The Community Forums


Am I hacked?? Exim has gone mad!

Discussion in 'Security' started by indiocomantxe, Feb 28, 2012.

  1. indiocomantxe

    indiocomantxe Registered

    Joined:
    Feb 28, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Although I have skills in Linux, I'm a newbie with cPanel and its virtualization systems.

    I have a CentOS 5.5 server with cPanel + HyperVM configured with the OpenVZ driver. I've received several warnings from the hosting crew explaining that my server is sending spam mails.

    1) 358 processes like these (I list only some of them) are running at a time, and they are hogging all the system memory:

    # ps -ef | grep exim

    mailnull 300 0.0 0.0 67692 3724 ? S 00:58 0:00 /usr/sbin/exim -MCP -MC remote_smtp mx.rediffmail.rediff.akadns.net 119.252.147.10 4 1S2AEK-0007NC-6d
    mailnull 477 0.0 0.0 67584 2988 ? S 00:59 0:00 /usr/sbin/exim -Mc 1S2XsI-0008Q1-TC
    root 2552 0.0 0.1 67532 5696 ? S 00:59 0:00 /usr/sbin/exim -Mc 1S2Xtd-0000rg-FF
    mailnull 2602 0.0 0.0 64272 176 ? Ss Jan22 0:00 /usr/sbin/exim -bd -q1h
    root 2744 0.0 0.1 67552 5832 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2Xtm-0000wG-SZ
    root 2751 0.0 0.1 67592 5836 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2Xtn-0000wZ-S4
    mailnull 2830 0.0 0.0 67604 2972 ? S 00:46 0:00 /usr/sbin/exim -Mc 1S2Xem-0007x8-RK
    mailnull 3035 0.0 0.0 67596 2884 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2Xtn-0000wZ-S4
    mailnull 3059 0.0 0.0 67560 3004 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2Xtm-0000wG-SZ
    mailnull 4216 0.0 0.0 67536 2744 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2Xtd-0000rg-FF
    mailnull 4243 0.0 0.0 67528 2860 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2Xs5-0008Mp-8t
    root 4267 0.0 0.1 67564 5844 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2XuD-0001L7-Hv
    mailnull 4279 0.0 0.0 67520 2728 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2XrH-0007ri-V6
    root 4347 0.0 0.1 67580 5820 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2XuJ-0001N9-Ff
    root 4435 0.0 0.1 67560 5828 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2XuS-0001Ol-2C
    mailnull 4492 0.0 0.0 67572 2912 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2XuD-0001L7-Hv
    root 4501 0.0 0.1 67556 5816 ? S 01:00 0:00 /usr/sbin/exim -Mc 1S2XuV-0001PK-5P

    2) /usr/sbin/exim does not exist in the filesystem, and the command "rpm -qa | grep exim" gives an empty output. Exim doesn't seem to be installed.

    3) I have another clean testing environment with the same software and there are no "exim" processes.


    What's going on??? I don't think this is normal. Am I hacked??? :eek:
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    No idea if you are hacked or not. You haven't given nearly enough information for anybody to make that claim.

    Those processes are exim (the mailserver) sending out emails. Log into WHM and look at the Mail Queue Manager and/or from the commandline type exiqgrep|less and scroll down to see who the emails are from and where they are going.

    Could be your server is an open relay [by default it isn't]. Could be that some email user with a weak email password got their email account hijacked and that it is now being used to send spam.

    Could be a script was uploaded to the server which is now being used to generate spam.

    Your server may be fine. An account on your server may have been hacked or hijacked. Or your whole system may be root compromised. Pretty darned difficult to tell with what you've given.

    If your server is truly a cPanel server, then /usr/sbin/exim should exist and rpm -qa |grep exim should reveal that exim is installed. If it isn't there, did your hosting provider remove exim?

    The virtualization system is not cPanel related.

    Mike
     
  3. ChrisFirth

    ChrisFirth Active Member
    PartnerNOC

    Joined:
    Apr 10, 2008
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    The logging in exim should give away who is causing the problem and whether the emails are actually spam. You can view the headers of the email, which should show you how the email was sent (e.g. via external SMTP or locally from the server) and what username was used or which user sent it.

    The headers can be viewed with 'exim -Mvh <msg id>' or the message body with 'exim -Mvb <msg id>'.

    That should give you some clues as to who is sending it out. If it is being sent locally, you can usually find the script easily, either by looking for processes under the user it is being sent from (there may be perl processes etc. sending the emails) using ps or the like, or by tailing the access logs for the site, which could give the script away.

    There isn't a lot of info you have given at this stage, so these pointers are pretty broad; if you can find how the spam is being sent, I can give you a few more tips.
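The two replies above boil down to one triage step: dump each queued message's spool header with `exim -Mvh <msg id>` and read off how it entered the server. The Python below, added here as an example and not code from the thread or from cPanel, parses a constructed sample of that spool-header format and maps the envelope options (`-auth_id`, `-host_address`, `-local`) plus cPanel's `X-PHP-Script` header onto the three causes mtindor listed: hijacked mailbox, open relay, or an uploaded script. The message id, addresses and script path in the sample are made up.

```python
import re

# Constructed sample of 'exim -Mvh <id>' output in Exim's spool-header format (not from the thread).
SAMPLE_LOCAL = """1EXAMP-00TEST-ID-H
nobody 99 99
<nobody@example.com>
1330387200 0
-ident nobody
-received_protocol local
-local
XX
1
victim@example.net

054  Received: from nobody by host.example.com with local (Exim 4.77)
023F From: "Bank" <alerts@example.com>
024  X-PHP-Script: example.com/templates/free/mail.php for 203.0.113.7
"""

def parse_spool_header(text):
    """Split the dump into id, submitting user, envelope sender, options, recipients and headers."""
    lines = text.splitlines()
    first = lines[0][:-2] if lines[0].endswith("-H") else lines[0]
    info = {"id": first, "user": lines[1].split()[0], "sender": lines[2].strip("<>"),
            "options": {}, "recipients": [], "headers": {}}
    i = 4                                   # lines[3] is '<received time> <warning count>'
    while lines[i].startswith("-"):         # '-name [value]' envelope options
        key, _, val = lines[i][1:].partition(" ")
        info["options"][key] = val
        i += 1
    while not lines[i].strip().isdigit():   # skip the 'XX' non-recipients tree
        i += 1
    count = int(lines[i])
    info["recipients"] = lines[i + 1:i + 1 + count]
    for line in lines[i + 1 + count:]:      # '<len><type> Name: value' header lines
        m = re.match(r"\d+. ([\w-]+): ?(.*)", line)
        if m:
            info["headers"][m.group(1)] = m.group(2)
    return info

def classify_origin(info):
    """Map the envelope data onto the three causes named in the thread."""
    opts, hdrs = info["options"], info["headers"]
    if "auth_id" in opts:                   # SMTP AUTH: a mailbox password was used
        return "authenticated SMTP as " + opts["auth_id"]
    if "host_address" in opts:              # remote and unauthenticated: relay suspicion
        return "unauthenticated remote SMTP from " + opts["host_address"]
    script = hdrs.get("X-PHP-Script", "no X-PHP-Script header")
    return "local submission by %s (%s)" % (info["user"], script)
```

Run it over the output of `exiqgrep -i | xargs -n1 exim -Mvh` and count the classifications: a single user or script dominating the queue is the account or file to look at first.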
     
  4. smith002

    smith002 Registered

    Joined:
    Feb 28, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Mostly the relay is turned on. You can check in the webmin manager; there are all the emails which are in the queue.
    To check the relay, you try:

    MAIL FROM:<sender@domain.com> [enter]
    RCPT TO:<yourid@domain.com> [enter]
    DATA [enter]
    Type your email [enter]
    . [enter]

    If you successfully sent the mail, then your relay is turned ON.
     
    #4 smith002, Feb 29, 2012
    Last edited: Feb 29, 2012
  5. indiocomantxe

    indiocomantxe Registered

    Joined:
    Feb 28, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for all your feedback, I found the problem.

    First of all, thanks to the "strace" and "lsof" commands, I realised that on the one hand there were a lot of communications open with this IP from Beirut, catalogued as High Risk by the McAfee threat database: 212.98.147.235 - IP - McAfee Labs Threat Center. After that I found one directory structure with a huge email database as the destination of the spam.

    On the other hand, I used the ClamAV antivirus and found a malware farm:

    Email.Phishing.Pay-44
    Email.Trojan-108
    Email.Trojan-171
    Email.Trojan-234
    Email.Trojan-238
    Email.Trojan-240
    Email.Trojan-242
    Email.Trojan-244
    Email.Trojan-246
    Email.Trojan-253
    Email.Trojan-256
    Email.Trojan.GZC
    Heuristics.Phishing.Email.SpoofedDomain
    Heuristics.Phishing.Email.SSL-Spoof
    Heuristic.Trojan.SusPacked.CEP
    HTML.Phishing.Auction-293
    Linux.RST.B
    PHP.Hide
    PHP.Mailer-7
    PHP.Remoteadmin-1
    PHP.Shell
    Suspect.Bredozip-zippwd-10
    Suspect.Bredozip-zippwd-11
    Suspect.Bredozip-zippwd-12
    Suspect.Bredozip-zippwd-13
    Suspect.Bredozip-zippwd-2
    Suspect.Bredozip-zippwd-6
    Suspect.DoubleExtension-zippwd-12
    Suspect.Trojan.Generic.FD-1
    Suspect.Trojan.Generic.FD-2
    Suspect.Trojan.Generic.FD-4
    Trojan.Agent-173270
    Trojan.Agent-245365
    Trojan.Agent-248965
    Trojan.Backdoor-17
    Trojan.Bredolab-1256
    Trojan.Chepvil-3
    Trojan.Chepvil-7
    Trojan.Chepvil-9
    Trojan.Downloader-103788
    Trojan.Downloader-103793
    Trojan.Downloader-105271
    Trojan.Downloader-111271
    Trojan.Downloader-112455
    Trojan.Downloader-112958
    Trojan.Downloader-113415
    Trojan.Downloader-114118
    Trojan.Downloader-114165
    Trojan.Downloader-115187
    Trojan.Downloader-116929
    Trojan.Downloader.Agent-1452
    Trojan.Downloader.Agent-1502
    Trojan.Downloader.Agent-1511
    Trojan.Downloader.Agent-1514
    Trojan.Downloader.Banload-5897
    Trojan.Downloader.FraudLoad-62
    Trojan.Downloader.FraudLoad-84
    Trojan.Downloader.Inject-1
    Trojan.Downloader.Injecter-4
    Trojan.Downloader.Small-3296
    Trojan.Downloader.Small-3297
    Trojan.FakeAV-9693
    Trojan.Generic.Bredolab-2
    Trojan.Menti-1
    Trojan.Perlbot
    Trojan.PHP.C99Shell
    Trojan.Sasfis-25
    Trojan.Sasfis-26
    Trojan.Spy.SpyEyes-214
    Trojan.Yakes-13
    Trojan.Yakes-15
    Trojan.Yakes-23
    Trojan.Yakes-6
    Trojan.Yakes-8
    Trojan.Yakes-9

    My client infected and destroyed the whole server using free templates and source code from an unknown source. Thanks for all the help.
     
  6. indiocomantxe

    indiocomantxe Registered

    Joined:
    Feb 28, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I found the problem. With the "strace" and "lsof" commands I realised:

    1) There were communications with a high-risk IP catalogued by the McAfee threat database.

    2) I found a directory subtree with a huge amount of files containing email addresses. I suppose that those are the recipients of the spam. I also found mail templates written to cheat people.

    3) I detected a giant malware farm with the ClamAV antivirus (the same list as in my previous post).

    My client destroyed his server by downloading infected free web templates. Thanks for all your help!!
     