Quote:
__________________
Just keeping my "eye" on things.... R. Paul Mathews RPMWS - diehard cPanel Nutcase
Quote:
2003-09-15 16:06:04 19z0Xs-0001zb-5Z <= 8zuq3o11z@hotmail.com H=(myiphere) [69.67.67.2] U={Ice^Stylez] P=smtp S=1403 id=6v$qv736-t8-t5kl$$4--5u4@bo1hf1v.ukgtj1
another ..1 entry
2003-09-16 03:18:34 19zB2f-0003pP-JP <= ycni2o@aol.com H=(myserverip) [210.182.108.189] U=DTQLNNNIX P=smtp S=4702 id=3j60a$qu5dy$2$41-$7---z@d4zq8z.3e.b.vf
Looks like one entry for the most fishy usernames. Note these are NOT real users on my system. well not supposed to be. I also see some for "administrator", "daemon" and a few weird "users"
__________________
Just keeping my "eye" on things.... R. Paul Mathews RPMWS - diehard cPanel Nutcase Last edited by rpmws; 09-16-2003 at 08:46 PM.
root@mybox [~]# grep hidden-user /var/log/exim_mainlog -ri
2003-09-15 10:09:03 19yuyN-0000ns-AM <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=1928 id=Pine.SGI.4.44.0309151007500.19117519-100000@itchy.southern.net
2003-09-15 10:29:27 19yvI6-00022u-Pp <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2615 id=Pine.SGI.4.44.0309151029250.19117519-100000@itchy.southern.net
2003-09-15 10:49:09 19yvbA-0003Uf-Qm <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=5141 id=Pine.SGI.4.44.0309151037160.19117519-100000@itchy.southern.net
2003-09-15 11:01:50 19yvnR-0004kV-NI <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2986 id=Pine.SGI.4.44.0309151101010.19117519-100000@itchy.southern.net
2003-09-15 11:29:14 19ywDx-0006zy-CL <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=7877 id=Pine.SGI.4.44.0309151108350.19117519-100000@itchy.southern.net
2003-09-15 11:50:37 19ywYe-0008Rn-9s <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=10090 id=Pine.SGI.4.44.0309151149540.19117519-100000@itchy.southern.net
2003-09-15 16:04:02 19z0Vu-0001sF-OC H=(listserv1.economy.com) [205.247.35.65] U=hidden-user F=<listserv@dismal.com> rejected after DATA: syntax error in 'Reply-To:' header when scanning for sender: malformed address: <listserv@economy.com> may not follow listserv@economy.com in "listserv@economy.com <listserv@economy.com>"
2003-09-15 16:30:16 19z0vI-0003QR-B7 <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=1863 id=Pine.SGI.4.44.0309151628541.18773790-100000@itchy.southern.net
2003-09-15 16:32:34 19z0xW-0003Za-2V <= scotd@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2376 id=Pine.SGI.4.44.0309151631300.18277281-100000@itchy.southern.net
2003-09-15 16:43:20 19z17w-0004Em-Ew <= scotd@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3095 id=Pine.SGI.4.44.0309151641450.18277281-100000@itchy.southern.net
2003-09-16 15:50:20 19zMmC-0002kX-9Q <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=4227 id=Pine.SGI.4.44.0309161543130.19062074-100000@itchy.southern.net
2003-09-16 15:51:24 19zMnA-0002o3-Rk <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3538 id=Pine.SGI.4.44.0309161550460.19062074-100000@itchy.southern.net
2003-09-16 16:03:31 19zMyx-0004Yw-AS H=(listserv1.economy.com) [205.247.35.65] U=hidden-user F=<listserv@dismal.com> rejected after DATA: syntax error in 'Reply-To:' header when scanning for sender: malformed address: <listserv@economy.com> may not follow listserv@economy.com in "listserv@economy.com <listserv@economy.com>"
2003-09-16 17:30:05 19zOKg-0001zd-AJ <= shtfnwm6@yahoo.com H=(nezu.kiban.co.jp) [210.230.183.225] U=hidden-user P=smtp S=6633 id=e6$$-m01sr4s5g20$51w5-21@1iok5gm24d6d
__________________
Just keeping my "eye" on things.... R. Paul Mathews RPMWS - diehard cPanel Nutcase
Quote:
/etc/httpd/domlogs/ftp.a -domain-on-my-box.com-ftp_log:Sat Sep 6 21:06:14 2003 194 mailhub.infinityward.com 32274243 /home/same-domain-user/public_html/visitor/music/ref.zip b _ i r real-user ftp 1 hidden-user c
Could it be it's a client that is authenticated for SMTP but has a box that is using the "hidden-user" for username?
__________________
Just keeping my "eye" on things.... R. Paul Mathews RPMWS - diehard cPanel Nutcase
Well, the U= part indicates the login name of the process that called exim to submit a message, so there is a user on your system called 'hidden-user', I imagine. It's not to do with authentication - you would see 'P=asmtp' if the user had authenticated.
Can't you see the user in the 'List Accounts' page in WHM? Given the results of the second search it looks like the user is active in whatever domain resides under /home/same-domain-user.
Quote:
Also when I get this list in the "list relayers" in the table in the list all the other senders have an email@domainname beside it. Beside these few that the users look weird to me there is no email@anydomain.com and when I click on the username the next page says "Invalid user". I've been searching through this damn box for 10 hours and I can't figure out what is going on yet. How can I see a complete list of all local linux users with any privileges at all?
__________________
Just keeping my "eye" on things.... R. Paul Mathews RPMWS - diehard cPanel Nutcase
Open the /etc/passwd file to view the local users on the server. Obviously be careful not to make any changes - if you want to edit the password list by hand then use 'vipw', which allows you to make changes to the system password dbs.
Did you try grepping the /etc directory for the usernames of those dodgy users? It could be that there's an alias or somesuch for Exim in there somewhere.
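The two checks discussed in this thread (which U= values show up in exim_mainlog, and whether each one exists in /etc/passwd) can be combined in one pass; the script below is an added example, not code from any poster or from cPanel/Exim. Exim's log documentation describes U= as "local user or RFC 1413 identity", so on lines that also carry H= the value may have been supplied by the remote host. The function names and all sample log lines are constructed for illustration.

```shell
# Added example. exim_ident_report LOG [PASSWD] prints, for arrival ("<=")
# lines only, one tab-separated row per distinct U= value:
#   COUNT  U-VALUE  local-account|no-such-account  smtp-auth|no-smtp-auth
# Assumes the exim_mainlog layout shown in the thread and U= values
# without embedded spaces.
exim_ident_report() {
    log=$1
    passwd=${2:-/etc/passwd}
    awk -v pw="$passwd" '
        BEGIN {
            # Account names are the first colon-separated field of passwd.
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                account[f[1]] = 1
            }
            close(pw)
        }
        $4 == "<=" {
            user = ""; proto = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^U=/) user = substr($i, 3)
                else if ($i ~ /^P=/) proto = substr($i, 3)
            }
            if (user == "") next
            # P=asmtp (esmtpa/esmtpsa on newer Exim) marks SMTP AUTH.
            auth = (proto ~ /^(asmtp|esmtps?a)$/) ? "smtp-auth" : "no-smtp-auth"
            acct = (user in account) ? "local-account" : "no-such-account"
            seen[user "\t" acct "\t" auth]++
        }
        END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' "$log" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample data (documentation addresses, made-up message ids).
exim_ident_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'realuser:x:1001:1001::/home/realuser:/bin/bash' > "$tmp/passwd"
    cat > "$tmp/mainlog" <<'EOF'
2003-09-15 10:09:03 1aaaaa-000001-AA <= a@example.com H=(mx.example.net) [192.0.2.10] U=hidden-user P=esmtp S=1928 id=1@example.net
2003-09-15 10:29:27 1aaaaa-000002-AA <= a@example.com H=(mx.example.net) [192.0.2.10] U=hidden-user P=esmtp S=2615 id=2@example.net
2003-09-15 11:00:00 1aaaaa-000003-AA <= realuser@example.org U=realuser P=local S=512
2003-09-15 12:00:00 1aaaaa-000004-AA <= b@example.org H=(pc) [198.51.100.7] U=realuser P=asmtp S=900 id=3@example.org
2003-09-15 12:05:00 1aaaaa-000004-AA => c@example.com R=lookuphost T=remote_smtp
EOF
    exim_ident_report "$tmp/mainlog" "$tmp/passwd"
    rm -rf "$tmp"
}
```

On a live server, `exim_ident_report /var/log/exim_mainlog` gives the same table against the real /etc/passwd; rows marked no-such-account with an H= source are the ones worth tracing back to the sending host.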