cPanel User Spamming
Hello,
One of the cPanel users is spamming, and whenever he is spamming we receive mail with the subject "Excessive resource usage: User (3386 (Parent PID:3386))". The mail body is as follows:
Time: Wed Nov 6 16:52:51 2013 +0300
Account: user
Resource: Process Time
Exceeded: 1849 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: /usr/bin/crond
PID: 3386 (Parent PID:3386)
Killed: No
When I receive this mail I see spamming as the queue size increases, so when I kill this process ID the user stops spamming.
How can we find what is causing this user to spam?
Regards,
CEH
Hello :) Check to see if there are any cron jobs configured for this account. Look for any scripts with the ability to send out email. Also, review one of the SPAM messages in the queue to see if you can find any information in the message headers. Thank you.
Hello,
1. There used to be a cronjob running in the path "/var/spool/cron/user", but it was pointing to a tmp file which does not exist at all. Anyway, I removed the cronjob.
2. How can I check for scripts which are sending mails? Is there any way to find them?
3. The mail header shows it's generated from the cPanel user. My first comment says "Executable: /usr/bin/perl" and "Command Line: /usr/bin/crond". Does it mean it's running a Perl script?
Hi, Not sure if this will help you... but I find that after a situation like this I run maldet to detect suspicious files. You can check it out here, it's free and it works well. https://www.rfxn.com/projects/linux-malware-detect/ Hope it helps.
Have you reviewed the files within the account for any scripts with the ability to send out email? Look for files with the ability to send email, and try contacting the user to see if they are aware of this behavior. You may want to consider suspending the account if you want to prevent additional SPAM from sending out while you investigate. Thank you.
As from my first post, it says that the script is using Perl, but I can't find any .pl file in the user's home directory. Is there any way to find the script exactly, or any procedure to find the culprit?
Try ps -aux | grep PID to see more details of that PID. You can also see all processes of that particular user using ps -aux | grep username
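The alert in the first post pairs "Executable: /usr/bin/perl" with "Command Line: /usr/bin/crond", which is what a script looks like after it has overwritten its own process name. The following is an added example, not part of the original thread: it compares /proc/PID/exe with argv[0] for every process of one UID and prints the working directory of each mismatch. The function name and output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: list processes of one UID whose real executable differs from
# the name they show as argv[0] (e.g. exe=/usr/bin/perl, argv0=/usr/bin/crond).
# Usage: find_masquerading UID [PROC_ROOT]     PROC_ROOT defaults to /proc
# Prints one line per hit: PID|exe|argv0|cwd
# Live use (as root): find_masquerading "$(id -u user)"
find_masquerading() {
    uid=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] && [ -r "$dir/cmdline" ] || continue
        # The real UID is the first number on the "Uid:" line of status.
        puid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null)
        [ "$puid" = "$uid" ] || continue
        # exe is a symlink to the binary the kernel actually loaded.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # cmdline is NUL-separated and writable by the process itself;
        # its first field is the name the process chose to display.
        argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue      # kernel threads have no cmdline
        ename=${exe##*/}
        ename=${ename% (deleted)}        # binary removed after launch
        aname=${argv0##*/}
        aname=${aname#-}                 # login shells show as "-bash"
        [ "$ename" = "$aname" ] && continue
        # cwd often points at the directory the script was started from.
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        printf '%s|%s|%s|%s\n' "${dir##*/}" "$exe" "$argv0" "$cwd"
    done
    return 0
}
```

Reading another user's exe and cwd links requires root. Daemons that legitimately rewrite their process title will also be listed, so treat each hit as a lead to check, starting with the cwd directory.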