How to find the compromised file sending emails from your server

Spam emails can be a nuisance, and when they originate from your own Linux server, it’s crucial to find the source and stop it.


Finding the Source of Spam Email on a Linux Server

Here’s a guide on how to do just that.

Step 1: Connect to the Server

First, connect to your server via SSH.

Step 2: Create a Sendmail Wrapper

Next, create a /usr/sbin/sendmail-wrapper script with the following content:

#!/bin/sh
# Prepend a header naming the caller's working directory, append a copy of the
# whole message to the log, then pass the message unchanged to the real sendmail.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /usr/sbin/sendmail-bin "$@"

Step 3: Create a Log File

Create a /var/tmp/mail.send log file and set a+rw permissions. Make the wrapper executable, rename the old sendmail file, and link it to the new wrapper:

touch /var/tmp/mail.send
chmod a+rw /var/tmp/mail.send
chmod a+x /usr/sbin/sendmail-wrapper
mv /usr/sbin/sendmail /usr/sbin/sendmail-bin
ln -s /usr/sbin/sendmail-wrapper /usr/sbin/sendmail

Step 4: Collect Data

Wait for a while to collect data. This usually takes about 30-60 minutes.

Step 5: Rename Sendmail

Move the wrapper symlink aside as a backup and restore the original binary as /usr/sbin/sendmail:

mv /usr/sbin/sendmail /root/backup__sendmail
mv /usr/sbin/sendmail-bin /usr/sbin/sendmail

Note: The file /var/tmp/mail.send is not rotated automatically, and it is not recommended to leave it in place for a long period of time, as it could consume server disk space. Delete it and create a new /var/tmp/mail.send file after every check-up.

Step 6: Check the Log File

Check the /var/tmp/mail.send file. There should be lines starting with “X-Additional-Header” pointing to the domain folders where the scripts that sent the mail are located.

The directories from which the PHP mail scripts were run can be listed with the following command:

grep X-Additional /var/tmp/mail.send

Note: If the command above shows no output, no mail was sent through the PHP mail function from any directory on the server.

Usually, that means one of the mail accounts has been compromised. Check the login attempt count:

zgrep -c 'sasl_method=LOGIN' /var/log/maillog*

If an unusually high number of login attempts is shown, it is very likely accounts were compromised. Try identifying these accounts in the following way:

zgrep -h 'sasl_method' /var/log/maillog* | cut -d' ' -f9 | cut -d= -f2 | sort | uniq -c | sort -nr
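As an added example (not part of the original article), the following Python script performs the same two checks as the grep and zgrep pipelines above over constructed sample data: it counts messages per sending directory in /var/tmp/mail.send and counts SASL logins per username in the maillog. It matches the log fields with a regular expression rather than fixed whitespace-separated columns, so a single-digit day padded with a double space ("Oct  1") does not shift the field numbers the way it would for cut -f9. All paths, usernames and log lines below are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/tmp/mail.send as written by the wrapper:
# each message starts with the X-Additional-Header line, then the raw message.
MAIL_SEND = """\
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
Subject: hello

X-Additional-Header: /var/www/vhosts/example.com/httpdocs/wp-content/uploads
Subject: hi

X-Additional-Header: /var/www/vhosts/shop.example.org/httpdocs
Subject: Your order

"""

# Constructed Postfix maillog sample; the single-digit day ("Oct  1") is padded
# with two spaces, which shifts whitespace-based field numbers by one.
MAILLOG = """\
Oct  1 03:12:01 mx postfix/smtpd[2113]: 4F1A2B: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Oct  1 03:12:02 mx postfix/smtpd[2113]: 5A2B3C: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Oct 10 09:00:00 mx postfix/smtpd[2201]: 6B3C4D: client=laptop.example.com[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Oct 10 09:30:17 mx postfix/smtpd[2201]: 7C4D5E: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=info@example.com
Oct 10 09:31:00 mx postfix/smtpd[2205]: 8D5E6F: client=mx[127.0.0.1]
"""

HEADER_RE = re.compile(r"^X-Additional-Header:\s*(.+?)\s*$", re.M)
SASL_RE = re.compile(r"sasl_method=(\w+),\s*sasl_username=(\S+)")

def sending_dirs(log_text):
    """Count how many messages were handed to sendmail from each directory."""
    return Counter(HEADER_RE.findall(log_text))

def sasl_logins(log_text, method=None):
    """Count authenticated SMTP logins per username, optionally for one SASL method."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m and (method is None or m.group(1) == method):
            counts[m.group(2)] += 1
    return counts

if __name__ == "__main__":
    for d, n in sending_dirs(MAIL_SEND).most_common():
        print(f"{n:4d} {d}")
    for user, n in sasl_logins(MAILLOG, "LOGIN").most_common():
        print(f"{n:4d} {user}")
```

A single account with a login count far above the others, from addresses the owner does not use, is the one whose password should be changed first.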

To stop spam from being sent, change passwords for the compromised accounts and restart the Postfix service.

I hope this guide helps you in your quest to maintain a spam-free server!

Please note that the commands and file paths mentioned above are common defaults and might vary based on your specific setup and the mail server software you’re using. Always refer to your server’s specific documentation for the most accurate information.
