# tracking spam injected on localhost to exim



## chrcol (Aug 11, 2011)

Ok I have what looks like spam been submitted over tcp 127.0.0.1:25 to exim smtp server.

I suspect is a rogue web/php script of which there is 100s of accounts on the server.

So I can either manually check 100s of apache access logs and look for matching timestamp to email submission or what seems more logical is somehow monitor 127.0.0.1:25 connections.

so it seems I need to if possible monitor for localhost:25 connections and then have the system tell me what file is doing that access.  Is this possible and if so how do I do this?

Ideally I need to lock this down to a file, if I just lock it down to a uid it will probably be the apache user as its a mod_php installation so no unique uid's running scripts.

exim logs on max verbosity simply tell me the email is submitted over 127.0.0.1:25 tcp, if it was done over sendmail then it would show the script but it wasnt it was done over tcp.

I think I am looking at either a server root compromise or rogue script on server.

the obvious places such as /tmp are clean.

thanks.


----------



## redw0lfx (Aug 11, 2011)

A quick way that comes to mind is doing a small script in bash and have it running to monitor connections:


```
#!/usr/local/bin/bash

if ! echo -n > /tmp/watchMe;
then
  echo "Not able to write to /tmp/watchMe. Exiting"
  exit 1
fi

while true;
do
  clear
  line=`sockstat -4 |grep 127.0.0.1:25 |grep apache`
  if [[ -z $line ]];
  then
    echo `date`: NOCONN
  else
    echo "`date`: $line" | tee -a /tmp/watchMe
  fi
  if [[ `stat /tmp/watchMe | awk '{print $8}'` -gt 102400 ]];
  then
    echo "Max set size for /tmp/watchMe reached. Exiting script"
    exit 1
  fi  
  sleep 1
done
```

It needs a bit of cleanup and testing (specifically the section for checking max file size) and probably setting it to run every half second instead of every second, but hopefully this can help in getting you on the right track.

Disclaimer: 
I come from a linux background and am new to FreeBSD. I have seen that FreeBSD contains more system monitoring tools than linux, and such a tool might already exist.


----------



## redw0lfx (Aug 11, 2011)

Hate to post twice concurrently, but just realized sockstat will probably just give you 'php' for the command that is connecting to that port, and not the script's name.

Might need additional code to retrieve the process id using sockstat and awk, and then run procstat -c PID (replace PID with the process id from sockstat/awk) in order to get the actual script name that PHP is running.


----------



## Crivens (Aug 11, 2011)

Something like "tarpit" comes to mind here. That could slow the mail delivery of the spam down enough so that checking once in an hour is sufficient. Worth a try? (provided no legitimate user is affected)


----------



## OH (Aug 11, 2011)

Assuming that the users which supplies the mails is Apache and the users have each their own virtualhost, you can supply "-femailaddress" to exim in that virtualhost configuration. It will then show that adress in the mail sent and the Exim mainlog.

[cmd=]php_value mail.force_extra_parameters -femailaddress[/cmd]

Implementing this on a running production server might be a bit of a chore though.


----------

