Postfix: Identify Spam from Malware Script
In this guide you will learn how to identify spam sent by a malware script. Most Signetique Plesk servers use Postfix as the default mail server (shared hosting); however, some may have qmail as the mail server (some VPS customers). Before we start, make sure you know how to deal with spam in Postfix. Don't know yet? Ask a senior how to deal with spam with Postfix.
Step 1 : Identify
First we need to know whether the mail queue is the real deal (a spam run) or just the common stuck-mail situation caused by PHP sendmail. Check the mail queue:
mailq | less
Then pick a queue ID at random and dump it:
postcat -qv 8817625C5928
Example result:
postcat: name_mask: all
postcat: inet_addr_local: configured 6 IPv4 addresses
postcat: inet_addr_local: configured 1 IPv6 addresses
*** ENVELOPE RECORDS hold/8817625C5928 ***
message_size: 507 173 1 0 507
message_arrival_time: Wed Nov 20 13:29:34 2019
create_time: Wed Nov 20 13:29:34 2019
named_attribute: rewrite_context=local
sender_fullname:
sender: [email protected]
*** MESSAGE CONTENTS hold/8817625C5928 ***
regular_text: Received: by proton.hostcentral.net (Postfix, from userid 10174)
regular_text: 	id 8817625C5928; Wed, 20 Nov 2019 13:29:34 +0800 (+08)
regular_text: To: ".."@proton.hostcentral.net
regular_text: Subject: GxPortfolio System Error
regular_text: X-PHP-Originating-Script: 10174:lib_api.php
regular_text: From: <>
regular_text: X-PPP-Message-ID: <[email protected]>
regular_text: X-PPP-Vhost: smellon.com
regular_text: Message-Id: <[email protected]>
regular_text: Date: Wed, 20 Nov 2019 13:29:34 +0800 (+08)
regular_text:
regular_text: getLiveStockPrice Routine Failure - ticker 0198.HK
*** HEADER EXTRACTED hold/8817625C5928 ***
original_recipient: ..
recipient: [email protected]
*** MESSAGE FILE END hold/8817625C5928 ***
Step 2 : Check User Passwd
Now take a look at this line:
regular_text: X-PHP-Originating-Script: 10174:lib_api.php
The number before the colon is the UID of the account the script ran as. Check the /etc/passwd file to see which user that UID belongs to:
[root@proton hold]# less /etc/passwd | grep 10174
smellonh:x:10174:503::/var/www/vhosts/smellon.com:/bin/false
wwwarionasiaftp:x:10174:503::/var/www/vhosts/smellon.com/arionasia.com:/bin/false
ftpgplat_crm_sub:x:10174:503::/var/www/vhosts/smellon.com/globalxplatform.com/crm/subscriber:/bin/false
ftpgport_trader:x:10174:503::/var/www/vhosts/smellon.com/globalxportfolio.com/trader:/bin/false
ftpgxplat_crm:x:10174:503::/var/www/vhosts/smellon.com/globalxplatform.com/crm:/bin/false
wwwoneasia:x:10174:503::/var/www/vhosts/smellon.com/oneasiainvestmentpartners.com:/bin/false
wwwoaipftp:x:10174:503::/var/www/vhosts/smellon.com/oaip.asia/accounts:/bin/false
ftpgplat_dawn:x:10174:503::/var/www/vhosts/smellon.com/globalxplatform.com/dawn:/bin/false
ftp_neda_crm:x:10174:503::/var/www/vhosts/smellon.com/neda-global.org/crm:/bin/false
Now we know which subscription the culprit belongs to: the UID maps to the smellon.com vhost.
Step 3 : Search
For the rest, just search the vhost directory for the script name from the header:
[root@proton hold]# find /var/www/vhosts/smellon.com -name lib_api.php
/var/www/vhosts/smellon.com/globalxportfolio.com/trader/lib_api.php
Now you have the suspected file. Stop it from being executed by changing its permissions to 0000 with chmod:
chmod 000 /var/www/vhosts/smellon.com/globalxportfolio.com/trader/lib_api.php
Done.
Step 4 : Clean the Mail Queue with the script name we found
After that, we clean all spam mail in the queue that matches the script name we found earlier, which is: lib_api.php
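The steps above (dump a queued message with postcat, read X-PHP-Originating-Script, map the UID through /etc/passwd) can be scripted so the whole queue is summarised at once. This is an added example, not part of the original guide; the sample postcat excerpt and passwd lines are constructed from the output shown above, and the mailq/postcat functions assume Postfix's default output formats.

```shell
#!/bin/sh
# Added example (not from the original guide): find which PHP scripts
# originated the messages in the Postfix queue instead of reading each
# postcat dump by hand.

# Print the "uid:script" value of the X-PHP-Originating-Script header from
# one "postcat -q <ID>" dump read on stdin (empty if the header is absent).
originating_script() {
    sed -n 's/^regular_text: X-PHP-Originating-Script: *//p' | head -n 1
}

# Resolve a UID to "user:home" from a passwd-format file (default
# /etc/passwd). Plesk FTP users may share one UID, so every match is shown.
uid_owners() {
    awk -F: -v uid="$1" '$3 == uid { print $1 ":" $6 }' "${2:-/etc/passwd}"
}

# Print "queue_id uid:script" for every queued message carrying the header.
# Queue ID lines in mailq start with the ID (optionally followed by * or !)
# and then the message size; header and summary lines start with "-".
queue_scripts() {
    mailq | awk '/^[0-9A-Za-z]+[*!]?[[:space:]]+[0-9]+[[:space:]]/ {
                     sub(/[*!]$/, "", $1); print $1 }' |
    while read -r qid; do
        s=$(postcat -q "$qid" | originating_script)
        [ -n "$s" ] && echo "$qid $s"
    done
}

# Constructed sample excerpts (modelled on the dump in the guide) so the
# parsing can be exercised without a live mail queue.
SAMPLE_POSTCAT='regular_text: Received: by proton.hostcentral.net (Postfix, from userid 10174)
regular_text: Subject: GxPortfolio System Error
regular_text: X-PHP-Originating-Script: 10174:lib_api.php
regular_text: From: <>'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
smellonh:x:10174:503::/var/www/vhosts/smellon.com:/bin/false
ftpgport_trader:x:10174:503::/var/www/vhosts/smellon.com/globalxportfolio.com/trader:/bin/false'

# Walk the sample through both parsing steps.
demo() {
    script=$(printf '%s\n' "$SAMPLE_POSTCAT" | originating_script)
    uid=${script%%:*}                     # "10174"
    pw=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    echo "script: $script"
    uid_owners "$uid" "$pw"
    rm -f "$pw"
}
```

On a live server, `queue_scripts | awk '{print $2}' | sort | uniq -c | sort -rn` gives the per-script count for Step 1, and `queue_scripts | awk '$2 ~ /:lib_api\.php$/ {print $1}' | postsuper -d -` removes the queue entries for the script identified in Step 4.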
