cPanel User Spamming

ceh2324 · Nov 11, 2013

Hello,

One of the cPanel user is spamming and when ever he is spamming we are receiving mail with subject "Excessive resource usage: User (3386 (Parent PID:3386))" and the mail body is as follows:

Time: Wed Nov 6 16:52:51 2013 +0300
Account: user
Resource: Process Time
Exceeded: 1849 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: /usr/bin/crond
PID: 3386 (Parent PID:3386)
Killed: No

When I recieve this mail I see spamming as the queue size increases so when I kill this process ID the user stops spamming.

How can we find what is causing this user to spam.

Regards,
CEH

cPanelMichael · Nov 11, 2013

Hello

Check to see if there are any cron jobs configured for this account. Look for any scripts with the ability to send out email. Also, review one of the SPAM messages in the queue to see if you can find any information in the message headers.

Thank you.

ceh2324 · Nov 12, 2013

Hello,

1.There used to be a cronjob running in the path "/var/spool/cron/user" but it was pointing a tmp file which does not exist at all any ways I removed the cronjob.
2. How can I check for scripts which are sending mails is there any way to find them.
3. The mail header shows its generated from the cpanel user.

from my first comment its says "Executable: /usr/bin/perl" and "Command Line: /usr/bin/crond" does it mean its running perl script

mbodamer · Nov 12, 2013

ceh2324 said:
Hello,

1.There used to be a cronjob running in the path "/var/spool/cron/user" but it was pointing a tmp file which does not exist at all any ways I removed the cronjob.
2. How can I check for scripts which are sending mails is there any way to find them.
3. The mail header shows its generated from the cpanel user.

from my first comment its says "Executable: /usr/bin/perl" and "Command Line: /usr/bin/crond" does it mean its running perl script

Hi,
Not sure if this will help you... but I find after a situation like this I run maldet to detect suspicious files. You can check it out here, its free and it works well.

https://www.rfxn.com/projects/linux-malware-detect/

Hope it helps.

cPanelMichael · Nov 13, 2013

Have you reviewed the files within the account for any scripts with the ability to send out email? Look for files with the ability to send email, and try contacting the user to see if they are aware of this behavior. You may want to consider suspending the account if you want to prevent additional SPAM from sending out while you investigate.

Thank you.

ceh2324 · Nov 16, 2013

As from my first it says that script is using perl but i can't find any .pl file in the users home directory. Is there any way to find the script exactly or any procedure to find the culprit.

iserversupport · Nov 16, 2013

Try ps -aux | grep PID and see more details of that pid

also you can see all process of that particular user using ps -aux | grep username

Thread starter	Similar threads	Forum	Replies	Date
I	In Progress CPANEL-42511 - email exim defer ( R=virtual_user T=dovecot_virtual_delivery defer (-1))	Email	15	Mar 6, 2023
L	In Progress CPANEL-40668 - Case sensitivity for usernames in webmail password reset	Email	4	May 19, 2022
E	Best practice for DMARC if cPanel user has migrated DNS to Cloudflare	Email	10	Feb 11, 2022
M	PHP Script spamming using Cpanel User	Email	5	Oct 29, 2013
R	Preventing cPanel users from spamming	Email	3	Sep 2, 2009

Search

Search

cPanel User Spamming

ceh2324

Member

cPanelMichael

Administrator

ceh2324

Member

mbodamer

Registered

cPanelMichael

Administrator

ceh2324

Member

iserversupport

Well-Known Member