
email failed due to suspicious file activity

Discussion in 'E-mail Discussions' started by keat63, Feb 9, 2016.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I saw a failed email message in my logs this morning, which would indicate that the root account had tried to send an email to a user on one of my domains.
    I know without doubt that this wasn't initiated by me or anyone else for that matter, so I'm guessing some sort of hack or email security bypass.

    Could someone take a look and see if they can decipher it please.

    Code:
    Return-path: <www@localhost.localdomain>
    Received: from [101.251.xxx.xx] (port=58643 helo=example.com)
        by my.servers.co.uk with esmtp (Exim 4.86)
        (envelope-from <www@localhost.localdomain>)
        id 1aT1UB-0007Cf-Bd
        for email@oneofmydomains.co.uk; Tue, 09 Feb 2016 06:09:18 +0000
    Received: from localhost.localdomain (localhost [127.0.0.1])
        by example.com (Postfix) with ESMTP id 242C46946E
        for <email@oneofmydomains.co.uk>; Tue,  9 Feb 2016 12:46:50 +0800 (CST)
    Received: (from www@localhost)
        by localhost.localdomain (8.14.4/8.14.4/Submit) id u194knea002948;
        Tue, 9 Feb 2016 12:46:49 +0800
    To: email@oneofmydomains.co.uk
    X-PHP-Originating-Script: 501:rripp1.php
    Date: Tue, 9 Feb 2016 12:46:49 +0800
    From: "DHL DeliverNow Network" <eulnmcyil@blog.example.com>
    Message-ID: <9951138358.20160209124649@>
    To: email@oneofmydomains.co.uk
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----------505939FD9C2C326F7"
    X-Spam-Status: Yes, score=6.4
    X-Spam-Score: 64
    X-Spam-Bar: ++++++
    X-Spam-Report: Spam detection software, running on the system "my.servers.co.uk",
    has identified this incoming email as possible spam.  The original
    message has been attached to this so you can view it or label
    similar future email.  If you have any questions, see
    root\@localhost for details.
    
     
    #1 keat63, Feb 9, 2016
    Last edited by a moderator: Feb 9, 2016
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello :),

    I can see this mail has been sent from your rripp1.php file, which is present under one of your users (user id: 501). Please check this account, remove the unwanted files from it and secure it.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I just looked and don't have an account under 501.
    Not that I can see, anyway.

    Incidentally, the IP 101.251.x.x is not my server

    I've googled this a few times, but cannot find anything definitive. Lots of posts mentioning hosts files.

    This is mine

    Code:
    
    127.0.0.1        localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1        localhost localhost.localdomain localhost6 localhost6.localdomain6
    
    213.xxx.xxx.xx        my.server.co.uk my server213-xxx-xxx-xxx.hosts-servers.net server213-xxx-xxx-xx
    
    Could there be some sort of bypass where the hacker, spammer, etc. sends an email as localhost, and then my server interprets this as itself, and that's why I received the failure notification??
     
    #3 keat63, Feb 9, 2016
    Last edited: Feb 9, 2016
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I'd say search your filesystem for the file: rripp1.php

    find / -name rripp1.php -type f | xargs ls -alt

    Might take a long time if you have a lot of files.

    501 is usually the clamav user on many of my machines, but on other machines it's my first hosting account user. Look for 501 in your /etc/passwd and /etc/group.

    M
     
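As an added example (not code from the thread or from cPanel), a small Python script that reads the Received chain and the X-PHP-Originating-Script header from the post above, resolves the uid against a constructed /etc/passwd excerpt, and reports whether the PHP stamp was made on another host before the mail reached your server; the hostname my.servers.co.uk and the passwd contents are assumptions.

```python
import email
import re

# Constructed sample: the Received chain and PHP header from the post, placeholders kept.
RAW_HEADERS = (
    "Received: from [101.251.xxx.xx] (port=58643 helo=example.com)\n"
    "\tby my.servers.co.uk with esmtp (Exim 4.86)\n"
    "\tfor email@oneofmydomains.co.uk; Tue, 09 Feb 2016 06:09:18 +0000\n"
    "Received: from localhost.localdomain (localhost [127.0.0.1])\n"
    "\tby example.com (Postfix) with ESMTP id 242C46946E\n"
    "Received: (from www@localhost)\n"
    "\tby localhost.localdomain (8.14.4/8.14.4/Submit) id u194knea002948\n"
    "X-PHP-Originating-Script: 501:rripp1.php\n"
)
# Constructed /etc/passwd excerpt (not from the thread); uid 501 is clamav, as on mtindor's boxes.
PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\nclamav:x:501:501::/var/clamav:/sbin/nologin\n"
HOP_RE = re.compile(r"from\s+([^\s()]+).*?\bby\s+([^\s()]+)")
LOOPBACK = {"127.0.0.1", "::1", "localhost", "localhost.localdomain"}

def unfold(raw):
    """Join RFC 5322 folded continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def parse_hops(msg):
    """Return [(from_host, by_host), ...], newest hop first, as MTAs stack them."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).strip("[]"), m.group(2)))
    return hops

def resolve_uid(passwd_text, uid):
    """Map a numeric uid to a login name via passwd-format text; None if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            return fields[0]
    return None

def analyze(raw, my_host):
    """Find PHP's uid:script stamp and whether it was made before the mail reached my_host."""
    msg = email.message_from_string(unfold(raw))
    hops = parse_hops(msg)
    uid, script = msg["X-PHP-Originating-Script"].split(":", 1)
    entry_from, entry_by = hops[0]   # the hop that handed the mail to us
    return {"uid": int(uid), "script": script.strip(),
            "origin_host": hops[-1][1],   # oldest hop: where the script ran
            "entry_ip": entry_from,
            "remote_origin": entry_by == my_host and entry_from not in LOOPBACK}
```

On the thread's headers it reports that the script ran on localhost.localdomain behind 101.251.xxx.xx, so uid 501 refers to that host's passwd, not yours. Only the top Received line (added by your own Exim) is trustworthy; everything below it was written by the sending side.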
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I found an entry for 501 in the group file.
    It's saying Mailtrap

    Is there a syntax error in that find command, as I get a message pop up about "Arguments to -type should contain only one letter", then a whole host of files and folders appear, but I don't see rripp1.php amongst them?
     
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I have CSF explorer installed and didn't realise that this had a search facility.
    It's coming back and saying no results for rripp1.php
     
    #6 keat63, Feb 9, 2016
    Last edited: Feb 9, 2016
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Is the "mlocate" package installed on your system? If so, you can try searching the file via a command such as:

    Code:
    locate rripp1.php
    The database is cached, so as long as it has not updated recently, it should show you if that file existed in the past and was recently deleted.

    Thank you.
     