  1. #1
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    What's in exim_outgoing.conf? That's nothing I recognize as a Cpanel file.

    Mike


    Quote Originally Posted by fuzioneer View Post
    I am newbie to the tracking down of Spam source

    but from a little research it appears one of our servers has been the subject of a spam attack outbound sending out phishing emails

    now the attack started 11pmish yesterday evening, and looking through the exim_mainlog are the following lines

    2007-10-27 23:28:35 [15481] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNw9-0007fw-6T
    2007-10-27 23:28:35 [15482] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNw9-0007g1-An
    2007-10-27 23:28:35 [15483] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwA-0007gK-DI
    2007-10-27 23:28:35 [15484] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwA-0007gM-CZ
    2007-10-27 23:28:35 [15485] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwB-0007go-21
    2007-10-27 23:28:35 [15486] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwB-0007h9-EZ


    and 1000s more

    all the emails are under the nobody account and cannot find any trace of any php files for any of the accounts on the server being used nor any of them having more than standard emails dispatched.

    Is there some form of loophole being used here in our cpanel config to send email ?

    any suggestions on digging deeper ?

    We are on the following:
    WHM 11.11.0 cPanel 11.15.0-R17665
    CENTOS Enterprise 4.5 i686 on standard - WHM X v3.1.0

  2. #2
    Member
    Join Date
    Dec 2003
    Posts
    89

    Being spammed, looks like cPanel exploit?

    I am a newbie to tracking down spam sources,

    but from a little research it appears one of our servers has been the subject of an outbound spam attack, sending out phishing emails.

    Now the attack started 11pm-ish yesterday evening, and looking through the exim_mainlog, the following lines appear:

    2007-10-27 23:28:35 [15481] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNw9-0007fw-6T
    2007-10-27 23:28:35 [15482] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNw9-0007g1-An
    2007-10-27 23:28:35 [15483] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwA-0007gK-DI
    2007-10-27 23:28:35 [15484] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwA-0007gM-CZ
    2007-10-27 23:28:35 [15485] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwB-0007go-21
    2007-10-27 23:28:35 [15486] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwB-0007h9-EZ


    and 1000s more.

    All the emails are under the nobody account, and I cannot find any trace of any PHP files for any of the accounts on the server being used, nor any of them having dispatched more than the usual emails.

    Is there some form of loophole being used here in our cPanel config to send email?

    Any suggestions on digging deeper?

    We are on the following:
    WHM 11.11.0 cPanel 11.15.0-R17665
    CENTOS Enterprise 4.5 i686 on standard - WHM X v3.1.0

  3. #3
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    What does one of those 'spam' messages look like? Certainly with that volume you should have some sitting in your mail queue waiting to be delivered, which you could look at via Mail Queue Manager in WHM.

    Also, I did some searching and I'm guessing you are using MailScanner?

    Mike

  4. #4
    Member
    Join Date
    Dec 2003
    Posts
    89

    Default

    exim_outgoing.conf looks like a standard exim file.

    Yes, using MailScanner.

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    89

    Default

    Sample email headers with some info stripped:

    1IjNOv-0001oW-B6-H
    mailnull 47 12
    <>
    1192921597 0
    -ident mailnull
    -received_protocol local
    -body_linecount 126
    -max_received_linelength 259
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1192921598
    -localerror
    XX
    1
    online.security@visa.com

    160P Received: from mailnull by xxx.xxxxx.com with local (Exim 4.68)
    id 1IjNOv-0001oW-B6
    for online.security@visa.com; Sun, 21 Oct 2007 00:06:37 +0100
    044 X-Failed-Recipients: user@comcast.net
    029 Auto-Submitted: auto-replied
    069F From: Mail Delivery System <Mailer-Daemon@xxx.xxxxx.com>
    029T To: online.security@visa.com
    059 Subject: Mail delivery failed: returning message to sender
    058I Message-Id: <E1IjNOv-0001oW-B6@xxx.xxxxx.com>
    038 Date: Sun, 21 Oct 2007 00:06:37 +0100

  6. #6
    Member
    Join Date
    Aug 2002
    Posts
    1,120

    Default

    This looks like a returned message. You will need to read the body of the message to find out the true culprit.

    exim -Mvb 1IjNOv-0001oW-B6

    The body should contain the original headers in the return message.
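    As an added example (not code from this thread or from cPanel/Exim), here is a small parser for the Exim 4 spool header (-H) layout shown in post #5, which flags a message as a frozen backscatter bounce so you know the real spam has to be dug out of the body with -Mvb, as post #6 says. The sample is constructed from the posted header with a shorter option list, and the field layout is assumed to match the one shown there.

```python
# Added example, not from the thread: parse an Exim 4 spool -H file as
# posted above and flag frozen null-sender bounces (backscatter).
import re
SAMPLE_H = """1IjNOv-0001oW-B6-H
mailnull 47 12
<>
1192921597 0
-ident mailnull
-frozen 1192921598
-localerror
XX
1
online.security@visa.com

160P Received: from mailnull by xxx.xxxxx.com with local (Exim 4.68)
\tfor online.security@visa.com; Sun, 21 Oct 2007 00:06:37 +0100
044 X-Failed-Recipients: user@comcast.net
069F From: Mail Delivery System <Mailer-Daemon@xxx.xxxxx.com>
029T To: online.security@visa.com
"""

def parse_spool_header(text):
    """Return dict with id, sender, option flags, recipients and headers."""
    lines = text.splitlines()
    info = {"id": lines[0][:-2], "sender": lines[2].strip("<>"), "flags": {}}
    i = 4                                   # "-option value" lines follow the time line
    while lines[i].startswith("-"):
        name, _, value = lines[i][1:].partition(" ")
        info["flags"][name] = value
        i += 1
    i += 1                                  # skip the "XX" non-recipient tree line
    count = int(lines[i]); i += 1
    info["recipients"] = lines[i:i + count]; i += count + 1   # +1 skips blank line
    headers, last = {}, None
    for line in lines[i:]:
        m = re.match(r"^\d+[A-Z*]? (.*)$", line)   # "NNN[flag] Name: value"
        if m:
            last, _, value = m.group(1).partition(":")
            headers[last] = value.strip()
        elif line[:1] in ("\t", " ") and last:     # folded continuation line
            headers[last] += " " + line.strip()
    info["headers"] = headers
    return info

def is_backscatter(info):
    """Frozen, null-sender DSN to an outside address: a bounce of forged-From spam."""
    return (info["sender"] == "" and "frozen" in info["flags"]
            and "X-Failed-Recipients" in info["headers"])
```

    A true result means the spool file is the bounce, not the spam; the original headers are in the body, which is what the `exim -Mvb` step above retrieves.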

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    89

    Default

    I have done that and I get "no such file or directory".

    I have gone through a few bounces that are in the delivery queue and get the same when I check the id on them all?
