The Community Forums


Can't track paypal spammer under nobody

Discussion in 'General Discussion' started by Secret Agent, Apr 19, 2005.

  1. Secret Agent

    Secret Agent Guest

    I'm having a difficult time tracking a spammer under what seems to be 'nobody'.

    The spam report is below:

    [ Offending message ]
    Return-Path: <support@paypal.com>
    Delivered-To: spamcop-net-x
    Received: (qmail 6133 invoked from network); 19 Apr 2005 01:23:46 -0000
    Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
    by blade3.cesmail.net with SMTP; 19 Apr 2005 01:23:46 -0000
    Received: from mailgate.cesmail.net (216.154.195.36)
    by c60.cesmail.net with SMTP; 18 Apr 2005 21:23:48 -0400
    X-IronPort-AV: i="3.92,111,1112587200";
    d="scan'208,217"; a="212384871:sNHT42074820"
    Received: (qmail 24924 invoked from network); 19 Apr 2005 01:23:45 -0000
    Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)
    by mailgate.cesmail.net with SMTP; 19 Apr 2005 01:23:45 -0000
    Envelope-to: x
    Delivery-date: Tue, 19 Apr 2005 02:17:23 +0100
    Received: from mail.force9.net [212.159.10.2]
    by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
    for x (single-drop); Mon, 18 Apr 2005 21:23:45 -0400 (EDT)
    Received: from ptb-viruscore01.plus.net ([192.168.71.2])
    by pih-mxcore08.plus.net with esmtp (PlusNet MXCore v1.0) id 1DNhMh-0003aQ-2Y
    for x; Tue, 19 Apr 2005 02:17:23 +0100
    Received: from [192.168.101.76] (helo=pih-mxcore10.plus.net) by ptb-viruscore01.plus.net with esmtp (Exim 4.43) id 1DNhMg-0006Ws-SG for x; Tue, 19 Apr 2005 02:17:22 +0100
    Received: from [xx.x.166.50] (helo=server.myserverdomain.com) by pih-mxcore10.plus.net with esmtp (PlusNet MXCore v1.0) id 1DNhMg-0002o4-FQ for x; Tue, 19 Apr 2005 02:17:22 +0100
    Received: from nobody by server.myserverdomain.com with local (Exim 4.50) id 1DNhMd-0004AP-Aj for x; Mon, 18 Apr 2005 21:17:19 -0400
    To: x
    Subject: Verify Your PayPal Account.
    From: support@paypal.com <support@paypal.com>
    Reply-To:
    MIME-Version: 1.0
    Content-Type: text/html
    Content-Transfer-Encoding: 8bit
    Message-Id: <E1DN_________P-Aj@server.myserverdomain.com>
    Date: Mon, 18 Apr 2005 21:17:19 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.myserverdomain.com
    X-AntiAbuse: Original Domain - oct65.force9.co.uk
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - server.myserverdomain.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:
    X-PN-Virus-Scanned: By PlusNet VirusCORE (v3.01b)
    X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade3.cesmail.net
    X-Spam-Level:
    X-Spam-Status: hits=0.2 tests=ALL_TRUSTED,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
    HTML_TAG_EXIST_TBODY,MIME_HTML_ONLY,NORMAL_HTTP_TO_IP,REPLY_TO_EMPTY
    version=3.0.0


    This is what I have going:
    Spam Assassin
    "prevent nobody from sending ..." off (for obvious reasons - the general clients would not know how to work around it if I enabled this and enabled the phpSuExec module)
    Exim 4.5x
    "Include a list of Pop before " on

    I tried: grep 192.168.101.76 /var/log/exim_mainlog and grep 192.168.101.76 /var/log/messages. I got nothing in return.

    Any suggestions? I appreciate this.

    Note: I have the "Track the origin of messages sent though...." option off because it seemed to cause some major problems for many clients in the past. Has anyone else experienced this and know of a workaround as well? I have installed the Exim Dictionary ACL, but that is not going to do anything for outgoing spam anyway.
     
  2. Secret Agent

    Secret Agent Guest

    ???
    Email invalid and what is that domain in the end?
     
  3. vcampellone

    vcampellone Registered

    I can help

    If you still need help with this issue, e-mail me at vcampellone@ec-hosting.com. Had the same problem and fixed it in about 20 min.
     
  4. DigitalN

    DigitalN Well-Known Member

    With that option selected, you would have the location of the script within the email header:

    X-Source-Args:
    X-Source-Dir:

    would tell you exactly where the email was generated.

    Not sure what problems that has caused you, but I had that selected on all cPanel servers I looked after without issue.

    This option caused issues...

    Having "Include a list of Pop before " on will cause clients to be unhappy, as it adds all their email accounts to the email header. I had a few complaints about that one and would have it turned off.


    To track the spammer, see if you can catch an apache process sending mail,

    # ps auxf

    and look for an apache process with a child process that is using mail.

    # ls -l /proc/$pid    # $pid = PID of the suspect child; its cwd and exe links show where it runs from

    should tell you the location of the script. You may have to run ps auxf a lot to catch it. Also look in WHM at the high process script uses and Apache accesses; you may see a script being used that raises suspicion, so you can check it out.

    Having "Track the origin of messages sent though...." ON in WHM will enable you to track the emails to a directory and user when you are able to view the headers of the mails sent out.
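    Two of the checks discussed in this thread, reading the spam report's Received: chain and X-AntiAbuse headers from the first post and DigitalN's hunt for children of Apache workers, as an added Python example that is not from the thread or from cPanel. It assumes `ps -eo user,pid,ppid,args` output (explicit parent PIDs rather than the `ps auxf` tree) and uses constructed header and process samples modelled on the ones posted above.

```python
"""Triage helpers for the 'mail sent as nobody' case in this thread.

find_local_injection(): walk a spam report's Received: chain to the hop
    where the message entered Exim through the local sendmail interface;
    that hop's queue id (not an upstream relay's IP) is what to grep
    exim_mainlog for, and cPanel's X-AntiAbuse UID/GID names the caller.
httpd_worker_children(): list processes forked by non-root httpd workers in
    `ps -eo user,pid,ppid,args` output; a sendmail/sh/perl child of a worker
    is a web script sending mail, and /proc/<pid>/cwd names its directory.
Samples are constructed, modelled on the headers and ps output posted above.
"""
import re

RECEIVED_LOCAL = re.compile(  # 'from nobody by host with local (Exim 4.50) id ...'
    r"^Received:\s+from\s+(?P<user>\S+)\s+by\s+(?P<host>\S+)\s+with\s+local\b"
    r".*?\bid\s+(?P<exim_id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2})",
    re.IGNORECASE)
ANTIABUSE_UID = re.compile(  # 'X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]'
    r"^X-AntiAbuse:\s+Originator/Caller UID/GID\s+-\s+\[(\d+)\s+(\d+)\]", re.M)


def unfold_headers(raw):
    """Join folded continuation lines (leading space or tab) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def find_local_injection(raw_headers):
    """First hop of the chain if it used the local transport, else None.

    Each MTA prepends its Received: line, so the last one in the text is the
    first hop; a script on the box shows up as 'from <unix user> ... with local'.
    """
    hops = [h for h in unfold_headers(raw_headers) if h.lower().startswith("received:")]
    m = ANTIABUSE_UID.search(raw_headers)
    uid, gid = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    for hop in reversed(hops):  # earliest hop first
        m = RECEIVED_LOCAL.match(hop)
        if m:
            return {"user": m.group("user"), "host": m.group("host"),
                    "exim_id": m.group("exim_id"), "uid": uid, "gid": gid,
                    "log_search": "grep %s /var/log/exim_mainlog" % m.group("exim_id")}
    return None


def parse_ps(ps_text):
    """Parse `ps -eo user,pid,ppid,args` output into dicts (header skipped)."""
    procs = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            procs.append({"user": parts[0], "pid": int(parts[1]),
                          "ppid": int(parts[2]), "args": parts[3]})
    return procs


def httpd_worker_children(ps_text, web_server="httpd"):
    """Non-httpd children of non-root httpd workers.

    The root httpd parent legitimately forks workers and cPanel helpers
    (leechprotect in the thread), so only the workers' children are reported.
    """
    procs = parse_ps(ps_text)
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if not parent or web_server not in parent["args"] or parent["user"] == "root":
            continue  # not under a worker (or parent not in the listing)
        if web_server in p["args"]:
            continue  # a worker itself
        hits.append({"pid": p["pid"], "user": p["user"], "args": p["args"],
                     "parent_pid": parent["pid"],
                     "inspect": "ls -l /proc/%d/cwd /proc/%d/exe" % (p["pid"], p["pid"])})
    return hits


# Constructed samples, shortened from what was posted above.
SAMPLE_HEADERS = """\
Received: from [xx.x.166.50] (helo=server.myserverdomain.com)
\tby pih-mxcore10.plus.net with esmtp (PlusNet MXCore v1.0) id 1DNhMg-0002o4-FQ
\tfor x; Tue, 19 Apr 2005 02:17:22 +0100
Received: from nobody by server.myserverdomain.com with local (Exim 4.50)
\tid 1DNhMd-0004AP-Aj for x; Mon, 18 Apr 2005 21:17:19 -0400
Subject: Verify Your PayPal Account.
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
"""
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root      7114     1 /usr/local/apache/bin/httpd -DSSL
root     17692  7114 /usr/bin/perl /usr/local/cpanel/bin/leechprotect
nobody   22441  7114 /usr/local/apache/bin/httpd -DSSL
nobody   22490 22441 /usr/sbin/sendmail -t -i
mailnull 23629     1 /usr/sbin/exim -bd -q60m
"""

if __name__ == "__main__":
    print(find_local_injection(SAMPLE_HEADERS))
    print(httpd_worker_children(SAMPLE_PS))
```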
     
  5. Secret Agent

    Secret Agent Guest

    Thank you very much. I will try this out.
     
  6. Secret Agent

    Secret Agent Guest

    part 1

    Results..

    Code:
    root@server [~]# ls -l /proc/$pid
    
    total 917514
    dr-xr-xr-x  261 root     root             0 Apr 16 01:11 ./
    drwxr-xr-x   23 root     root          4096 Apr 16 01:13 ../
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 1/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 10200/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 104/
    dr-xr-xr-x    3 mailnull mailnull         0 Apr 19 14:24 11280/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 19 14:24 11319/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 19 14:24 11321/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 12927/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 12955/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 12956/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 12957/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13013/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13810/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13880/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13883/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13891/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13892/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13895/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13896/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13897/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13898/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13899/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13901/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13902/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13903/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13904/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13905/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13907/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 13961/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:01 17692/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:05 17874/
    dr-xr-xr-x    3 rentals  rentals          0 Apr 20 00:10 18795/
    dr-xr-xr-x    3 rentals  rentals          0 Apr 20 00:10 18799/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 2/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 2152/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:34 21549/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 2156/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:34 21764/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:35 22003/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:35 22013/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:35 22024/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:35 22025/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:35 22035/
    dr-xr-xr-x    3 root     mail             0 Apr 20 00:35 22078/
    dr-xr-xr-x    3 nobody   proftpd          0 Apr 19 14:24 2210/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 2222/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:38 22308/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:38 22365/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:38 22373/
    dr-xr-xr-x    3 freeair  freeair          0 Apr 20 00:38 22385/
    dr-xr-xr-x    3 shonn    shonn            0 Apr 20 00:38 22386/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:38 22440/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:38 22441/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:39 22818/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:39 22830/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:39 22831/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:39 23098/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:39 23110/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:39 23114/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:39 23115/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:39 23116/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23218/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23223/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23224/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23225/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23226/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23227/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23228/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23229/
    dr-xr-xr-x    3 mailman  mailman          0 Apr 20 00:39 23230/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:39 23250/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:39 23252/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:39 23257/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 23623/
    dr-xr-xr-x    3 mailnull mail             0 Apr 19 14:24 23629/
    dr-xr-xr-x    3 mailnull mail             0 Apr 19 14:24 23635/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:40 23636/
    dr-xr-xr-x    3 cpanel   cpanel           0 Apr 20 00:40 23655/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:40 23657/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 23670/
    dr-xr-xr-x    3 vns      vns              0 Apr 20 00:40 23687/
    dr-xr-xr-x    3 vns      vns              0 Apr 20 00:40 23688/
    dr-xr-xr-x    3 root     vns              0 Apr 20 00:40 23716/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:40 23720/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:41 23788/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:41 23813/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:42 23962/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 241/
    dr-xr-xr-x    3 nobody   proftpd          0 Apr 20 00:42 24149/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24170/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24171/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24172/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24176/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24177/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24232/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24282/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24285/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24370/
    dr-xr-xr-x    3 eclipse  eclipse          0 Apr 20 00:44 24379/
    dr-xr-xr-x    3 eclipse  eclipse          0 Apr 20 00:44 24382/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24386/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24387/
    dr-xr-xr-x    3 nobody   nobody           0 Apr 20 00:44 24388/
    dr-xr-xr-x    3 mailnull mail             0 Apr 20 00:44 24390/
    dr-xr-xr-x    3 root     mail             0 Apr 20 00:44 24407/
    dr-xr-xr-x    3 mailnull mail             0 Apr 20 00:44 24415/
    dr-xr-xr-x    3 mailnull mail             0 Apr 20 00:44 24416/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:44 24427/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24893/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24926/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24927/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24928/
    
    
    To be honest, I'm not sure what to look for above. How do I tell which script should not be there? I am a noob in this particular area :)
     
  7. Secret Agent

    Secret Agent Guest

    part 2

    Code:
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24929/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24946/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24948/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24949/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 24950/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 25700/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 25701/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 25702/
    dr-xr-xr-x    3 mysql    mysql            0 Apr 19 14:24 25704/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 29/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 3/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 30/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 31/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 32/
    dr-xr-xr-x    3 named    named            0 Apr 19 13:50 3907/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 3926/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 3939/
    dr-xr-xr-x    3 postgres postgres         0 Apr 19 14:24 3979/
    dr-xr-xr-x    3 postgres postgres         0 Apr 19 14:24 3981/
    dr-xr-xr-x    3 postgres postgres         0 Apr 19 14:24 3982/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 4/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 4149/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5454/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5486/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5488/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5489/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5490/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5491/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5492/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5493/
    dr-xr-xr-x    3 tomcat   nobody           0 Apr 19 13:50 5494/
    dr-xr-xr-x    3 root     root             0 Apr 19 13:50 5588/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 5595/
    dr-xr-xr-x    3 root     root             0 Apr 19 13:50 5630/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 6/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 6926/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 7114/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 789/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 790/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 801/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 9114/
    dr-xr-xr-x    3 root     root             0 Apr 19 14:24 9115/
    dr-xr-xr-x    3 mailnull mail             0 Apr 19 14:24 9130/
    -r--r--r--    1 root     root             0 Apr 20 00:44 buddyinfo
    dr-xr-xr-x    5 root     root             0 Apr 16 01:11 bus/
    -r--r--r--    1 root     root             0 Apr 20 00:44 cmdline
    -r--r--r--    1 root     root             0 Apr 20 00:44 cpuinfo
    -r--r--r--    1 root     root             0 Apr 20 00:44 crypto
    -r--r--r--    1 root     root             0 Apr 20 00:44 devices
    -r--r--r--    1 root     root             0 Apr 20 00:44 diskstats
    -r--r--r--    1 root     root             0 Apr 20 00:44 dma
    dr-xr-xr-x    2 root     root             0 Apr 20 00:44 driver/
    -r--r--r--    1 root     root             0 Apr 20 00:44 execdomains
    -r--r--r--    1 root     root             0 Apr 20 00:44 fb
    -r--r--r--    1 root     root             0 Apr 20 00:44 filesystems
    dr-xr-xr-x    3 root     root             0 Apr 20 00:44 fs/
    dr-xr-xr-x    3 root     root             0 Apr 20 00:44 ide/
    -r--r--r--    1 root     root             0 Apr 20 00:44 interrupts
    -r--r--r--    1 root     root             0 Apr 20 00:44 iomem
    -r--r--r--    1 root     root             0 Apr 20 00:44 ioports
    dr-xr-xr-x   18 root     root             0 Apr 20 00:44 irq/
    -r--r--r--    1 root     root             0 Apr 20 00:44 kallsyms
    -r--------    1 root     root     939528192 Apr 20 00:44 kcore
    -r--------    1 root     root             0 Apr 16 01:11 kmsg
    -r--r--r--    1 root     root             0 Apr 20 00:44 loadavg
    -r--r--r--    1 root     root             0 Apr 20 00:44 locks
    -r--r--r--    1 root     root             0 Apr 20 00:44 mdstat
    -r--r--r--    1 root     root             0 Apr 20 00:44 meminfo
    -r--r--r--    1 root     root             0 Apr 20 00:44 misc
    -r--r--r--    1 root     root             0 Apr 20 00:44 modules
    lrwxrwxrwx    1 root     root            11 Apr 20 00:44 mounts -> self/mounts
    -rw-r--r--    1 root     root             0 Apr 20 00:44 mtrr
    dr-xr-xr-x    4 root     root             0 Apr 20 00:44 net/
    -r--r--r--    1 root     root             0 Apr 20 00:44 partitions
    -r--r--r--    1 root     root             0 Apr 20 00:44 pci
    dr-xr-xr-x    3 root     root             0 Apr 20 00:44 scsi/
    lrwxrwxrwx    1 root     root            64 Apr 20 00:38 self -> 24427/
    -rw-r--r--    1 root     root             0 Apr 20 00:44 slabinfo
    -r--r--r--    1 root     root             0 Apr 20 00:44 stat
    -r--r--r--    1 root     root             0 Apr 20 00:44 swaps
    dr-xr-xr-x    9 root     root             0 Apr 16 01:11 sys/
    --w-------    1 root     root             0 Apr 20 00:44 sysrq-trigger
    dr-xr-xr-x    2 root     root             0 Apr 20 00:44 sysvipc/
    dr-xr-xr-x    4 root     root             0 Apr 20 00:44 tty/
    -r--r--r--    1 root     root             0 Apr 20 00:44 uptime
    -r--r--r--    1 root     root             0 Apr 20 00:44 version
    -r--r--r--    1 root     root             0 Apr 20 00:44 vmstat
    
     
  8. Secret Agent

    Secret Agent Guest

    part 1 (ps auxf)

    Code:
    USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.0  2720  460 ?        S    Apr16   0:21 init [3]
    root         2  0.0  0.0     0    0 ?        SWN  Apr16   0:02 [ksoftirqd/0]
    root         3  0.0  0.0     0    0 ?        SW<  Apr16   0:00 [events/0]
    root         4  0.0  0.0     0    0 ?        SW<  Apr16   0:00  \_ [khelper]
    root         5  0.0  0.0     0    0 ?        SW<  Apr16   0:00  \_ [kblockd/0]
    root        29  0.0  0.0     0    0 ?        SW   Apr16   0:56  \_ [pdflush]
    root        30  0.0  0.0     0    0 ?        SW   Apr16   1:03  \_ [pdflush]
    root        32  0.0  0.0     0    0 ?        SW<  Apr16   0:00  \_ [aio/0]
    root         6  0.0  0.0     0    0 ?        SW   Apr16   0:00 [khubd]
    root        31  0.0  0.0     0    0 ?        SW   Apr16   1:43 [kswapd0]
    root       104  0.0  0.0     0    0 ?        SW   Apr16   0:00 [kseriod]
    root       241  0.0  0.0     0    0 ?        SW   Apr16   2:44 [kjournald]
    root       789  0.0  0.0     0    0 ?        SW   Apr16   0:00 [kjournald]
    root       790  0.0  0.0     0    0 ?        SW   Apr16   1:19 [kjournald]
    root       801  0.0  0.0     0    0 ?        SW<  Apr16   0:04 [loop0]
    root      2152  0.0  0.0  2328  572 ?        S    Apr16   1:28 syslogd -m 0
    root      2156  0.0  0.0  3372  444 ?        S    Apr16   0:04 klogd -x
    nobody    2210  0.0  0.1  5768 2596 ?        SL   Apr16   0:02 proftpd: (accepting connections)
    nobody   24149  0.0  0.1  5768 2740 ?        SL   00:42   0:00  \_ proftpd: connected: 127.0.0.1 (127.0.0.1:32944)
    root      2222  0.0  0.0  2116  744 ?        S    Apr16   0:00 /usr/sbin/smartd
    named     3907  0.0  0.3 42140 6568 ?        S    Apr16   0:00 /usr/sbin/named -u named
    root      3926  0.0  0.0  5180 1424 ?        S    Apr16   0:19 /usr/sbin/sshd
    root     23657  0.0  0.0  8844 2068 ?        S    00:40   0:00  \_ sshd: vns [priv]
    vns      23687  0.0  0.1  8988 2284 ?        S    00:40   0:00      \_ sshd: vns@pts/0
    vns      23688  0.0  0.0  6016 1340 pts/0    S    00:40   0:00          \_ -bash
    root     23716  0.0  0.0  5560 1060 pts/0    S    00:40   0:00              \_ su -
    root     23720  0.0  0.0  5988 1388 pts/0    S    00:40   0:00                  \_ -bash
    root     24590  0.0  0.0  4284  788 pts/0    R    00:45   0:00                      \_ ps auxf
    root      3939  0.0  0.0  2924  828 ?        S    Apr16   0:02 xinetd -stayalive -pidfile /var/run/xinetd.pid
    rentals  18795  0.0  0.0  2528 1076 ?        S    00:10   0:00  \_ imapd
    freeair  22385  0.0  0.0  2528 1056 ?        S    00:36   0:00  \_ imapd
    shonn    22386  0.0  0.0  2528 1068 ?        S    00:36   0:00  \_ imapd
    postgres  3979  0.0  0.0 21184 2020 ?        S    Apr16   0:02 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
    postgres  3981  0.0  0.0 11984 1936 ?        S    Apr16   0:00  \_ postgres: stats buffer process
    postgres  3982  0.0  0.0 10992 1848 ?        S    Apr16   0:00      \_ postgres: stats collector process
    root      4149  0.0  0.0  2288  652 ?        S    Apr16   0:00 crond
    root      9114  0.0  0.0  2292  656 ?        S    Apr19   0:00  \_ CROND
    root      9115  0.0  0.0     0    0 ?        Z    Apr19   0:00      \_ [upcp] <defunct>
    mailnull  9130  0.0  0.0     0    0 ?        Z    Apr19   0:00      \_ [exim] <defunct>
    root      5454  0.0  0.0  1420  468 ?        S    Apr16   0:00 /usr/sbin/portsentry -tcp
    root      5486  0.0  0.0  1904  528 ?        S    Apr16   0:00 jsvc.exec -user tomcat -cp ./bootstrap.jar -Djava.endorsed.dirs=../common/endorsed -debug -outfile ../logs/catalina.out -errfile ../log
    tomcat    5494  0.0  1.7 294396 36676 ?      S    Apr16   0:02  \_ jsvc.exec -user tomcat -cp ./bootstrap.jar -Djava.endorsed.dirs=../common/endorsed -debug -outfile ../logs/catalina.out -errfile ..
    root      5488  0.0  0.0  2336  344 tty1     S    Apr16   0:00 /sbin/mingetty tty1
    root      5489  0.0  0.0  2552  344 tty2     S    Apr16   0:00 /sbin/mingetty tty2
    root      5490  0.0  0.0  1768  344 tty3     S    Apr16   0:00 /sbin/mingetty tty3
    root      5491  0.0  0.0  1848  344 tty4     S    Apr16   0:00 /sbin/mingetty tty4
    root      5492  0.0  0.0  2056  344 tty5     S    Apr16   0:00 /sbin/mingetty tty5
    root      5493  0.0  0.0  2036  340 tty6     S    Apr16   0:00 /sbin/mingetty tty6
    root      5588  0.0  4.3 349288 89968 ?      S    Apr16   0:07 /usr/local/jdk/bin/java -Xmx128M -Djava.awt.headless=true psoft.imaker.ImageMakerServer 1922
    root      5595  0.0  0.0  4768 1116 ?        S    Apr16   0:01 sh imaker.sh monitor
    root     23813  0.0  0.0  5248  492 ?        S    00:41   0:00  \_ sleep 300
    root      5630  0.0  3.6 351204 76520 ?      S    Apr16   0:02 /usr/local/jdk/bin/java -Xmx128M -Djava.awt.headless=true -Djava.endorsed.dirs=/home/SiteStudio/jakarta/common/endorsed -classpath /usr
    root      6926  0.0  0.1  8904 3240 ?        S    Apr16   0:08 chkservd
    root      7114  0.0  0.8 24192 16860 ?       S    Apr16   1:29 /usr/local/apache/bin/httpd -DSSL
    root     17692  0.0  0.2  6572 4208 ?        S    00:01   0:00  \_ /usr/bin/perl /usr/local/cpanel/bin/leechprotect
    nobody   21549  0.0  0.9 26580 19696 ?       S    00:32   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   21764  0.4  0.9 26164 19256 ?       S    00:33   0:03  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22003  0.0  0.9 26608 19848 ?       S    00:34   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22013  0.1  0.9 26284 19400 ?       S    00:34   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22024  0.0  0.9 26168 19452 ?       S    00:34   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22025  0.1  0.9 26684 19796 ?       S    00:34   0:01  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22035  0.0  0.8 25032 18344 ?       S    00:34   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22308  0.1  0.9 26168 19424 ?       S    00:36   0:01  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22365  0.0  0.9 28472 19620 ?       S    00:36   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22373  0.0  0.9 26328 19412 ?       S    00:36   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22440  0.0  0.9 26940 20000 ?       S    00:36   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   22441  0.2  0.9 26564 19732 ?       S    00:36   0:01  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23098  0.8  1.0 29840 20764 ?       S    00:38   0:03  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23110  0.1  0.9 29504 20584 ?       S    00:38   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23114  0.1  0.9 26656 19824 ?       S    00:38   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23115  0.0  0.8 24364 17424 ?       S    00:38   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23116  0.0  0.8 24272 17296 ?       S    00:38   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23788  0.2  0.9 26592 19724 ?       S    00:40   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   23962  0.0  0.9 27844 18764 ?       S    00:41   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    
    
     
  9. Secret Agent

    Secret Agent Guest

    part 2 (ps aux)

    Code:
    nobody   24170  0.0  0.8 24236 17232 ?       S    00:42   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   24176  0.3  0.9 26980 20112 ?       S    00:42   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   24370  0.0  0.8 24400 17428 ?       S    00:43   0:00  
    nobody   24530  0.0  0.8 24232 17208 ?       S    00:44   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   24531  0.0  0.8 24236 17200 ?       S    00:44   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   24532  0.0  0.8 24192 17184 ?       S    00:44   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   24533  1.1  1.0 31064 22060 ?       S    00:44   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    nobody   24571  0.1  0.8 24192 16968 ?       S    00:45   0:00  \_ /usr/local/apache/bin/httpd -DSSL
    root     12927  0.0  0.0  2060 1040 ?        S    Apr16   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/server.hostdomain.com.pid
    mysql    12955  0.0  5.4 228392 113220 ?     S    Apr16   1:07  \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.com.pid --
    mysql    12956  0.0  5.4 228392 113220 ?     S    Apr16   0:00      \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.com.pi
    mysql    12957  0.0  5.4 228392 113220 ?     S    Apr16   0:21          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13013  0.1  5.4 228392 113220 ?     S    Apr16   6:39          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13961  0.1  5.4 228392 113220 ?     S    Apr16   6:29          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    10200  0.1  5.4 228392 113220 ?     S    Apr16   6:00          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    25700  0.0  5.4 228392 113220 ?     S    Apr16   3:27          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    25701  0.0  5.4 228392 113220 ?     S    Apr16   3:15          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    25702  0.0  5.4 228392 113220 ?     S    Apr16   3:30          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    25704  0.0  5.4 228392 113220 ?     S    Apr16   3:17          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13810  0.0  5.4 228392 113220 ?     S    Apr17   2:49          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13880  0.0  5.4 228392 113220 ?     S    Apr17   3:06          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13902  0.0  5.4 228392 113220 ?     S    Apr17   3:06          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13903  0.0  5.4 228392 113220 ?     S    Apr17   3:12          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13904  0.0  5.4 228392 113220 ?     S    Apr17   2:59          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13905  0.0  5.4 228392 113220 ?     S    Apr17   2:56          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    13907  0.0  5.4 228392 113220 ?     S    Apr17   2:54          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    24893  0.0  5.4 228392 113220 ?     S    Apr18   2:06          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    24926  0.0  5.4 228392 113220 ?     S    Apr18   1:49          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    24927  0.0  5.4 228392 113220 ?     S    Apr18   1:56          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    24948  0.0  5.4 228392 113220 ?     S    Apr18   1:32          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    24949  0.0  5.4 228392 113220 ?     S    Apr18   1:56          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mysql    24950  0.0  5.4 228392 113220 ?     S    Apr18   1:59          \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/server.hostdomain.co
    mailnull 11280  0.0  0.2  7708 5040 ?        S    Apr19   0:05 /usr/bin/perl /usr/local/cpanel/bin/eximstats
    nobody   11319  0.0  0.0  1620  588 ?        S    Apr19   0:00 /usr/local/cpanel/bin/startmelange
    nobody   11321  0.0  0.1  5040 2512 ?        S    Apr19   0:00 entropychat
    root     23623  0.0  0.3 20808 7536 ?        S    Apr19   0:01 /usr/sbin/clamd
    mailnull 23629  0.0  0.0  8484 1688 ?        S    Apr19   0:03 /usr/sbin/exim -bd -q60m
    root     22078  0.0  0.0  8260 1628 ?        S    00:35   0:00  \_ /usr/sbin/exim -q
    root     24574  0.2  0.1  9220 3856 ?        S    00:45   0:00  |   \_ /usr/sbin/exim -q
    mailnull 24575  0.0  0.2  9220 4268 ?        S    00:45   0:00  |       \_ /usr/sbin/exim -q
    mailnull 24437  0.0  0.1  9420 3624 ?        S    00:44   0:00  \_ /usr/sbin/exim -bd -q60m
    mailnull 24578  0.7  0.1  9420 3644 ?        S    00:45   0:00  \_ /usr/sbin/exim -bd -q60m
    root     24581  1.5  0.1  7588 3652 ?        S    00:45   0:00      \_ /usr/sbin/exim -Mc 1DO75M-0006OQ-26
    rivey1   24585  0.0  0.1  7588 3684 ?        S    00:45   0:00          \_ /usr/sbin/exim -Mc 1DO75M-0006OQ-26
    rivey1   24586  0.0  0.0  2456  756 ?        S    00:45   0:00              \_ /bin/bash /home/rivey1/fwd.sh one@rumbledev.mirror1123.info
    rivey1   24587 53.5  1.0 24360 21156 ?       S    00:45   0:01              |   \_ /usr/bin/perl -T -w /usr/bin/spamassassin
    mailnull 24588  0.0  0.0  7508 1580 ?        S    00:45   0:00              |   \_ /usr/sbin/sendmail one@rumbledev.mirror1123.info
    rivey1   24589  0.0  0.1  7588 3664 ?        S    00:45   0:00              \_ /usr/sbin/exim -Mc 1DO75M-0006OQ-26
    mailnull 23635  0.0  0.0  6732 1612 ?        S    Apr19   0:00 /usr/sbin/exim -tls-on-connect -bd -oX 465
    root     23670  0.3  0.0  3532 1680 ?        S    Apr19   2:40 antirelayd
    root     17874  0.0  0.0  2644  596 ?        S    00:02   0:00 /sbin/mgetty -r -x0 -s 115200 ttyS0
    root     22818  0.1  1.1 24988 22864 ?       S    00:38   0:00 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=2
    root     22830  0.5  1.2 27964 25876 ?       S    00:38   0:02  \_ spamd child
    root     22831  0.8  1.2 28136 26132 ?       S    00:38   0:03  \_ spamd child
    mailman  23218  0.0  0.2  7940 5428 ?        S    00:39   0:00 /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start
    mailman  23223  0.0  0.2  7884 5304 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
    mailman  23224  0.0  0.2  8208 5328 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
    mailman  23225  0.0  0.2  7860 5312 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
    mailman  23226  0.0  0.2  7940 5304 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
    mailman  23227  0.0  0.2  8152 5344 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
    mailman  23228  0.0  0.2  8192 5400 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
    mailman  23229  0.0  0.2  7884 5304 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
    mailman  23230  0.0  0.2  7884 5304 ?        S    00:39   0:00  \_ /usr/bin/python2 /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
    root     23250  0.0  0.3  9008 6516 ?        SN   00:39   0:00 cpanellogd - sleeping for logs
    root     23252  0.0  0.3  9008 6516 ?        SN   00:39   0:00 cpanellogd - sleeping for logs
    root     23257  0.0  0.3  8064 6732 ?        S    00:39   0:00 cppop - accepting on port 110
    denron   24510  0.2  0.3  8084 6788 ?        S    00:44   0:00  \_ cppop - serving 61.7.137.148 - TRANSACTION - def1nfu@denronz2.com
    root     23636  0.0  0.3  9424 8080 ?        S    00:40   0:00 cpsrvd - waiting for connections
    cpanel   23655  0.0  0.0 25076 1876 ?        S    00:40   0:00 /usr/bin/stunnel-4.04local /usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf
    
     
  10. ISNScott

    ISNScott Member

    Joined:
    Jul 16, 2004
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Paste the output of
    cat /home/rivey1/fwd.sh
    and
    netstat -npl
     
  11. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    When a script is sending mail out, you would usually see a child process under one of the apache processes

    /usr/sbin/sendmail -t

    It can be hard to catch; it depends on how many emails they are sending and whether they are sending right at the time you run ps.

    You would then get the PID of that sendmail/apache process and

    # ls -l /proc/123 (123 is the actual PID of the process displayed in ps)

    The netstat idea is also good if the mail is currently being sent out.


    Usually spammers use known script problems (libmail.php, free webmail accounts) or upload their own scripts; yours looks like an uploaded script. They vary what they call them; some I know from memory are c.php and p.php. You could try a wild locate on those, you never know.

    Try searching for *.txt files, they usually contain email addresses.

    # locate '*.txt'

    or create a script that will search all /home/$user directories for files containing the words in the email you have an example of. Sometimes they use templates (txt files) to send various spam emails out. "Verify Your PayPal Account." from the subject header could be a good one to search for, though there is no hard and fast rule.

    I would add the header option in whm as mentioned before and carry on searching until you find the account.

    Did anything show up as using high resources over the past 24 hours? (Look in whm under the process/load monitoring history, check anything suspicious.)
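    The ps-and-/proc method described above, as an added example that is not part of the thread: a parser for `ps auxf` output that works out which process launched each sendmail, plus the /proc lookup behind `ls -l /proc/PID`. SAMPLE_PS is constructed to mirror the column layout of the listing posted earlier; the httpd paths and PIDs in it and the example.invalid address are assumptions.

```python
"""Work out which process launched each sendmail in a `ps auxf` listing,
and read the /proc entries behind `ls -l /proc/PID`.  Added example, not
code from the thread.  SAMPLE_PS is constructed to mirror the column
layout of the listing posted above; its httpd paths, PIDs and the
address are assumptions."""
import os
import re

# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND: eight fields
# sit between PID and the command column, which carries the tree prefix.
PS_LINE = re.compile(r'^(\S+)\s+(\d+)(?:\s+\S+){8}\s(.*)$')

SAMPLE_PS = r"""USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root      2020  0.0  0.3 20000 8000 ?        S    Apr19   0:01 /usr/local/apache/bin/httpd
nobody    2031  0.0  0.3 21000 8500 ?        S    00:44   0:00  \_ /usr/local/apache/bin/httpd
nobody    2044  0.0  0.0  7500 1500 ?        S    00:45   0:00  |   \_ /usr/sbin/sendmail -t -i
nobody    2032  0.0  0.3 21000 8500 ?        S    00:44   0:00  \_ /usr/local/apache/bin/httpd
mailnull 23629  0.0  0.0  8484 1688 ?        S    Apr19   0:03 /usr/sbin/exim -bd -q60m
root     24581  1.5  0.1  7588 3652 ?        S    00:45   0:00  \_ /usr/sbin/exim -Mc 1DO75M-0006OQ-26
rivey1   24585  0.0  0.1  7588 3684 ?        S    00:45   0:00      \_ /usr/sbin/exim -Mc 1DO75M-0006OQ-26
rivey1   24586  0.0  0.0  2456  756 ?        S    00:45   0:00          \_ /bin/bash /home/rivey1/fwd.sh one@example.invalid
mailnull 24588  0.0  0.0  7508 1580 ?        S    00:45   0:00              \_ /usr/sbin/sendmail one@example.invalid
"""


def parse_forest(text):
    """Return {pid: {'user', 'cmd', 'parent'}}; the parent is recovered
    from how far the tree connector is indented in the command column."""
    procs, stack = {}, []          # stack: (depth, pid) along the current branch
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue               # header line, or not a ps line at all
        user, pid, field = m.group(1), int(m.group(2)), m.group(3)
        depth = field.find('\\_')
        if depth < 0:              # no connector: top-level process
            stack, cmd = [], field.strip()
        else:
            cmd = field[depth + 2:].strip()
            while stack and stack[-1][0] >= depth:
                stack.pop()        # climb back to this line's parent
        procs[pid] = {'user': user, 'cmd': cmd,
                      'parent': stack[-1][1] if stack else None}
        stack.append((depth, pid))
    return procs


def sendmail_launchers(procs):
    """Map each sendmail PID to (user, command of the process that spawned it).
    A spamming web script shows up as an httpd worker; a user's forwarder
    pipe shows up as the shell running it, as in the listing above."""
    out = {}
    for pid, proc in procs.items():
        if '/usr/sbin/sendmail' in proc['cmd']:
            parent = procs.get(proc['parent'])
            out[pid] = (proc['user'], parent['cmd'] if parent else None)
    return out


def proc_details(pid):
    """The information `ls -l /proc/PID` exposes: the cwd and exe symlinks
    plus the NUL-separated command line.  Linux only; other users'
    processes need root."""
    base = '/proc/%d' % pid
    with open(base + '/cmdline', 'rb') as fh:
        argv = [a.decode('utf-8', 'replace') for a in fh.read().split(b'\0') if a]
    info = {'argv': argv}
    for link in ('cwd', 'exe'):
        try:
            info[link] = os.readlink('%s/%s' % (base, link))
        except OSError:            # process already gone, or not permitted
            info[link] = None
    return info


if __name__ == '__main__':
    for pid, (user, launcher) in sorted(sendmail_launchers(parse_forest(SAMPLE_PS)).items()):
        print('%d (%s) started by: %s' % (pid, user, launcher))
    print(proc_details(os.getpid()))
```

    The cwd symlink is the useful part for a web script: an httpd worker that forked sendmail still has its working directory set to the directory of the PHP or CGI script, so `/proc/PID/cwd` of the sendmail child points straight at the account and folder to look in. The window is short, so this works best run in a loop rather than once.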
     
  12. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    We wrote a script that will detect the Php or cgi script sending out email as "nobody." This will help you find the exploited script and stop SPAMMERS from using them to funnel their email. Just in case you have this problem, PM me and we'll be more than happy to help.
     
  13. rgripoll

    rgripoll Active Member

    Joined:
    Mar 19, 2003
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Be aware that such scripts can break mail delivery (I see it happen on a regular basis), they are good tools for tracking spammers, but only use them when needed and don't leave them in place all the time.
     
  15. Secret Agent

    Secret Agent Guest

    Ok, here are some results

    root@server [~]# cat /home/rivey1/fwd.sh
    #! /bin/bash
    /usr/bin/spamassassin |/usr/sbin/sendmail $1


    netstat -npl (too much on screen, don't know how to capture all, can't scroll back far enough in PuTTY)

    last portion of results..

    Code:
    3907/named
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     12959645 23623/clamd         /var/clamd
    unix  2      [ ACC ]     STREAM     LISTENING     6340   3979/postmaster     /tmp/.s.PGSQL.5432
    unix  2      [ ACC ]     STREAM     LISTENING     65908  12955/mysqld        /var/lib/mysql/mysql.sock
    

    DigitalN...you said "or create a script that will search all /home/$user directories for files containing the words in your email that you have an example of. Sometimes they use templates, txt files to send various email spam out. "Verify Your PayPal Account." in the subject header could be a good one to search, no hard and fast rule though."

    Could you please elaborate on how I can set up such a script? This sounds interesting and makes sense. I am new to setting up such custom scripts, so please bear with me :)

    I appreciate everyone's help. I have enabled the "track header...." option in WHM now.
     
  16. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    A simple example of a script to search all files for a particular string. Be careful not to make it too generic, or you will get a large output.

    Code:
    #!/bin/sh
    # String to look for; keep it specific, or the output will be huge
    SPAMWORDS="Verify Your PayPal Account"
    # Loop over the account directories themselves rather than parsing `ls`
    for SPAMMER in /home/*
    do
    [ -d "$SPAMMER" ] || continue
    echo "Checking $SPAMMER for $SPAMWORDS"
    # -l lists only the names of matching files; quote the path in case of odd characters
    /bin/grep -rl "$SPAMWORDS" "$SPAMMER" >> spamcheck.txt
    done
    echo "Check spamcheck.txt for output of check"
    You could make it a bit nicer, but that should do the intended job and check all files in /home/* for files containing the words "Verify Your PayPal Account".
    You may want to be more selective and only check /home/$SPAMMER/public_html to avoid any logs of emails that your customers might have received etc., but then again that could help further in catching them: email times can be tracked to apache or domlog accesses. Lots of ways to do it, you will get them :)
     
  17. Secret Agent

    Secret Agent Guest

    Thank you very much for your reply. Pardon me for asking but
    I pasted

    #!/bin/sh
    # String to look for; keep it specific, or the output will be huge
    SPAMWORDS="Verify Your PayPal Account"
    # Loop over the account directories themselves rather than parsing `ls`
    for SPAMMER in /home/*
    do
    [ -d "$SPAMMER" ] || continue
    echo "Checking $SPAMMER for $SPAMWORDS"
    # -l lists only the names of matching files; quote the path in case of odd characters
    /bin/grep -rl "$SPAMWORDS" "$SPAMMER" >> spamcheck.txt
    done
    echo "Check spamcheck.txt for output of check"

    into a new file and called it "spamcheck". I ran "spamcheck" and got bad command. I also tried saving it as "spamcheck.sh" and same issue. Clearly I'm not doing something right.

    What did I do wrong? Thanks again
     
  18. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    Code:
    #!/bin/sh
    # String to look for; keep it specific, or the output will be huge
    SPAMWORDS="Verify Your PayPal Account"
    # Loop over the account directories themselves rather than parsing `ls`
    for SPAMMER in /home/*
    do
    [ -d "$SPAMMER" ] || continue
    echo "Checking $SPAMMER for $SPAMWORDS"
    # -l lists only the names of matching files; quote the path in case of odd characters
    /bin/grep -rl "$SPAMWORDS" "$SPAMMER" >> spamcheck.txt
    done
    echo "Check spamcheck.txt for output of check"
    Works just fine, try chmod 700 ./spamcheck or sh spamcheck
     
  19. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    It's worth trying the above script, but I don't think it will help. There is a possibility that someone who is not your user is exploiting a form mail hole. If that is the case, your user won't even notice it.

    The easiest way is adding log_selector in Exim; it will show you who the exploited user is. Go to WHM / Exim Configuration Editor and click "Switch to Advanced Mode". In the first textarea box, add

    log_selector = +arguments +subject

    Save, and watch your exim_mainlog. Every email sent will show the subject of that email and the location of the form mail script that was executed to invoke sendmail.

    Let it run for a couple of hours, then check your Exim log again.

    grep 'Verify Your PayPal Account' /var/log/exim_mainlog

    And also try this:

    grep 'cwd=/home' /var/log/exim_mainlog
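    The log_selector method above, as an added example that is not part of the thread: a small Python parser that pairs the `cwd=... args:` lines Exim writes with +arguments to the `<=` arrival lines that carry the subject with +subject, and tallies which unix user and directory produced messages with a given subject. The log excerpt is constructed to follow Exim's mainlog layout; the account names (acct1, acct2, acct3), message ids and addresses in it are assumptions.

```python
"""Pair Exim mainlog lines written under log_selector = +arguments +subject
and tally which local directory is producing mail with a given subject.
Added example, not code from the thread.  SAMPLE_LOG is constructed to
follow Exim's mainlog layout; the account names, message ids and
addresses in it are assumptions."""
import re
from collections import Counter

# With +arguments Exim logs, just before the arrival line, the working
# directory and argv of the process that ran the local sendmail binary.
ARGS_LINE = re.compile(r'^(\S+ \S+) cwd=(\S+) (\d+) args: (.*)$')
# Arrival line: <id> <= <sender> ... U=<unix user> P=<protocol> ... T="<subject>"
ARRIVAL_LINE = re.compile(
    r'^(\S+ \S+) (\S+) <= (\S+) .*?\bU=(\S+) .*?\bP=(\S+) .*?\bT="([^"]*)"')

SAMPLE_LOG = """\
2005-04-19 00:45:12 cwd=/home/acct3 3 args: /usr/sbin/sendmail one@example.invalid
2005-04-19 00:45:12 1DO7AA-0001Aa-0A <= support@paypal.com U=acct3 P=local S=2345 T="Verify Your PayPal Account"
2005-04-19 00:46:01 cwd=/home/acct1/public_html/contact 4 args: /usr/sbin/sendmail -t -i -oi
2005-04-19 00:46:01 1DO7AB-0001Ab-0B <= support@paypal.com U=nobody P=local S=2351 T="Verify Your PayPal Account"
2005-04-19 00:46:02 cwd=/home/acct1/public_html/contact 4 args: /usr/sbin/sendmail -t -i -oi
2005-04-19 00:46:02 1DO7AC-0001Ac-0C <= support@paypal.com U=nobody P=local S=2351 T="Verify Your PayPal Account"
2005-04-19 00:47:30 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2005-04-19 00:47:30 1DO7AD-0001Ad-0D <= alice@example.invalid U=nobody P=local S=812 T="Re: meeting"
2005-04-19 00:48:00 1DO7AD-0001Ad-0D => bob@example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.10]
"""


def correlate(log_text):
    """Return one record per arriving message, joined with the cwd/argv
    line Exim logged immediately before it (local submissions only)."""
    records, pending = [], None
    for line in log_text.splitlines():
        m = ARGS_LINE.match(line)
        if m:
            pending = {'cwd': m.group(2), 'argv': m.group(4)}
            continue
        m = ARRIVAL_LINE.match(line)
        if not m:
            continue               # delivery (=>), defer or other lines
        rec = {'id': m.group(2), 'sender': m.group(3), 'user': m.group(4),
               'proto': m.group(5), 'subject': m.group(6),
               'cwd': None, 'argv': None}
        if pending and rec['proto'] == 'local':
            rec.update(pending)    # the cwd line belongs to this message
        pending = None
        records.append(rec)
    return records


def suspects(records, phrase):
    """Count messages whose subject contains `phrase`, keyed by the unix
    user and directory that submitted them.  The top entry is where to look."""
    hits = Counter()
    for rec in records:
        if phrase.lower() in rec['subject'].lower():
            hits[(rec['user'], rec['cwd'])] += 1
    return hits


if __name__ == '__main__':
    for (user, cwd), n in suspects(correlate(SAMPLE_LOG), 'Verify Your PayPal Account').most_common():
        print('%4d  U=%s  cwd=%s' % (n, user, cwd))
```

    One caveat: the cwd= line only exists for mail handed to the local sendmail binary (P=local). A script that speaks SMTP to localhost instead arrives with P=esmtp and H=localhost and no cwd, so for those you fall back to matching the arrival timestamp against the Apache access logs.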
     
  20. robjs

    robjs Registered
    PartnerNOC

    Joined:
    Oct 16, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Here's a solution for tracking spammers in the future.

    The script below is a wrapper for sendmail through PHP, change the PHP mail program to this, and you can catch and log all the messages that are sent as nobody. Set the script on a rotation nightly, and keep backups and you can find the spammers pretty easily. You get logs like this:

    Code:
    #!/usr/bin/php -q
    <?php
    # Script written by Rob Shakir (rob@catalyst2.com), please leave this message intact
    $get='';
    $arg='';
    error_reporting(0);
    
    # Read the whole message (headers and body) from stdin, exactly as sendmail would
    $fp = fopen("php://stdin", "r");
    while(!feof($fp)) $get .= fgets($fp,1094);
    fclose($fp);
    
    # Pass the caller's sendmail arguments through. Start at 1 so this wrapper's own
    # path is not handed to sendmail as an address, and quote each argument so a
    # crafted value cannot reach the shell via popen() below.
    for($i=1; $i<$argc; $i++)   $arg .=' '.escapeshellarg($argv[$i]);
    
    ### AntiAbuse
    # getcwd() is the directory of the PHP script that called mail(): the clue that
    # points at the spammer's script ($GLOBALS['PWD'] is normally unset under Apache)
    $log="\n===>".date('Y-m-d-H:i:s - ').getcwd()."\n"."----------------------------------"."\n";
    ### End
    $pm=fopen('/var/log/phpmaillog','a');
    fwrite($pm,$log);
    fwrite($pm, $get);
    fwrite($pm,"\n----------------------------------\n");
    fclose($pm);
    # Hand the message to the real sendmail through the pipe handle, not the closed log handle
    $fp = popen("/usr/sbin/sendmail -t -i $arg",'w');
    fputs($fp,$get);
    pclose($fp);
    ?>
    

    Hope this helps,
    Rob
     