nobody@server - bounced emails

[chasmcg]

Someone was sending email from my server using the 'nobody' account. I stopped the user 'nobody' from being able to send emails in WHM. He is still sending the emails but now they are being bounced back to me.

I know the directory that he is sending from (I think). I have no idea which file it might be. It would be a PHP file. The website is a game website. I have compared my local drive to the server drive and no new files are there and no new dates. How can I find the file he might be using? Thanks for any help.

[nibin]

Hello,

Most probably, it should be sent vis a script. Check the logs thoroughly and see if you can find anything. Do you have "Mailheader" enabled with PHP ( you can do this from EA3 ); if so, you can find the exact script which sent the emails if you check the header of any of the spam emails sent from your server ( exim -Mvh <email id> and check X-script field ).

Thank you,
Nibin,

[chasmcg]

Thanks for the reply, Nibin. What is EA3?

Using putty.exe, if I enter this short script

"awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq
-c | sed "s|^ *||g" | sort -nr"

I'm told it's being sent from /home/myserver/public_html. But as stated in my original post I have no idea which file may be doing the sending.

Below is one of the headers from one of the bounced emails but I don't see any information that would be helpful. Funny thing about this, the emails, if sent, are being sent to one of my Yahoo email addresses.

Return-path: <nobody@server.myserver.com>
Received: from nobody by server.myserver.com with local (Exim 4.69)
(envelope-from <nobody@server.myserver.com>)
id 1RrvHD-0001jj-P6
for chbvcx@ymail.com; Mon, 30 Jan 2012 11:44:23 -0600
To: chbvcx@ymail.com
Subject: Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online
Content-Type: text/plain
From: <Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online>
Reply-To: Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online
Message-Id: <E1RrvHD-0001jj-P6@server.myserver.com>
Date: Mon, 30 Jan 2012 11:44:23 -0600

[nibin]

Hello,

EA3 = EasyApche 3 ; you can enable the PHP module I mentioned with EasyApche. In fact, it is good to have this enabled on a shared + DSO ( PHP as Apche module ) server to track such email abuses.

More about this module - http://choon.net/php-mail-header.php

Since you could find the account which is abusing server, review the conetnts of the account; check whether any files modified / uploaded recently to this account and scan those files carefully.

Good Luck

Thank you,
Nibin.

[nibin]

Hello,

Also make sure "Track email origin via X-Source email headers " is enabled in tweak settings!

Tweak Settings

Thank you,
Nibin.

[chasmcg]

Nibit, thanks a lot for your help. I am going to follow your instructions in a bit but first, another question.

I disabled EXIM. I am the only person that uses my server. How will this affect things? I don't use the mail at all on my server. But will I still get messages from the server such as warnings and such? Thanks.

[nibin]

Hello,

No, why do you pay the resource for a service that you do don't use! It is better to have all the services which we don't use on a server, for better performance and security.

What kind of warning messages are getting from your server? Have you diabled "monitor" for exim service as well ( remove it from chkservd conf )?

Thank you,
Nibin.

[nibin]

Hello,

Also, from PHP 5.3 there is a function called mail.log, which will log all emails sent using PHP mail(). If you use PHP 5.3 on a shared server ever, configure it out and it will be a great stuffs to track emails send via PHP script

Details - PHP: Runtime Configuration - Manual

Thank you,
Nibin.

[arunsv84]

Well there is an easy and quick way to detect a spammer by dropping a few lines into your shell.

just type the following in your command prompt

grep cwd=/home /var/log/exim_mainlog

that will retrieve all emails sent via php or cgi

[chasmcg]

Below is what I came up with using the command "grep cwd=/home /var/log/exim_mainlog"

If so how are they sending this email and how are they able to do this? If they have a script on my site, how did it get there? And how do I proceed from here? Thanks a lot.

2012-02-01 05:59:42 [29421] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:43 [29428] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:45 [29435] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:45 [29442] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:46 [29450] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:47 [29457] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:47 [29464] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:48 [29471] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:49 [29479] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:49 [29482] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:53 [29494] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:55 [29501] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i

[storminternet]

Find out with the egrep command which script is using sendmail to send all these emails.
Type the commands

cd /home/myserver/public_html

egrep "/usr/sbin/sendmail" * -R

Disable it's permission once you are able to find offended script from egrep output. Moreover you can also disable emails from nobody user from WHM Tweak Settings

[chasmcg]

storminternet, thanks for the reply.

