Investigating outgoing spam issues on Plesk servers

Use the modified qmHandle (qmHandle -tt) to see the top senders and recipients. Then open one of the spam messages and look at its Received line, which will show either a UID (the message was injected locally by a process running as that user) or "invoked from network" (the message came in over SMTP).

If it shows you a UID, then the spam is coming from a compromised script.
UID 48 indicates apache, and that the compromised script is probably PHP.
You can use the following command to see what php processes are running at the moment:

lsof +r 1 -p `ps axww | grep httpd | grep -v grep |\
awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'`| grep vhosts | grep php

This should let you identify the source of any currently ongoing spamming (note that the script goes through a ton of data, so takes a while to run).

An actual user UID, e.g. 10003, indicates that the sender is a CGI script owned by the corresponding system user.

Received from network indicates that the mail was sent by a valid, authenticated user (probably someone whose password got brute forced).
You can see all the mail users and passwords with the following query:

SELECT CONCAT(mail_name,'@', domains.name) as `e-mail`, password FROM domains LEFT JOIN mail on domains.id=mail.dom_id
LEFT JOIN accounts on mail.account_id = accounts.id WHERE postbox='true';
and the users who have sent the most messages recently with:
grep -i smtp_auth /var/log/messages | grep -i user | awk '{print $11}' | sort | uniq -c | sort -n

Note: sometimes this information will be in /var/log/maillog, or /usr/local/psa/var/log/maillog instead.
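The two triage steps above (reading the qmail Received stamp, then counting smtp_auth logins) as an added Python example; this is not code from the original post. It assumes qmail's standard "(qmail PID invoked by uid N)" / "(qmail PID invoked from network)" stamp format, and the log lines and UID-to-owner mapping below are constructed samples, not real Plesk output.

```python
import re
from collections import Counter

# qmail stamps every queued message with one of these Received forms.
QMAIL_UID = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
QMAIL_NET = re.compile(r"\(qmail \d+ invoked from network\)")
# Plesk smtp_auth lines name the authenticated login after the word "user";
# matching by keyword rather than awk field number survives format drift.
SMTP_AUTH_USER = re.compile(r"smtp_auth.*?\buser (\S+)", re.IGNORECASE)

# Constructed sample message headers and log lines for offline testing.
SAMPLE_HEADERS = """Received: (qmail 4021 invoked by uid 48); 20 Jun 2007 19:28:00 -0000
From: nobody@example.com
To: victim@example.net
Subject: constructed sample
"""
SAMPLE_LOG = """Jun 20 19:28:01 host smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice
Jun 20 19:28:05 host smtp_auth: SMTP user bob@example.com : /var/qmail/mailnames/example.com/bob
Jun 20 19:28:09 host smtp_auth: SMTP user alice@example.com : /var/qmail/mailnames/example.com/alice
Jun 20 19:28:12 host kernel: unrelated line
"""

def classify_origin(raw_headers, passwd_uids=None):
    """Return (kind, detail) for the topmost qmail Received stamp, following
    the rules above: uid 48 = apache/PHP script, any other uid = CGI script
    owned by that user, 'from network' = authenticated SMTP user."""
    passwd_uids = passwd_uids or {}  # constructed {uid: username} map
    for line in raw_headers.splitlines():
        if not line.startswith("Received:"):
            continue
        m = QMAIL_UID.search(line)
        if m:
            uid = int(m.group(1))
            if uid == 48:
                return "php-script", "uid 48 (apache): inspect running PHP under vhosts"
            return "cgi-script", f"uid {uid} ({passwd_uids.get(uid, 'unknown user')})"
        if QMAIL_NET.search(line):
            return "smtp-auth", "sent by an authenticated mail user; check smtp_auth log"
    return "unknown", "no qmail Received stamp found"

def top_smtp_auth_users(log_lines, n=10):
    """Count smtp_auth logins per user, most frequent first (like the
    grep | awk | sort | uniq -c pipeline)."""
    counts = Counter()
    for line in log_lines:
        m = SMTP_AUTH_USER.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    print(classify_origin(SAMPLE_HEADERS))
    print(top_smtp_auth_users(SAMPLE_LOG.splitlines()))
```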

If there are a large number of email accounts and/or you're familiar with CPAN, you can use the following script, which goes through all of the Plesk email accounts on the server and prints out the accounts and passwords that fail a cracklib check. More info:

Here's a perl script I wrote that does a cracklib check against every email account on the box, and prints out email accounts with weak passwords (and the corresponding password). Unfortunately, it has a few dependencies:
cracklib
cracklib-dicts
perl-DBD-MySQL
perl-DBI
Crypt::Cracklib

cracklib and cracklib-dicts should already be installed. cracklib, cracklib-dicts, perl-DBD-MySQL and perl-DBI are all available via up2date. Crypt::Cracklib needs to be installed via cpan (you may need to do a force), e.g. perl -MCPAN -e "force install Crypt::Cracklib"

And the script: http://partytime.wackyfunster.com/leet/psapwdcheck

Submitted by jkelly on Wed, 2007-06-20 19:28.