Spam emails being sent from cPanel account

Comments

7 comments

  • Eminds
    Did you check if the account is infected with a malicious script? Scan the website data with clamav or maldet and see what you get.
    0
  • SysSachin
    Change your twinsister@ email account password, because that mail was sent from your twinsister@ account. You can suspend this single email account through your cPanel.
    0
  • Jcats
    > did you check if the account is infected with a malicious script? .. scan the website data with clamav or maldet and see what you get.

    You yourself may want to study up a bit, as the answer lies right within the logs he posted; no need to have him go on a wild goose chase. Any time there is spam coming from the server, there will be one of two ways, in most cases anyway:

    1. Spam coming from someone using SMTP authentication with an actual email account; in most cases this is from a weak password.
    2. Someone sending POST requests to a PHP script.

    How do you distinguish between the two? Easy.

    1. Spam being sent via SMTP authentication. We can use the OP's example; this line says it all:

    -11-11 13:18:28 1c5GPE-00061S-2f <= twinsister@example.com H=(www.domain.com) [95.173.172.82]:59161 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:twinsister@example.com S=1476 id=427a3fde29b1abda9013bc30746a1dc5@www.domain.com T="4 Waiting Quick F#ck Request" for someusr@hotmail.com

    and more specifically this part: "A=dovecot_login:twinsister@example.com". This is someone authenticating with the account twinsister@example.com. This is a good one-liner you can use to check the number of authentications per email account (the head and tail parts print the first and last date covered by the log):

    head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort | uniq -c | sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print $1}'

    Example output:

    root@server[/]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort | uniq -c | sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print $1}'
    2016-11-06
          2 jay@domain.com
          2 justin@domain.com
         38 scott@domain.com
         68 billing@domain.com
        154 abuse@domain.com
        180 sales@domain.com
       3383 support@domain.com
    2016-11-12

    You can see that between the dates 2016-11-06 and 2016-11-12 the account support@domain.com has auth'd 3383 times; compared to the others, it's way above the average, so there's a good possibility it's spamming. You can easily check those outgoing emails by grepping the same log file:

    grep dovecot_login:support@domain.com /var/log/exim_mainlog

    You can easily tell by the subject if they are spamming, in most cases.

    2. Finding out if the spam is coming from a PHP script. Example of an email from a PHP script in the exim_mainlog:

    2016-11-12 19:59:25 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
    2016-11-12 19:59:25 1c5k4r-003iYa-6K <= user@server.domain.com U=user P=local S=25164 T="Some spam subject" for some@poor.soul
    2016-11-12 19:59:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5k4r-003iYa-6K
    2016-11-12 19:59:25 1c5k4r-003iYa-6K SMTP connection outbound 1479002365 1c5k4r-003iYa-6K poor.soul some@poor.soul
    2016-11-12 19:59:25 SMTP connection from [x.x.x.x]:46374 (TCP/IP connection count = 3)
    2016-11-12 19:59:27 1c5k4r-003iYa-6K => some@poor.soul R=lookuphost T=remote_smtp H=mx.domain.com [x.x.x.x] X=TLSv1.2:AES128-SHA:128 CV=yes C="250 Message received"
    2016-11-12 19:59:27 1c5k4r-003iYa-6K Completed

    This time around, you can see there is no "A=dovecot_login" anywhere within the log; however, in the first line you can see it starts off with

    cwd=/home/user/public_html

    Although it doesn't tell you the exact script, it's telling you the location the mail is being sent from. A good one-liner to use to track down spam scripts; this one-liner will show you each time the PHP script is posted to and recorded in the log:

    head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print $1}'

    Example:

    root@hearted [~]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print $1}'
    2016-11-06
    195674 cwd=/home/someuser99/public_html/wp-content/plugins/wpgform
    155601 cwd=/home/someuser99/public_html/blog/wp-admin/network
    1945 cwd=/home/someuser662
    1665 cwd=/home/someuser233/public_html/charm/forum
    969 cwd=/home/someuser1
    114 cwd=/home/someuser51/public_html/domain.com/shop
    97 cwd=/home/someuser1/public_html/CupOfGossip
    42 cwd=/home/someuser23/public_html/blog
    40 cwd=/home/someuser2313/public_html/blog
    26 cwd=/home/someuser54/public_html
    24 cwd=/home/someuser12/public_html/domain.com/shop/wp-admin
    2016-11-12

    I think it's pretty clear here that there is some spam coming from the top 2 directories. A super easy way to pinpoint which scripts they are, example using the above results:

    grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n

    This will grep all the POST requests and sort them by the number of times each PHP script has been hit. Example:

    root@server[~]# grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
          1 /wp-cron.php?doing_wp_cron=1478973503.4872438907623291015625
          1 /wp-cron.php?doing_wp_cron=1478975746.5134899616241455078125
          2 /wp-content/themes/accesspress-lite/slide-menues.php
          3 /wp-admin/
          3 /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain.com%2Fwp-admin%2F&reauth=1
          8 /xmlrpc.php
        650 /wp-content/plugins/wpgform/test44.php
       2461 /wp-login.php

    The culprit being: /wp-content/plugins/wpgform/test44.php

    Hope this helps!
    0
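The triage procedure in the answer above (count SMTP AUTH logins per account, count local submissions per working directory, then count POST hits per URL in the account's access log), as an added example that is not part of the thread: the three one-liners are rewritten as shell functions that take a log path, and a constructed exim_mainlog and access log are embedded so the script runs offline. Every account name, host, IP and path in the samples is made up; the log field positions ($3 for cwd=, $6/$7 for the request method and path) are the ones the one-liners rely on.

```shell
#!/bin/sh
# Added example, not code from the thread: the three one-liners above turned
# into reusable functions that take a log path, plus a constructed sample
# Exim main log and access log so the script runs offline. All account names,
# hosts, IPs and paths in the samples are made up.

# Submissions that used SMTP AUTH (A=dovecot_login:... or A=dovecot_plain:...),
# counted per account, fewest first, so the busiest account is the last line.
exim_auth_report() {
    grep -oE 'A=dovecot_(login|plain):[^ ]+' "$1" \
        | cut -d: -f2 | sort | uniq -c | sort -n | sed 's/^ *//'
}

# Submissions from a local process, counted by the working directory Exim
# logged (cwd=...); a spamming PHP script shows up as its own directory.
# Directories used by Exim's own delivery processes are filtered out.
exim_cwd_report() {
    awk '$3 ~ /^cwd=/ {print $3}' "$1" \
        | grep -vE '^cwd=(/$|/etc/csf|/var/spool/exim)' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# POST requests per URL from an Apache/cPanel access log; field 6 is the
# quoted method and field 7 the request path, so a query string that merely
# contains the word POST is not counted (plain "grep POST" would count it).
access_post_report() {
    awk '$6 == "\"POST" {print $7}' "$1" | sort | uniq -c | sort -n | sed 's/^ *//'
}

# Convenience wrappers that return only the top entry of each report.
exim_top_auth()   { exim_auth_report "$1"   | tail -1 | awk '{print $2}'; }
exim_top_cwd()    { exim_cwd_report "$1"    | head -1 | awk '{print $2}'; }
access_top_post() { access_post_report "$1" | tail -1 | awk '{print $2}'; }

# Constructed sample exim_mainlog: two authenticated submissions from one
# account, one from another, and local submissions from a plugin directory.
write_sample_exim_log() {
    cat > "$1" <<'EOF'
2016-11-12 13:18:28 1c5GPE-00061S-2f <= twinsister@example.com H=(www.domain.com) [95.173.172.82]:59161 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:twinsister@example.com S=1476 T="Waiting Request" for someusr@hotmail.com
2016-11-12 13:18:29 1c5GPF-00061T-3g <= twinsister@example.com H=(www.domain.com) [95.173.172.82]:59162 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:twinsister@example.com S=1480 T="Waiting Request" for other@hotmail.com
2016-11-12 13:20:01 1c5GQz-00062A-1a <= jay@domain.com H=(laptop) [203.0.113.5]:50000 P=esmtpsa X=TLSv1.2:AES128-SHA:128 CV=no A=dovecot_plain:jay@domain.com S=2210 T="Re: invoice" for client@example.org
2016-11-12 19:59:25 cwd=/home/someuser99/public_html/wp-content/plugins/wpgform 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:25 1c5k4r-003iYa-6K <= someuser99@server.domain.com U=someuser99 P=local S=25164 T="Some spam subject" for some@poor.soul
2016-11-12 19:59:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5k4r-003iYa-6K
2016-11-12 19:59:26 cwd=/home/someuser99/public_html/wp-content/plugins/wpgform 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:30 cwd=/home/someuser1/public_html 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:31 cwd=/ 3 args: /usr/sbin/exim -q
EOF
}

# Constructed sample access log for the account that owns the top directory.
write_sample_access_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [12/Nov/2016:19:59:25 +0000] "POST /wp-content/plugins/wpgform/test44.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2016:19:59:26 +0000] "POST /wp-content/plugins/wpgform/test44.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2016:20:01:00 +0000] "GET /index.php?q=POST HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2016:20:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: report on the logs given as $1 (exim_mainlog) and $2
# (access log), or on the constructed samples when run without arguments.
EXIM_LOG="${1:-}"; ACCESS_LOG="${2:-}"
if [ -z "$EXIM_LOG" ]; then
    EXIM_LOG=$(mktemp);   write_sample_exim_log "$EXIM_LOG"
    ACCESS_LOG=$(mktemp); write_sample_access_log "$ACCESS_LOG"
fi
echo "== SMTP AUTH submissions per account";       exim_auth_report "$EXIM_LOG"
echo "== local submissions per working directory"; exim_cwd_report "$EXIM_LOG"
if [ -n "$ACCESS_LOG" ]; then
    echo "== POST requests per URL";                access_post_report "$ACCESS_LOG"
fi
```

On a live cPanel server run it as `sh triage.sh /var/log/exim_mainlog /home/someuser99/access-logs/www.domain.com` once the cwd report has told you which account to look at; the access log name under access-logs is per domain, so pick the one for the site that owns the directory.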
  • cPanelMichael
    Hello @Buffcode18, The previous response should help address the issue. Let us know if you have any additional questions. Thank you.
    0
  • Buffcode18
    Thanks Jcats - this helped a lot! Obviously the account in question was being spammed from authentication - still confusing since I reset the account password a few times and it didn't help but I just changed it again to something stronger. Your solution for PHP scripts spamming also helped me diagnose an account on another server
    0
  • Jcats
    For the future: after you change the password, try restarting dovecot and exim; it may be that they are locked into a session which allows them to continue sending. And/or there might be emails sitting in the mail queue as well which are waiting to be sent. I usually flush it out after I know someone has been spamming:
    # exim -bp | exiqgrep -i | xargs exim -Mrm
    0
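The queue flush in the comment above removes every queued message, including legitimate mail that happens to be waiting. As an added example that is not part of the thread, the functions below read the listing that `exim -bp` prints (age, size, message ID, envelope sender in angle brackets, then indented recipient lines) and select only the spammer's message IDs for `exim -Mrm`. The queue listing embedded here is constructed in that format; the IDs and addresses are made up, and the actual removal command is left as a comment because it needs a live Exim.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise an "exim -bp" queue
# listing per envelope sender and pick out one sender's message IDs, so that
# "exim -Mrm" can be pointed at the spammer's mail rather than the whole queue.
# The sample listing is constructed; IDs and addresses are made up.

# Count queued messages per envelope sender, busiest first.
# Header lines of a queue entry look like:  25m  1.5K <id> <sender> [*** frozen ***]
queue_senders() {
    awk '$3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ && $4 ~ /^<.*>$/ {
             s = $4; sub(/^</, "", s); sub(/>$/, "", s); n[s]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Print the message IDs whose envelope sender equals $1 (frozen ones included).
queue_ids_for_sender() {
    awk -v want="<$1>" \
        '$3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ && $4 == want { print $3 }'
}

# Constructed sample in the format "exim -bp" prints.
sample_queue() {
    cat <<'EOF'
 25m  1.5K 1c5k4r-003iYa-6K <twinsister@example.com>
          some@poor.soul

 24m  1.4K 1c5k5a-003iYb-7L <twinsister@example.com> *** frozen ***
          another@poor.soul

  3m   12K 1c5kZ0-003iZz-9Q <billing@domain.com>
          customer@example.org

EOF
}

# Stand-alone run: show the sample queue per sender, then the IDs a purge of
# twinsister@example.com would remove.
echo "== queued messages per sender";        sample_queue | queue_senders
echo "== IDs from twinsister@example.com";   sample_queue | queue_ids_for_sender twinsister@example.com
# On the live server the same selection feeds exim -Mrm (not run here):
#   exim -bp | queue_ids_for_sender twinsister@example.com | xargs exim -Mrm
```

`exiqgrep -i -f '<twinsister@example.com>'` gives the same ID list in one command where exiqgrep is installed; the point of the awk version is to make the selection explicit and to run the per-sender summary first, so the purge hits only the account you have already identified. On cPanel the service restarts mentioned above are `/scripts/restartsrv_dovecot` and `/scripts/restartsrv_exim`.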
  • webhostuk
    Nice help Jcats to teach our new staff members on how to help such customers :)
    0