Detecting PHP email spam scripts on your server


In this article I describe how to identify PHP scripts that are being used for email spamming through a Postfix mail server on a Debian-based server.

Last week I noticed an abnormally high workload on my server, which caused the FastCGI PHP instances to stop working properly. Browsers were noticeably being served HTTP 500 error pages.

When I started investigating the problem, I found that there was no rootkit installed on my server, but the mail server load was distinctly above average.

So I listed all emails currently in the mail queue:

user@server:/var# sudo mailq

[...]
5B4B2255C565      759 Wed Jan  7 00:33:40  cheryl_rose@domain.de
(host mx-eu.mail.am0.yahoodns.net[188.125.69.xx] said: 421 4.7.1 [TS03] All messages from 85.214.246.xx will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
                                         heykowagner@yahoo.de
[...]
-- 221201 Kbytes in 211122 Requests.

There are a lot of spam mails in the queue (requests: 211122) that haven't been delivered yet. From the bounce messages in some of those mails I learned that my server had been blacklisted for mail spamming. You can check whether your server is blacklisted at mxtoolbox.com.

In my case, a lot of mails had been sent from three different domains that I am hosting.

To get more information about those mails, you can display them by their queue ID with postcat, as shown below:

user@server:/var# sudo postcat -q 5B4B2255C565
*** ENVELOPE RECORDS deferred/5/5B4B2255C565 ***
message_size:             759             195               1               0             759
message_arrival_time: Wed Jan  7 00:33:40 2015
create_time: Wed Jan  7 00:33:40 2015
named_attribute: rewrite_context=local
sender_fullname:
sender: cheryl_rose@domain.de
*** MESSAGE CONTENTS deferred/5/5B4B2255C565 ***
Received: by matrix.internet-reloaded.de (Postfix, from userid 10x01)
        id 5B4B2255C565; Wed,  7 Jan 2015 00:33:40 +0100 (CET)
To: heykowagner@domain.de
Subject: RE:  Hi
X-PHP-Originating-Script: 10001:stats.php
From: "Cheryl Rose" <cheryl_rose@domain.de>
Reply-To:"Cheryl Rose" <cheryl_rose@domain.de>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <201501x6x33340.5B4B2xxxC565@matrix.internet-reloaded.de>
Date: Wed,  7 Jan 2015 00:33:40 +0100 (CET)
[...]
*** MESSAGE FILE END deferred/5/5B4B2255C565 ***

Looking more closely at line 14 of that output, the "X-PHP-Originating-Script" header tells you where this mail originated.

In this case, a script named stats.php, belonging to the user with the ID 10001, was used to send this mail. You might have to check several of your mails to find all spam-sending scripts on your server. If this header is not present in your mails, you can check another article about the necessary changes to your PHP configuration.

First, we check which username is behind that user ID.

user@server:/var# sudo cat /etc/passwd | grep 10001
USERNAME:x:10001:1005::/home/USERNAME:/bin/bash

In this case, a user called "USERNAME" owns the spam-sending script. In the next step we check whether a script called stats.php belongs to that user.

user@server:/var# sudo find / -name 'stats.php' | grep USERNAME
/var/www/USERNAME/path/stats.php

This works for me because I name the virtual host web directories after the username. Otherwise, you can search for the script name across the whole filesystem:

user@server:/var# sudo find / -name 'stats.php'
/var/www/dir_1/path/stats.php
/var/www/dir_2/path/stats.php
/var/www/dir_3/path/stats.php

You should now look at each of these scripts and check whether they contain suspicious code.

If a script consists of nothing but a preg_replace statement like the one below, it is very likely malicious: the /e modifier makes PHP evaluate the replacement string as code, and here that string is hex-escaped to hide what it does (the bytes shown decode to "eval(gz...").

<?php
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x6[...]);
?>

You can move the scripts to a directory that is not reachable through your web server, or delete them.
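The manual steps above (list the queue, read each mail's X-PHP-Originating-Script header, resolve the uid, locate and inspect the script) as a set of shell helpers; this is an added example, not code from the original article. It assumes a Postfix host with the usual mailq, postcat and getent commands, and the postcat sample it parses is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes a Postfix host
# with the usual mailq / postcat / getent commands; the parsing helpers are
# pure and can be exercised offline on the constructed sample below.

# Constructed sample of what "postcat -q <ID>" prints for three queued mails
# (only the header the procedure relies on is shown).
SAMPLE_POSTCAT='*** MESSAGE CONTENTS deferred/A/AAAA1111 ***
X-PHP-Originating-Script: 10001:stats.php
From: "Cheryl Rose" <cheryl_rose@example.invalid>
*** MESSAGE CONTENTS deferred/B/BBBB2222 ***
X-PHP-Originating-Script: 10001:stats.php
*** MESSAGE CONTENTS deferred/C/CCCC3333 ***
X-PHP-Originating-Script: 10002:contact.php'

# Count the X-PHP-Originating-Script headers read on stdin.
# Prints one line per script: "<count> <uid> <script>", most frequent first.
summarise_originating_scripts() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*//p' \
      | sort | uniq -c | sort -rn \
      | while read -r count uidscript; do
            printf '%s %s %s\n' "$count" "${uidscript%%:*}" "${uidscript#*:}"
        done
}

# Resolve a uid to its username, matching the uid field only (a bare
# "grep 10001 /etc/passwd" would also hit a GID or a home directory path).
uid_to_user() { getent passwd "$1" | cut -d: -f1; }

# List PHP files under $1 that call preg_replace with the /e modifier, which
# makes PHP evaluate the replacement string as code (the article's pattern).
find_eval_preg_replace() {
    find "$1" -name '*.php' -exec grep -lE \
      "preg_replace[[:space:]]*\([[:space:]]*[\"'][^\"']*/[a-zA-Z]*e[a-zA-Z]*[\"']" {} +
}

# Live version of the article's manual steps: every queue ID listed by mailq
# is fed through postcat and the headers are summarised.
scan_queue() {
    mailq | awk '/^[0-9A-F]+[*!]?[[:space:]]/ { sub(/[*!]$/, "", $1); print $1 }' \
      | while read -r qid; do postcat -q "$qid"; done \
      | summarise_originating_scripts
}
```

Run scan_queue on the server to get the per-script counts, then uid_to_user and find_eval_preg_replace on the web root of the affected account.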

Just a final hint:

If you really have a lot of mails in your queue, you can delete all mails in the Postfix mail queue with the following command. But keep in mind that this will also delete legitimate ones!

sudo postsuper -d ALL

2019-01-03T16:47:10+01:00

3 Comments

  1. Marcel 14 January 2015 at 18:28 - Reply

    I just had the same problem on my server. I was able to repair it with this tutorial and another one I found on the web. I had more than 10,000 mails in the postfix queue.

    So thanks for the help!

    • Sven Seiler 16 January 2015 at 19:34 - Reply

      You are welcome. Good to know I was able to help others with this issue, as well!
      Have a nice weekend
      Sven

  2. Juan Clearst 1 February 2015 at 00:25 - Reply

    While trying to solve this stupid issue I found your website. Thanks it worked for me.
