
Additional Places To Find Spammer?

Discussion in 'General Discussion' started by webgazelle, Oct 22, 2005.

  1. webgazelle

    webgazelle Member

    I discovered that my server was running spam scripts after I got blacklisted. I used these forums extensively and discovered two sets of scripts running in the /tmp and /var/tmp directories. The scripts all seemed to originate from Brazil, as the vast majority of email addresses in the spam library had .br extensions.

    Here is what I did:

    1. I removed the scripts (xXx.txt, enviar.txt, ... directory, and supporting scripts that seem to be perl based)

    2. I recompiled php with the phpsuexec option turned on

    3. I added this spamlog script to fish for which account was sending the spam. Nothing has shown up when monitoring this log. (http://www.webhostgear.com/232_print.html)

    4. I converted the /tmp directory so that it won't execute scripts anymore (http://www.webhostgear.com/34.html)

    And yet, it seems that I'm still sending out spam because of the bounce backs that I'm seeing.

    So my questions are:

    1. Where can I see outgoing email messages? I'm not sure which log to look at.

    2. Using Cpanel, I notice that mailnull and nobody are the big offenders when looking at View Mail Statistics. What else can I look at to get more detailed info instead of just totals?

    Any help here would be great. I'm just looking to catch this script in the act and get rid of this. My system doesn't have PHPbb running and I'm not exactly sure which script was used to access and take advantage of my /tmp directories.
     
  2. jackie46

    jackie46 BANNED

    Did you turn on:

    Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

    From tweaks?

    With phpsuexec on, you should be able to tell who's sending spam, but somebody may be abusing the scripts in /usr/local/cpanel/cgi-sys/. Did you check your /usr/local/apache/logs/error_log for cgi-sys abusers?
     
  3. sawbuck

    sawbuck Well-Known Member

    Also try adding this: log_selector = +all to the Exim Configuration Editor > Advanced Mode in the first text box - Save - and then
    tail -f /var/log/exim_mainlog
     
  4. webgazelle

    webgazelle Member

    I did turn on the prevent nobody from sending out mail in Cpanel.

    I've gone through the error_logs and they are unexceptional. The typical 404 errors were about the only thing there.

    I did turn on the log_selector last night in the Exim Config Editor. Within my exim_mainlog there was a flurry of emails sent from nobody during those days I was "occupied", but there isn't anything like that right now.
     
  5. brianoz

    brianoz Well-Known Member

    One of the main reasons behind phpsuexec is that it gives you a clear idea of who sent the email, and knowing that is one of the keys to solving the problem. The exim logging tip above may help you see who is sending the spam. Also if you go into tweaks you can limit the number of emails per hour per user, which may help.

    You should try commands like "top" and look in the cron log to see if stuff is running regularly; that may also tip you off. It might be as simple as having a still-running process from when you killed off the files in /tmp etc.

    The next question is whether the spam is even going through exim on your machine. You should be able to set up firewall rules (from memory there may even be something in tweaks to do it) to prevent processes connecting to off-machine SMTP servers as that's one way spam is sent.
     
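Putting sawbuck's exim_mainlog tip together with brianoz's point that the key is knowing which local user handed the mail to Exim, here is an added example (not posted by anyone in this thread) that summarises exim_mainlog lines by the U= local user and lists where a given user's messages were delivered. The log lines are constructed for the example; it assumes the standard Exim layout in which the message ID immediately precedes the "<=" (arrival) or "=>" (delivery) flag, and it locates that flag by scanning fields so that extra fields added by log_selector = +all do not break it.

```shell
#!/bin/sh
# Constructed sample exim_mainlog lines (hypothetical, not from the thread).
# "<=" = message accepted; U= is the local user it came from.
# "=>" = message delivered; the next field is the recipient.
SAMPLE_LOG='2005-10-22 03:14:01 1ESxyz-0001Aa-Bc <= root@example.test U=root P=local S=642
2005-10-22 03:14:02 1ESxyz-0001Ab-De <= nobody@example.test U=nobody P=local S=1533 T=oferta
2005-10-22 03:14:02 1ESxyz-0001Ac-Fg <= nobody@example.test U=nobody P=local S=1533 T=oferta
2005-10-22 03:14:03 1ESxyz-0001Ad-Hi <= joe@example.test U=joe P=local S=800
2005-10-22 03:14:03 1ESxyz-0001Ab-De => alguem@example.br R=lookuphost T=remote_smtp
2005-10-22 03:14:04 1ESxyz-0001Ae-Jk <= nobody@example.test U=nobody P=local S=1533 T=oferta'

# Read exim log lines on stdin; print "<count> <user>" per U= user, busiest first.
senders_by_user() {
    awk '{
            f = 0
            for (i = 1; i <= NF; i++) if ($i == "<=") { f = i; break }
            if (!f) next                      # not an arrival line
            for (i = f + 1; i <= NF; i++)
                if ($i ~ /^U=/) n[substr($i, 3)]++
         }
         END { for (u in n) print n[u], u }' | sort -rn
}

# Number of messages accepted from local user $1 (log on stdin); 0 if none.
count_for_user() {
    senders_by_user | awk -v u="$1" '$2 == u { print $1; found = 1 }
                                     END { if (!found) print 0 }'
}

# For local user $1, print "<message-id> <recipient>" for each delivery of a
# message that user handed to Exim (log on stdin). Arrival always precedes
# delivery in the log, so one pass is enough.
deliveries_for_user() {
    awk -v u="$1" '{
            f = 0
            for (i = 1; i <= NF; i++) if ($i == "<=" || $i == "=>") { f = i; break }
            if (!f) next
            id = $(f - 1)
            if ($f == "<=") {
                for (i = f + 1; i <= NF; i++) if ($i == ("U=" u)) ids[id] = 1
            } else if (id in ids) print id, $(f + 1)
         }'
}
```

On a live box, replace the sample with `cat /var/log/exim_mainlog | senders_by_user` to see which account the bulk of the mail is coming from, then `deliveries_for_user nobody` to see where it went.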