The Community Forums

Interact with an entire community of cPanel & WHM users!

Compromised server?

Discussion in 'General Discussion' started by ZeusChicago, Dec 17, 2007.

  1. ZeusChicago

    I am seeing thousands of outbound emails coming (I think) from my server. I had MailScanner (from Chirpy) installed last night in the hopes of the antivirus finding something. Has anyone seen the below, or can anyone tell me how to locate on my server what scripting is sending these damn emails out?

    Code:
    1J4GXB-0003jl-JQ-H
    mailnull 47 12
    <>
    1197900089 0
    -ident mailnull
    -received_protocol local
    -body_linecount 37
    -max_received_linelength 77
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -localerror
    XX
    1
    nobody@zeustwo.almightyservices.com
    
    174P Received: from mailnull by zeustwo.almightyservices.com with local (Exim 4.68)
    	id 1J4GXB-0003jl-JQ
    	for nobody@zeustwo.almightyservices.com; Mon, 17 Dec 2007 08:01:29 -0600
    029  Auto-Submitted: auto-replied
    072F From: Mail Delivery System <Mailer-Daemon@zeustwo.almightyservices.com>
    040T To: nobody@zeustwo.almightyservices.com
    052  Subject: Mail failure - malformed recipient address
    061I Message-Id: <E1J4GXB-0003jl-JQ@zeustwo.almightyservices.com>
    038  Date: Mon, 17 Dec 2007 08:01:29 -0600
    
    Data spool file
    
    1J4GXB-0003jl-JQ-D
    A message that you sent contained one or more recipient addresses that were
    incorrectly constructed:
    
      <head> @comcast.net: malformed address: @comcast.net may not follow <head> 
    
    This address has been ignored. There were no other addresses in your
    message, and so no attempt at delivery was possible.
    
    ------ This is a copy of your message, including all the headers. ------
    
    To: <head> @comcast.net
    Subject: Question from eBay member about Item number  ()
    From: eBay Member<bestoffert4you@gmail.com>
    Reply-To: bestoffert4you@gmail.com
    Return-Path: bestoffert4you@gmail.com
    Message-ID: <1197900089 TheSystem@www.hisdoll.com>
    X-Mailer: PHP v5.2.5
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary = PHP-EMAIL476681398e5e1
    Date: Mon, 17 Dec 2007 08:01:29 -0600
    
    This is a MIME encoded message.
    
    --PHP-EMAIL476681398e5e1
    Content-Type: text/html; charset=ISO-8859-1
    Content-Transfer-Encoding: base64
    
    PERJViBpZD15aXYxOTEwNTc4OTI3PkRlYXIgPFNUUk9ORz48aGVhZD4NPC9TVFJPTkc+LCA8L0RJ
    Vj4NCjxESVY+SSBoYXZlIGZvciBzYWxlOiZuYnNwOzxTVFJPTkc+PC9TVFJPTkc+IEl0ZW0gTnVt
    YmVyOiA8U1RST05HPjwvU1RST05HPjwvRElWPg0KPERJVj5NeSBwcmljZSBpcyBuZWdvY2lhYmxl
    LjwvRElWPg0KPERJVj5JZiB5b3UgYXJlIGludGVyZXN0ZWQganVzdCBnaXZlIG1lIGEgZmFzdCBy
    ZXBseSBvbiB0aGlzIGVtYWlsIGFkZHJlc3MgYW5kIHlvdSB3aWxsIGZpbmQgYWxsIHRoZSBpbmZv
    IHRoYXQgeW91IHdhbnQuIDwvRElWPg0KPERJVj5UaGFuayBZb3UgRm9yIHlvdXIgVGltZSA8L0RJ
    Vj4NCg0KDQoNCg==
    
    
    
    
     
  2. mtindor

  3. acenetryan

    You may also want to consider running your server with PHPSuExec (suPHP) enabled. You can then disable the sending of emails as 'nobody' and track them by username.
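
An added example, not part of the thread and not cPanel or Exim code: a bounce like the one quoted in the first post carries a copy of the original message, and that copy's `X-Mailer` and `Message-ID` headers hint at which site's PHP script generated it. The function names are hypothetical and the sample is trimmed from the posted `-D` file; both headers are set by the sending script, so the result is a lead to confirm against web and mail logs.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Marker Exim writes in a bounce before the copy of the original message.
COPY_MARKER = "------ This is a copy of your message, including all the headers. ------"

def embedded_headers(spool_d_text):
    """Return the headers of the original message quoted inside an Exim bounce body."""
    _, sep, copy = spool_d_text.partition(COPY_MARKER)
    if not sep:
        return None  # not a bounce that embeds the original message
    return HeaderParser().parsestr(copy.lstrip("\r\n"), headersonly=True)

def triage(spool_d_text):
    """Pull out the fields that hint at which site or script generated the mail."""
    hdrs = embedded_headers(spool_d_text)
    if hdrs is None:
        return None
    # Script-set header: a lead to check against logs, not proof of origin.
    m = re.search(r"@([^>\s]+)>", hdrs.get("Message-ID", ""))
    return {
        "msgid_host": m.group(1).lower() if m else None,
        "x_mailer": hdrs.get("X-Mailer"),
        "from": hdrs.get("From"),
        "subject": hdrs.get("Subject"),
    }

def count_hosts(spool_texts):
    """Tally Message-ID hosts across many bounces to find the dominant source site."""
    hits = (triage(t) for t in spool_texts)
    return Counter(h["msgid_host"] for h in hits if h and h["msgid_host"])

# Constructed sample: trimmed from the -D spool file quoted in the first post.
SAMPLE = """1J4GXB-0003jl-JQ-D
A message that you sent contained one or more recipient addresses that were
incorrectly constructed:

------ This is a copy of your message, including all the headers. ------

To: <head> @comcast.net
Subject: Question from eBay member about Item number  ()
From: eBay Member<bestoffert4you@gmail.com>
Message-ID: <1197900089 TheSystem@www.hisdoll.com>
X-Mailer: PHP v5.2.5

This is a MIME encoded message.
"""
```

Feeding `count_hosts` the text of every queued `-D` file shows whether one site accounts for most of the bounces.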
     