Tracking down spamming in Plesk – 2

This post will help you to track down spamming from a Plesk server, if its employed using PHP scripts in any of the domains.

– Use this one to view the folders which have mail PHP scripts enabled and running.

# vi /var/qmail/bin/sendmail-wrapper

(echo X-Additional-Header: $PWD ;cat) | tee -a /var/tmp/mail.send|/var/qmail/bin/sendmail-qmail "$@"

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send
# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

– Wait for at some time and then change sendmail back:

# rm -f /var/qmail/bin/sendmail
# mv /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Once this is completed, run the following command, which will show you all the folders from where mail PHP scripts were run :

# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//' `

– If your PHP version is greater than 5.3, you can also consider about enabling extended logging which will help to add a header to all outgoing email and that will help you to track the location of the script which is involved in spamming.

Add the following line to your php.ini file :

mail.add_x_header = On

– Check out the headers ( check this post know about finding the headers from the queue ) and spot the script involved.


Tracking down spamming in Plesk – 1

Finding the source of spamming in a server provisioned with Plesk is a tough job.

Some of the useful commands which might help you are given down.

  • Find the number of mails hung in the queue :

# /var/qmail/bin/qmail-qstat

  • To get an idea about the the message headers of mails in queue :

# /var/qmail/bin/qmail-qread

The above one shows the senders and recipients of messages. Now try to find this message in the queue by its ID

# find /var/qmail/queue/mess/ -name XXXXXX ( <- Message ID )

cat the o/p file of the above command and inspect the message headers closely.

Examine the message and find the line “Received” to find out from where it was sent for the first time.

For example, if you find:

1-> Received: (qmail 19514 invoked by uid xxxx ); 13 Sep 2005 17:48:22 +0700

It means that this message was sent via a CGI by user with UID xxxx . Using this UID, it is possible to find the domain:

# grep xxxx /etc/passwd

2-> Received: (qmail 19622 invoked from network); date/time
Received: from (xx.xx.xx.xx)

It means that the message has been accepted and delivered via SMTP, and that the sender is an authorized mail user. This might mean that the password of the email account has been compromised.

You can use the following command to find the users which have attempted to login via authentication. If you find lots of authentication attempts to a particular user/from a particular IP, then it might be the vulnerability present in your server.

# cat /usr/local/psa/var/log/maillog |grep -I smtp_auth |grep -I user

Also, when you check the headers of the mail in the queue, if you find that the mails are received from a particular IP address, like :

Received: (qmail 10728 invoked from network); date

Received: from unknown (HELO User) (xx.xx.xx.xx)

by with SMTP ; date

We can use the tool tcpdump to find out what is being communicated over the network from/to the IP in question :

# tcpdump -i venet0:0 -n src xx.xx.xx.xx \or dst xx.xx.xx.xx -s 2048 -w /home/wiresharklog.pcap

– Replace  venet0:0 with your appropriate interface

– Replace xx.xx.xx.xx with the IP in question.

You will obtain the logs in /home/wiresharklog.pcap. Open this pcap file using wireshark ( or any related softwares ) and have a glance through the ‘Statistics -> Flow graph’ . Check this if you can spot the connections/packets being sent over.

3-> If the “Received” line contains a UID of the user “apache” (for example, invoked by UID 48), it means that spam was sent through a PHP script. Find this post useful for dealing with this.

There is another case of spamming which has been noticed.

– When checking the qmail maillogs (usr/local/psa/var/log/maillog) :

date  xxxx smtp_auth: SMTP connect from (null)@(null) [xx.xx.xx.xx]
date  xxxx smtp_auth: smtp_auth: SMTP user xxxxx: logged in from (null)@(null) [xx.xx.xx.xx]

We can see that spamming is being done by brute forcing Plesk
email passwords and then authenticating using base 64 encoding on the username.

The built in qmail logging cannot handle this encoding and as a result the logs will just show (null) instead of the username used. This is applicable for servers running on older versions of Plesk.

The solution would be to upgrade Plesk to a more stable version.

Note : You can also check if there are any email accounts within your hosting environments which uses the mail name ‘test’. Around 90% of the accounts created as test are employed with weak passwords which make it easier for hackers to brute-force attack them.

Use this query to find if any such ones are there :

# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa

# SELECT m.mail_name, FROM mail AS m LEFT JOIN (domains AS d, accounts AS a) ON (m.dom_id = AND m.account_id = WHERE m.mail_name='test' ;

Hope this was helpful 🙂