The Community Forums


being spammed, looks like Cpanel exploit ?

Discussion in 'E-mail Discussions' started by mtindor, Oct 27, 2007.

  1. mtindor
    What's in exim_outgoing.conf? That's nothing I recognize as a Cpanel file.

    Mike


     
  2. fuzioneer
    I am a newbie to tracking down spam sources,

    but from a little research it appears one of our servers has been the subject of an outbound spam attack, sending out phishing emails.

    Now, the attack started around 11pm yesterday evening, and looking through the exim_mainlog, the following lines appear:

    2007-10-27 23:28:35 [15481] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNw9-0007fw-6T
    2007-10-27 23:28:35 [15482] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNw9-0007g1-An
    2007-10-27 23:28:35 [15483] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwA-0007gK-DI
    2007-10-27 23:28:35 [15484] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwA-0007gM-CZ
    2007-10-27 23:28:35 [15485] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwB-0007go-21
    2007-10-27 23:28:35 [15486] cwd=/usr/local/cpanel/whostmgr/docroot 5 args: exim -C /etc/exim_outgoing.conf -Mvh 1IjNwB-0007h9-EZ


    and 1000s more

    All the emails are under the nobody account, and I cannot find any trace of PHP files being used for any of the accounts on the server, nor any of them having more than the standard emails dispatched.

    Is there some form of loophole being used here in our cPanel config to send email?

    Any suggestions on digging deeper?

    We are on the following:
    WHM 11.11.0 cPanel 11.15.0-R17665
    CENTOS Enterprise 4.5 i686 on standard - WHM X v3.1.0
     
  3. mtindor
    What does one of those 'spam' messages look like? Certainly with that volume you should have some sitting in your mail queue waiting to be delivered, which you could look at via Mail Queue Manager in WHM.

    Also, I did some searching and I'm guessing you are using MailScanner?

    Mike
     
  4. fuzioneer
    exim_outgoing.conf looks like a standard exim file.

    Yes, using MailScanner.
     
  5. fuzioneer
    Sample email headers with some info stripped ;)

    1IjNOv-0001oW-B6-H
    mailnull 47 12
    <>
    1192921597 0
    -ident mailnull
    -received_protocol local
    -body_linecount 126
    -max_received_linelength 259
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1192921598
    -localerror
    XX
    1
    online.security@visa.com

    160P Received: from mailnull by xxx.xxxxx.com with local (Exim 4.68)
    id 1IjNOv-0001oW-B6
    for online.security@visa.com; Sun, 21 Oct 2007 00:06:37 +0100
    044 X-Failed-Recipients: user@comcast.net
    029 Auto-Submitted: auto-replied
    069F From: Mail Delivery System <Mailer-Daemon@xxx.xxxxx.com>
    029T To: online.security@visa.com
    059 Subject: Mail delivery failed: returning message to sender
    058I Message-Id: <E1IjNOv-0001oW-B6@xxx.xxxxx.com>
    038 Date: Sun, 21 Oct 2007 00:06:37 +0100
     
  6. sparek-3
    This looks like a returned message. You will need to read the body of the message to find out the true culprit.

    exim -Mvb 1IjNOv-0001oW-B6

    The body should contain the original headers in the return message.
     
  7. fuzioneer
    I have done that and I get "no such file or directory".

    I have gone through a few bounces that are in the delivery queue and get the same when I check the ID on them all?
     
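    The spool header fuzioneer posted above, together with sparek-3's point that the bounce has to be read to find the real culprit, can be handled by a small parser that classifies each queued message. This is an added example and not code from the thread: it assumes the standard Exim -H spool layout (login/uid/gid line, envelope sender, option lines up to the XX marker, recipient count and list, a blank line, then length-prefixed header lines) and uses a constructed sample that mirrors the posted header, placeholder hostnames included.

```python
# Added example, not from the thread: parse and classify an Exim -H spool header. SAMPLE_H is constructed to mirror fuzioneer's post.
SAMPLE_H = """1IjNOv-0001oW-B6-H
mailnull 47 12
<>
1192921597 0
-ident mailnull
-frozen 1192921598
-localerror
XX
1
online.security@visa.com

160P Received: from mailnull by xxx.xxxxx.com with local (Exim 4.68)
\tid 1IjNOv-0001oW-B6
\tfor online.security@visa.com; Sun, 21 Oct 2007 00:06:37 +0100
044 X-Failed-Recipients: user@comcast.net
069F From: Mail Delivery System <Mailer-Daemon@xxx.xxxxx.com>
029T To: online.security@visa.com
"""

def parse_spool_header(text):
    """Split an Exim -H file into id, login, envelope sender, options, recipients and headers."""
    lines = text.splitlines()
    msg = {"id": lines[0][:-2], "login": lines[1].split()[0],
           "sender": lines[2].strip("<>"), "options": {}, "recipients": [], "headers": {}}
    i = 4                                   # line 3 is "<received-time> <warning-count>"
    while lines[i] != "XX":                 # "-name [value]" option lines end at the XX marker
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value
        i += 1
    count = int(lines[i + 1])
    msg["recipients"] = lines[i + 2:i + 2 + count]
    last = None                             # after a blank line: "<len><flag> Name: value"
    for line in lines[i + 3 + count:]:
        if line[:1].isdigit():              # new header; the flag char (P, F, T, I, *) is not needed here
            last, _, value = line.split(" ", 1)[1].partition(":")
            msg["headers"][last] = value.strip()
        elif last and line[:1] in (" ", "\t"):  # folded continuation line
            msg["headers"][last] += " " + line.strip()
    return msg

def triage(msg):
    """Empty envelope sender => bounce: its queued recipient is the (likely forged) original
    sender, while X-Failed-Recipients names who the phishing message was actually sent to."""
    is_bounce = msg["sender"] == ""
    failed = msg["headers"].get("X-Failed-Recipients", "")
    return {"id": msg["id"], "frozen": "frozen" in msg["options"], "is_bounce": is_bounce,
            "forged_sender": msg["recipients"][0] if is_bounce and msg["recipients"] else None,
            "original_recipients": [r.strip() for r in failed.split(",") if r.strip()]}
```

    `exim -Mvh <id>` prints this header for a queued message; with a split incoming/outgoing setup like the one the log lines show, pass the same -C configuration file that queued the message, since a separate configuration may use a separate spool directory.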