
nobody@server - bounced emails

Discussion in 'Security' started by chasmcg, Jan 30, 2012.

  1. chasmcg

    Someone was sending email from my server using the 'nobody' account. I stopped the user 'nobody' from being able to send emails in WHM. He is still sending the emails but now they are being bounced back to me.

    I know the directory that he is sending from (I think). I have no idea which file it might be. It would be a PHP file. The website is a game website. I have compared my local drive to the server drive and no new files are there and no new dates. How can I find the file he might be using? Thanks for any help.
     
  2. NixTree

    Hello,

    Most probably, it is sent via a script. Check the logs thoroughly and see if you can find anything. Do you have "Mailheader" enabled with PHP (you can do this from EA3)? If so, you can find the exact script which sent the emails if you check the header of any of the spam emails sent from your server (exim -Mvh <email id> and check the X-script field).

    Thank you,
    Nibin,
     
  3. chasmcg

    Thanks for the reply, Nibin. What is EA3?

    Using putty.exe, if I enter this short script

    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

    I'm told it's being sent from /home/myserver/public_html. But as stated in my original post I have no idea which file may be doing the sending.

    Below is one of the headers from one of the bounced emails but I don't see any information that would be helpful. Funny thing about this, the emails, if sent, are being sent to one of my Yahoo email addresses.

    Return-path: <nobody@server.myserver.com>
    Received: from nobody by server.myserver.com with local (Exim 4.69)
    (envelope-from <nobody@server.myserver.com>)
    id 1RrvHD-0001jj-P6
    for chbvcx@ymail.com; Mon, 30 Jan 2012 11:44:23 -0600
    To: chbvcx@ymail.com
    Subject: Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online
    Content-Type: text/plain
    From: <Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online>
    Reply-To: Patent Pointed-Toe Pump - $134.99 : Christian Louboutin, Discount Christian Louboutin,Cheap Christian Louboutin Shoes,Christian Louboutin Pumps Sale,Discounted Louboutins Store Online
    Message-Id: <E1RrvHD-0001jj-P6@server.myserver.com>
    Date: Mon, 30 Jan 2012 11:44:23 -0600
     
    #3 chasmcg, Jan 31, 2012
    Last edited: Jan 31, 2012
  4. NixTree

    Hello,

    EA3 = EasyApache 3; you can enable the PHP module I mentioned with EasyApache. In fact, it is good to have this enabled on a shared + DSO (PHP as an Apache module) server to track such email abuses.

    More about this module - http://choon.net/php-mail-header.php

    Since you could find the account which is abusing the server, review the contents of the account; check whether any files were modified/uploaded recently in this account and scan those files carefully.

    Good Luck :)

    Thank you,
    Nibin.
     
    #4 NixTree, Jan 31, 2012
    Last edited: Jan 31, 2012
  5. NixTree

    Hello,

    Also make sure "Track email origin via X-Source email headers" is enabled in Tweak Settings!

    Tweak Settings

    Thank you,
    Nibin.
     
  6. chasmcg

    Nibin, thanks a lot for your help. I am going to follow your instructions in a bit but first, another question.

    I disabled EXIM. I am the only person that uses my server. How will this affect things? I don't use the mail at all on my server. But will I still get messages from the server such as warnings and such? Thanks.
     
  7. NixTree

    Hello,

    No, why pay the resources for a service that you don't use! It is better to disable all the services which we don't use on a server, for better performance and security.

    What kind of warning messages are you getting from your server? Have you disabled "monitor" for the exim service as well (remove it from the chkservd conf)?

    Thank you,
    Nibin.
     
  8. NixTree

    Hello,

    Also, from PHP 5.3 there is a function called mail.log, which will log all emails sent using PHP mail(). If you ever use PHP 5.3 on a shared server, configure it and it will be great stuff for tracking emails sent via PHP scripts :)

    Details - PHP: Runtime Configuration - Manual

    Thank you,
    Nibin.
     
  9. arunsv84

    Well there is an easy and quick way to detect a spammer by dropping a few lines into your shell.

    Just type the following in your command prompt:

    That will retrieve all emails sent via PHP or CGI.
     
  10. chasmcg

    Below is what I came up with using the command "grep cwd=/home /var/log/exim_mainlog"

    If so, how are they sending this email and how are they able to do this? If they have a script on my site, how did it get there? And how do I proceed from here? Thanks a lot.

    2012-02-01 05:59:42 [29421] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:43 [29428] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:45 [29435] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:45 [29442] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:46 [29450] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:47 [29457] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:47 [29464] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:48 [29471] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:49 [29479] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:49 [29482] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:53 [29494] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
    2012-02-01 05:59:55 [29501] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
     
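Added example, not from the thread: a small Python parser for the `cwd=` lines chasmcg grepped out of /var/log/exim_mainlog. Exim writes those lines when `log_selector` includes `+arguments`; the `[pid]` field is only present when `+pid` is also on, which is why a fixed `$3` in an awk pipeline can miss them. `/usr/sbin/sendmail -t -i` is the default `sendmail_path` that PHP's mail() invokes, so each call from a script is one line. Counting by directory only says which account is sending; the peak rate per minute is what separates a spam run from ordinary notification mail. The sample log is constructed from the lines in the post plus one made-up line from another directory, and the threshold of 10 calls per minute is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the cwd lines from the post, plus one made-up line from a
# different directory so the ranking has something to compare against.
SAMPLE_LOG = """\
2012-02-01 05:59:42 [29421] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:43 [29428] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:45 [29435] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:45 [29442] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:46 [29450] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:47 [29457] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:47 [29464] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:48 [29471] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:49 [29479] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:49 [29482] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:53 [29494] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 05:59:55 [29501] cwd=/home/myserver/public_html 3 args: /usr/sbin/sendmail -t -i
2012-02-01 06:30:00 [30210] cwd=/home/myserver/cron 3 args: /usr/sbin/sendmail -t -i
"""

# Matches both log styles: with the "[pid]" field (log_selector +pid) and without it.
CWD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: \[(?P<pid>\d+)\])? "
    r"cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<args>.*)$"
)


def parse_cwd_lines(text):
    """Return one dict per 'cwd=' line; every other log line is ignored."""
    records = []
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            records.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "pid": int(m["pid"]) if m["pid"] else None,
                "cwd": m["cwd"],
                "args": m["args"],
            })
    return records


def count_by_cwd(records):
    """Same figure as the awk | sort | uniq -c pipeline: calls per directory."""
    return Counter(r["cwd"] for r in records)


def peak_in_window(timestamps, window_seconds):
    """Largest number of sendmail calls inside any span of window_seconds."""
    ts = sorted(timestamps)
    span = timedelta(seconds=window_seconds)
    best = j = 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > span:      # slide the left edge forward
            j += 1
        best = max(best, i - j + 1)
    return best


def rank_directories(records, window_seconds=60):
    """(cwd, total calls, peak calls per window), busiest burst first."""
    by_cwd = defaultdict(list)
    for r in records:
        by_cwd[r["cwd"]].append(r["ts"])
    rows = [(cwd, len(t), peak_in_window(t, window_seconds)) for cwd, t in by_cwd.items()]
    rows.sort(key=lambda row: (row[2], row[1]), reverse=True)
    return rows


def suspicious_directories(records, window_seconds=60, threshold=10):
    """Directories whose burst rate reaches the (assumed) spam threshold."""
    return [cwd for cwd, _, peak in rank_directories(records, window_seconds) if peak >= threshold]


if __name__ == "__main__":
    # On a live box: parse_cwd_lines(open("/var/log/exim_mainlog").read())
    for cwd, total, peak in rank_directories(parse_cwd_lines(SAMPLE_LOG)):
        print(f"{total:6d} total  {peak:4d}/min  {cwd}")
```

Note that cPanel's "nobody" sender restriction (the Tweak Settings option chasmcg enabled) rejects the message at delivery time, after Exim has already logged the sendmail call, so the log keeps showing the calling directory even while the mail itself bounces.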
  11. storminternet

    Find out with the egrep command which script is using sendmail to send all these emails.
    Type the commands:

    Disable its permissions once you are able to find the offending script in the egrep output. Moreover, you can also disable emails from the nobody user in WHM Tweak Settings.
     
  12. chasmcg

    storminternet, thanks for the reply.

    I did as you said and got this...

    Binary file public_html/cgi-bin/cgiemail matches
    Binary file public_html/cgi-bin/cgiecho matches

    Then changed the permissions to 700 on each file. Hope that works. Thanks a lot.
     
  13. chasmcg

    Update: Below is the latest header that is being bounced to me. Can anyone decipher this for me?

    Also, I'm concerned about this line - "X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL". What does this mean? I've looked it up but haven't found anything relating to email headers, only server logs. Thanks a lot.


    Delivered-To: me#1@gmail.com - "Note: this email was delivered to me from my server"
    Received: by 10.112.75.231 with SMTP id f7cs21483lbw;
    Sat, 4 Feb 2012 23:48:18 -0800 (PST)
    Received: by 10.101.2.32 with SMTP id e32mr5681702ani.13.1328428097089;
    Sat, 04 Feb 2012 23:48:17 -0800 (PST)
    Return-Path: <>
    Received: from server.myserver.com ([xx.xx.xx.xx])
    by mx.google.com with ESMTPS id d9si12050327yhn.109.2012.02.04.23.48.16
    (version=TLSv1/SSLv3 cipher=OTHER);
    Sat, 04 Feb 2012 23:48:16 -0800 (PST)
    Received-SPF: neutral (google.com: xx.xx.xx.xx is neither permitted nor denied by best guess record for domain of server.myserver.com) client-ip=xx.xx.xx.xx;
    Authentication-Results: mx.google.com; spf=neutral (google.com: xx.xx.xx.xx is neither permitted nor denied by best guess record for domain of server.myserver.com) smtp.mail=
    Received: from mailnull by server.myserver.com with local (Exim 4.69)
    id 1RtwpR-0005ic-L6
    for nobody@server.myserver.com; Sun, 05 Feb 2012 01:48:05 -0600
    X-Failed-Recipients: me#2@yahoo.com - "Note: email address spam is being sent to - one of my email addresses"
    Auto-Submitted: auto-replied
    From: Mail Delivery System <Mailer-Daemon@server.myserver.com>
    To: nobody@server.myserver.com
    Subject: Mail delivery failed: returning message to sender
    Message-Id: <E1RtwpR-0005ic-L6@server.myserver.com>
    Date: Sun, 05 Feb 2012 01:48:05 -0600
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.myserver.com
    X-AntiAbuse: Original Domain - server.myserver.com
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain -
    X-Source:
    X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
    X-Source-Dir: my-domain-on-my-server.com:/public_html - "Note: I've known directory from day 1 but don't know which file"

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its recipients.
    This is a permanent error. The following address(es) failed:


    me#2@yahoo.com - "Note: email address spam is being sent to - one of my email addresses"
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <nobody@server.myserver.com>
    Received: from nobody by server.myserver.com with local (Exim 4.69)
    (envelope-from <nobody@server.myserver.com>)
    id 1RtwpR-0005iX-Je
    for me#2@yahoo.com; Sun, 05 Feb 2012 01:48:05 -0600
    To: me#2@yahoo.com
    Subject: DOUqlPNSvKbX
    Content-Type: text/plain
    From: jvdhqolofp <fvtznp@hriczt.com>
    Reply-To: fvtznp@hriczt.com
    Message-Id: <E1RtwpR-0005iX-Je@server.myserver.com>
    Sender: Nobody <nobody@server.myserver.com>
    Date: Sun, 05 Feb 2012 01:48:05 -0600


    wWFooc <a href="http://ewldkxtawrtp.com/">ewldkxtawrtp</a>,
    dsxkhijxzmpv,
    [link=http://plrnqcmsqhha.com/]plrnqcmsqhha
    [/link], http://rzwkriqhjpka.com/
     
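The headers in the post above are what cPanel's Exim adds once "Track email origin via X-Source email headers" is on. `Received: from nobody by server.myserver.com with local` means the message was handed to Exim by a local process running as the Unix user nobody (a pipe into sendmail, not an SMTP session); `X-Source-Args` is the command line of that calling process, here Apache itself, which is exactly how a mail() call from a PHP script looks when PHP runs as a DSO inside httpd; `X-Source-Dir` is the domain and directory cPanel recorded for the caller; and the X-AntiAbuse UID/GID pair is the calling process's numeric user and group (compare it with `id nobody` on the box). Added example, not from the thread: a parser that pulls those fields out of a bounce and out of the original message Exim appends to it. The sample bounce is constructed from the posted one with placeholder addresses and Google's own Received/SPF lines removed.

```python
import email
import os
import re

COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"

# Constructed sample modelled on the bounce in the post; addresses are placeholders.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mailnull by server.myserver.com with local (Exim 4.69)
 id 1RtwpR-0005ic-L6
 for nobody@server.myserver.com; Sun, 05 Feb 2012 01:48:05 -0600
X-Failed-Recipients: victim@example.net
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@server.myserver.com>
To: nobody@server.myserver.com
Subject: Mail delivery failed: returning message to sender
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.myserver.com
X-AntiAbuse: Original Domain - server.myserver.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -k start -DSSL
X-Source-Dir: my-domain-on-my-server.com:/public_html

This message was created automatically by mail delivery software.
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@server.myserver.com>
Received: from nobody by server.myserver.com with local (Exim 4.69)
 (envelope-from <nobody@server.myserver.com>)
 id 1RtwpR-0005iX-Je
 for victim@example.net; Sun, 05 Feb 2012 01:48:05 -0600
To: victim@example.net
Subject: DOUqlPNSvKbX
Content-Type: text/plain
From: jvdhqolofp <fvtznp@hriczt.com>
Reply-To: fvtznp@hriczt.com
Sender: Nobody <nobody@server.myserver.com>

wWFooc http://rzwkriqhjpka.com/
"""

# Process names that mean "a web request made this call" (assumed list).
WEB_CALLERS = {"httpd", "apache2", "php-cgi", "php-fpm", "lsphp"}


def split_bounce(raw):
    """Outer bounce and, if present, the original message Exim copied into it."""
    outer_raw, _, inner_raw = raw.partition(COPY_MARKER)
    outer = email.message_from_string(outer_raw)
    # lstrip() matters: a leading blank line would end the inner headers early.
    inner = email.message_from_string(inner_raw.lstrip()) if inner_raw.strip() else None
    return outer, inner


def _flat(value):
    """Collapse header folding into single spaces."""
    return " ".join(str(value).split())


def local_sender(msg):
    """Unix user that handed the message to Exim over the local (pipe) interface."""
    for v in msg.get_all("Received", []):
        m = re.match(r"from (\S+) by (\S+) with local", _flat(v))
        if m:
            return m.group(1)
    return None


def caller_ids(msg):
    """(uid, gid) of the process that called sendmail, from X-AntiAbuse."""
    for v in msg.get_all("X-AntiAbuse", []):
        m = re.search(r"Originator/Caller UID/GID - \[(\d+) (\d+)\]", v)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def triage(raw):
    outer, inner = split_bounce(raw)
    args = _flat(outer.get("X-Source-Args", ""))
    caller = os.path.basename(args.split()[0]) if args else ""
    ids = caller_ids(outer)
    failed = [a.strip() for a in _flat(outer.get("X-Failed-Recipients", "")).split(",") if a.strip()]
    return {
        "bounce_from": local_sender(outer),                     # mailnull: Exim's own bounce
        "original_sender": local_sender(inner) if inner else None,
        "caller_uid": ids[0] if ids else None,
        "caller_gid": ids[1] if ids else None,
        "source_args": args,
        "source_dir": _flat(outer.get("X-Source-Dir", "")),
        "failed_recipients": failed,
        "injected_by_webserver": caller in WEB_CALLERS,
        "claimed_from": _flat(inner.get("From", "")) if inner else "",
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_BOUNCE).items():
        print(f"{k:22s} {v}")
```

The same Received/X-Source fields are present on the outbound copies too, so `exim -Mvh <id>` on a queued message gives the same answer without waiting for a bounce.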
  14. k-planethost

  15. chasmcg

    I am really stupid. It took me a while to catch on. This is a game website. I have it just as a complimentary service for my customers on another website. It's a game script I purchased and really haven't paid that much attention to what it does. I have a "Contact" link on the website. This person is sending the spam from that. It sends an email to my admin email address and "nobody" on my server sends the email. I think that is the problem. 3 or 4 days wasted looking into this. Oh well, I learned a few things. Thanks to everyone.
     
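The first bounced header in the thread has the spammer's text in Subject:, From: and Reply-To:, which is what a contact form that copies its fields straight into mail headers produces; anyone can then drive the form as a relay to whatever address it mails, and if a field were allowed to contain a newline the submitter could add headers and recipients of their own. Added example, not the game script's code: a Python form handler that keeps the envelope sender fixed, accepts only a single bare reply address, rejects CR/LF in anything that lands in a header, caps the number of links in the body and rate limits submissions per client address. SITE_FROM, ADMIN_TO, MAX_LINKS and the sample submissions are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed site configuration for this example.
SITE_FROM = "contact-form@example.com"   # fixed sender: never taken from the form
ADMIN_TO = "admin@example.com"           # the only recipient the form can reach
MAX_LINKS = 2                            # more URLs than this in a body is treated as spam


class FormRejected(ValueError):
    pass


CONTROL_CHARS = re.compile(r"[\r\n\x00]")
BARE_ADDRESS = re.compile(r"^[^@\s<>,;]+@[^@\s<>,;]+\.[^@\s<>,;]+$")
URL = re.compile(r"https?://", re.IGNORECASE)


def clean_header_field(value, max_len):
    """A single-line field destined for a header: no CR/LF/NUL, bounded length."""
    if CONTROL_CHARS.search(value):
        raise FormRejected("control characters in header field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise FormRejected("field empty or too long")
    return value


def clean_reply_address(value):
    """Exactly one bare address; 'a@x, b@y' or 'Name <a@x>' are refused."""
    value = clean_header_field(value, 254)
    _, addr = parseaddr(value)
    if addr != value or not BARE_ADDRESS.match(addr):
        raise FormRejected("reply address must be a single bare address")
    return addr


def build_message(name, reply_to, subject, body):
    name = clean_header_field(name, 80)
    subject = clean_header_field(subject, 120)
    addr = clean_reply_address(reply_to)
    if len(body) > 5000 or len(URL.findall(body)) > MAX_LINKS:
        raise FormRejected("body too long or too many links")
    msg = EmailMessage()             # its default policy also refuses CR/LF in header values
    msg["From"] = SITE_FROM
    msg["To"] = ADMIN_TO
    msg["Reply-To"] = addr
    msg["Subject"] = f"[contact] {subject}"
    msg.set_content(f"Submitted by: {name} <{addr}>\n\n{body}")
    return msg


class RateLimiter:
    """Sliding window: at most `limit` submissions per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)

    def allow(self, key, now):
        q = self.seen[key]
        while q and q[0] <= now - self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_submission(form, client_ip, limiter, now):
    """Returns the EmailMessage to hand to the MTA, or raises FormRejected."""
    if not limiter.allow(client_ip, now):
        raise FormRejected("too many submissions from this address")
    return build_message(form["name"], form["email"], form["subject"], form["message"])


def is_rejected(form, client_ip, limiter, now):
    try:
        handle_submission(form, client_ip, limiter, now)
        return False
    except FormRejected:
        return True


# Constructed submissions: one legitimate, one with a header-injection attempt,
# one shaped like the link-stuffed spam in the thread.
GOOD = {"name": "Alice", "email": "alice@example.org",
        "subject": "Score bug", "message": "Level 3 does not save my score."}
INJECTED = dict(GOOD, subject="Hi\r\nBcc: victim@example.net")
SPAMMY = {"name": "Patent Pointed-Toe Pump - $134.99", "email": "fvtznp@hriczt.com",
          "subject": "Discount shoes", "message": "http://a.example/ http://b.example/ http://c.example/"}

if __name__ == "__main__":
    lim = RateLimiter(limit=3, window=60)
    print(handle_submission(GOOD, "203.0.113.5", lim, now=0))
    print("injection rejected:", is_rejected(INJECTED, "203.0.113.5", lim, now=1))
    print("spam rejected:", is_rejected(SPAMMY, "203.0.113.5", lim, now=2))
```

The fixed From: is what makes the mail attributable: it leaves the server's own identity in the envelope rather than whatever the visitor typed, and the Reply-To: still lets the admin answer a real enquiry.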
