
_www sending spam emails

I am running Leopard Server 10.5.8 and I have been hacked and I don't know how.


Starting last night, the _www account started sending spam emails at about 1 per second.


I have turned off mail sending to slow the activity, but I can't seem to find the process that is generating the messages.


Any suggestions on how to go about shutting this off?


I have ClamXav running, but it is running very slowly. This is the only mail server for the company, so I need to get it back up as soon as possible.

Mac mini, Mac OS X (10.5.8), Server

Posted on Jul 5, 2011 3:35 PM

4 replies

Aug 18, 2011 2:11 PM in response to PatStanford

Apache isn't going to send any mail on its own. The only way it would is through dynamic content systems such as a CGI or PHP page.


Do you have any such CGI or PHP on your server? It's possible someone's using an insecure web form to generate the mail. If your server isn't secure it's also possible that someone pushed such a form to your server.


The apache logs would be the logical place to start. If they're generating at that rate it shouldn't be hard to see where they're coming from.

Aug 19, 2011 7:21 PM in response to PatStanford

One issue that I had was Apache's proxy settings were incorrect - it was initially acting as a forward proxy, and changes in our firewall meant that it was given a public IP, which then allowed it to be used as an open relay for spammers.


Config item was this: http://httpd.apache.org/docs/2.1/mod/mod_proxy.html#proxyrequests


I believe that has stopped some of the problem, but Little Snitch is still reporting a lot of weird requests.


I also turned off ping responses in OS X security settings, and the console still reports a massive amount of IPs that it doesn't respond to... :-/
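
Both replies above point at the Apache access log: one to find the CGI or PHP page being hit at the spam rate, the other to spot forward-proxy use. The following is an added example, not part of any post in the thread; it assumes Apache's common/combined log format, and the log lines, addresses and script paths in it are constructed.

```python
import re
from collections import Counter

# Apache common/combined format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)
ABSOLUTE_URL = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def triage(lines, top=5):
    """Return (top POST targets, top proxy-style clients, unparsed line count)."""
    posts = Counter()   # (script path, client) -> number of POSTs
    proxy = Counter()   # client -> number of forward-proxy style requests
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed or truncated entry: count it, don't crash
            continue
        host, method, target = m.group('host', 'method', 'target')
        # Requests for the site itself start with "/". CONNECT or a full URL
        # in the request line is what a client sends to a forward proxy.
        if method == 'CONNECT' or ABSOLUTE_URL.match(target):
            proxy[host] += 1
        elif method == 'POST':
            posts[(target.split('?', 1)[0], host)] += 1   # ignore query string
    return posts.most_common(top), proxy.most_common(top), skipped

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE = """\
203.0.113.7 - - [05/Jul/2011:03:10:01 -0700] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 312
203.0.113.7 - - [05/Jul/2011:03:10:02 -0700] "POST /cgi-bin/contact.cgi HTTP/1.1" 200 312
203.0.113.7 - - [05/Jul/2011:03:10:03 -0700] "POST /cgi-bin/contact.cgi?x=1 HTTP/1.1" 200 312
198.51.100.20 - - [05/Jul/2011:03:10:03 -0700] "GET /index.html HTTP/1.1" 200 5120
192.0.2.44 - - [05/Jul/2011:03:10:04 -0700] "CONNECT mail.example.net:25 HTTP/1.0" 200 -
192.0.2.44 - - [05/Jul/2011:03:10:05 -0700] "GET http://www.example.org/ HTTP/1.1" 200 1024
198.51.100.20 - - [05/Jul/2011:03:10:06 -0700] "POST /login.php HTTP/1.1" 302 -
garbage line that is not in log format
""".splitlines()

if __name__ == '__main__':
    posts, proxy, skipped = triage(SAMPLE)
    for (path, client), n in posts:
        print('%6d POST %s from %s' % (n, path, client))
    for client, n in proxy:
        print('%6d proxy-style requests from %s' % (n, client))
    print('%d unparsed lines' % skipped)
```

On a live server, pass the opened access log file to `triage` in place of `SAMPLE`; a script that dominates the POST counts is the first one to inspect.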
