Skip to main content

email failed due to suspicious file activity

Comments

6 comments

  • 24x7server
    Hello :), I can see your this mail has been sent from your rripp1.php file, which is present under your one of the user (USER id : 501). Please check this account and remove unwanted files this account and secure it.
    0
  • keat63
    I just looked and dont have an account under 501. Not that I can see anyway Incidentally, the IP 101.251.x.x is not my server I've googled this a few times, but cannot find anything definitive. Lots of posts mentioning hosts files. This is mine
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 213.xxx.xxx.xx my.server.co.uk my server213-xxx-xxx-xxx.hosts-servers.net server213-xxx-xxx-xx
    Could there be some sort of bypass where the hacker, spammer, etc sends an email as localhost, and then my server interprets this as it'self, and that's why I recieved the failure notification ??
    0
  • mtindor
    I'd say search your filesystem for the file: rripp1.php find / -name rripp1.php -type -f | xargs ls -alt Might take a long time if you have a lot of files. 501 is usually clamav user on many of my machines, but on other machines its my first hosting account user. Look for 501 in your /etc/passwd and /etc/group M
    0
  • keat63
    I found an entry for 501 in the group file. It's saying Mailtrap Is there a syntax error in that find command as I get a message pop up about " Arguments to -type should contain only one letter", then a whole host of files and folders appear, but I don't see rripp1.php amongst them
    0
  • keat63
    I have CSF explorer installed and didn't realise that this had a search facility. It's coming back and saying no results for rripp1.php
    0
  • cPanelMichael
    Hello :) Is the "mlocate" package installed on your system? If so, you can try searching the file via a command such as:
    locate rripp1.php
    The database is cached, so as long as it has not updated recently, it should show you if that file existed in the past and was recently deleted. Thank you.
    0

Please sign in to leave a comment.