Server Sending Spam Problem
Hi everyone, i"m kind of desesperate, my server sends spam from email acounts very similar to the real one.
Real Mail Account: info@example.com
Spammers:
info115@example.com
info116@example.com
info117@example.com
info118@example.com
info119@example.com
....
After of write this: grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n
I get this details:
So it seems its root user witch sends spam, but i can not find a way to get the spammer script Thanks very much
1 /home/biovidrio/public_html
1 /home/meollo/public_html
1 /home/tyd/public_html
1 /home/webes/public_html/base
1 /home/webes/public_html/clinicadental
1 /home/webes/public_html/serviamb
1 /var/log
2 /home/adventurerooms/public_html
2 /home/webes/public_html/tienda
3 /home/enigmabohemia/public_html
3 /home/legionella/public_html
4 /home/ruraly/public_html
4 /home/webes/public_html
4 /home/webtematica/public_html
5 /home/actormania/public_html
5 /home/albertogorgojo/public_html
5 /home/algodonmerlin/public_html
5 /home/antonioaznar/public_html
5 /home/elperiodismo/public_html
5 /home/fisioterapia/public_html
5 /home/fontanerosmadrid/public_html
5 /home/inmobiliaria/public_html
5 /home/kristianboys/public_html
5 /home/serviamb/public_html
6 /home/disenowebmadrid/public_html
7 /home/costurasnontol/public_html
7 /home/cursoderevit/public_html
8 /tmp
14 /home/portalclasico/public_html
78 /
110 /usr/local/apache/domlogs/portalclasico
181 /home
960 /root
6748 /usr/local/cpanel/whostmgr/docroot
So it seems its root user witch sends spam, but i can not find a way to get the spammer script Thanks very much
-
Hello, It's seems the mail sending from account using php mail script. I think there is infected file under the account which is sending mails. Please try to check logs using below command so that you will get account account which is sending mail. tail -n2000 /var/log/exim_mainlog|grep /home/0 -
Thanks for the replay, i"m only get this details: 2016-12-30 11:42:37 [3507] cwd=/home/someusr/public_html 4 args: /usr/sbin/sendmail -t -i -finfo@example.com0 -
Real Mail Account: info@example.com[/EMAIL] Spammers: info115@example.com[/EMAIL] info116@example.com[/EMAIL] info117@example.com[/EMAIL] info118@example.com[/EMAIL] info119@example.com[/EMAIL] ....
If spam mails sending one account then try to scan account with maldet and clamscan if found any infected mail script under that account.0 -
Remember this may not be an infected script, and may not be detected by antivirus or malware detection software. Check for things like unpatched versions ( eg PHPMailer that has just had 2 critical updates in 3 days, and which may well be being actively exploited.) and any other php scripts that might be installed. 0 -
Thanks for the replay, i check with malded and clam, but not show results, about PHPMailer, not know what to do or update Any ideas, thanks very much in advance and happy new year 0 -
I repeat the grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n and this is the result 1 1 /home/actormania/public_html 1 /home/albertogorgojo/public_html 1 /home/algodonmerlin/public_html 1 /home/antonioaznar/public_html 1 /home/costurasnontol/public_html 1 /home/cursoderevit/public_html 1 /home/disenowebmadrid/public_html 1 /home/elperiodismo/public_html 1 /home/enigmabohemia/public_html 1 /home/fisioterapia/public_html 1 /home/fontanerosmadrid/public_html 1 /home/inmobiliaria/public_html 1 /home/kristianboys/public_html 1 /home/ruraly/public_html 1 /home/serviamb/public_html 1 /home/webes/public_html 3 /home/webtematica/public_html 164 /root 318 / 3700 /usr/local/cpanel/whostmgr/docroot0 -
Hi, Following command that will show you the script which is using script to send the email. If it is from php then use # egrep -R "X-PHP-Script" /var/spool/exim/input/* Thanks, 0 -
Hello, The following document is a good place to start: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation In particular, review the section titled "Experimental: Rewrite From: header to match actual sender": Experimental: Rewrite From: header to match actual sender Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email. To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's 0
Please sign in to leave a comment.
Comments
8 comments