Server sending spam

Update:

It looks like the server was not compromised, but is being used as a relay server. Now I'm trying to figure out how to disable that.

My server runs Ubuntu 12.04 LTS, with multiple domains served by Apache using virtual hosts. My email is set up through Google Apps.

I have received some complaints about the server sending spam.

Here is one of the confirmation emails I received:

[ SpamCop V4.8.0.059 ]
This message is brief for your comfort. Please use links below for details.

Email from XXX.XXX.XXX.XXX / Tue, 10 Sep 2013 19:22:59 -0700
http://www.spamcop.net/w3m?i=z6002772272zbb4b8610e997f80936afe5c5a7dd4341z 

[ Offending message ]
Delivered-To: x
Received: by 10.182.37.42 with SMTP id v10csp64759obj;
Tue, 10 Sep 2013 19:23:00 -0700 (PDT)
X-Received: by 10.182.230.135 with SMTP id sy7mr18722181obc.24.1378866179839;
Tue, 10 Sep 2013 19:22:59 -0700 (PDT)
Return-Path: <x>
Received: from MY-DOMAIN.com ([XXX.XXX.XXX.XXX])
by mx.google.com with ESMTPS id t6si11838598oei.122.1969.12.31.16.00.00
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 10 Sep 2013 19:22:59 -0700 (PDT)
Received-SPF: neutral (google.com: XXX.XXX.XXX.XXX is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com;
spf=neutral (google.com: XXX.XXX.XXX.XXX is neither permitted nor denied by best guess record for domain of [email protected]) [email protected] 
Received: from MY-DOMAIN.com (localhost [127.0.0.1])
by MY-DOMAIN.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id r8B2Q5Fw006220
for <x>; Wed, 11 Sep 2013 04:26:05 +0200
Received: (from www-data@localhost)
by MY-DOMAIN.com (8.14.3/8.14.3/Submit) id r8B2Q5SA006219;
Wed, 11 Sep 2013 04:26:05 +0200
Date: Wed, 11 Sep 2013 04:26:05 +0200
Message-Id: <[email protected]>
To: x
Subject: =?UTF-8?B?SGVsbG8hIENhbiBJIGFzayB5b3UgdG8gcmVhZCB0aGUgbGV0dGVyPw==?=
X-PHP-Originating-Script: 33:collector.php
MIME-Version: 1.0
From: Francine Gillham <[email protected]>
Reply-To: Francine Gillham <x>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8;


Hello! 
My friend showed me your account and I became aroused in anticipation of seeing u and knowing each other a little bit closer. 
I know for sure you couldn't be against of knowing me better after checking up my personal page too. 
What I can tell about myself? I'm a petite brunette beauty with cute face and fresh figure. 
My name is Francine and I am 23 years. Stare at me! 
I'll be waiting for you. 
I'll be glad to meet you life!

x

I don't know where to start or how to fix the problem... Has my server been hijacked? Is it malware, or...? Could someone point me in the right direction? My server should be able to send mail via the PHP mail function, but everything else mail-related is done through Google Apps.

When I tried running rkhunter I got the following:

[20:43:43]   /usr/sbin/adduser                               [ Warning ]
[20:43:43] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: a /usr/bin/perl script text executable

[20:43:46]   /usr/bin/ldd                                    [ Warning ]
[20:43:46] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable

[20:43:55]   /bin/which                                      [ Warning ]
[20:43:55] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable

[20:46:10]   Checking if SSH root access is allowed          [ Warning ]
[20:46:10] Warning: The SSH and rkhunter configuration options should be the same:
[20:46:10]          SSH configuration option 'PermitRootLogin': yes
[20:46:10]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

[20:46:12]   Checking /dev for suspicious file types         [ Warning ]
[20:46:12] Warning: Suspicious file types found in /dev:
[20:46:12]          /dev/.udev/queue.bin: data
[20:46:12]          /dev/.udev/db/block:xvda1: ASCII text
[20:46:12]          /dev/.udev/db/block:xvda: ASCII text
[20:46:12]          /dev/.udev/db/block:xvdc1: ASCII text
[20:46:12]          /dev/.udev/db/block:xvdc: ASCII text
[20:46:12]          /dev/.udev/db/input:event0: ASCII text
[20:46:12]          /dev/.udev/db/input:mouse0: ASCII text
[20:46:12]          /dev/.udev/db/block:ram7: ASCII text
[20:46:13]          /dev/.udev/db/block:ram14: ASCII text
[20:46:13]          /dev/.udev/db/block:ram15: ASCII text
[20:46:13]          /dev/.udev/db/block:ram10: ASCII text
[20:46:13]          /dev/.udev/db/block:ram5: ASCII text
[20:46:13]          /dev/.udev/db/block:ram13: ASCII text
[20:46:13]          /dev/.udev/db/block:ram6: ASCII text
[20:46:13]          /dev/.udev/db/block:ram1: ASCII text
[20:46:13]          /dev/.udev/db/block:ram4: ASCII text
[20:46:13]          /dev/.udev/db/block:ram3: ASCII text
[20:46:13]          /dev/.udev/db/block:ram2: ASCII text
[20:46:13]          /dev/.udev/db/block:ram8: ASCII text
[20:46:13]          /dev/.udev/db/block:ram12: ASCII text
[20:46:13]          /dev/.udev/db/block:ram9: ASCII text
[20:46:13]          /dev/.udev/db/block:ram0: ASCII text
[20:46:13]          /dev/.udev/db/block:loop7: ASCII text
[20:46:13]          /dev/.udev/db/block:loop4: ASCII text
[20:46:13]          /dev/.udev/db/block:loop6: ASCII text
[20:46:13]          /dev/.udev/db/block:loop2: ASCII text
[20:46:13]          /dev/.udev/db/block:loop5: ASCII text
[20:46:13]          /dev/.udev/db/block:loop3: ASCII text
[20:46:13]          /dev/.udev/db/block:ram11: ASCII text
[20:46:13]          /dev/.udev/db/block:loop1: ASCII text
[20:46:13]          /dev/.udev/db/block:loop0: ASCII text
[20:46:13]          /dev/.udev/rules.d/root.rules: ASCII text

[20:46:14]   Checking for hidden files and directories       [ Warning ]
[20:46:14] Warning: Hidden directory found: '/dev/.udev'
[20:46:14] Warning: Hidden directory found: '/dev/.initramfs'

Edit, new information:

I have enabled the PHP mail.log, but it doesn't seem to be coming from a PHP file. Looking at my mail.log, I can see lots of mail being sent out. So it is my server. Can someone help me figure out what is sending all these emails? Here is some of the log:

Sep 12 16:16:39 MY-DOMAIN sendmail[5733]: r8CEGdCb005733: from=www-data, size=827, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:16:39 MY-DOMAIN sendmail[5733]: r8CEGdCb005733: [email protected], ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30827, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:44 MY-DOMAIN sendmail[5767]: r8CEGi2D005767: from=www-data, size=868, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:16:44 MY-DOMAIN sendmail[5767]: r8CEGi2D005767: [email protected], ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30868, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:49 MY-DOMAIN sendmail[5769]: r8CEGnZ1005769: from=www-data, size=808, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:16:49 MY-DOMAIN sendmail[5769]: r8CEGnZ1005769: [email protected], ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30808, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:54 MY-DOMAIN sendmail[5771]: r8CEGrtE005771: from=www-data, size=908, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:16:54 MY-DOMAIN sendmail[5771]: r8CEGrtE005771: [email protected], ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30908, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:59 MY-DOMAIN sendmail[5776]: r8CEGxNE005776: from=www-data, size=833, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:16:59 MY-DOMAIN sendmail[5776]: r8CEGxNE005776: [email protected], ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30833, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:01 MY-DOMAIN sendmail[5784]: r8CEH1SX005784: from=www-data, size=520, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:17:01 MY-DOMAIN sendmail[5784]: r8CEH1SX005784: to=www-data, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30520, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:03 MY-DOMAIN sendmail[5787]: r8CEH3xm005787: from=www-data, size=866, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:17:03 MY-DOMAIN sendmail[5787]: r8CEH3xm005787: [email protected], ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30866, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:09 MY-DOMAIN sendmail[5789]: r8CEH890005789: from=www-data, size=440, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:17:09 MY-DOMAIN sendmail[5789]: r8CEH890005789: [email protected], ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30440, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:15 MY-DOMAIN sendmail[5791]: r8CEHEf4005791: from=www-data, size=757, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:17:15 MY-DOMAIN sendmail[5791]: r8CEHEf4005791: [email protected], ctladdr=www-data (33/33), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30757, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:17:20 MY-DOMAIN sendmail[5793]: r8CEHKGp005793: from=www-data, size=835, class=0, nrcpts=1, msgid=<[email protected]>, relay=www-data@localhost
Sep 12 16:17:20 MY-DOMAIN sendmail[5793]: r8CEHKGp005793: [email protected], ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30835, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
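The header and log excerpts above already carry the two facts needed to attribute the mail: the X-PHP-Originating-Script header (which PHP adds to every mail() call when php.ini has mail.add_x_header = On, in the form uid:script) and the ctladdr=www-data (33/33) field that sendmail logs for each locally submitted message. The Python below is an added example, not code from the original question or answers; it parses constructed log lines and a constructed header block in the same format, counts submissions per local account and per delivery status, and ties the header's uid:script back to the log. The host name, queue ids, message ids and recipients in the samples are made up.

```python
import re
from collections import Counter

# Constructed sample mail.log lines in sendmail's logging format. Host name,
# queue ids, message ids and recipients are made up for this example.
SAMPLE_LOG = """\
Sep 12 16:16:39 host sendmail[5733]: r8CEGdCb005733: from=www-data, size=827, class=0, nrcpts=1, msgid=<201309121416.r8CEGdCb005733@host.example>, relay=www-data@localhost
Sep 12 16:16:39 host sendmail[5733]: r8CEGdCb005733: to=victim1@example.net, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30827, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:16:44 host sendmail[5767]: r8CEGi2D005767: from=www-data, size=868, class=0, nrcpts=1, msgid=<201309121416.r8CEGi2D005767@host.example>, relay=www-data@localhost
Sep 12 16:16:44 host sendmail[5767]: r8CEGi2D005767: to=victim2@example.org, ctladdr=www-data (33/33), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30868, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Sep 12 16:20:01 host sendmail[5900]: r8CEK1AB005900: from=root, size=300, class=0, nrcpts=1, msgid=<201309121420.r8CEK1AB005900@host.example>, relay=root@localhost
Sep 12 16:20:01 host sendmail[5900]: r8CEK1AB005900: to=admin@example.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30300, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (ok)
"""

# Constructed header block in the shape of the reported message.
SAMPLE_HEADERS = """\
Received: (from www-data@localhost)
        by host.example (8.14.3/8.14.3/Submit) id r8CEGdCb005733;
        Wed, 11 Sep 2013 04:26:05 +0200
X-PHP-Originating-Script: 33:collector.php
From: Someone <sender@host.example>
Subject: test
"""

LOG_RE = re.compile(r'sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$')
CTLADDR_RE = re.compile(r'^(?P<user>\S+) \((?P<uid>\d+)/(?P<gid>\d+)\)$')
XPHP_RE = re.compile(r'^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>\S+)', re.M)


def parse_log(text):
    """Merge the from= and to= records that sendmail logs for each queue id."""
    queue = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = queue.setdefault(m['qid'], {})
        for field in m['rest'].split(', '):
            key, sep, value = field.partition('=')
            if sep:
                rec[key] = value
    return queue


def submitters(queue):
    """Count queued messages per local submitting account, keyed (user, uid)."""
    counts = Counter()
    for rec in queue.values():
        m = CTLADDR_RE.match(rec.get('ctladdr', ''))
        if m:
            counts[(m['user'], int(m['uid']))] += 1
    return counts


def status_counts(queue):
    """Count delivery outcomes by the first word of stat= (Deferred, Sent, ...)."""
    return Counter(rec.get('stat', '?').split(':')[0].split(' ')[0]
                   for rec in queue.values())


def originating_script(headers):
    """Return (uid, script) from X-PHP-Originating-Script, or None if absent."""
    m = XPHP_RE.search(headers)
    return (int(m['uid']), m['script']) if m else None


def correlate(queue, headers):
    """Tie the header's uid:script to the number of log entries submitted by that uid."""
    origin = originating_script(headers)
    if origin is None:
        return None
    uid, script = origin
    per_uid = Counter()
    for (_user, u), n in submitters(queue).items():
        per_uid[u] += n
    return {'script': script, 'uid': uid, 'messages_from_uid': per_uid[uid]}


if __name__ == '__main__':
    q = parse_log(SAMPLE_LOG)
    print('submitters:', dict(submitters(q)))
    print('status:', dict(status_counts(q)))
    print('origin:', correlate(q, SAMPLE_HEADERS))
```

On a real host, feed /var/log/mail.log to parse_log and the offending message's headers to correlate; a large count under uid 33 (www-data) together with a script name in the header narrows the search to the web root, and the X-PHP-Originating-Script value itself is only present when mail.add_x_header is enabled in php.ini. The stat=Deferred: Connection refused by [127.0.0.1] lines mean sendmail's submission program queued the messages but found nothing listening on the local SMTP port to hand them to.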

Answer 1

Based on the rkhunter output, it's reasonable to assume your machine has been rooted. Unless, of course, you replaced ldd with a Perl script yourself, but I don't think anyone would reasonably do that.

The best way to remediate this situation is to wipe the box and reinstall. You can try to clean it, but you can never be 100% sure you have cleaned everything properly.

When you reinstall, take rkhunter's advice and don't leave PermitRootLogin: yes in the SSHD configuration file.
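Both the rkhunter warning in the question (SSH 'PermitRootLogin': yes versus rkhunter's ALLOW_SSH_ROOT_USER: no) and the advice above come down to the effective value of one sshd_config keyword. The Python below is an added example, not part of the original answers; it shows the weak setting beside the corrected one as constructed config fragments and checks them the way a practitioner would on a rebuilt host. It honours OpenSSH's rule that the first value read for a keyword wins and stops at the first Match line, since directives inside Match blocks apply only conditionally.

```python
import re

# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_SSHD_CONFIG = """\
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
"""

HARDENED_SSHD_CONFIG = """\
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
"""


def effective_value(config_text, keyword):
    """Return the effective global value of an sshd_config keyword, or None if unset.

    OpenSSH keeps the first value it reads for a keyword (later duplicates are
    ignored). Directives inside a Match block apply conditionally, so parsing
    stops at the first Match line; inspect Match blocks separately.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = re.split(r'[\s=]+', line, maxsplit=1)
        key = parts[0].lower()
        if key == 'match':
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def root_login_allowed(config_text, default='yes'):
    """True unless PermitRootLogin is 'no'.

    'default' is what an unset keyword means: 'yes' on OpenSSH before 7.0
    (Ubuntu 12.04 ships 5.9), 'prohibit-password' from 7.0 onwards.
    """
    value = effective_value(config_text, 'PermitRootLogin') or default
    return value != 'no'


def rkhunter_mismatch(config_text, allow_ssh_root_user='no'):
    """Mirror rkhunter's check: flag when sshd's PermitRootLogin differs from
    ALLOW_SSH_ROOT_USER in rkhunter.conf."""
    value = effective_value(config_text, 'PermitRootLogin')
    return value is not None and value != allow_ssh_root_user.lower()


if __name__ == '__main__':
    for name, text in (('weak', WEAK_SSHD_CONFIG), ('hardened', HARDENED_SSHD_CONFIG)):
        print(name, 'PermitRootLogin =', effective_value(text, 'PermitRootLogin'),
              'root allowed:', root_login_allowed(text),
              'rkhunter mismatch:', rkhunter_mismatch(text))
```

On a live system the authoritative view is `sshd -T`, which prints the fully resolved configuration; this parser is for reviewing a config file offline, for example before deploying it to the rebuilt box.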

Answer 2

You can also use maldet (http://www.rfxn.com/projects/linux-malware-detect/) and scan your web files for spam bots.
