Following the ART guidelines here (http://www.atomicorp.com/wiki/index.php/Spam) it turns out that the compromised user is qscand. Looking through /var/clamav I can see plenty of files that are not supposed to be there and look to have been created by an outside source.
Any suggestions?
Using COS5/Plesk8.6/pyzor/razor/qgreylist/clamav etc., all the usual stuff from the atomic repository.
spam through user qscand
Re: spam through user qscand
Spam is being sent through the server using the following user:
qscand10112:103:Qmail-Scanner Account:/var/spool/qscan:/bin/false
Any ideas on how I can stop this?
Re: spam through user qscand
What exactly makes you think that qscand is sending spam? This is actually the user that runs your spam and virus filtering. And what kind of files are you seeing in /var/clamav that are not supposed to be there?
Lemonbit Internet Dedicated Server Management
Re: spam through user qscand
Problem now sorted!
Breun, you were right. It made me go back (with a clear head) and look again at what was going on. Using the guidelines I was able to isolate the spam message headers:
Received: (qmail 1156 invoked by uid 10112); 6 Aug 2009 18:43:46 +0100
Received: from by server.domain.com (envelope-from <mailbox@domain.com>, uid 48) with qmail-scanner-2.06st
I looked up the uid 10112, and it belonged to qscand. What I should have been looking up was uid 48, which was the true source of the spam. This turned out to be a compromised account, whose password has now been changed to something better!
With regards to the qscand trail, I looked in /var/clamav/ and I saw files such as lott.hdb, phish.hdb, honeypot.hdb etc. which (I believed) I hadn't seen before and assumed that they were installed through a compromised login. Have since found out that they are signature databases for ClamAV.
Thanks, Breun.
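The lesson of this thread, as an added example that is not part of the original posts: a small Python script that reads qmail/qmail-scanner Received headers, separates the scanner account's "invoked by uid" hop from the envelope-from uid that qmail-scanner records, and resolves that uid against a passwd file. The sample headers, passwd lines, hostnames and the account name for uid 48 are constructed placeholders, not values from the thread.

```python
"""Trace which local account injected a message from qmail/qmail-scanner Received headers."""
import re

# Constructed sample modelled on the thread's two Received lines (not a real capture).
SAMPLE_HEADERS = """\
Received: (qmail 1156 invoked by uid 10112); 6 Aug 2009 18:43:46 +0100
Received: from unknown by mail.example.invalid
  (envelope-from <box@example.invalid>, uid 48) with qmail-scanner-2.06st
"""

# Constructed /etc/passwd excerpt; the name for uid 48 is a placeholder, not from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
webapp:x:48:48:placeholder account:/var/www:/sbin/nologin
qscand:x:10112:103:Qmail-Scanner Account:/var/spool/qscan:/bin/false
"""

QMAIL_RE = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\)")
SCANNER_RE = re.compile(
    r"^Received: from .*?\(envelope-from <([^>]*)>, uid (\d+)\) with qmail-scanner")

def parse_passwd(text):
    """Map numeric uid -> account name from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users

def unfold_received(headers):
    """Join folded continuation lines (leading whitespace) and keep only Received: headers."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        elif raw.startswith("Received:"):
            lines.append(raw)
    return lines

def trace_injector(headers, passwd_text):
    """Return the scanner uid, the real injecting uid/user and the envelope sender."""
    users, lines = parse_passwd(passwd_text), unfold_received(headers)
    scanner_uid = origin_uid = envelope_from = None
    for i, line in enumerate(lines):
        m = SCANNER_RE.match(line)
        if m:  # the uid inside the qmail-scanner hop is the process that submitted the mail
            envelope_from, origin_uid = m.group(1), int(m.group(2))
            q = QMAIL_RE.match(lines[i - 1]) if i > 0 else None
            if q:  # the qmail hop written just above it is only qscand handing off to qmail-queue
                scanner_uid = int(q.group(1))
            break
    if origin_uid is None:  # no scanner hop: the qmail "invoked by" uid is the injector itself
        origin_uid = next((int(q.group(1)) for q in map(QMAIL_RE.match, lines) if q), None)
    return {"scanner_uid": scanner_uid, "origin_uid": origin_uid,
            "origin_user": users.get(origin_uid), "envelope_from": envelope_from}
```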