Apache-2.2

Who or what is sending spam from my server (CentOS / Apache / suPHP)

  • February 1, 2014

My server is sending a lot of spam and I have been searching for the cause for hours. After Googling I found a forum where this problem was discussed; they mentioned digging through the exim log, which I did, and I found that the e-mails are being sent from:

[username]@vps1.[hostname].[tld]. In the forum they said these e-mails are probably being sent from my server because this is not an e-mail address that is in use. They also mentioned digging through the php log. I have tried that but could not find anything, so I am now trying to detect the script that sends all these e-mails via the e-mail headers. I am stuck now.

I changed php.ini by adding the following rules:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

I also added this line to exim.conf:

+arguments \

Restarted exim and apache, but I do not see any X-PHP-Script header in the exim log, and the php mail log is not created.

The only thing I see is the X header in the exim log:

X=TLSv1:RC4-SHA:128

Can anyone tell me what to do next?

EDIT

Here are some lines from the exim log:

bash-3.2# cat /var/log/exim/mainlog | grep 1W9FsC-0003qq-S2
2014-01-31 16:19:16 1W9FsC-0003qq-S2 <= instijl@vps1.xxx.nl U=instijl P=local S=816 T="Re:  It's good to see you," from <instijl@vps1.xxx.nl> for richisone@bigpond.com
2014-01-31 16:19:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9FsC-0003qq-S2
2014-01-31 16:19:17 1W9FsC-0003qq-S2 ** richisone@bigpond.com F=<instijl@vps1.xxx.nl> R=lookuphost T=remote_smtp: SMTP error from remote mail server after initial connection: host extmail.bigpond.com [61.9.168.122]: 554 nskntcmgw02p BigPond Inbound IB103. Connection refused. 141.138.199.65 has a poor reputation on the Cloudmark Sender Intelligence (CSI) list. Please visit http://csi.cloudmark.com/reset-request/?ip=141.138.199.65 to request a delisting.
2014-01-31 16:19:17 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1W9FsC-0003qq-S2
2014-01-31 16:19:17 1W9FsD-0003r9-H9 <= <> R=1W9FsC-0003qq-S2 U=mail P=local S=2006 T="Mail delivery failed: returning message to sender" from <> for instijl@vps1.xxx.nl
2014-01-31 16:19:17 1W9FsC-0003qq-S2 Completed

bash-3.2# cat /var/log/exim/mainlog | grep 1W9FsC-0003qc-M7
2014-01-31 16:19:16 1W9FsC-0003qc-M7 <= instijl@vps1.xxx.nl U=instijl P=local S=822 T="Re:  It's good to see you," from <instijl@vps1.xxx.nl> for richisingh7710@gmail.com
2014-01-31 16:19:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9FsC-0003qc-M7
2014-01-31 16:19:17 1W9FsC-0003qc-M7 ** richisingh7710@gmail.com F=<instijl@vps1.xxx.nl> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.65.26]: 550-5.7.1 [141.138.199.65      12] Our system has detected that this message is\n550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,\n550-5.7.1 this message has been blocked. Please visit\n550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for\n550 5.7.1 more information. y48si18631040eew.58 - gsmtp
2014-01-31 16:19:17 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1W9FsC-0003qc-M7
2014-01-31 16:19:17 1W9FsD-0003r1-BS <= <> R=1W9FsC-0003qc-M7 U=mail P=local S=2146 T="Mail delivery failed: returning message to sender" from <> for instijl@vps1.xxx.nl
2014-01-31 16:19:17 1W9FsC-0003qc-M7 Completed

bash-3.2# cat /var/log/exim/mainlog | grep 1W9Frw-0003oS-Gd
2014-01-31 16:19:00 1W9Frw-0003oS-Gd <= instijl@vps1.xxx.nl U=instijl P=local S=823 T="FW:  Yo" from <instijl@vps1.xxx.nl> for ketabatgooll@yahoo.com
2014-01-31 16:19:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9Frw-0003oS-Gd
2014-01-31 16:19:02 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<instijl@vps1.xxx.nl> SIZE=1866: host mta6.am0.yahoodns.net [98.136.217.203]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:03 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<instijl@vps1.xxx.nl> SIZE=1866: host mta6.am0.yahoodns.net [98.136.216.26]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:04 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<instijl@vps1.xxx.nl> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.36]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:06 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<instijl@vps1.xxx.nl> SIZE=1866: host mta6.am0.yahoodns.net [98.138.112.33]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:07 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<instijl@vps1.xxx.nl> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.35]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:07 1W9Frw-0003oS-Gd == ketabatgooll@yahoo.com R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<instijl@vps1.xxx.nl> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.35]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html

bash-3.2# cat /var/log/exim/mainlog | grep 1W9Frg-0003mP-S6
2014-01-31 16:18:44 1W9Frg-0003mP-S6 <= instijl@vps1.xxx.nl U=instijl P=local S=814 T="call me" from <instijl@vps1.xxx.nl> for ket@web.de
2014-01-31 16:18:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9Frg-0003mP-S6
2014-01-31 16:18:45 1W9Frg-0003mP-S6 => ket@web.de F=<instijl@vps1.xxx.nl> R=lookuphost T=remote_smtp S=837 H=mx-ha03.web.de [213.165.67.104] X=TLSv1:AES256-SHA:256 C="250 Requested mail action okay, completed: id=0Le6s0-1VUM4v1jno-00pvEX"
2014-01-31 16:18:45 1W9Frg-0003mP-S6 Completed

Summary of troubleshooting steps

The "U=instijl" shown in the /var/log/exim/mainlog excerpt tells you that whatever is sending the e-mail is running as the user instijl. First, check whether that user logs in with a shell. Second, use "ps aux" to find out whether that user is running any processes. Third, look at your apache access log for traffic hitting apache at exactly the same time as the 4 messages above. I suspect you have an insecure "send me feedback" form that is being abused (insecure because you let the incoming http request set the sender, the recipient and the message body).

If the virtual host that serves and accepts this request has no access log entry of its own, it does not log to the general access log (which is most likely what you found). Find the specific section that answers that user's requests and add an access log entry (or, if it is already logging, find out the file name). If you run "httpd -S", apache prints out the basic virtual host configuration, which makes it easier to find where in the config files that section is controlled/configured.

Another thing you can do is "yum install ngrep" (possibly in an external repository such as epel) and run "ngrep -n -q port 80" and watch the incoming traffic. A more specific command that only shows incoming requests would be "ngrep -q -s 240 'GET|POST' port 80". Adjust 240 up or down if you want to see more or less of each request, or omit it if you want to see the whole request.
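The third step of the answer, correlating the exim submissions with the apache access log, is tedious by hand once the spam run has thousands of lines, so here is a small script that does it. This is an added example, not code from the post, the answer or any of the tools involved. The Exim sample lines are copied from the log excerpt above; the Apache lines, the client IPs and the path /contact/send.php are constructed for the example. It assumes both daemons log local wall-clock time in the same timezone (Exim's default; Apache's %t field adds a UTC offset, which the script drops), and that the suspect vhost actually has an access log to read.

```python
#!/usr/bin/env python3
"""Correlate locally injected Exim messages with Apache requests.

Added example, not from the original post or answer. For every "<=" line
in /var/log/exim/mainlog that was injected locally (P=local) by the
suspect Unix user, list the Apache requests logged within a few seconds
of it. The (method, path) that keeps coinciding with injections is the
script to read. Exim sample lines are copied from the post; the Apache
lines, IPs and /contact/send.php are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# "<=" marks message arrival; U= is the calling Unix user, P=local means
# the message came in through the sendmail interface rather than SMTP.
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<from>\S+) "
    r"U=(?P<user>\S+) P=(?P<proto>\S+) .*? for (?P<rcpt>\S+)$")

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Copied from the post's mainlog excerpt (plus one bounce line that must be ignored).
EXIM_SAMPLE = """\
2014-01-31 16:19:16 1W9FsC-0003qq-S2 <= instijl@vps1.xxx.nl U=instijl P=local S=816 T="Re:  It's good to see you," from <instijl@vps1.xxx.nl> for richisone@bigpond.com
2014-01-31 16:19:16 1W9FsC-0003qc-M7 <= instijl@vps1.xxx.nl U=instijl P=local S=822 T="Re:  It's good to see you," from <instijl@vps1.xxx.nl> for richisingh7710@gmail.com
2014-01-31 16:19:00 1W9Frw-0003oS-Gd <= instijl@vps1.xxx.nl U=instijl P=local S=823 T="FW:  Yo" from <instijl@vps1.xxx.nl> for ketabatgooll@yahoo.com
2014-01-31 16:18:44 1W9Frg-0003mP-S6 <= instijl@vps1.xxx.nl U=instijl P=local S=814 T="call me" from <instijl@vps1.xxx.nl> for ket@web.de
2014-01-31 16:19:17 1W9FsD-0003r9-H9 <= <> R=1W9FsC-0003qq-S2 U=mail P=local S=2006 T="Mail delivery failed: returning message to sender" from <> for instijl@vps1.xxx.nl
""".splitlines()

# Constructed: three POSTs to a hypothetical contact form that line up with
# the injections above, plus an unrelated GET that must not correlate.
APACHE_SAMPLE = """\
198.51.100.9 - - [31/Jan/2014:16:17:30 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2014:16:18:44 +0100] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2014:16:19:00 +0100] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2014:16:19:16 +0100] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
""".splitlines()


def parse_exim_submissions(lines, user):
    """Return [(datetime, queue_id, recipient)] for local injections by `user`."""
    found = []
    for line in lines:
        m = EXIM_RE.match(line.rstrip())
        if m and m["user"] == user and m["proto"] == "local":
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            found.append((ts, m["id"], m["rcpt"]))
    return found


def parse_apache_requests(lines):
    """Return [(datetime, ip, method, path, user_agent)] from combined-format lines."""
    found = []
    for line in lines:
        m = APACHE_RE.match(line.rstrip())
        if not m:
            continue
        wall_clock = m["ts"].split(" ")[0]  # "31/Jan/2014:16:19:16", UTC offset dropped
        ts = datetime.strptime(wall_clock, "%d/%b/%Y:%H:%M:%S")
        found.append((ts, m["ip"], m["method"], m["path"], m["ua"]))
    return found


def correlate(exim_lines, apache_lines, user, window_seconds=2):
    """For each injection by `user`, collect requests within +/- window_seconds.

    Returns [(queue_id, recipient, [(ip, method, path), ...])] in log order.
    """
    window = timedelta(seconds=window_seconds)
    requests = parse_apache_requests(apache_lines)
    matches = []
    for ts, queue_id, rcpt in parse_exim_submissions(exim_lines, user):
        hits = [(ip, method, path)
                for rts, ip, method, path, _ua in requests
                if abs(rts - ts) <= window]
        matches.append((queue_id, rcpt, hits))
    return matches


def suspect_scripts(matches):
    """Rank (method, path) pairs by how often they coincide with an injection."""
    counts = {}
    for _queue_id, _rcpt, hits in matches:
        for _ip, method, path in hits:
            counts[(method, path)] = counts.get((method, path), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    result = correlate(EXIM_SAMPLE, APACHE_SAMPLE, "instijl")
    for queue_id, rcpt, hits in result:
        print(queue_id, "->", rcpt, "coincides with", hits or "nothing in the access log")
    for (method, path), n in suspect_scripts(result):
        print(f"{n}x {method} {path}")
```

On a real box, replace the two sample lists with the contents of /var/log/exim/mainlog and the vhost's access log and widen `window_seconds` if the clocks or log buffering are sloppy. Two related checks: `exim -bp` lists what is still queued (the deferred Yahoo message may be), and `exim -Mvh <queue-id>` prints a queued message's spooled headers, which is where an X-PHP-Originating-Script header added by `mail.add_x_header` would show up; the mainlog itself never prints message headers, only the subject and, with `+arguments`, the command line.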

Quoted from: https://serverfault.com/questions/571308