Spam being sent from server. Can't trace route
Hi
I have spam being sent from an email on one of my accounts to a specific email address roughly every 10 minutes. I have changed the passwords etc. and now have an exim log, but I am unsure what's going on. It doesn't specify that a PHP script is being run. Any ideas?
- Snipped -
Hello. Run the command below; it'll tell you which directories, if any, are sending out spam from a script.
grep -i cwd /var/log/exim_mainlog | grep home | awk '{print $3}' | sort | uniq -c | sort -n -k1 | tail -100
It'll give a number on the left side; the higher the number, the more spam coming from that directory.
2015-04-11 11:45:46 [24726] 1Ygssc-0006Qo-D2 <= sales@xxx.co.uk H=176-35-166-24.xdsl.domain.net (ACCOUNTNAME) [176.35.xxx.xx]:64985 I=[78.109.xxx.xx]:25 P=esmtpa A=dovecot_login:sales@xxx.co.uk S=8059216 M8S=0 id=319901d0744d$3b717720$b2546560$@co.uk T="LAST e-mail for ACCOUNTNAME" from for me@domain.co.uk
As per the provided logs I can see your mails have been sent from your sales@xxx.co.uk account using the mail account password. So change this mail account password and update your server setting with
I already changed the password to a secure one. Would this mean that the computer that has the email account has a virus or something?
Most likely not. Have you checked for scripts sending out mail using the command I gave you? I'd double check that first. Otherwise, if it's being sent out by a single email account it's usually a compromised password.
I'm pretty new to this stuff. I'm using a Mac, so I have connected via SSH using Terminal, ran the script you sent and all I got was this:
root@server [~]# grep -i cwd /var/log/exim_mainlog | grep home | awk '{print $3}' | sort | uniq -c | sort -n -k1 | tail -100
      1 [17933]
      1 [17934]
      1 [17937]
      1 [17939]
      1 [17949]
      1 [19453]
      1 [19460]
      1 [20490]
      1 [20494]
      1 [20616]
      1 [20621]
      1 [21921]
      1 [21963]
      1 [21972]
      1 [21982]
      1 [21991]
      1 [23123]
      1 [23258]
      1 [23263]
      1 [24124]
      1 [5297]
      1 [5302]
      1 [5734]
      1 [5739]
root@server [~]#
Basically, it didn't find a script spamming on the server, so that's good news. Other than a script or a password compromise it might be hard to troubleshoot without knowing more information. Have you opened a cPanel ticket to see if they can login to your server and assist you?
Hi, the logs clearly show this was sent via password authentication and not a script: A=dovecot_login:sales@xxx.co.uk
A search for scripts sending mail is not needed. Simply update the password. The password may have been guessed or bruteforced by a hacker. I recommend using long 3-character-class passwords. As well, the password may have been obtained from a computer infected with malware. I recommend that you run a scan on all computers that are used to access this email account. As well, I recommend ensuring that all email clients are using the SSL connection details in their mail client, which are provided at cPanel > Email Accounts > More > Configure. Thanks,
2015-04-11 11:45:46 [24726] 1Ygssc-0006Qo-D2 <= sales@xxx.co.uk H=176-35-166-24.xdsl.domain.net (ACCOUNTNAME) [176.35.166.24]:64985 I=[78.109.xxx.xx]:25 P=esmtpa A=dovecot_login:sales@xxx.co.uk S=8059216 M8S=0 id=319901d0744d$3b717720$b2546560$@co.uk T="LAST e-mail for ACCOUNTNAME" from for me@domain.co.uk
Hi, the log you have provided itself says all the mails were sent via dovecot with SMTP authentication, hence no need to check for scripts used. Let me try to explain the log you have provided. The above log clearly shows the mail originated from the mail account "sales@xxx.co.uk". The variable "P=esmtpa" shows the mail account has authentication to send this particular mail. The variable I shows the public IP from which the mail has originated. In your case the mail originated from the public IP "78.109.xxx.xx", so the user from this public IP has used the authentication of "sales@xxx.co.uk" to send mail. The T denotes the subject of the message, so as per the above log the subject is "LAST e-mail for ACCOUNTNAME". If the mail is not supposed to be sent without your knowledge, this clearly shows the spammer has got the password of the mail account and exploited it. You have to change the password of the mail account with immediate effect. :)
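The following is an added example and not code from this thread or from cPanel. It parses constructed exim_mainlog lines laid out like the entries quoted above (hosts, IPs, accounts and paths in SAMPLE_LOG are made up) and covers both questions raised in the thread: counting the directories local scripts send mail from, which the grep/awk one-liner earlier does, but keyed on the cwd= token itself so the [pid] column that Exim prints with log_selector +pid cannot displace it (that column is why the one-liner's output above showed process ids), and pulling the fields of a "<=" arrival line this reply walks through: H= (the connecting client's reverse-DNS name, HELO name and IP), I= (the local interface the connection arrived on), P= (protocol), A= (authenticator and authenticated id) and T= (subject). It then groups authenticated submissions per account with the distinct client IPs that used the password, which is the check a defender wants for a suspected stolen mailbox password. All function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample exim_mainlog lines (same layout as the entries quoted in
# this thread; hosts, IPs, accounts and paths are made up for the example).
SAMPLE_LOG = """\
2015-04-11 11:45:46 [24726] 1Ygssc-0006Qo-D2 <= sales@example.co.uk H=host-1.example.net (ACCOUNTNAME) [198.51.100.24]:64985 I=[203.0.113.5]:25 P=esmtpa A=dovecot_login:sales@example.co.uk S=8059216 id=abc123@example.co.uk T="LAST e-mail for ACCOUNTNAME" from <sales@example.co.uk> for me@example.org
2015-04-11 11:46:02 [24730] cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-04-11 11:46:02 [24730] 1Ygsss-0006Qz-1A <= acct1@server.example.net U=acct1 P=local S=2150 T="Cheap meds" from <acct1@server.example.net> for victim@example.org
2015-04-11 11:46:30 [24741] cwd=/home/acct1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-04-11 11:47:01 [24755] cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2015-04-11 11:55:48 [24810] 1YgtBw-0006Rk-7Q <= sales@example.co.uk H=(WIN-PC) [192.0.2.77]:51234 I=[203.0.113.5]:587 P=esmtpsa A=dovecot_login:sales@example.co.uk S=8059216 T="LAST e-mail for ACCOUNTNAME" from <sales@example.co.uk> for other@example.org
"""

# A "<=" line records a message arriving at Exim. The optional "[pid]" column is
# present when log_selector includes +pid, which is why the grep/awk one-liner
# earlier in the thread printed process ids instead of directories.
MSG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?"
    r"(?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
# H= is the connecting client: optional reverse-DNS name, optional (HELO) name, then [ip]:port.
H_RE = re.compile(r"\bH=(?:(?P<host>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)?")
I_RE = re.compile(r"\bI=\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?")  # local interface the connection hit
P_RE = re.compile(r"\bP=(?P<proto>\S+)")       # protocol: esmtpa/esmtpsa mean authenticated SMTP
A_RE = re.compile(r"\bA=(?P<auth>\S+)")        # authenticator name and authenticated id
U_RE = re.compile(r"\bU=(?P<user>\S+)")        # local Unix user for locally injected mail
T_RE = re.compile(r'\bT="(?P<subject>[^"]*)"')
CWD_RE = re.compile(r"\bcwd=(?P<cwd>\S+)")     # working directory of a local sendmail caller


def classify(rec):
    """Decide how a message entered Exim from the fields that are present."""
    if rec["authenticator"]:
        return "authenticated_smtp"      # a mailbox password was used
    if rec["local_user"] or rec["protocol"] == "local":
        return "local_process"           # injected by a script or binary on the box
    return "unauthenticated_smtp"        # ordinary inbound SMTP


def parse_message_line(line):
    """Parse one '<=' arrival line into a dict, or return None for other lines."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {
        "timestamp": m.group("ts"), "message_id": m.group("msgid"),
        "sender": m.group("sender"), "hostname": None, "helo": None,
        "client_ip": None, "local_interface": None, "protocol": None,
        "authenticator": None, "auth_id": None, "local_user": None, "subject": None,
    }
    if (h := H_RE.search(rest)):
        rec.update(hostname=h.group("host"), helo=h.group("helo"), client_ip=h.group("ip"))
    if (i := I_RE.search(rest)):
        rec["local_interface"] = i.group("ip") + (":" + i.group("port") if i.group("port") else "")
    if (p := P_RE.search(rest)):
        rec["protocol"] = p.group("proto")
    if (a := A_RE.search(rest)):
        auth, _, ident = a.group("auth").partition(":")
        rec["authenticator"], rec["auth_id"] = auth, (ident or None)
    if (u := U_RE.search(rest)):
        rec["local_user"] = u.group("user")
    if (t := T_RE.search(rest)):
        rec["subject"] = t.group("subject")
    rec["origin"] = classify(rec)
    return rec


def authenticated_submissions(log_text):
    """All messages accepted because a mailbox password authenticated the session."""
    recs = (parse_message_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["origin"] == "authenticated_smtp"]


def submissions_by_account(log_text):
    """Per authenticated id: message count and the distinct client IPs that used it.
    One account submitting from several unrelated IPs is the usual sign of a
    stolen password rather than a script on the server."""
    summary = {}
    for rec in authenticated_submissions(log_text):
        entry = summary.setdefault(rec["auth_id"], {"count": 0, "client_ips": set()})
        entry["count"] += 1
        entry["client_ips"].add(rec["client_ip"])
    return {k: {"count": v["count"], "client_ips": sorted(v["client_ips"])}
            for k, v in summary.items()}


def script_senders(log_text, root="/home"):
    """Count 'cwd=' entries under root: the directories local scripts send mail from.
    Keyed on the cwd= token itself, so the [pid] column does not affect it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and m.group("cwd").startswith(root):
            counts[m.group("cwd")] += 1
    return counts


if __name__ == "__main__":
    for cwd, n in script_senders(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {cwd}")
    for acct, info in submissions_by_account(SAMPLE_LOG).items():
        print(f"{acct}: {info['count']} messages from {', '.join(info['client_ips'])}")
```

Run it against a real log by reading /var/log/exim_mainlog into a string and passing it to script_senders() and submissions_by_account(); an account whose client_ips list spans residential ranges in several countries, or whose count climbs at a fixed interval like the ten minutes reported above, points at the password rather than the server.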
Hello, feel free to update this thread with the outcome after changing the password of the email account, as advised in the previous posts. Thank you.