PHP – how to track down a spamming script


My server sent 83,000 spam emails last night. I've been trying to track down the culprit, but I'm not sure how to find out exactly.

  • in the logs the "from" address is always something like @#!
  • the connections appear to be from the localhost

leading me to believe this is a script using the PHP mail() function or a CGI. So, how do I find out which script?

EDIT
Correction: 354,284 emails sent with 50 'to' addresses each... 17,714,200 emails. Excellent.

EDIT
Looks like an SMTP user/botnet. The mails are being sent by an authenticated user.

Apr 22 06:31:41 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25411 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25412 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25413 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25414 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25415 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:42 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25416 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:42 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25417 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25418 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25419 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25420 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:43 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25422 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25421 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25423 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25424 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:44 impulsemedia relaylock: /var/qmail/bin/relaylock: mail from 71.129.165.22:25425 (adsl-71-129-165-22.dsl.irvnca.pacbell.net)
Apr 22 06:31:45 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:45 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:45 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:45 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: SMTP connect from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:46 impulsemedia smtp_auth: smtp_auth: SMTP user --removed--@--removed--.com : /var/qmail/mailnames/--removed--.com/--removed-- logged in from unknown@adsl-71-129-165-22.dsl.irvnca.pacbell.net [71.129.165.22]
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: Handlers Filter before-queue for qmail started ...
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: from=mysteryshopping@stmarysalumni.com
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: to=ctrudel0103@aol.com
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: to=d__franco@msn.com
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: to=d__john2258@yahoo.com
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: to=d_1n_only@yahoo.com
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: to=d_5boyz@yahoo.com
Apr 22 06:31:49 impulsemedia qmail-queue-handlers[28215]: to=d_85242@yahoo.com

Then 50 or more "to" addresses. The reason I didn't catch this in the logs is that they logged in here and dumped most of the emails in the queue; the rest of the 300m+ log is delivery messages, which looked like a script. That IP address '71.129.165.22' also shows up on the Spamhaus CBL.

It just goes to show that I should read my logs more carefully when there is a problem.

-sean
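As an added example (not part of the question or answer), the kind of log check that would have surfaced this pattern early: a small Python script that counts successful SMTP AUTH logins per account and source IP and groups recipients per queued message, run over constructed lines in the qmail/Plesk syslog format quoted above. The hostname, account, source IP and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the qmail/Plesk syslog format quoted in the
# question; host, account, source IP and recipients are placeholders.
SAMPLE_LOG = """\
Apr 22 06:31:42 mx1 smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@host.isp.example [198.51.100.7]
Apr 22 06:31:43 mx1 smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@host.isp.example [198.51.100.7]
Apr 22 06:31:43 mx1 smtp_auth: smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob logged in from unknown@host.isp.example [198.51.100.7]
Apr 22 06:31:44 mx1 smtp_auth: smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice logged in from unknown@office.example [203.0.113.5]
Apr 22 06:31:49 mx1 qmail-queue-handlers[28215]: from=bulk-sender@example.org
Apr 22 06:31:49 mx1 qmail-queue-handlers[28215]: to=r1@example.net
Apr 22 06:31:49 mx1 qmail-queue-handlers[28215]: to=r2@example.net
Apr 22 06:31:49 mx1 qmail-queue-handlers[28215]: to=r3@example.net
"""

AUTH_RE = re.compile(r"SMTP user (\S+) : \S+ logged in from \S+ \[([\d.]+)\]")
QUEUE_RE = re.compile(r"qmail-queue-handlers\[(\d+)\]: (from|to)=(\S+)")


def logins_by_user_ip(lines):
    """Count successful SMTP AUTH logins per (account, source IP)."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def messages_by_pid(lines):
    """Group from= / to= lines by qmail-queue-handlers PID (one PID per message)."""
    msgs = {}
    for line in lines:
        m = QUEUE_RE.search(line)
        if not m:
            continue
        pid, kind, addr = m.groups()
        entry = msgs.setdefault(pid, {"from": None, "to": []})
        if kind == "from":
            entry["from"] = addr
        else:
            entry["to"].append(addr)
    return msgs


def find_suspects(lines, login_threshold=50, rcpt_threshold=50):
    """Logins and queued messages exceeding the thresholds (tune per server)."""
    noisy = {k: v for k, v in logins_by_user_ip(lines).items() if v >= login_threshold}
    bulk = {p: m for p, m in messages_by_pid(lines).items() if len(m["to"]) >= rcpt_threshold}
    return noisy, bulk
```

Run it over `/usr/local/psa/var/log/maillog` (or wherever your qmail log lives) with thresholds that fit your normal traffic; a single account logging in hundreds of times from one IP, or messages with dozens of recipients each, is the pattern seen above.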

Best Answer

We got attacked by a spammer earlier this week as well. One piece of advice I found was to look at the full headers of the earliest spam message you can find and look for the "invoked by uid" line. You can look this UID up in the password file to determine which login was used to run the process that sent the emails.

For what it's worth, the entry point for the spam turned out to be our web mail interface. The spammer logged in using an existing account and password and then sent emails using the web mail application. From what I can tell, the spammer never compromised the actual system.
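The header check described in this answer, as an added example that is not part of the original answer: qmail writes a `Received: (qmail NNN invoked by uid N); ...` header when a local process submits mail, and this script pulls that UID from the earliest hop and resolves it against passwd-format text. The headers and passwd excerpt are constructed placeholders; uid 48 is made the web server account so the result matches the web mail case.

```python
import re

# Constructed message headers in qmail's Received format (not from the original
# server). Received headers are prepended per hop, so the earliest one is last.
SAMPLE_HEADERS = """\
Received: (qmail 28215 invoked from network); 22 Apr 2011 06:31:49 -0000
Received: (qmail 28199 invoked by uid 48); 22 Apr 2011 06:31:48 -0000
From: bulk-sender@example.org
Subject: constructed sample
"""

# Constructed /etc/passwd excerpt; uid 48 is the web server account here, as it
# would be when a web mail application (the answer's case) submitted the mail.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

UID_RE = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)", re.M)


def invoking_uids(headers):
    """UIDs from 'invoked by uid' Received lines, earliest hop first."""
    return [int(u) for u in reversed(UID_RE.findall(headers))]


def parse_passwd(text):
    """Map uid -> (login, home, shell) from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            accounts[int(fields[2])] = (fields[0], fields[5], fields[6])
    return accounts


def attribute(headers, passwd_text):
    """Earliest invoking uid and its account, or None if the mail only arrived over SMTP."""
    uids = invoking_uids(headers)
    if not uids:
        return None
    return uids[0], parse_passwd(passwd_text).get(uids[0])
```

A UID belonging to the web server points at a web application (web mail, a contact form, or an injected PHP script) rather than at a shell user; a UID of a real user points at that user's cron jobs or scripts.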
