Who or what is sending spam from my server (CentOS / Apache / suPHP)?


My server is sending a lot of spam and I have spent hours looking for where the problem is. After searching on Google I found a forum where this problem was discussed; they mentioned digging into the exim logs, so I did that and found that the emails are being sent from [username]@vps1.[hostname].[tld]. On the forum they said these emails are probably being sent from my server, because this is not an email address that is in use. They also mentioned digging into the php logs.

I tried that but found nothing, so I am now trying to identify the script that sends all these emails through the email headers. This is where I am stuck.

I changed php.ini by adding the following settings:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

I also added this line to exim.conf:

+arguments \

I restarted exim and apache, but I do not see any X-PHP-Script header in the exim log, and no php mail log was created.

The only thing I see is the X header in the exim log:

X=TLSv1:RC4-SHA:128

Can anyone tell me what to do next?

EDIT

Here is some output from the exim log:

bash-3.2# cat /var/log/exim/mainlog | grep 1W9FsC-0003qq-S2
2014-01-31 16:19:16 1W9FsC-0003qq-S2 <= [email protected] U=instijl P=local S=816 T="Re:  It's good to see you," from <[email protected]> for [email protected]
2014-01-31 16:19:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9FsC-0003qq-S2
2014-01-31 16:19:17 1W9FsC-0003qq-S2 ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after initial connection: host extmail.bigpond.com [61.9.168.122]: 554 nskntcmgw02p BigPond Inbound IB103. Connection refused. 141.138.199.65 has a poor reputation on the Cloudmark Sender Intelligence (CSI) list. Please visit http://csi.cloudmark.com/reset-request/?ip=141.138.199.65 to request a delisting.
2014-01-31 16:19:17 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1W9FsC-0003qq-S2
2014-01-31 16:19:17 1W9FsD-0003r9-H9 <= <> R=1W9FsC-0003qq-S2 U=mail P=local S=2006 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2014-01-31 16:19:17 1W9FsC-0003qq-S2 Completed

bash-3.2# cat /var/log/exim/mainlog | grep 1W9FsC-0003qc-M7
2014-01-31 16:19:16 1W9FsC-0003qc-M7 <= [email protected] U=instijl P=local S=822 T="Re:  It's good to see you," from <[email protected]> for [email protected]
2014-01-31 16:19:16 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9FsC-0003qc-M7
2014-01-31 16:19:17 1W9FsC-0003qc-M7 ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.65.26]: 550-5.7.1 [141.138.199.65      12] Our system has detected that this message is\n550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,\n550-5.7.1 this message has been blocked. Please visit\n550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for\n550 5.7.1 more information. y48si18631040eew.58 - gsmtp
2014-01-31 16:19:17 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1W9FsC-0003qc-M7
2014-01-31 16:19:17 1W9FsD-0003r1-BS <= <> R=1W9FsC-0003qc-M7 U=mail P=local S=2146 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2014-01-31 16:19:17 1W9FsC-0003qc-M7 Completed

bash-3.2# cat /var/log/exim/mainlog | grep 1W9Frw-0003oS-Gd
2014-01-31 16:19:00 1W9Frw-0003oS-Gd <= [email protected] U=instijl P=local S=823 T="FW:  Yo" from <[email protected]> for [email protected]
2014-01-31 16:19:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9Frw-0003oS-Gd
2014-01-31 16:19:02 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [98.136.217.203]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:03 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [98.136.216.26]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:04 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.36]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:06 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [98.138.112.33]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:07 1W9Frw-0003oS-Gd SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.35]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html
2014-01-31 16:19:07 1W9Frw-0003oS-Gd == [email protected] R=lookuphost T=remote_smtp defer (-45): SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=1866: host mta6.am0.yahoodns.net [66.196.118.35]: 421 4.7.1 [TS03] All messages from 141.138.199.65 will be permanently deferred; Retrying will NOT succeed. See http://postmaster.yahoo.com/421-ts03.html

bash-3.2# cat /var/log/exim/mainlog | grep 1W9Frg-0003mP-S6
2014-01-31 16:18:44 1W9Frg-0003mP-S6 <= [email protected] U=instijl P=local S=814 T="call me" from <[email protected]> for [email protected]
2014-01-31 16:18:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1W9Frg-0003mP-S6
2014-01-31 16:18:45 1W9Frg-0003mP-S6 => [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=837 H=mx-ha03.web.de [213.165.67.104] X=TLSv1:AES256-SHA:256 C="250 Requested mail action okay, completed: id=0Le6s0-1VUM4v1jno-00pvEX"
2014-01-31 16:18:45 1W9Frg-0003mP-S6 Completed

Answer 1

Summary of troubleshooting steps

From the "U=instijl" in the /var/log/exim/mainlog excerpt you can see that the program sending the email is running as the user instijl. First, check whether that user is logging in with a shell. Second, use 'ps aux' to find out whether that user is running any processes. Third, look at your apache access logs for traffic sent to apache at exactly the same times as the 4 mails above. I suspect you have an insecure "send me feedback" form that is being abused (insecure because you allow the incoming http request to set the sender, recipient and message body).

If the virtual host that is serving and accepting this request does not have its own access log entry, it will not log to the generic access log (which is probably the one you found). Find the specific section that is responding to the requests for that user and add an access log entry (or, if it is already logging, find out the file name). If you run 'httpd -S', apache prints out the basic virtual host configuration, which helps you find more easily where in the configuration files that section is controlled/configured.

Another thing you can do is 'yum install ngrep' (probably in an external repository such as epel) and run 'ngrep -n -q port 80' and watch the incoming traffic. A more specific command that only shows incoming requests is "ngrep -q -s 240 'GET|POST' port 80". Adjust 240 up or down if you want to see more or less of each request, or leave it out if you want to see the full request.
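The timestamp correlation the answer describes (messages exim accepted with U=<user> P=local matched against apache access-log requests at the same second) as an added example; it is not code from the original answer. The log lines below are constructed, and the combined access-log layout and the 2-second matching window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# exim mainlog "<=" (message accepted) line: timestamp, message id, envelope sender, key=value fields
EXIM_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) (.*)$')
# Apache combined access log: client IP, [timestamp zone], "request line", status
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def exim_local_submissions(lines, user):
    """(timestamp, message id, envelope sender) for messages exim accepted from a local process running as `user`."""
    found = []
    for line in lines:
        m = EXIM_RE.match(line)
        if m and re.search(r'\bU=%s P=local\b' % re.escape(user), m.group(4)):
            found.append((datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'), m.group(2), m.group(3)))
    return found

def apache_requests(lines):
    """(timestamp, client ip, request line) per access-log line; zone dropped, both daemons log local time."""
    reqs = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m:
            reqs.append((datetime.strptime(m.group(2).split()[0], '%d/%b/%Y:%H:%M:%S'), m.group(1), m.group(3)))
    return reqs

def correlate(exim_lines, apache_lines, user, window=2):
    """Map each message id submitted as `user` to the HTTP requests logged within `window` seconds of it."""
    reqs = apache_requests(apache_lines)
    return {msgid: [(ip, req) for rts, ip, req in reqs if abs((rts - ts).total_seconds()) <= window]
            for ts, msgid, _ in exim_local_submissions(exim_lines, user)}

def suspect_paths(hits):
    """Rank request paths by how many mail submissions they coincide with; the top one is the script to inspect."""
    return Counter(req.split()[1] for reqs in hits.values() for _, req in reqs).most_common()

# Constructed sample logs (not the page's own): three submissions as instijl, one exim bounce (U=mail).
EXIM_SAMPLE = [
    '2014-01-31 16:18:44 1W9Frg-0003mP-S6 <= sales@vps1.example.net U=instijl P=local S=814 T="call me" from <sales@vps1.example.net> for a@example.org',
    '2014-01-31 16:19:00 1W9Frw-0003oS-Gd <= sales@vps1.example.net U=instijl P=local S=823 T="FW:  Yo" from <sales@vps1.example.net> for b@example.org',
    '2014-01-31 16:19:16 1W9FsC-0003qq-S2 <= sales@vps1.example.net U=instijl P=local S=816 T="Re: hi" from <sales@vps1.example.net> for c@example.org',
    '2014-01-31 16:19:17 1W9FsD-0003r9-H9 <= <> R=1W9FsC-0003qq-S2 U=mail P=local S=2006 T="Mail delivery failed" from <> for sales@vps1.example.net',
]
APACHE_SAMPLE = [
    '198.51.100.4 - - [31/Jan/2014:16:18:44 +0100] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [31/Jan/2014:16:18:50 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Jan/2014:16:19:01 +0100] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [31/Jan/2014:16:19:16 +0100] "POST /contact/send.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]
```

Run `suspect_paths(correlate(EXIM_SAMPLE, APACHE_SAMPLE, 'instijl'))` on the real files read line by line; a path that coincides with nearly every submission is the form script to audit.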
