Locating Spammers
By Mr.Seiko on Jan 7, 2017 | In Uncategorized
So I'm working on a guy's server today, and he's been having issues with this server generating spam. Not a lot, just a couple hundred a day.
Small enough not to be noticed at first, so it goes on long enough that the server gets blacklisted everywhere.
The thing with this is that it wasn't a standard spam script being hit and generating spam, or a hacked email account.
This was basically EVERY domain on the server (almost all owned by one reseller on the server), all sending one or two pieces of spam here and there from info@<customerdomain>.
The mail logs would just show generic information like:
Mail Control Data:
mailnull 47 12 <info@(customerdomain)> 1483750320 0 -helo_name (customerdomain) -host_address 127.0.0.1.57428 -interface_address 127.0.0.1.25 -received_protocol esmtp -aclc _authenticated_local_user 6 nobody -body_linecount 16 -max_received_linelength 390 -host_lookup_failed XX 1 (someRandom)@aol.com
This was really annoying me.
I exhausted all of my usual spam-hunting tactics, using things like Maldet and ClamAV to look for known spam scripts and hacks, and came up empty.
So I started looking at the traffic to the server as a whole, looking for patterns.
Eventually I started seeing that POSTs to xmlrpc.php were really the only pattern common to all the sites.
tail -f /usr/local/apache/domlogs/*.com | grep POST | grep xmlrpc
91.197.232.105 - - [07/Jan/2017:06:15:55 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
91.197.232.105 - - [07/Jan/2017:06:16:53 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
91.197.232.105 - - [07/Jan/2017:06:17:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
91.197.232.105 - - [07/Jan/2017:06:17:14 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
91.197.232.105 - - [07/Jan/2017:06:17:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.43.32 - - [07/Jan/2017:06:21:53 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.43.58 - - [07/Jan/2017:06:26:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.43.58 - - [07/Jan/2017:06:27:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.43.58 - - [07/Jan/2017:06:28:40 +0000] "POST /xmlrpc.php HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.43.58 - - [07/Jan/2017:06:28:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 384 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
212.47.230.108 - - [07/Jan/2017:06:28:59 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
212.47.230.108 - - [07/Jan/2017:06:30:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 384 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
212.47.230.108 - - [07/Jan/2017:06:31:15 +0000] "POST /xmlrpc.php HTTP/1.0" 301 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.43.32 - - [07/Jan/2017:06:31:40 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.144.12.15 - - [07/Jan/2017:06:31:47 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; uk; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
163.172.132.253 - - [07/Jan/2017:06:31:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
So I started comparing the POSTs to the info@ spam in the queue.
Tossed this into the server command line:
sed -i '1i <Files xmlrpc.php>\norder deny,allow\ndeny from all\n</Files>\n ' /home/*/public_html/.htaccess
And now every domain has a block that kills access to xmlrpc.php, and prevents this ongoing spam ordeal for this customer.
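As an added example (not the author's command above, which does the job on GNU sed), here is a small script that tallies xmlrpc.php POSTs per source IP from the domlogs and writes the same deny block per account; it assumes the cPanel-style /home/*/public_html layout and uses constructed log lines. Unlike `sed 1i`, it also covers an empty or missing .htaccess, where there is no line 1 to insert before, and it won't stack a second block on re-runs.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Tallies xmlrpc.php POSTs
# per source IP from Apache combined-format log lines (the pattern the post
# spotted in the domlogs), then adds the same deny block to an .htaccess in
# a way that also handles empty or missing files, which `sed 1i` does not.
# Sample log lines are constructed; the /home/*/public_html path is assumed.

# Constructed sample log lines (same layout as the domlogs shown above).
SAMPLE_LOG='10.0.0.1 - - [07/Jan/2017:06:15:55 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
10.0.0.1 - - [07/Jan/2017:06:16:53 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
10.0.0.2 - - [07/Jan/2017:06:21:53 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
10.0.0.3 - - [07/Jan/2017:06:22:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.1 - - [07/Jan/2017:06:17:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"'

# xmlrpc_posters: read log lines on stdin, print "count ip" for every source
# IP that POSTed to xmlrpc.php, busiest first. Field 6 is the quoted method,
# field 7 the request path, field 1 the client IP.
xmlrpc_posters() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# deny_xmlrpc: append the deny block to one .htaccess, creating the file if
# it is missing and skipping if a block for xmlrpc.php is already there, so
# re-running it never stacks duplicate blocks.
deny_xmlrpc() {
    local htaccess="$1"
    if [ -f "$htaccess" ] && grep -qi '<Files xmlrpc\.php>' "$htaccess"; then
        return 0
    fi
    printf '<Files xmlrpc.php>\norder deny,allow\ndeny from all\n</Files>\n' >> "$htaccess"
}

# deny_xmlrpc_all: apply the block to every account's document root
# (cPanel-style layout assumed).
deny_xmlrpc_all() {
    local dir
    for dir in /home/*/public_html; do
        [ -d "$dir" ] || continue
        deny_xmlrpc "$dir/.htaccess"
    done
}

# Usage on a live box: survey the domlogs first, then block.
#   cat /usr/local/apache/domlogs/*.com | xmlrpc_posters
#   deny_xmlrpc_all
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_posters
```

On Apache 2.4 without mod_access_compat, the two `order`/`deny` lines inside the block should be replaced by `Require all denied`.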
FUN!!