Assistance in helping track down spam script

superdmon

Member
Mar 4, 2016
7
0
1
Ohio
cPanel Access Level
Root Administrator
I am currently serving a client with an unmanaged VPS running cPanel / WHM and I have full root access. I seem to keep getting rid of this particular malware script issue, but it keeps coming back.

I've eliminated the obvious files that were infected, even did a thorough scan with jamss.php to find and eliminate some files that had injected code, now when running this command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

I get a listing like so:
1 /home/*siteuser*/public_html/*sitename*
4 /usr/local/cpanel/logs
11 /root
476 /etc/csf
13990 /usr/local/cpanel/whostmgr/docroot
50844 /
75844 /home/*siteuser*/public_html/*sitename*/templates/beez3/language

On the last line, I found a script and was able to eliminate it; however, mail keeps churning and the second-to-last line seems to be the culprit. That number keeps increasing on refresh, but it does not show a path, just a "/", meaning root?

Any assistance to track down would be greatly appreciated!
 

Neutrall

Active Member
PartnerNOC
Jul 22, 2014
27
3
53
cPanel Access Level
DataCenter Provider
Hi,
Install ConfigServer MailQueue to see the full header of the outgoing spam.

Also, even if you clean the file, did you find the hole by which the file came in?
 

superdmon

Member
Mar 4, 2016
7
0
1
Ohio
cPanel Access Level
Root Administrator
I'll take a look at that. I have turned on some additional headers on the exim messages. I can even see the X-Script header, but all it says is *domain*/ and does not give the location of the script that launched it. Will configServer MailQueue provide more information?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello :)

The following document is also helpful:

How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

Note the lack of a specific path from the "cwd" line is a known issue stemming from the recent Exim security patch:

CVE-2016-1531 Exim - cPanel Knowledge Base - cPanel Documentation

Internal case CPANEL-4597 addresses the issue and restores the previous functionality related to the "cwd" entry in Exim logs. You can monitor our change log to see when the resolution is released:

Change Logs - Documentation - cPanel Documentation

Thank you.
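As an added example (not code from the thread, from cPanel or from ConfigServer), here is a Python equivalent of the grep/awk pipeline from the first post that also separates out the bare "cwd=/" bucket described above, so the directories that can still be attributed are ranked apart from the ones the patched Exim logged without a path. The log lines are constructed to mimic the exim_mainlog format, and the suspect threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample exim_mainlog lines (not taken from the thread). Exim writes a
# "cwd=" entry when a local process hands it a message via sendmail/exim.
SAMPLE_LOG = """\
2016-03-04 10:00:01 cwd=/home/siteuser/public_html/sitename/templates/beez3/language 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:00:02 cwd=/home/siteuser/public_html/sitename/templates/beez3/language 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:00:03 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:00:04 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:00:05 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:00:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1abcde-000001-AB
2016-03-04 10:00:07 cwd=/etc/csf 2 args: /usr/sbin/sendmail root
2016-03-04 10:00:08 1abcde-000002-CD <= user@example.invalid H=(localhost) [127.0.0.1]
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")


def count_cwd(log_text, exclude_prefix="/var/spool"):
    """Same tally as the grep | awk | sort | uniq -c pipeline: how often each
    working directory submitted mail, skipping Exim's own spool directory
    (those lines are queue runs, not new submissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if not m:
            continue  # receipt/delivery lines carry no cwd
        cwd = m.group(1)
        if not cwd.startswith(exclude_prefix):
            counts[cwd] += 1
    return counts


def classify(counts, threshold=2):
    """Split the tally into web paths worth inspecting (under /home, at or above
    an assumed threshold) and the bare "/" bucket, which the patched Exim
    emitted for command-line callers instead of the caller's real directory
    (the CVE-2016-1531 / CPANEL-4597 behaviour noted in the thread)."""
    suspects, unattributed = [], 0
    for cwd, n in counts.most_common():
        if cwd == "/":
            unattributed = n
        elif cwd.startswith("/home/") and n >= threshold:
            suspects.append((cwd, n))
    return suspects, unattributed


if __name__ == "__main__":
    tally = count_cwd(SAMPLE_LOG)
    suspects, unattributed = classify(tally)
    for cwd, n in suspects:
        print(f"{n:6d} {cwd}")
    print(f"{unattributed:6d} submissions logged as cwd=/ (no path to inspect)")
```

Submissions landing in the "/" bucket need the mail queue (full headers, message IDs) to attribute, since the log line itself carries no path.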
 

superdmon

Member
Mar 4, 2016
7
0
1
Ohio
cPanel Access Level
Root Administrator
Thanks for the links to the very helpful documentation. I'm still reading over some of them and this will definitely help me armor the mail server. As of right now, I've stopped all malicious activity on the server, Yay!

I tracked down some additional scripts and put in some ip geolocation blocks from obvious offenders. I also turned on a bunch of notifications so I can keep close tabs on what is happening on the server. So far, so good.

Thanks for jumping in, I'm somewhat of a n00b when it comes to sysadmin type stuff. I'm a front-end developer with a client who has an unmanaged VPS, so it's trial by fire! :)

 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
I'm happy to see we were able to provide you with some helpful information. That's what we are here for. :)

Also, the patch to restore the functionality of the "cwd" entry in /var/log/exim_mainlog should be available later today on the "Current" and "Release" build tiers:

Fixed case CPANEL-4597: Emit cwd=/path/to/caller to logs when exim is called from command line.

Thank you.