SPAMGUARD AND FIX QMAIL SPAM PROBLEM

[dacapel]

hi

we note that have a 2200 emails queue because one person hack qmail server, he probe and probe users to send the emails, any ideas to fix it?

- first: im installed SPAMGUARD to protect ban my server, whith this we can limit the emails sended

- second: i block the ip senders

- third: i would like fix the hole not to be in the same problem, any help?

thanks

[MRatWork]

Investigate maillog with 'cat /var/log/maillog|grep sendmail'. You will see something like 'Mar 12 04:34:50 oln3 root: sendmail: CALLER="php-fpm: pool devel" PWD="/home/devel/forum.mratwork.com" BAN="no"'.

The key is 'PWD'. If you think certain PWD (in above example is '/home/devel/forum.mratwork.com') is sender as spammer, add '/home/devel/forum.mratwork.com' to '/var/qmail/control/badsendmailfrom' file. And then every send message from this PWD will 'banned'.

[dacapel]

Code: [Select]

Jan 11 10:46:51 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundsbp64f" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 10:51:52 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundai4que" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 10:56:52 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundSodyMT" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:01:52 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgrounds5XWfA" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:06:52 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundFRaLgv" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:11:53 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundnsea1j" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:16:53 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/background6Bife4" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:22:10 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundoDFIqk" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:25:54 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundbCMsq1" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:31:05 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundn0L8dj" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:36:18 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/background0MOwTS" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:41:29 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundOQ9oZa" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:46:48 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/background7VbKig" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:51:48 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundcyuSsX" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Jan 11 11:56:55 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundD1hdmO" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Mar 14 12:36:21 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/background6FV89C" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Mar 14 12:36:21 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundV4BpFJ" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Mar 14 12:36:21 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundM8oYY2" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"

i think could be this

/usr/local/lxlabs/kloxo.2016-01-04-12-29-26/bin/common/background.php

this file have this code

Code: [Select]

<?php

include_once "lib/html/include.php";

background_main();

function background_main()
{
        global $argv;
        //sleep(100);
        $rem = unserialize(lfile_get_contents($argv[1]));
        unlink($argv[1]);

        if (!$rem) { exit; }

        if (isset($rem->sleep)) {
                sleep($rem->sleep);
        }

        if ($rem->__type == 'object') {
                $func = $rem->func;
                $rem->__exec_object->$func();
        } else {
                // workaround for the following php bug:
                //   http://bugs.php.net/bug.php?id=47948
                //   http://bugs.php.net/bug.php?id=51329
                if (is_array($rem->func) && count($rem->func) > 0) {
                        $class = $rem->func[0];
                        class_exists($class);
                }
                // ---
                call_user_func_array($rem->func, $rem->arglist);
        }
}




[dacapel]

Code: [Select]

Mar 14 12:36:21 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/background6FV89C" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Mar 14 12:36:21 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundV4BpFJ" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"
Mar 14 12:36:21 server1 logger: sendmail: CALLER="/opt/php54s/usr/bin/php -c /opt/php54s/custom/php.ini ../bin/common/background.php /tmp/backgroundM8oYY2" PWD="/usr/local/lxlabs/kloxo/httpdocs" BAN="no"



[dacapel]

this is the emails queues...

 --------------
MESSAGE NUMBER 57429537
 --------------
Received: (qmail 1322 invoked from network); 14 Mar 2016 14:27:04 -0000
Received: from unknown (HELO mail.safemail.it) (david@xxx.xxx.xxx @62.75.175.95)
  by xxxxxxx.xxx.xxxx with ESMTPA; 14 Mar 2016 14:27:04 -0000
FROM: Service<memo@net-443spend-33my.com>
TO: 3053300752@mymetropcs.com
SUBJECT: NetSpend Alert
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1

Notice: Call 1-904-323-0474 to update your profile.

[MRatWork]

Delete mail queue with 'sh /script/mailqueue -D' and then monitoring mail queue again.

[dacapel]

ok i find this services...

   24763   ?   1.63   root   /usr/bin/tcpserver -v -R -H -l xxxxx.xxxxx.xxxx 0 995 /usr/bin/couriertls -server -tcpd /usr/
   24785   ?   1.63   root   /usr/bin/tcpserver -v -R -c 200 0 110 /var/qmail/bin/qmail-popup xxxxx.xxxxx.xxxx /home/vpopm
   24790   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxxx.xxxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791
   24783   ?   1.63   root   /usr/bin/tcpserver -v -R -H -l xxxxx.xxxxx.xxxx 0 143 /usr/sbin/imaplogin /usr/bin/imapd Mail
   24782   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxxx.xxxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791
   24776   ?   1.63   root   /usr/bin/tcpserver -v -R -H -l xxxxx.xxxxx.xxxx 0 993 /usr/bin/couriertls -server -tcpd /usr/
   24788   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxxx.xxxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791

[dacapel]

Can't exec "pidof": No such file or directory at
        /usr/local/lxlabs/kloxo/bin/misc/qmHandle line 811 (#1)
    (W exec) A system(), exec(), or piped open call could not execute the
    named program for the indicated reason.  Typical reasons include: the
    permissions were wrong on the file, the file wasn't found in
    $ENV{PATH}, the executable in question was compiled for another
    architecture, or the #! line in a script points to an interpreter that
    can't be run for similar reasons.  (Or maybe your system doesn't support
    #! at all.)

[MRatWork]

Look like something wrong with qmail and or perl.

Try reinstall with 'yum reinstall *-toaster perl* -y; sh /script/restart-mail'.

[dacapel]

ok, but i prefer to clean system after, could you confirm me that is normal process?

510   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxx.xxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791
   500   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxx.xxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791
   514   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxx.xxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791

this tcpserver is a usual process?

thanks

[MRatWork]

ok, but i prefer to clean system after, could you confirm me that is normal process?

510   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxx.xxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791
   500   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxx.xxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791
   514   ?   1.63   qmaild   /usr/bin/tcpserver -v -R -H -l xxxx.xxxx.xxxx -x /etc/tcprules.d/tcp.smtp.cdb -c 50 -u 7791

this tcpserver is a usual process?

thanks

Yes. Smtp using tcpserver process.

[dacapel]

ok, im cleaning services...and system..