how do i find a user sending spam using nobody as the sender?
Search the forums - there's a nice thread around that covers how to track nobody senders if you don't have phpsuexec enabled.
Alternatively, enable phpsuexec.
One solution I've found... enable extended logging in Exim...
P.S. In the instructions you will see the line below referenced... this should be a SINGLE line in the config... for more information see http://www.webhostgear.com/118.html
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
----------------------------------------------------------------
1. Open exim.conf
pico /etc/exim.conf
2) Find this;
Ctrl + W: hostlist auth_relay_hosts = *
#######################################
# Runtime configuration file for Exim #
#######################################
3) After hostlist auth_relay_hosts = *
add the following
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
4) The final result should look like this
hostlist auth_relay_hosts = *
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
#######################################
# Runtime configuration file for Exim #
#######################################
5) Save and restart exim DONE!
ctrl + X then Y
/etc/init.d/exim restart
Now tail your log and watch the show!
tail -f /var/log/exim_mainlog
WARNING CPANEL USERS:
cPanel/WHM updates will override these changes. You can prevent cPanel from deleting your changes by doing the following
chattr +i /etc/exim.conf
![! z3uS !]!
That is completely unnecessary and you should not edit and chattr exim.conf in that way
If you want to enable extended logging use the Exim Configuration Editor in WHM and simply add the following to the first text area in Advanced Mode:
log_selector = +all
Or if you want less output and just the essentials, this will usually do instead:
log_selector = +arguments
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
So if I add log_selector = +arguments to the exim config I will be able to tail -f /var/log/exim_mainlog and determine what user has set up this spam script?
Thank you very much
What it does is provide the context within which a request was made to exim (i.e. CWD) so it usually provides the directory from where the script runs that starts the mail connection. If that is present, you can then go to that folder and track down the PHP script within that directory.
Jonathan Michaelson
Shorter/Quicker/Easier always works best for me... *noted*
Though I do recommend log_selector = +all, because then you don't have to sit there watching the tail -f, and if you miss some spam you can search the log for, say, the subject of the email, etc. Or just pick out which variables you think would be useful and use those.
![! z3uS !]!
Hello z3usy
Thank you!!! It's perfect. I found all the hackers on my servers!
but the best way to look is
grep sendmail exim_mainlog
Konrath
Originally Posted by z3usy
hostlist auth_relay_hosts = *
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
#######################################
# Runtime configuration file for Exim #
#######################################
5) Save and restart exim DONE!
ctrl + X then Y
/etc/init.d/exim restart
Now tail your log and watch the show!
tail -f /var/log/exim_mainlog
Please help
root@deksite [~]# /etc/init.d/exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [FAILED]
Shutting down antirelayd: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim-26: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Starting exim: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Starting exim-smtps: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Starting antirelayd: [ OK ]
Starting spamd: [ OK ]
root@deksite [~]#
Looks like you already had a log_selector line in your conf file. Look for the other one and remove one of the two...
Originally Posted by deksite
It's probably happening if you edited exim.conf which I warned against in my post following that.
Jonathan Michaelson
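The failure deksite posted ("log_selector" option set for the second time) is Exim refusing a main-section option that is assigned twice, which is exactly what happens when the long log_selector line is pasted into a cPanel exim.conf that already carries one. The supported way to catch this before restarting is exim -bV, which reads the configuration file and reports syntax errors without touching the running daemon. As an added example, not code from the thread or from cPanel, the following Python script does the same duplicate check offline on a constructed exim.conf fragment and merges the two settings into the single line Exim accepts. It only looks at the main section (everything before the first "begin" keyword) and does not handle lines continued with a trailing backslash, which Exim itself allows.

```python
"""Detect and merge duplicate log_selector settings in an Exim config
(added example; the config fragment below is constructed, not a real file)."""
import re

SAMPLE_CONF = """\
# constructed exim.conf fragment, not the file from the thread
log_selector = +arguments
hostlist auth_relay_hosts = *
log_selector = +address_rewrite +all_parents +arguments +subject
#######################################
# Runtime configuration file for Exim #
#######################################
begin acl
"""

BEGIN_RE = re.compile(r"^\s*begin\s+\w+")          # end of the main section
OPT_RE = re.compile(r"^\s*log_selector\s*=\s*(.*)$")  # commented lines do not match


def log_selector_settings(conf_text):
    """Return (line_number, value) for every log_selector assignment in the
    main section. More than one entry means Exim will refuse to start with
    '"log_selector" option set for the second time'."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if BEGIN_RE.match(line):
            break
        m = OPT_RE.match(line)
        if m:
            found.append((lineno, m.group(1).strip()))
    return found


def merged_log_selector(conf_text):
    """Combine all settings into one line, keeping each selector term once in
    first-seen order (Exim applies terms left to right, so order is preserved)."""
    terms = []
    for _, value in log_selector_settings(conf_text):
        for term in value.split():
            if term not in terms:
                terms.append(term)
    return "log_selector = " + " ".join(terms)


def rewrite_with_single_selector(conf_text):
    """Return the config with one merged log_selector line at the position of
    the first occurrence and the later duplicates removed; unchanged if there
    was at most one setting."""
    settings = log_selector_settings(conf_text)
    if len(settings) < 2:
        return conf_text
    keep = settings[0][0]
    drop = {lineno for lineno, _ in settings[1:]}
    merged = merged_log_selector(conf_text)
    out = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if lineno == keep:
            out.append(merged)
        elif lineno not in drop:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, value in log_selector_settings(SAMPLE_CONF):
        print(f"line {lineno}: log_selector = {value}")
    print("--- fixed ---")
    print(rewrite_with_single_selector(SAMPLE_CONF), end="")
```

On a real server run the same check with the real file (for example log_selector_settings(open("/etc/exim.conf").read())), and follow any hand edit with exim -bV before the restart; on cPanel the WHM Exim Configuration Editor remains the place to put the setting so that updates do not overwrite it.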
I checked the whole directory cwd=/home/fenix/public and did not find any script that could be sending spam. Can someone help? There are many emails being sent.
2006-08-16 13:54:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1GDOf0-0001mr-SD
2006-08-16 13:54:31 1GDOf1-0001n2-4y <= nobody@fenix.deksite.com.br U=nobody P=local S=5704 T="Atualiza\347\343o cr\355tica do windows" from <nobody@fenix.deksite.com.br> for boyw@hotmail.com Microsoft@windowsupdate.com eMicrosoft@windowsupdate.com
2006-08-16 13:54:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GDOf1-0001n2-4y
2006-08-16 13:54:31 cwd=/home/fenix/public_html 3 args: /usr/sbin/sendmail -t -i
Then you've missed the script that is doing it.
Jonathan Michaelson
I am not able to locate the script, the IP, or the person who is doing this.
Then you'll need to ask someone who understands PHP to check for you, since it's clearly from a script in that directory (unless it has deleted itself).
Jonathan Michaelson