I did as you said and got this...

Binary file public_html/cgi-bin/cgiemail matches
Binary file public_html/cgi-bin/cgiecho matches

Then changed the permissions to 700 on each file. Hope that works. Thanks a lot.

[chasmcg]

Update: Below is the latest header that is being bounced to me. Can anyone decipher this for me?

Also, I'm concerned about this line - "X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL". What does this mean? I've looked it up but haven't found anything relating to email headers, only server logs. Thanks a lot.


Delivered-To: me#1@gmail.com - "Note: this email was delivered to me from my server"
Received: by 10.112.75.231 with SMTP id f7cs21483lbw;
Sat, 4 Feb 2012 23:48:18 -0800 (PST)
Received: by 10.101.2.32 with SMTP id e32mr5681702ani.13.1328428097089;
Sat, 04 Feb 2012 23:48:17 -0800 (PST)
Return-Path: <>
Received: from server.myserver.com ([xx.xx.xx.xx])
by mx.google.com with ESMTPS id d9si12050327yhn.109.2012.02.04.23.48.16
(version=TLSv1/SSLv3 cipher=OTHER);
Sat, 04 Feb 2012 23:48:16 -0800 (PST)
Received-SPF: neutral (google.com: xx.xx.xx.xx is neither permitted nor denied by best guess record for domain of server.myserver.com) client-ip=xx.xx.xx.xx;
Authentication-Results: mx.google.com; spf=neutral (google.com: xx.xx.xx.xx is neither permitted nor denied by best guess record for domain of server.myserver.com) smtp.mail=
Received: from mailnull by server.myserver.com with local (Exim 4.69)
id 1RtwpR-0005ic-L6
for nobody@server.myserver.com; Sun, 05 Feb 2012 01:48:05 -0600
X-Failed-Recipients: me#2@yahoo.com - "Note: email address spam is being sent to - one of my email addresses"
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@server.myserver.com>
To: nobody@server.myserver.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1RtwpR-0005ic-L6@server.myserver.com>
Date: Sun, 05 Feb 2012 01:48:05 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.myserver.com
X-AntiAbuse: Original Domain - server.myserver.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
X-Source-Dir: my-domain-on-my-server.com:/public_html - "Note: I've known directory from day 1 but don't know which file"

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:


me#2@yahoo.com - "Note: email address spam is being sent to - one of my email addresses"
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@server.myserver.com>
Received: from nobody by server.myserver.com with local (Exim 4.69)
(envelope-from <nobody@server.myserver.com>)
id 1RtwpR-0005iX-Je
for me#2@yahoo.com; Sun, 05 Feb 2012 01:48:05 -0600
To: me#2@yahoo.com
Subject: DOUqlPNSvKbX
Content-Type: text/plain
From: jvdhqolofp <fvtznp@hriczt.com>
Reply-To: fvtznp@hriczt.com
Message-Id: <E1RtwpR-0005iX-Je@server.myserver.com>
Sender: Nobody <nobody@server.myserver.com>
Date: Sun, 05 Feb 2012 01:48:05 -0600


wWFooc <a href="http://ewldkxtawrtp.com/">ewldkxtawrtp</a>,
dsxkhijxzmpv,
[link=http://plrnqcmsqhha.com/]plrnqcmsqhha
[/link], http://rzwkriqhjpka.com/

[k-planethost]

http://forums.cpanel.net/f185/determ...ce-227612.html

[chasmcg]

I am really stupid. It took me awhile to catch on. This is a game website. I have it just as a complimentary service for my customers on another website. It's a game script I purchased and really haven't paid that much attention to what it does. I have a "Contact" link on the website. This person is sending the spam from that. It sends an email to my admin email address and "nobody" on my server sends the email. I think that is the problem. 3 or 4 days wasted looking into this. Oh well, I learned a few things. Thanks to everyone.