The Community Forums


Determine if Email account or server hacked

Discussion in 'E-mail Discussions' started by Bestrafung, May 22, 2014.

  1. Bestrafung

    Bestrafung Active Member

    Joined:
    Apr 2, 2012
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    This morning there were a lot of SPAM email messages sent through our server from one of our clients' legitimate email accounts. I'm trying to determine whether it was their email account or the server itself that was hacked. If I go to Mail Delivery Reports > View Relayers I get about 34 pages of details for this account. One of the examples is provided below. It appears that the server is being used as an SMTP relay. As best I understand it, this means the email account itself is compromised, correct? Or could it be something else? I'm already changing the password while I continue to look into this.

    Code:
    Event: success success
    User: xxxxxxx
    Domain: xxxxx.com
    Sender: vydox@pediting.me
    Sent Time: May 22, 2014 11:07:11 AM
    Sender Host: 03b553ef.pediting.me
    Sender IP: 198.98.122.186
    Authentication: forwarder
    Spam Score:
    Recipient: xxxxxx@xxxxx.com
    Delivered To: xxxxxx@msn.com
    Delivery User: -remote-
    Delivery Domain:
    Router: lookuphost
    Transport: remote_smtp
    Out Time: May 22, 2014 11:07:11 AM
    ID: 1WnUb5-00008h-Et
    Delivery Host: mx2.hotmail.com
    Delivery IP: 65.55.92.136
    Size: 5.59 KB
    Result: Message accepted 
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Search for the email address in /var/log/exim_mainlog using the "exigrep" utility to get a better idea of how the messages were sent out. EX:

    Code:
    exigrep user@domain /var/log/exim_mainlog
    Also, if any of the messages are still in the queue, view the headers with a command such as:

    Code:
    exim -Mvh messageID
    Thank you.
     
  3. Bestrafung

    Bestrafung Active Member

    Joined:
    Apr 2, 2012
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Thanks for the response. I changed the password for that account, but after 20 minutes or so the spammers were at it again. I'm running a ClamAV scan on the user's home directory now. The client has already run full AV and malware scans on all workstations used to access this account. I'm still not sure what is going on. I'll include a sample output from "exigrep user@domain /var/log/exim_mainlog" as soon as the scan finishes and the load returns to acceptable levels.
     
  4. coroy

    coroy Registered

    Joined:
    Aug 20, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I also encountered this kind of problem. Is there any command to determine which file is executing or sending an email?

    Thank you.
     
  5. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    145
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    Hello,

    - To list the folders from which mails can be generated (this will include valid scripts too):

    # awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

    - To list which mail account is reporting the highest activity:

    # exim -bpr | grep "<.*@.*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
     
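    Added example (not from the thread, and not cPanel's own tooling): a small Python parser that applies the checks from cPanelMichael's exigrep suggestion and triantech's cwd= and sender counts to a constructed set of exim_mainlog lines. It separates the three ways a message can leave a cPanel server, which is the distinction the original question turns on: an SMTP-authenticated submission (an `A=` token on the `<=` arrival line, meaning the mailbox password was used), a local script (a `cwd=` line followed by an arrival with `P=local`), and inbound mail for a local address that a forwarder simply sends on (no `A=`, remote `H=`). The sample log lines, the field names in the records and the thresholds in `findings()` are assumptions for illustration; run it against the real log with `python3 triage.py /var/log/exim_mainlog`.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample of /var/log/exim_mainlog lines in cPanel's format (not from the thread).
# Lines 1-2: inbound message for a local address that a forwarder pushes to msn.com.
# Lines 3-4: SMTP-authenticated submissions for one mailbox from two different client IPs.
# Lines 5-6: a script calling sendmail; cPanel logs the cwd= line just before the arrival.
SAMPLE_LOG = """\
2014-05-22 11:07:11 1WnUb5-00008h-Et <= vydox@pediting.me H=03b553ef.pediting.me [198.98.122.186] P=esmtp S=5720
2014-05-22 11:07:11 1WnUb5-00008h-Et => xxxxxx@msn.com <xxxxxx@xxxxx.com> R=lookuphost T=remote_smtp H=mx2.hotmail.com [65.55.92.136]
2014-05-22 11:09:02 1WnUcs-0000Aa-Qz <= user@xxxxx.com H=(WIN-PC) [203.0.113.45] P=esmtpsa A=dovecot_login:user@xxxxx.com S=2104
2014-05-22 11:09:03 1WnUct-0000Ab-Rz <= user@xxxxx.com H=(WIN-PC) [198.51.100.7] P=esmtpsa A=dovecot_login:user@xxxxx.com S=2111
2014-05-22 11:10:40 cwd=/home/xxxxxxx/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-05-22 11:10:40 1WnUeT-0000B1-Xy <= xxxxxxx@server.example U=xxxxxxx P=local S=1802
"""

ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+)(.*)$")   # '<=' = message accepted
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+)")                    # working dir of a local submitter
AUTH_RE = re.compile(r"\bA=(\w+):(\S+)")                      # A=<mechanism>:<mailbox>
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")                   # bracketed peer address


def parse_mainlog(lines):
    """Return one record per message arrival, classified by how it got into the queue."""
    records = []
    last_cwd = None
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group(1)  # kept for the local arrival that follows it
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue  # deliveries ('=>'), completions and errors are not needed here
        when, msg_id, sender, rest = m.groups()
        rec = {"time": when, "id": msg_id, "sender": sender,
               "auth_user": None, "ip": None, "cwd": None}
        auth = AUTH_RE.search(rest)
        ip = IP_RE.search(rest)
        if auth:
            rec["origin"] = "authenticated"   # mailbox password was presented
            rec["auth_user"] = auth.group(2)
            rec["ip"] = ip.group(1) if ip else None
        elif " P=local" in rest:
            rec["origin"] = "local_script"    # sendmail/PHP mail() on the box itself
            rec["cwd"], last_cwd = last_cwd, None
        else:
            rec["origin"] = "inbound"         # accepted from a remote host, no auth
            rec["ip"] = ip.group(1) if ip else None
        records.append(rec)
    return records


def summarize(records):
    """Counts per origin, per authenticated mailbox (with distinct IPs) and per script directory."""
    summary = {"origins": Counter(), "auth_msgs": Counter(),
               "auth_ips": defaultdict(set), "cwd": Counter()}
    for r in records:
        summary["origins"][r["origin"]] += 1
        if r["origin"] == "authenticated":
            summary["auth_msgs"][r["auth_user"]] += 1
            if r["ip"]:
                summary["auth_ips"][r["auth_user"]].add(r["ip"])
        elif r["origin"] == "local_script" and r["cwd"]:
            summary["cwd"][r["cwd"]] += 1
    return summary


def findings(summary, max_ips=1):
    """Plain-language triage hints; the max_ips threshold is an assumption, tune it per site."""
    out = []
    for user, ips in summary["auth_ips"].items():
        if len(ips) > max_ips:
            out.append(f"{user}: authenticated from {len(ips)} distinct IPs, "
                       "treat the mailbox credential as compromised and reset it")
    for path, n in summary["cwd"].most_common():
        out.append(f"{n} message(s) submitted by a script running in {path}, inspect that directory")
    if summary["origins"]["inbound"]:
        out.append(f"{summary['origins']['inbound']} inbound message(s) accepted and forwarded on; "
                   "a forwarder relaying mail sent to the mailbox is not evidence of a compromise")
    return out


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarize(parse_mainlog(src))
    print(dict(s["origins"]))
    for line in findings(s):
        print("-", line)
```

    Reading the output against the original report: the "Authentication: forwarder" line in the relayer entry corresponds to the inbound case here, so the number of distinct IPs behind `A=` entries for the mailbox is the figure that actually answers "was the password stolen", while a `cwd=` under the account's web root points at a script rather than the mailbox.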