
which process or script is sending spam?

Comments

12 comments

  • Infopro
    This thread may be of some use to you: Why didn't my email get delivered? or where did my email go? - cPanel Forums
    0
  • arjanvr
    I meant outgoing spam. How can I trace what is causing it as I cannot find anything in that topic. Thanks
    0
  • Infopro
    Where are you seeing the spam?
    0
  • arjanvr
    In the mail queue manager, where it is in the queue due to send restrictions I enforce on accounts. Otherwise it would have sent 10000's already, but there is no malware detected.
    0
  • Infopro
    Click the icon there to View Message. You might find some details there of some use.
    0
  • arjanvr
    They are all Facebook spam mail but I don't know what is sending.
    Mail Control Data: nederlandsewyand 615 616 1418368873 0 -ident nederlandsewyand -received_protocol local -body_linecount 150 -max_received_linelength 146 -auth_id nederlandsewyand -auth_sender nederlandsewyand@vps1.domain.nl -allow_unqualified_recipient -allow_unqualified_sender
    0
  • Infopro
    Not sure what you mean by facebook spam.
    0
  • arjanvr
    Fake mails as if sent from the Facebook security team asking people to log in. My question is if I can find out which script or process is sending them.
    0
  • cPanelMichael
    The following thread might be helpful to you: Unknown Spam Source Thank you.
    0
  • arjanvr
    So when I use this command
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    it shows me
    login as: root
    root@195.242.xx.xxx's password:
    Last login: Fri Dec 12 05:00:09 2014 from 86.93.xxx.xxx
    root@vps1 [~]# awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    32860 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links
    does that mean something in that directory is spamming?
    0
  • cPanelMichael
    Yes, you should review that directory and look for scripts that can send out email. It's possible that the script has been exploited and you may need to investigate that further. Thank you.
    0
  • arjanvr
    Well now maldet confirms also
    Dec 12 05:00:27 vps1 maldet(5152): {scan} file list completed, found 13840 files...
    Dec 12 05:46:17 vps1 maldet(5152): {hexstring} malware hit {HEX}php.base64.v23au.183 on /home/username/public_html/administrator/templates/hathor/html/com_redirect/links/xml.php
    Dec 12 05:48:58 vps1 maldet(5152): {md5hash} malware hit {MD5}php.cmdshell.unclassed.5408 on /home/username/public_html/modules/mod_araticlhess/mod_araticlhess.php
    Dec 12 05:52:45 vps1 maldet(5152): {hexstring} malware hit {HEX}php.base64.v23au.183 on /home/username/public_html/media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/.test.php
    Dec 12 05:59:36 vps1 maldet(5152): {scan} scan completed on /home/username/public_html/: files 13840, malware hits 3, cleaned hits 0
    It's good to have learned this command
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    Thank you all for assistance
    0
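
The `cwd=` count used in this thread, as an added example that is not part of the original posts: it keeps paths that contain spaces intact, skips exim's own spool directory, and adds the owning account. The log lines are constructed, and the `/home/<user>/` layout and the `/var/spool/exim` filter are assumptions about a default cPanel/exim setup.

```shell
#!/usr/bin/env bash
# Added example: rank the working directories from which mail was handed to exim.
# sample_log and rank_cwd are hypothetical helper names, not cPanel or exim tools.

sample_log() {
  # Constructed exim_mainlog lines (not taken from a real server).
  cat <<'EOF'
2014-12-12 05:00:01 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
2014-12-12 05:00:01 1XzKpQ-0003aB-7c <= username@vps1.domain.nl U=username P=local S=4321
2014-12-12 05:00:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-12-12 05:00:03 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
2014-12-12 05:00:04 cwd=/home/otheruser/public_html/contact form 3 args: /usr/sbin/sendmail -t -i
2014-12-12 05:00:05 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1XzKpQ-0003aB-7c
2014-12-12 05:00:06 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
EOF
}

rank_cwd() {
  # stdin:  exim_mainlog lines
  # stdout: "<count> <account> <cwd>", highest count first
  awk '
    $3 ~ /^cwd=/ {
      dir = $0
      sub(/^[^ ]+ [^ ]+ cwd=/, "", dir)    # drop date, time and the cwd= key
      sub(/ [0-9]+ args: .*$/, "", dir)    # drop the argument list, keep spaces in the path
      if (dir ~ /^\/var\/spool\/exim/) next  # assumption: queue runners, not user scripts
      user = "-"
      n = split(dir, part, "/")
      if (n >= 3 && part[2] == "home") user = part[3]  # assumption: /home/<user>/...
      count[dir]++
      owner[dir] = user
    }
    END { for (d in count) printf "%d %s %s\n", count[d], owner[d], d }
  ' | sort -k1,1nr -k3
}

# Stand-alone run on the constructed sample; on a server: rank_cwd < /var/log/exim_mainlog
sample_log | rank_cwd
```

A directory that dominates the ranking, as in the thread, is where to look for scripts that send mail and where to point a malware scan.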
