Primary Hostname Sending spam
Hi,
Recently deployed a cPanel server. We noticed a great deal of spam coming from the server hostname.
Server hostname : ns1.wizkidhosting.com
A snippet of exim_mainlog:
2022-04-25 08:22:24 1nimUi-0000ST-0I <= gmorone@ns1.domain.com H=(ns1.domain.com) [127.0.0.1]:57276 P=esmtp S=24112 id=19813511.7761749.13118692761361@ns1.domain.com T="You appeared in 4 searches this week" for username@aol.com
2022-04-25 08:22:24 SMTP connection from (ns1.domain.com) [127.0.0.1]:57276 closed by QUIT
2022-04-25 08:22:24 1nimUi-0000SU-1m <= csad@ns1.domain.com H=(ns1.domain.com) [127.0.0.1]:57278 P=esmtp S=23834 id=9997991566.39676664.36367636449@ns1.domain.com T="You appeared in 5 searches this week" for username@aol.com
Any insights much appreciated.
That shows 2 accounts, gmorone & csad, sending spam.
Hi @quietFinn, yep, but I can say that these accounts are non-existent and keep changing all the time. In fact ns1.wizkidhosting.com is the primary domain and does not have a default mailbox.
There is no such thing as a "primary domain". In the exim log you can see the usernames the mails are sent from (i.e. from USERNAME@HOSTNAME). If those users are not cPanel users, I'd think that your server is compromised. Check what users you have in the /home directory.
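The check suggested above (pull the envelope senders out of the "<=" lines in exim_mainlog and compare their local parts against the accounts that actually exist on the box) is easy to script. The following is an added example written for this thread, not code from cPanel or from anyone in the discussion. The log lines embedded in it are constructed from the snippet in the original post plus two made-up lines (a legitimate user and a bounce) so it runs offline; the account set KNOWN_USERS is likewise an assumption. On a real cPanel host you would feed it /var/log/exim_mainlog and the directory names under /home instead. The envelope sender on a "<=" line is whatever the injecting client claimed; the lines in the snippet carry no A= (authenticated sender) field, so a mismatch between the claimed local part and a real account is the signal to look for.

```python
import os
import re
from collections import Counter

# Constructed sample log, modelled on the snippet in the original post.
# Lines 1-3 are from the post; the "alice" message and the bounce are made up
# so that the example exercises a legitimate sender and a "<>" sender too.
SAMPLE_LOG = """\
2022-04-25 08:22:24 1nimUi-0000ST-0I <= gmorone@ns1.domain.com H=(ns1.domain.com) [127.0.0.1]:57276 P=esmtp S=24112 id=19813511.7761749.13118692761361@ns1.domain.com T="You appeared in 4 searches this week" for username@aol.com
2022-04-25 08:22:24 SMTP connection from (ns1.domain.com) [127.0.0.1]:57276 closed by QUIT
2022-04-25 08:22:24 1nimUi-0000SU-1m <= csad@ns1.domain.com H=(ns1.domain.com) [127.0.0.1]:57278 P=esmtp S=23834 id=9997991566.39676664.36367636449@ns1.domain.com T="You appeared in 5 searches this week" for username@aol.com
2022-04-25 08:23:01 1nimVJ-0000T2-4k <= alice@ns1.domain.com H=(ns1.domain.com) [127.0.0.1]:57290 P=esmtp S=1203 T="Invoice" for bob@example.net
2022-04-25 08:23:40 1nimVw-0000T9-Qa <= <> R=1nimVJ-0000T2-4k U=mailnull P=local S=2210 T="Mail delivery failed"
"""

# Assumed account list for the example; on a real box use os.listdir("/home").
KNOWN_USERS = {"alice", "wizkidho"}

# Exim "message accepted" line: timestamp, message id, "<=", envelope sender,
# then an optional "H=(helo) [ip]:port" block for SMTP-injected mail, and
# eventually the P= (protocol) and S= (size) fields.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) <= (?P<sender>\S+)"
    r"(?: H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:(?P<port>\d+))?"
    r".*? P=(?P<proto>\S+) S=(?P<size>\d+)"
)


def parse_accepted(log_text):
    """Yield one dict per '<=' (message accepted) line; all other lines are skipped."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_senders(log_text, local_users, hostname):
    """Count accepted messages whose envelope sender is <user>@hostname, injected
    over the loopback interface, where <user> is not a real account on the box.
    Returns {local_part: message_count}."""
    hits = Counter()
    for rec in parse_accepted(log_text):
        sender = rec["sender"]
        if sender == "<>" or "@" not in sender:
            continue  # bounces and bare local senders are not what we are hunting
        user, _, domain = sender.partition("@")
        if rec["ip"] != "127.0.0.1" or domain.lower() != hostname.lower():
            continue  # only mail claiming to be a local user, handed to exim locally
        if user not in local_users:
            hits[user] += 1
    return dict(hits)


def senders_by_volume(log_text):
    """Message count per envelope sender, to spot the noisiest sources regardless
    of whether the local part exists."""
    return dict(Counter(rec["sender"] for rec in parse_accepted(log_text)))


if __name__ == "__main__":
    # Stand-alone demo on the constructed log; swap in the real paths on a server.
    log_path = "/var/log/exim_mainlog"
    if os.path.exists(log_path) and os.path.isdir("/home"):
        with open(log_path, errors="replace") as fh:
            text = fh.read()
        users = set(os.listdir("/home"))
    else:
        text, users = SAMPLE_LOG, KNOWN_USERS
    for user, count in sorted(suspicious_senders(text, users, "ns1.domain.com").items()):
        print(f"{user}: {count} message(s) from a non-existent account")
```

On the sample data this reports gmorone and csad once each and stays silent about alice, whose account exists, and about the bounce, which has no envelope sender. A run that flags many distinct, ever-changing local parts from 127.0.0.1 is the pattern described in this thread: something on the box is opening an SMTP session to localhost and making names up.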
@philwebservices when I tried to access your site I got this in my browser: "Website blocked due to a Trojan. Your Malwarebytes Premium blocked this website because it may contain a Trojan. We strongly recommend you do not continue." @quietFinn seems to be correct, you are compromised unfortunately.
Thanks for the input, will have this scanned entirely.
Scanned the server and found the PHP file culprit :) Thank you all!
Scanned the server and found the php file culprit :) Thank you all!
I'm glad you found it and hopefully all is well and resolved.