The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel User Spamming

Discussion in 'E-mail Discussions' started by ceh2324, Nov 11, 2013.

  1. ceh2324

    ceh2324 Member

    Joined:
    Nov 5, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    One of the cPanel user is spamming and when ever he is spamming we are receiving mail with subject "Excessive resource usage: User (3386 (Parent PID:3386))" and the mail body is as follows:

    Time: Wed Nov 6 16:52:51 2013 +0300
    Account: user
    Resource: Process Time
    Exceeded: 1849 > 1800 (seconds)
    Executable: /usr/bin/perl
    Command Line: /usr/bin/crond
    PID: 3386 (Parent PID:3386)
    Killed: No

    When I recieve this mail I see spamming as the queue size increases so when I kill this process ID the user stops spamming.

    How can we find what is causing this user to spam.

    Regards,
    CEH
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Check to see if there are any cron jobs configured for this account. Look for any scripts with the ability to send out email. Also, review one of the SPAM messages in the queue to see if you can find any information in the message headers.

    Thank you.
     
  3. ceh2324

    ceh2324 Member

    Joined:
    Nov 5, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    1.There used to be a cronjob running in the path "/var/spool/cron/user" but it was pointing a tmp file which does not exist at all any ways I removed the cronjob.
    2. How can I check for scripts which are sending mails is there any way to find them.
    3. The mail header shows its generated from the cpanel user.

    from my first comment its says "Executable: /usr/bin/perl" and "Command Line: /usr/bin/crond" does it mean its running perl script
     
  4. mbodamer

    mbodamer Registered

    Joined:
    Apr 4, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi,
    Not sure if this will help you... but I find after a situation like this I run maldet to detect suspicious files. You can check it out here, its free and it works well.

    https://www.rfxn.com/projects/linux-malware-detect/

    Hope it helps.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Have you reviewed the files within the account for any scripts with the ability to send out email? Look for files with the ability to send email, and try contacting the user to see if they are aware of this behavior. You may want to consider suspending the account if you want to prevent additional SPAM from sending out while you investigate.

    Thank you.
     
  6. ceh2324

    ceh2324 Member

    Joined:
    Nov 5, 2013
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    As from my first it says that script is using perl but i can't find any .pl file in the users home directory. Is there any way to find the script exactly or any procedure to find the culprit.
     
  7. iserversupport

    iserversupport Well-Known Member

    Joined:
    Nov 4, 2013
    Messages:
    91
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Try ps -aux | grep PID and see more details of that pid

    also you can see all process of that particular user using ps -aux | grep username
     
Loading...

Share This Page