Please explain Mail Control Data
Hello,
in the WHM Mail Queue I see a spammer sending out e-mails from multiple cPanel accounts:
info@example.com
info@example1.com
It is always info@, and sometimes such a mailbox does not exist.
Can you please help me understand what the following data means, which I got by clicking a queued e-mail in WHM?
It would be greatly helpful if anyone could explain a) what this e-mail means and b) what the highlighted phrases I found interesting mean. Especially, I found it interesting that the cPanel account "cpanelaccountnamewhichisnotrelatedtothe_mydomainhere.com_cpanel" knows about neighbouring domains. Probably some spammer injected a malicious script or is abusing a flaw in that single cPanel account, then found domains on the same server IP and is trying to send out SPAM with faked sender e-mail addresses? Can such an e-mail be delivered when it is sent from a different cPanel account than the sender's e-mail domain? How can I prevent such e-mails from being processed by Exim and sent out? Thank you a lot.
Mail Control Data:
mailnull 47 12
1471148307 0
-helo_name mydomainhere.com
-host_address ::1.42812
-interface_address ::1.25
-received_protocol esmtp
-aclc _authenticated_local_user 8
cpanelaccountnamewhichisnotrelatedtothe_mydomainhere.com_cpanel
-body_linecount 32
-max_received_linelength 76
-host_lookup_failed
XX
1
recipientaccounthere@aol.com
Received:
from [::1] (port=42812 helo=mydomainhere.com)
by myservhost.name.here with esmtp (Exim 4.87)
(envelope-from )
id 1bYmsV-0008LO-8y
for recipientaccounthere@aol.com; Sun, 14 Aug 2016 04:18:27 +0000
X-mailer: Mailer v1.0
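As an added example for this thread (not cPanel's or Exim's code, and not from any poster), the Python below parses a block like the Mail Control Data above, which is the Exim spool header (the -H file) of the queued message, and pulls out the fields that matter for triage: the client and interface addresses (written as "address.port", here loopback and port 25), the HELO name, the -aclc line that stores an ACL connection variable with its value on the following line (on this server it carries the local account name), the recipients and the headers. SAMPLE reuses the placeholder names from the post; a real spool header also carries message-id and envelope-sender lines, which are absent from the post, so the parser treats them as optional. The epoch receive time is converted to UTC so it can be compared with the date in the Received header.

```python
"""Parse the 'Mail Control Data' WHM shows for a queued message (the Exim
spool -H header) and read off the facts that matter for spam triage.
Added example for this thread, not cPanel or Exim code. SAMPLE reuses the
placeholder names from the post; the message-id and envelope-sender lines
a real spool header carries are absent from the post, so optional here."""
import re
from datetime import datetime, timezone

SAMPLE = """\
mailnull 47 12
1471148307 0
-helo_name mydomainhere.com
-host_address ::1.42812
-interface_address ::1.25
-received_protocol esmtp
-aclc _authenticated_local_user 8
cpanelaccountnamewhichisnotrelatedtothe_mydomainhere.com_cpanel
-body_linecount 32
-max_received_linelength 76
-host_lookup_failed
XX
1
recipientaccounthere@aol.com

Received: from [::1] (port=42812 helo=mydomainhere.com)
\tby myservhost.name.here with esmtp (Exim 4.87)
\tid 1bYmsV-0008LO-8y
\tfor recipientaccounthere@aol.com; Sun, 14 Aug 2016 04:18:27 +0000
X-mailer: Mailer v1.0
"""


def split_addr(value):
    """Exim writes 'address.port', e.g. '::1.42812' or '127.0.0.1.38007'."""
    ip, port = value.rsplit(".", 1)
    return ip, int(port)


def parse_control_data(text):
    lines = text.splitlines()
    ctl = {"options": {}, "acl": {}, "recipients": [], "headers": {}}
    i = 0
    # Preamble: 'login uid gid' of the process that created the spool file,
    # an optional '<envelope-sender>' line, then 'received_epoch warning_count'.
    while i < len(lines) and not lines[i].startswith("-"):
        line, parts = lines[i], lines[i].split()
        if re.fullmatch(r"<.*>", line):
            ctl["envelope_from"] = line[1:-1]
        elif len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            ctl["login"], ctl["uid"], ctl["gid"] = parts[0], int(parts[1]), int(parts[2])
        elif len(parts) == 2 and parts[0].isdigit():
            ctl["received"], ctl["warnings"] = int(parts[0]), int(parts[1])
        i += 1
    # Options: '-name value', a bare '-flag', or '-aclc/-aclm name length'
    # whose value sits on the next line (acl_c_* / acl_m_* variables).
    while i < len(lines) and lines[i].startswith("-"):
        parts = lines[i][1:].split(None, 2)
        if parts[0] in ("aclc", "aclm"):
            i += 1
            ctl["acl"]["acl_" + parts[0][3] + parts[1]] = lines[i]
        else:
            ctl["options"][parts[0]] = parts[1] if len(parts) > 1 else True
        i += 1
    # Non-recipients tree ('XX' when empty), then recipient count and list.
    while i < len(lines) and not lines[i].isdigit():
        i += 1
    count = int(lines[i])
    i += 1
    for _ in range(count):
        ctl["recipients"].append(lines[i].split()[0])
        i += 1
    while i < len(lines) and lines[i] == "":   # blank line before the headers
        i += 1
    name = None
    for line in lines[i:]:
        if line[:1].isspace() and name:        # folded continuation line
            ctl["headers"][name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            ctl["headers"][name.strip()] = value.strip()
    return ctl


def triage(ctl):
    """The handful of facts worth reading off a queued spam message."""
    peer_ip, peer_port = split_addr(ctl["options"]["host_address"])
    _, local_port = split_addr(ctl["options"]["interface_address"])
    return {
        "received_utc": datetime.fromtimestamp(ctl["received"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "local_origin": peer_ip in ("::1", "127.0.0.1"),   # submitted over loopback, not from outside
        "peer_port": peer_port,
        "local_port": local_port,
        "protocol": ctl["options"].get("received_protocol"),
        "helo": ctl["options"].get("helo_name"),
        # the system account cPanel attached to the loopback connection
        "local_account": ctl["acl"].get("acl_c_authenticated_local_user"),
        # the Received header should record the same client port as -host_address
        "received_matches": f"port={peer_port}" in ctl["headers"].get("Received", ""),
        "recipients": ctl["recipients"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_control_data(SAMPLE)).items():
        print(f"{key:17} {value}")
```

For the sample this reports local_origin True, peer port 42812 (the same port the Received header records), local port 25, receive time 2016-08-14 04:18:27 UTC and one recipient. A message with these properties was handed to Exim by a process on the server itself, so the account in the acl_c variable, not the From: domain, is where to start looking.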
Hello,

Could you search for one of the messages in /var/log/exim_mainlog and let us know the output? You can use a command such as:

exigrep info@domain /var/log/exim_mainlog

Thank you.
Hi, we have the same issue on multiple domains. Outgoing mail originates from localhost with sender info@somedomain.com for somerecipient@aol.com (in most cases the recipient domain is aol.com, but not always). We already tried to analyze the exim_mainlog and the access_log of these domains, but we didn't find any clue. We also ran various scans with maldet and rkhunter. Is there anything else we can search for? Thanks

Outgoing mail originates from localhost with sender info@somedomain.com for somerecipient@aol.com (in most cases the recipient domain is aol.com, but not always). We already tried to analyze the exim_mainlog and the access_log of these domains, but we didn't find any clue. We also ran various scans with maldet and rkhunter. Is there anything else we can search for?

Could you provide an example of one of the entries in /var/log/exim_mainlog? Thank you.
Hi, below you can find an example:

2016-08-20 14:17:50 [23807] 1bb5Di-0006Bz-Ht H=(someclientdomain.com) [127.0.0.1]:38007 I=[127.0.0.1]:25 Warning: Message has been scanned: no virus or other harmful content was found
2016-08-20 14:17:50 [23807] 1bb5Di-0006Bz-Ht <= info@someclientdomain.com H=(someclientdomain.com) [127.0.0.1]:38007 I=[127.0.0.1]:25 P=esmtp S=1717 M8S=0 id=1476252299.7533613.1471695471308@someclientdomain.com T="RE: hi somerecipient" from for somerecipient@aol.com
2016-08-20 14:17:50 [23820] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bb5Di-0006Bz-Ht
2016-08-20 14:17:50 [23820] 1bb5Di-0006Bz-Ht SMTP connection identification H= A=127.0.0.1 P=38007 M=1bb5Di-0006Bz-Ht U=nobody ID=99 S=nobody B=authenticated_local_user
2016-08-20 14:17:53 [23820] 1bb5Di-0006Bz-Ht => somerecipient@aol.com F= P= R=dkim_lookuphost T=dkim_remote_smtp S=2248 H=mailin-03.mx.aol.com [152.163.0.67]:25 I=[185.78.64.20]:50166 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=yes DN="/C=US/ST=Virginia/L=Dulles/O=AOL Inc./OU=AOL Mail/CN=mx.aol.com" C="250 2.0.0 Ok: queued as 91EE0700000AC" QT=3s DT=3s
2016-08-20 14:17:53 [23820] 1bb5Di-0006Bz-Ht Completed QT=3s

I think these e-mails are being sent from a PHP script and not from an e-mail account. I recommend that you check the access log of the someclientdomain.com domain for the presence of a malicious file; the log is at this path: /home/cPanel_User/access_logs/someclientdomain.com
U=nobody ID=99 S=nobody

This suggests the email is coming from a script. Try using a command like this to look for directories that have sent out high numbers of emails:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Thank you.
Could you search for one of the messages in /var/log/exim_mainlog and let us know the output?

Hello, please take a look:

2016-08-27 07:32:42 1bdXo8-0003xV-Az SMTP connection identification H= A=::1 P=34937 M=1bdXo8-0003xV-Az U=somecpaneluserhere ID=553 S=somecpaneluserhere B=authenticated_local_user
2016-08-27 07:32:42 1bdXo8-0003xV-Az From: header (rewritten was: [info@locallyhosteddomain.com], actual sender is not the same system user) original=[info@locallyhosteddomain.com] actual_sender=[somecpaneluserhere@host.domainhere.com]
2016-08-27 07:32:49 1bdXo8-0003xV-Az SMTP error from remote mail server after end of data: 421 4.2.1 "Service unavailable. Please try again later."
2016-08-27 07:32:55 1bdXo8-0003xV-Az SMTP error from remote mail server after end of data: 421 4.2.1 "Service unavailable. Please try again later."
2016-08-27 07:33:02 1bdXo8-0003xV-Az SMTP error from remote mail server after end of data: 421 4.2.1 "Service unavailable. Please try again later."
2016-08-27 07:33:08 1bdXo8-0003xV-Az SMTP error from remote mail server after end of data: 421 4.2.1 "Service unavailable. Please try again later."
2016-08-27 07:33:14 1bdXo8-0003xV-Az SMTP error from remote mail server after end of data: 421 4.2.1 "Service unavailable. Please try again later."
2016-08-27 07:33:14 1bdXo8-0003xV-Az == someuserhere@aol.com R=dkim_lookuphost T=dkim_remote_smtp defer (-46) H=mailin-02.mx.aol.com [152.163.0.100]: SMTP error from remote mail server after end of data: 421 4.2.1 "Service unavailable. Please try again later."

What do you think? When looking up the access logs for "somecpaneluserhere", matching the 07:** time today:

grep -Ril "27/Aug/2016:07:3" /home/somecpaneluserhere/access_logs/
cat /home/somecpaneluserhere/access_logs/* | grep "27/Aug/2016:07:3"

I can see:

79.6.173.* - - [27/Aug/2016:07:33:04 +0000] "GET /wp-login.php HTTP/1.1" 404 14 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
199.201.90.* - - [27/Aug/2016:07:12:25 +0000] "POST /forum/Themes/default/languages/Login.albanian.php HTTP/1.1" 200 840 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
67.211.37.* - - [27/Aug/2016:07:18:41 +0000] "POST /wp-includes/js/swfupload/plugins/css.php HTTP/1.1" 200 361 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"

The second and third files were infected by 2 bad lines of (encoded) code, so I removed the bad lines.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

I tried this, and neither the "somecpaneluserhere" nor the "locallyhosteddomain.com" cPanel account was listed among the top e-mail sending paths. Does it mean someone knows the password to my somecpaneluserhere cPanel account? Or is some script within that somecpaneluserhere cPanel account sending out spam? I changed that account's password not long ago and used an unguessable long password.
Hi, we did find the source of the SPAM e-mail. It wasn't in any of the accounts that were "sending" the mail (info@somedomain.com) and that I could find with the following command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

It was in another account that wasn't sending e-mail itself but was used to send e-mail as other users' domains on the same machine. So do not limit your search for malicious scripts to the account that is actually sending the e-mail. We found it by searching all PHP scripts containing eval and searching for potentially malicious code in base64. We also cross-referenced the time the e-mail was sent with the access_log of the suspected compromised account that we found with the eval search. I hope this can help you.
actual_sender=[somecpaneluserhere@host.domainhere.com]

To answer your earlier question, yes, this suggests the email originates from that account. The steps you completed (changing the account password and removing the infected lines from those files) should address the issue. You may also want to search the term "secure wordpress" on our forums to see examples of how other users have secured their server to help prevent these types of attacks. Thank you.
As I can't update my earlier posts, I will add this one. I think a good way to find SPAM scripts (these were not detected by: grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n ) is to click the SPAM e-mail in the WHM e-mail queue, or to find the SPAM log entry in exim_mainlog.

When looking at the Mail Control Data section in WHM E-mail Queue/message I saw:

-aclc _authenticated_local_user 8
infectedcpanelhere

In exim_mainlog I saw:

(actual_sender=[somecpaneluserhere@host.domainhere.com])

So it identifies the infected cPanel account. Then look up the first time that message appeared in the queue; in WHM/MailQueue/Message I have, for example:

Date: Mon, 12 Sep 2016 08:27:04 +0000 (UTC)

So I copy the hour and the tens of minutes, "08:2", and then cat the access log for that cPanel account, like:

cat /usr/local/apache/domlogs/cpanelnamehere/*|grep ".php"|grep -vE "404|gif|jpg|png|robots.txt"|grep -E "08:2"

Then view the files accessed around that time, and if you find some bad script or injected malicious code, look up the whole cPanel account for footprints of the malicious code (grep -Ril "bad phrase" /home/cpanelnamehere/public_html) and for files that were modified on the same day, like this one (find /home -type f -path /home/virtfs -prune -o -name "*.php" -newermt 2014-11-05 ! -newermt 2014-11-07), which finds files modified on 2014-11-06.
I wanted to add another thing that may help. I am not allowed to update my previous post, so I am bumping this topic with a new reply. In my previous post I found the cPanel account that sends the SPAM, so I can scan this cPanel user's directory:

maldet -a /home/usernamehere/public_html
clamscan -ir /home/usernamehere/public_html

It found some malicious scripts in my case. One can also grep the malicious script's filename out of the access log (grep file.php /home/usernamehere/access-logs/*) and consider banning some IPs.
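The procedure in the last two posts (take the account from the actual_sender line or the acl_c variable, take the message's arrival time, and look in that account's access log for PHP scripts that were POSTed to around that time, ignoring 404s and static files) as an added Python example; this is not code from the thread, from cPanel or from Exim. Both log excerpts are constructed from the line shapes quoted above, with made-up paths, an invented pid-less exim_mainlog layout (cPanel's may carry a [pid] after the timestamp, which the pattern allows) and documentation-range IPs. It assumes both logs are in the same timezone (UTC here) and uses a +/-120 second window by default; widen the window when the spam run is long, as the usage note shows.

```python
"""Correlate Exim's 'SMTP connection identification' and From:-rewrite lines
with the identified account's Apache access log, to find the PHP script that
submitted a spam message. Added example for this thread, not code from any
poster, cPanel or Exim. Both excerpts are constructed from the line shapes
quoted in the thread with made-up paths and documentation-range IPs; both
logs are assumed to be in UTC."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

EXIM_MAINLOG = """\
2016-08-27 07:32:42 1bdXo8-0003xV-Az SMTP connection identification H= A=::1 P=34937 M=1bdXo8-0003xV-Az U=somecpaneluserhere ID=553 S=somecpaneluserhere B=authenticated_local_user
2016-08-27 07:32:42 1bdXo8-0003xV-Az From: header (rewritten was: [info@locallyhosteddomain.com], actual sender is not the same system user) original=[info@locallyhosteddomain.com] actual_sender=[somecpaneluserhere@host.domainhere.com]
"""

# /home/<account>/access-logs/<domain>: a 404 probe, an unrelated image and
# POSTs to a PHP file planted under a plugin directory (all constructed).
ACCESS_LOG = """\
198.51.100.23 - - [27/Aug/2016:07:12:25 +0000] "POST /forum/Themes/default/languages/Login.albanian.php HTTP/1.1" 200 840 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2016:07:18:41 +0000] "POST /wp-includes/js/swfupload/plugins/css.php HTTP/1.1" 200 361 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2016:07:32:40 +0000] "POST /wp-includes/js/swfupload/plugins/css.php HTTP/1.1" 200 361 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Aug/2016:07:32:41 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Aug/2016:07:33:04 +0000] "GET /wp-login.php HTTP/1.1" 404 14 "-" "Mozilla/5.0"
"""

# The optional '[pid]' after the timestamp matches cPanel's exim_mainlog layout.
IDENT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?(?P<id>\S+) "
                      r"SMTP connection identification (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
REWRITE_RE = re.compile(r"^\S+ \S+ (?:\[\d+\] )?(?P<id>\S+) From: header .*original=\[(?P<original>[^\]]+)\]"
                        r".*actual_sender=\[(?P<actual>[^\]]+)\]")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def parse_exim(text):
    """{message_id: {time, peer, proc_user, claimed_from, actual_sender}}"""
    msgs = {}
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            kv = dict(KV_RE.findall(m.group("kv")))
            msgs.setdefault(m.group("id"), {}).update(
                time=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
                peer=kv.get("A"),       # A= connecting address; ::1 / 127.0.0.1 means a local process
                proc_user=kv.get("U"))  # U= local user behind the connection; 'nobody' is the web server's user
            continue
        m = REWRITE_RE.match(line)
        if m:
            msgs.setdefault(m.group("id"), {}).update(
                claimed_from=m.group("original"), actual_sender=m.group("actual"))
    return msgs


def parse_access(text):
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield {"ip": m.group("ip"), "method": m.group("method"),
                   "path": m.group("path").split("?", 1)[0], "status": int(m.group("status")),
                   "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}


def suspects(msg, entries, window):
    """Non-404 POSTs to .php files within +/- window of the message's arrival."""
    hits = [e for e in entries
            if e["method"] == "POST" and e["path"].lower().endswith(".php")
            and e["status"] != 404 and abs(e["time"] - msg["time"]) <= window]
    return Counter(e["path"] for e in hits), Counter(e["ip"] for e in hits)


def triage(exim_text, access_text, window_s=120):
    """Per message: who cPanel says submitted it, what it claimed, and which scripts/IPs line up."""
    entries = list(parse_access(access_text))
    result = {}
    for mid, msg in parse_exim(exim_text).items():
        if "time" not in msg:      # rewrite line without its identification line
            continue
        scripts, ips = suspects(msg, entries, timedelta(seconds=window_s))
        result[mid] = {"account": msg.get("proc_user"),
                       "local_origin": msg.get("peer") in ("::1", "127.0.0.1"),
                       "claimed_from": msg.get("claimed_from"),
                       "actual_sender": msg.get("actual_sender"),
                       "scripts": dict(scripts), "ips": dict(ips)}
    return result


if __name__ == "__main__":
    for mid, r in triage(EXIM_MAINLOG, ACCESS_LOG).items():
        print(mid, r)
```

With the default window the only candidate is the css.php POST two seconds before the message was accepted, from 203.0.113.7; widening to 30 minutes (window_s=1800) also pulls in the earlier css.php POST and Login.albanian.php, which is the point at which the thread's next steps (grep the account for the injected code, check modification times, run maldet/clamscan, block the posting IPs) take over.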