  #1 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)

    View Mail stats ( View Relayers) oh boy!!

    Can you guys check to see if using this tool produces a list of sending users that do NOT appear to be users?

    I am seeing users listed like:

    Ice^Stylez
    x0b0r
    hidden-user


    and a few others that have me worried. When I click on them I get (invalid user). The mail log shows maybe one or 2 emails for each. That's it. I ran chkrootkit with no warnings. I am still a bit worried.

    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  #2 efeito (cPanel Partner NOC; Join Date Jul 2003; Location .pt; Posts 142)


    What tool?


  #3 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    in WHM ..under the email section.

    ( View Relayers)


  #4 efeito (cPanel Partner NOC; Join Date Jul 2003; Location .pt; Posts 142)


    Sorry, but I don't see that option anywhere.

    Under the Mail Section I only have this:

    Mail Troubleshooter
    Manage Mail Queue
    View Mail Statistics


  #5 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    Originally posted by efeito
    Sorry, but I don't see that option anywhere.

    Under the Mail Section I only have this:

    Mail Troubleshooter
    Manage Mail Queue
    View Mail Statistics

    my WHM must be "special"


  #6 efeito (cPanel Partner NOC; Join Date Jul 2003; Location .pt; Posts 142)


    My version is WHM 7.4.2 cPanel 7.4.2-R158
    on redhat 9
    and yours?


  #7 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    Originally posted by efeito
    My version is WHM 7.4.2 cPanel 7.4.2-R158
    on redhat 9
    and yours?

    I run edge on all my boxes


  #8 munk (Member; Join Date Sep 2003; Posts 24)


    Try searching through your logfiles in /var/log/exim/ to find occurrences of those dodgy usernames:

    grep youruser /var/log/exim -ri

    and paste the results


  #9 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    Originally posted by munk
    Try searching through your logfiles in /var/log/exim/ to find occurrences of those dodgy usernames:

    grep youruser /var/log/exim -ri

    and paste the results

    root@mybox [~]# grep Ice^Stylez /var/log/exim_mainlog -ri
    2003-09-15 16:06:04 19z0Xs-0001zb-5Z <= 8zuq3o11z@hotmail.com H=(myiphere) [69.67.67.2] U={Ice^Stylez] P=smtp S=1403 id=6v$qv736-t8-t5kl$$4--5u4@bo1hf1v.ukgtj1

    another ..1 entry

    2003-09-16 03:18:34 19zB2f-0003pP-JP <= ycni2o@aol.com H=(myserverip) [210.182.108.189] U=DTQLNNNIX P=smtp S=4702 id=3j60a$qu5dy$2$41-$7---z@d4zq8z.3e.b.vf


    Looks like one entry for the most fishy usernames.
    Note these are NOT real users on my system. Well, not supposed to be. I also see some for "administrator", "daemon" and a few weird "users".
    Last edited by rpmws; 09-16-2003 at 08:46 PM.

  #10 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    root@mybox [~]# grep hidden-user /var/log/exim_mainlog -ri
    2003-09-15 10:09:03 19yuyN-0000ns-AM <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=1928 id=Pine.SGI.4.44.0309151007500.19117519-100000@itchy.southern.net
    2003-09-15 10:29:27 19yvI6-00022u-Pp <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2615 id=Pine.SGI.4.44.0309151029250.19117519-100000@itchy.southern.net
    2003-09-15 10:49:09 19yvbA-0003Uf-Qm <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=5141 id=Pine.SGI.4.44.0309151037160.19117519-100000@itchy.southern.net
    2003-09-15 11:01:50 19yvnR-0004kV-NI <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2986 id=Pine.SGI.4.44.0309151101010.19117519-100000@itchy.southern.net
    2003-09-15 11:29:14 19ywDx-0006zy-CL <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=7877 id=Pine.SGI.4.44.0309151108350.19117519-100000@itchy.southern.net
    2003-09-15 11:50:37 19ywYe-0008Rn-9s <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=10090 id=Pine.SGI.4.44.0309151149540.19117519-100000@itchy.southern.net
    2003-09-15 16:04:02 19z0Vu-0001sF-OC H=(listserv1.economy.com) [205.247.35.65] U=hidden-user F=<listserv@dismal.com> rejected after DATA: syntax error in 'Reply-To:' header when scanning for sender: malformed address: <listserv@economy.com> may not follow listserv@economy.com in "listserv@economy.com <listserv@economy.com>"
    2003-09-15 16:30:16 19z0vI-0003QR-B7 <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=1863 id=Pine.SGI.4.44.0309151628541.18773790-100000@itchy.southern.net
    2003-09-15 16:32:34 19z0xW-0003Za-2V <= scotd@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2376 id=Pine.SGI.4.44.0309151631300.18277281-100000@itchy.southern.net
    2003-09-15 16:43:20 19z17w-0004Em-Ew <= scotd@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3095 id=Pine.SGI.4.44.0309151641450.18277281-100000@itchy.southern.net
    2003-09-16 15:50:20 19zMmC-0002kX-9Q <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=4227 id=Pine.SGI.4.44.0309161543130.19062074-100000@itchy.southern.net
    2003-09-16 15:51:24 19zMnA-0002o3-Rk <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3538 id=Pine.SGI.4.44.0309161550460.19062074-100000@itchy.southern.net
    2003-09-16 16:03:31 19zMyx-0004Yw-AS H=(listserv1.economy.com) [205.247.35.65] U=hidden-user F=<listserv@dismal.com> rejected after DATA: syntax error in 'Reply-To:' header when scanning for sender: malformed address: <listserv@economy.com> may not follow listserv@economy.com in "listserv@economy.com <listserv@economy.com>"
    2003-09-16 17:30:05 19zOKg-0001zd-AJ <= shtfnwm6@yahoo.com H=(nezu.kiban.co.jp) [210.230.183.225] U=hidden-user P=smtp S=6633 id=e6$$-m01sr4s5g20$51w5-21@1iok5gm24d6d


  #11 munk (Member; Join Date Sep 2003; Posts 24)


    Try:

    grep hidden-user /etc -ri


  #12 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    Originally posted by munk
    Try:

    grep hidden-user /etc -ri

    I get a few "too many sym links" and:

    /etc/httpd/domlogs/ftp.a -domain-on-my-box.com-ftp_log:Sat Sep 6 21:06:14 2003 194 mailhub.infinityward.com 32274243 /home/same-domain-user/public_html/visitor/music/ref.zip b _ i r real-user ftp 1 hidden-user c

    Could it be that it's a client that is authenticated for SMTP but has a box that is using "hidden-user" for the username?


  #13 munk (Member; Join Date Sep 2003; Posts 24)


    Well, the U= part indicates the login name of the process that called exim to submit a message, so there is a user on your system called 'hidden-user', I imagine. It's not to do with authentication - you would see 'P=asmtp' if the user had authenticated.

    Can't you see the user in the 'List Accounts' page in WHM?

    Given the results of the second search it looks like the user is active in whatever domain resides under /home/same-domain-user.


  #14 rpmws (Member; Join Date Aug 2001; Location back woods of NC, USA; Posts 1,858)


    Originally posted by munk
    Well, the U= part indicates the login name of the process that called exim to submit a message, so there is a user on your system called 'hidden-user', I imagine. It's not to do with authentication - you would see 'P=asmtp' if the user had authenticated.

    Can't you see the user in the 'List Accounts' page in WHM?

    Given the results of the second search it looks like the user is active in whatever domain resides under /home/same-domain-user.

    No, no, see, that's just it. These users aren't listed in my WHM and they don't have a place in /home either. It's a closed box that no new accounts are on. No resellers either.

    Also, when I get this list in "list relayers", all the other senders in the table have an email@domainname beside them. Beside the few whose usernames look weird to me there is no email@anydomain.com, and when I click on the username the next page says "Invalid user".

    I've been searching through this damn box for 10 hours and I can't figure out what is going on yet. How can I see a complete list of all local linux users with any privileges at all?


  #15 munk (Member; Join Date Sep 2003; Posts 24)


    Open the /etc/passwd file to view the local users on the server. Obviously be careful not to make any changes - if you want to edit the password list by hand then use 'vipw' which allows you to make changes to the system password dbs.

    Did you try grepping the /etc directory for the usernames of those dodgy users? It could be that there's an alias or some such for Exim in there somewhere.

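The checks the thread walks through by hand (grep the Exim mainlog for a username, read the U= and P= fields, compare against the accounts in /etc/passwd) can be done in one pass. The script below is an added example, not code from the thread or from cPanel; the log lines and passwd excerpt are constructed in the format the thread shows (documentation-range IPs and example domains, not the thread's real values). It also applies one fact about Exim's log format that the thread does not spell out: for a message that arrived over TCP/IP (an H= host and IP on the line), U= records the remote host's RFC 1413 ident reply when one was obtained, not a local login, which is why such names show up in View Relayers without matching any account. The P= values treated as authenticated are the thread's `asmtp` plus Exim 4's `esmtpa`/`esmtpsa`.

```python
"""Classify the U= field of Exim "received" log lines against the local user
list, automating the grep-and-compare the thread does by hand."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's mainlog format.
SAMPLE_MAINLOG = """\
2003-09-15 10:09:03 19yuyN-0000ns-AM <= alice@example.net H=(mx.example.net) [192.0.2.10] U=hidden-user P=esmtp S=1928 id=a1@example.net
2003-09-15 16:06:04 19z0Xs-0001zb-5Z <= bulk@example.org H=(host) [198.51.100.7] U=Ice^Stylez P=smtp S=1403 id=b2@example.org
2003-09-15 16:04:02 19z0Vu-0001sF-OC H=(list.example.com) [203.0.113.5] U=hidden-user F=<list@example.com> rejected after DATA: syntax error in 'Reply-To:' header
2003-09-16 09:00:00 19zABC-0001aa-Bb <= bob@localhost U=bob P=local S=512
2003-09-16 09:05:00 19zABD-0001ab-Cc <= carol@example.com H=(laptop) [192.0.2.77] U=carol P=asmtp S=2048 id=c3@example.com
"""

# Constructed /etc/passwd excerpt for the local-account check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bob:x:500:500::/home/bob:/bin/bash
carol:x:501:501::/home/carol:/bin/bash
"""

AUTHENTICATED_PROTOCOLS = ("asmtp", "esmtpa", "esmtpsa")

# Fields in the order Exim writes them: timestamp, message id, optional
# "<= sender" for an accepted message, optional "H=(helo) [ip]" for a
# remote host, then U= and an optional P= protocol.
RECEIVED_RE = re.compile(
    r"^(?P<date>\S+ \S+) (?P<msgid>\S+) "
    r"(?:<= (?P<sender>\S+) )?"
    r"(?:H=(?P<helo>\S+) \[(?P<ip>[^\]]+)\] )?"
    r"U=(?P<user>\S+)"
    r"(?: P=(?P<proto>\S+))?"
)


def local_users(passwd_text):
    """Login names from passwd-format text (first colon-separated field)."""
    return {line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if line and not line.startswith("#")}


def parse_mainlog(text):
    """Return one dict per log line that carries a U= field."""
    entries = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["helo"] = entry["helo"].strip("()") if entry["helo"] else None
        entry["rejected"] = "rejected" in line
        entries.append(entry)
    return entries


def classify(entry, users):
    """Explain where a U= value came from for one parsed line."""
    if entry["proto"] in AUTHENTICATED_PROTOCOLS:
        return "authenticated-smtp"   # SMTP AUTH succeeded for this message
    if entry["ip"] is not None:
        # Remote SMTP: Exim logs the peer's ident (RFC 1413) reply as U=,
        # so the name is supplied by the other end, not a local account.
        return "remote-ident"
    if entry["user"] in users:
        return "local-user"           # local submission by a real account
    return "unknown-local"            # local submission, name not in passwd


def summarize(mainlog_text, passwd_text):
    """Per-U= summary: message count, verdicts seen, and source IPs."""
    users = local_users(passwd_text)
    report = defaultdict(lambda: {"count": 0, "verdicts": set(), "hosts": set()})
    for entry in parse_mainlog(mainlog_text):
        rec = report[entry["user"]]
        rec["count"] += 1
        rec["verdicts"].add(classify(entry, users))
        if entry["ip"]:
            rec["hosts"].add(entry["ip"])
    return dict(report)


def not_local_accounts(report):
    """U= values that never correspond to a local login or an authenticated user."""
    return sorted(name for name, rec in report.items()
                  if not rec["verdicts"] & {"local-user", "authenticated-smtp"})


if __name__ == "__main__":
    rep = summarize(SAMPLE_MAINLOG, SAMPLE_PASSWD)
    for name in not_local_accounts(rep):
        print(f"{name}: {rep[name]['count']} message(s) from {sorted(rep[name]['hosts'])}")
```

On a live cPanel box you would feed it /var/log/exim_mainlog and /etc/passwd instead of the constructed samples; names that come out of `not_local_accounts` with a `remote-ident` verdict are the ones View Relayers shows with no matching account, and the `hosts` set tells you which remote systems supplied them.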
