In this article I describe how to identify PHP scripts that are being used for email spamming through a Postfix mail server on a Debian-based server.
Last week I noticed an abnormally high workload on my server, which caused the FastCGI PHP instances to stop working properly. Browsers were noticeably being served HTTP 500 error pages.
When I started investigating the problem I found that no rootkit was installed on my server, but the mail server load was distinctly above average.
So I listed all emails currently sitting in the mail queue:
```
user@server:/var# sudo mailq
[...]
5B4B2255C565      759 Wed Jan  7 00:33:40  email@example.com
(host mx-eu.mail.am0.yahoodns.net[188.125.69.xx] said: 421 4.7.1 [TS03] All messages from 85.214.246.xx will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html (in reply to MAIL FROM command))
                                         firstname.lastname@example.org
[...]
-- 221201 Kbytes in 211122 Requests.
```
There are a lot of spam mails in the queue (211122 requests) that haven't been delivered yet. From the bounce responses attached to some of those mails I learned that my server had been blacklisted for spamming. You can check whether your server is blacklisted at mxtoolbox.com.
In my case, a lot of mails had been sent from three different domains that I am hosting.
To get more information about one of those mails, you can retrieve it by its queue ID with postcat, as shown below:

```
user@server:/var# sudo postcat -q 5B4B2255C565
*** ENVELOPE RECORDS deferred/5/5B4B2255C565 ***
message_size: 759 195 1 0 759
message_arrival_time: Wed Jan 7 00:33:40 2015
create_time: Wed Jan 7 00:33:40 2015
named_attribute: rewrite_context=local
sender_fullname:
sender: email@example.com
*** MESSAGE CONTENTS deferred/5/5B4B2255C565 ***
Received: by matrix.internet-reloaded.de (Postfix, from userid 10x01)
	id 5B4B2255C565; Wed, 7 Jan 2015 00:33:40 +0100 (CET)
To: firstname.lastname@example.org
Subject: RE: Hi
X-PHP-Originating-Script: 10001:stats.php
From: "Cheryl Rose" <email@example.com>
Reply-To:"Cheryl Rose" <firstname.lastname@example.org>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <201501x6x33340.5B4B2xxxC565@matrix.internet-reloaded.de>
Date: Wed, 7 Jan 2015 00:33:40 +0100 (CET)
[...]
*** MESSAGE FILE END deferred/5/5B4B2255C565 ***
```
Look closer at line 14 of that output, the "X-PHP-Originating-Script" header: it tells you where this mail originated.
In this case a script named stats.php, belonging to the user with ID 10001, was used to send the mail. You may have to inspect several of your queued mails to find all spam-sending scripts on your server. If this header does not appear in your mails, see my other article about the necessary changes to your PHP configuration.
First we check which username is hiding behind that user ID:

```
user@hserver:/var# sudo cat /etc/passwd | grep 10001
USERNAME:x:10001:1005::/home/USERNAME:/bin/bash
```

In this case a user called "USERNAME" owns the spam-sending script. In the next step we check whether there is a script called stats.php that belongs to that user:

```
user@server:/var# sudo find / -name 'stats.php' | grep USERNAME
/var/www/USERNAME/path/stats.php
```

This works for me because I name the virtual host web directories after the username. Otherwise, you can simply search for the script without that filter:

```
user@server:/var# sudo find / -name 'stats.php'
/var/www/dir_1/path/stats.php
/var/www/dir_2/path/stats.php
/var/www/dir_3/path/stats.php
```
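The queue walk above (mailq, then postcat for each message, then reading the X-PHP-Originating-Script header and resolving the uid) can be run over the whole queue at once. This is an added example, not code from the article; it assumes Postfix's mailq and postcat plus getent, run as root, and sample_mailq is constructed output for trying the parsers offline.

```shell
# Added example: tally X-PHP-Originating-Script across the whole Postfix queue so
# the busiest spam-sending uid:script pairs show up first. Assumes mailq, postcat
# and getent are available and the script runs as root (postcat reads queue files).

# Queue IDs from `mailq` output: a line whose second field is the numeric size and
# whose first field is not a header/summary dash. A trailing '*' (active) or
# '!' (hold) flag is stripped from the ID.
queue_ids() {
    awk '$1 !~ /^-/ && $2 ~ /^[0-9]+$/ { sub(/[*!]$/, "", $1); print $1 }'
}

# "uid:script" from one `postcat -q` dump; prints nothing when the header is
# absent (mail.add_x_header off, or the message did not come from PHP at all).
originating_script() {
    sed -n '/^X-PHP-Originating-Script:/{s/^[^:]*:[[:space:]]*//p;q;}'
}

# Numeric uid -> user name, matched on the uid field only (grepping /etc/passwd
# for a bare number also hits GIDs and longer uids that merely contain it).
uid_to_name() {
    getent passwd "$1" | cut -d: -f1
}

# Count each uid:script pair, busiest first; blank lines (no header) are dropped.
tally_scripts() {
    sed '/^$/d' | sort | uniq -c | sort -rn
}

# Put it together against the live queue.
scan_queue() {
    mailq | queue_ids | while read -r qid; do
        postcat -q "$qid" | originating_script
    done | tally_scripts
}

# Constructed sample `mailq` output (not a real queue) for trying queue_ids offline.
sample_mailq() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5B4B2255C565      759 Wed Jan  7 00:33:40  sender@example.invalid
(host mx.example.invalid said: 421 4.7.1 deferred)
                                         victim@example.invalid
7C1D3366D676*     812 Wed Jan  7 00:35:02  other@example.invalid
                                         victim2@example.invalid

-- 2 Kbytes in 2 Requests.
EOF
}
```

Running `scan_queue` prints lines like `211 10001:stats.php`; feed the uid to `uid_to_name` to get the owner, then locate the script with find as above.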
You should now look at each of these scripts and check whether they contain suspicious code.
If a script consists of nothing but a single preg_replace statement, it is very likely malicious. The /e modifier makes preg_replace() evaluate the replacement string as PHP code, and the hex escapes below decode to the start of eval(gz..., i.e. a compressed payload that is unpacked and executed on every request:

```
<?php preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x6[...]); ?>
```
You can move the scripts to a directory that is not reachable through your web server, or delete them altogether.
Just a final hint:
If you really have a lot of mails in your queue, you can delete all mails in the Postfix mail queue with the following command. But keep in mind that this also deletes the legitimate ones!

```
sudo postsuper -d ALL
```