Determine if Email account or server hacked

Bestrafung
Active Member, joined Apr 2, 2012
cPanel Access Level: Root Administrator
This morning there were a lot of SPAM email messages sent through our server from one of our clients' legitimate email accounts. I'm trying to determine whether it was their email account or the server itself that was hacked. If I go to Mail Delivery Reports > View Relayers I get about 34 pages of details for this account. One of the examples is provided below. It appears that the server is being used as an SMTP relay. As best I understand it, this means the email account itself is compromised, correct? Or could it be something else? I'm already changing the password while I continue to look into this.

Code:
Event: success success
User: xxxxxxx
Domain: xxxxx.com
Sender: [email protected]
Sent Time: May 22, 2014 11:07:11 AM
Sender Host: 03b553ef.pediting.me
Sender IP: 198.98.122.186
Authentication: forwarder
Spam Score:
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: May 22, 2014 11:07:11 AM
ID: 1WnUb5-00008h-Et
Delivery Host: mx2.hotmail.com
Delivery IP: 65.55.92.136
Size: 5.59 KB
Result: Message accepted

cPanelMichael
Administrator, Staff member, joined Apr 11, 2011
Hello :)

Search for the email address in /var/log/exim_mainlog using the "exigrep" utility to get a better idea of how the messages were sent out. EX:

Code:
exigrep [email protected] /var/log/exim_mainlog
Also, if any of the messages are still in the queue, view the headers with a command such as:

Code:
exim -Mvh messageID
Thank you.

Bestrafung
Active Member, joined Apr 2, 2012
cPanel Access Level: Root Administrator
Thanks for the response. I changed the password for that account, but after 20 minutes or so the spammers were at it again. I'm running a ClamAV scan on the user's home directory now. The client has already run full AV and malware scans on all workstations used to access this account. I'm still not sure what is going on. I'll include a sample output from "exigrep [email protected] /var/log/exim_mainlog" as soon as the scan finishes and the load returns to acceptable levels.

coroy
Registered, joined Aug 20, 2014
cPanel Access Level: Root Administrator
I also encountered this kind of problem. Is there any command to determine what file is executing or sending an email?

Thank you.

triantech
Well-Known Member, joined Jul 1, 2014
Kochi, India
cPanel Access Level: Root Administrator
Hello,

- To list the folders from which mails can be generated (will include valid scripts too):

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

- To list which mail account is reporting the highest activity:

# exim -bpr | grep "<*@*>" | awk '{print $4}' | grep -v "<>" | sort | uniq -c | sort -n
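An added example, not from this thread or from cPanel's tooling, of the same triage done over exim_mainlog in Python: it separates SMTP-authenticated submissions (the `A=dovecot_login:...` field, counted per client IP) from messages a local script injected through sendmail (the `cwd=` line exim writes just before the `<=` line), which is what tells a stolen mailbox password apart from a script sending from the server itself. The log excerpt is constructed with placeholder addresses, hosts and IPs, and `ip_threshold` is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed exim_mainlog excerpt (placeholder IPs, hosts and addresses, not real data).
SAMPLE_LOG = """\
2014-05-22 11:05:01 1WnUa0-00001a-Aa <= user@example.com H=(pc1) [198.51.100.10] P=esmtpa A=dovecot_login:user@example.com S=5700 for a@hotmail.com
2014-05-22 11:05:03 1WnUa1-00001b-Bb <= user@example.com H=(pc2) [203.0.113.7] P=esmtpa A=dovecot_login:user@example.com S=5700 for b@hotmail.com
2014-05-22 11:05:05 1WnUa2-00001c-Cc <= user@example.com H=(pc3) [192.0.2.44] P=esmtpa A=dovecot_login:user@example.com S=5700 for c@hotmail.com
2014-05-22 11:06:00 cwd=/home/user/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -f user@example.com
2014-05-22 11:06:00 1WnUa3-00001d-Dd <= user@example.com U=user P=local S=4100 for d@hotmail.com
2014-05-22 11:06:02 cwd=/home/user/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i -f user@example.com
2014-05-22 11:06:02 1WnUa4-00001e-Ee <= user@example.com U=user P=local S=4100 for e@hotmail.com
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+) (?P<rest>.*)$")  # "<=" = message received
CWD = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: ")               # caller cwd of a local injection
AUTH = re.compile(r"\bA=[^:\s]+:(?P<login>\S+)")                        # e.g. A=dovecot_login:user@dom
CLIENT_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")                   # H=(name) [1.2.3.4]

def analyse(log_text):
    """Return ({login: [client IPs]}, {script cwd: count}) for received messages."""
    auth_ips = defaultdict(list)   # SMTP-authenticated submissions, one IP per message
    script_dirs = Counter()        # locally injected messages (P=local), by script directory
    last_cwd = None
    for line in log_text.splitlines():
        if m := CWD.match(line):          # exim writes the cwd line just before the "<=" line
            last_cwd = m.group("cwd")
        elif m := ARRIVAL.match(line):
            rest = m.group("rest")
            if auth := AUTH.search(rest):
                ip = CLIENT_IP.search(rest)
                auth_ips[auth.group("login")].append(ip.group("ip") if ip else "?")
            elif " P=local" in rest and last_cwd:
                script_dirs[last_cwd] += 1
            last_cwd = None
    return auth_ips, script_dirs

def findings(log_text, ip_threshold=3):
    """Many client IPs for one login suggests a stolen password; local injections
    from under /home suggest a script on the server itself."""
    auth_ips, script_dirs = analyse(log_text)
    out = []
    for login, ips in sorted(auth_ips.items()):
        if len(set(ips)) >= ip_threshold:
            out.append(f"ACCOUNT {login}: {len(ips)} authenticated submissions from {len(set(ips))} IPs")
    for cwd, n in script_dirs.most_common():
        if cwd.startswith("/home/"):
            out.append(f"SCRIPT {cwd}: {n} local injections")
    return out
```

On a real server, replace `SAMPLE_LOG` with the contents of /var/log/exim_mainlog (or the output of the exigrep command above) and compare the two indicator types for the affected account.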