service
> 2006-03-18 10:32:30 IWC666-000E9B-2L <= <> R=IWC665-000E95-RI U=exim P=local S=714
> 2006-03-18 10:32:30 IWC666-000E9B-2L ** www@???: Unrouteable address
> 2006-03-18 10:32:30 IWC666-000E9B-2L Frozen (delivery error message)
> 2006-03-18 10:32:30 IWC665-000E95-RI Completed
>
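A triage script for the situation in this thread, added here as an example and not part of either post: it counts messages accepted through exim's local command-line interface (P=local) per Unix user, which is the log pattern the reply points at as the sign of a process on the host calling exim directly. The log lines embedded in it are constructed from the excerpt above (placeholder domain, made-up IDs and sizes, plus one constructed authenticated submission for contrast); pass a real mainlog path as the last argument to run it on live data.

```shell
#!/bin/sh
# Constructed sample modelled on the mainlog excerpt in the thread; message IDs,
# sizes, the placeholder domain and the "alice" authenticated line are made up.
SAMPLE_LOG='2006-03-18 10:32:28 IWC664-000E7C-7V <= <> R=IWC664-000E7B-70 U=exim P=local S=2135
2006-03-18 10:32:28 IWC664-000E7E-8R <= www@example.invalid U=www P=local S=1484
2006-03-18 10:32:28 IWC664-000E7G-9R <= www@example.invalid U=www P=local S=1468
2006-03-18 10:32:29 IWC665-000E84-02 <= alice@example.invalid H=(pc) [192.0.2.10] P=esmtpa A=login:alice S=2001
2006-03-18 10:32:29 IWC665-000E8C-75 <= www@example.invalid U=www P=local S=1462
2006-03-18 10:32:29 IWC664-000E7R-IP => 011037p@example.invalid R=dnslookup T=remote_smtp H=mx3.hotmail.com [65.54.244.72]'

# Emit the log to scan: the file named in $1, or the constructed sample when none is given.
read_log() {
    if [ -n "${1:-}" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Count messages accepted ("<=") that were injected via the local command-line
# interface (P=local) by the Unix user in $1. Such lines carry no H=, A= or SMTP
# protocol, so a burst of them from an account like "www" means a process on the
# host itself is calling exim, not a remote client that authenticated.
count_local_injections() {
    read_log "${2:-}" | awk -v u="$1" '
        $4 == "<=" && $0 ~ (" U=" u " ") && / P=local / { n++ }
        END { print n + 0 }'
}

# Break all local injections down by user, busiest first ("<count> <user>" per line).
local_injection_senders() {
    read_log "${1:-}" | awk '
        $4 == "<=" && / P=local / {
            for (i = 5; i <= NF; i++) if ($i ~ /^U=/) { sub(/^U=/, "", $i); n[$i]++ }
        }
        END { for (u in n) print n[u], u }' | sort -rn
}

# Stand-alone run against the sample; give both calls a mainlog path for live data.
echo "local injections by www: $(count_local_injections www)"
local_injection_senders
```

The user that tops the breakdown is the account to inspect with the reply's ps check; an authenticated webmail or client submission would instead show up with P=esmtpa and an A= tag, as the constructed "alice" line does.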