The Community Forums


Assistance in helping track down spam script

Discussion in 'Security' started by superdmon, Mar 4, 2016.

  1. superdmon

    superdmon Member

    Joined:
    Mar 4, 2016
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ohio
    cPanel Access Level:
    Root Administrator
    I am currently serving a client with an unmanaged VPS running cPanel/WHM and I have full root access. I seem to keep getting rid of this particular malware script issue, but it keeps coming back.

    I've eliminated the obvious files that were infected, even did a thorough scan with jamss.php to find and eliminate some files that had injected code, now when running this command:

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    I get a listing like so:
    1 /home/*siteuser*/public_html/*sitename*
    4 /usr/local/cpanel/logs
    11 /root
    476 /etc/csf
    13990 /usr/local/cpanel/whostmgr/docroot
    50844 /
    75844 /home/*siteuser*/public_html/*sitename*/templates/beez3/language

    On the last line, I found a script and was able to eliminate it; however, mail keeps churning, and the second-to-last line seems to be the culprit. That number keeps increasing on refresh, but it does not show a path, just a "/", meaning root?

    Any assistance to track down would be greatly appreciated!
     
  2. Neutrall

    Neutrall Member
    PartnerNOC

    Joined:
    Jul 22, 2014
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Hi,
    Install configServer MailQueue to see the full header of the outgoing spam.

    Also, even if you clean the file, did you find the hole by which the file came in?
     
  3. superdmon

    superdmon Member

    Joined:
    Mar 4, 2016
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ohio
    cPanel Access Level:
    Root Administrator
    I'll take a look at that. I have turned on some additional headers on the exim messages. I can even see the X-Script header, but all it says is *domain*/ and does not give the location of the script that launched it. Will configServer MailQueue provide more information?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The following document is also helpful:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    Note the lack of a specific path from the "cwd" line is a known issue stemming from the recent Exim security patch:

    CVE-2016-1531 Exim - cPanel Knowledge Base - cPanel Documentation

    Internal case CPANEL-4597 addresses the issue and restores the previous functionality related to the "cwd" entry in Exim logs. You can monitor our change log to see when the resolution is released:

    Change Logs - Documentation - cPanel Documentation

    Thank you.
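    The aggregation the first post does with grep/awk/sort, plus the caveat from this reply that a bare "/" carries no path information while the logging regression is in place, as an added example written for this thread (not code from the original posts or from cPanel). The log lines are constructed in the shape Exim writes for command-line invocations; the threshold value and the spool-directory filter are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data) in the shape exim_mainlog uses
# when sendmail/exim is invoked from the command line: "cwd=<dir> <n> args: ...".
SAMPLE_LOG = """\
2016-03-04 10:15:22 cwd=/home/siteuser/public_html/site/templates/beez3/language 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:15:23 cwd=/home/siteuser/public_html/site/templates/beez3/language 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:15:24 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:15:25 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:15:26 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2016-03-04 10:15:27 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1abcde-000001-AB
2016-03-04 10:15:28 cwd=/etc/csf 4 args: /usr/sbin/sendmail -t -i -f
2016-03-04 10:15:29 1abcde-000002-CD <= user@example.test H=localhost [127.0.0.1] P=esmtpa
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")


def count_cwd(log_text, skip_prefix="/var/spool"):
    """Count cwd= paths per directory, skipping Exim's own spool directory
    (the same filter as `grep -v /var/spool` in the original command)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if not m:
            continue  # delivery/receive lines carry no cwd= field
        cwd = m.group(1)
        if cwd.startswith(skip_prefix):
            continue
        counts[cwd] += 1
    return counts


def suspicious_dirs(counts, threshold=2):
    """Return (flagged, uninformative): directories with at least `threshold`
    injections, highest count first, and the number of entries whose cwd is a
    bare "/". On a build affected by the CVE-2016-1531 logging regression that
    "/" is not a real location, so it is reported separately rather than
    treated as a directory to inspect (use the X-Script header or a file scan)."""
    ranked = sorted(((c, d) for d, c in counts.items() if c >= threshold), reverse=True)
    flagged = [(d, c) for c, d in ranked if d != "/"]
    return flagged, counts.get("/", 0)
```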
     
  5. superdmon

    superdmon Member

    Joined:
    Mar 4, 2016
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ohio
    cPanel Access Level:
    Root Administrator
    Thanks for the links to the very helpful documentation. I'm still reading over some of them and this will definitely help me armor the mail server. As of right now, I've stopped all malicious activity on the server, Yay!

    I tracked down some additional scripts and put in some ip geolocation blocks from obvious offenders. I also turned on a bunch of notifications so I can keep close tabs on what is happening on the server. So far, so good.

    Thanks for jumping in, I'm somewhat of a n00b when it comes to sysadmin type stuff. I'm a front-end developer with a client who has an unmanaged VPS, so it's trial by fire! :)

     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I'm happy to see we were able to provide you with some helpful information. That's what we are here for. :)

    Also, the patch to restore the functionality of the "cwd" entry in /var/log/exim_mainlog should be available later today on the "Current" and "Release" build tiers:

    Fixed case CPANEL-4597: Emit cwd=/path/to/caller to logs when exim is called from command line.

    Thank you.
     