ceh2324

Member
Nov 5, 2013
9
0
1
cPanel Access Level
Root Administrator
Hello,

One of the cPanel users is spamming, and whenever he is spamming we receive mail with the subject "Excessive resource usage: User (3386 (Parent PID:3386))". The mail body is as follows:

Time: Wed Nov 6 16:52:51 2013 +0300
Account: user
Resource: Process Time
Exceeded: 1849 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: /usr/bin/crond
PID: 3386 (Parent PID:3386)
Killed: No

When I receive this mail I see spamming as the queue size increases, so when I kill this process ID the user stops spamming.

How can we find what is causing this user to spam?

Regards,
CEH
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

Check to see if there are any cron jobs configured for this account. Look for any scripts with the ability to send out email. Also, review one of the SPAM messages in the queue to see if you can find any information in the message headers.

Thank you.
 

ceh2324

Hello,

1. There used to be a cronjob running in the path "/var/spool/cron/user", but it was pointing to a tmp file which does not exist at all. Anyway, I removed the cronjob.
2. How can I check for scripts which are sending mails? Is there any way to find them?
3. The mail header shows it's generated from the cPanel user.

From my first comment, it says "Executable: /usr/bin/perl" and "Command Line: /usr/bin/crond". Does it mean it's running a Perl script?
 

mbodamer

Registered
Apr 4, 2007
2
0
151
Hello,

> 1. There used to be a cronjob running in the path "/var/spool/cron/user", but it was pointing to a tmp file which does not exist at all. Anyway, I removed the cronjob.
> 2. How can I check for scripts which are sending mails? Is there any way to find them?
> 3. The mail header shows it's generated from the cPanel user.
>
> From my first comment, it says "Executable: /usr/bin/perl" and "Command Line: /usr/bin/crond". Does it mean it's running a Perl script?

Hi,
Not sure if this will help you... but I find after a situation like this I run maldet to detect suspicious files. You can check it out here; it's free and it works well.

https://www.rfxn.com/projects/linux-malware-detect/

Hope it helps.
 

cPanelMichael

Have you reviewed the files within the account for any scripts with the ability to send out email? Look for files with the ability to send email, and try contacting the user to see if they are aware of this behavior. You may want to consider suspending the account if you want to prevent additional SPAM from sending out while you investigate.

Thank you.
 

ceh2324

As from my first it says that script is using perl but I can't find any .pl file in the user's home directory. Is there any way to find the script exactly, or any procedure to find the culprit?
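
The alert quoted in the first post pairs "Executable: /usr/bin/perl" with "Command Line: /usr/bin/crond"; a process can rewrite its own argv, so the two fields can disagree. The following is an added example, not part of any post in this thread and not a cPanel tool: it lists processes whose real binary (/proc/PID/exe) does not match the name shown in argv[0], together with their working directory. The function name `find_masked_procs` and the `--scan` switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not a cPanel utility).
# Flags processes whose mapped binary differs from the name in argv[0],
# like the perl process in the alert that presents itself as crond.

find_masked_procs() (
    root="${1:-/proc}"              # alternate root allows offline testing
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # exe is a symlink to the binary really running; it is unreadable
        # for kernel threads or without root, so those entries are skipped.
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        exe="${exe% (deleted)}"     # binary was removed after start
        # cmdline is NUL-separated and can be rewritten by the process;
        # only the first field (argv[0]) is compared.
        argv0="$(tr '\000' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)"
        [ -n "$argv0" ] || continue
        argv0="${argv0#-}"          # login shells appear as "-bash"
        argv0="${argv0%% *}"        # drop any rewritten title text
        argv0="${argv0%:}"          # "sshd: user@pts/0" style titles
        if [ "${exe##*/}" != "${argv0##*/}" ]; then
            cwd="$(readlink "$d/cwd" 2>/dev/null)" || cwd='?'
            uid="$(stat -c %u "$d" 2>/dev/null)" || uid='?'
            printf '%s\tuid=%s\texe=%s\targv0=%s\tcwd=%s\n' \
                "$pid" "$uid" "$exe" "$argv0" "$cwd"
        fi
    done
)

# Run as root with --scan to check the live system.
if [ "${1:-}" = "--scan" ]; then
    find_masked_procs /proc
fi
```

Expect some benign hits (symlinked binaries, daemons that set their own process title). For a flagged PID, the cwd column and the open files under /proc/PID/fd are the next places to look for the script.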