The Community Forums

Email system hacked, Mail Queue manager is in meltdown

Discussion in 'Security' started by CreationsMoody, Nov 8, 2013.

  1. CreationsMoody

    Joined:
    Mar 8, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I found an account on my system that was sending out insane amounts of emails. I changed the passwords on the account and that sent the email system into a meltdown. I have emails that are trying to be sent every few seconds and bouncing back because the password has changed. I could be wrong, but this seems like it is more likely to be a script issue? So how do I find it and remove it? I found this website which I think would help, but the constant attempt of sending email may be hindering it from working properly. I try to run the first long set of commands and it just seems to sit there.. Here is the site with the commands it is giving me.

    http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim

    Is there a way I can stop the Exim from running long enough to run the commands listed in that site to find my real issue? Or I am open to other suggestions. I have got to get this issue resolved!!!!!
     
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    How about opening up one of the offending messages in Mail Queue Manager (inside WHM). Then take a look at the information in there.

    By viewing the full message source of one of the messages sent by the script (but not yet delivered to the recipient) it may help you.

    I'd ask you to forward one for me to take a look at, but (a) you probably don't have enough posts to PM me yet and (b) you probably don't want me to see any particular details in those messages.

    But if you're desperate and want to shoot me a PM, I'll give you my email address and you can copy/paste a couple of the messages in the outgoing queue and send them to me, and I can let you know what I think.

    Mike
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Try reviewing a message in the mail queue as the previous poster mentioned. You should be able to view the message headers if you confirm it's a SPAM message, and the message header should contain more information about the location of the script used to send the email. If you are aware of the specific account, try searching its public_html directory and subdirectories for files with "email" or "mail" terms.

    Thank you.
     
  4. CreationsMoody

    Joined:
    Mar 8, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The system seems to be in constant flow mode.. I can not even access the mail queue manager in the WHM and when I pull it up in SSH, it is like a cascading list of emails.... going by so fast I can't even tell all the different emails it is trying to send to. I know most are aol accounts, but the one constant is the email on my server. It is the same and I can see it. So how do I search their id for issues or rogue mail scripts via SSH.
     
  5. CreationsMoody

    Joined:
    Mar 8, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hey if you can help I will give you what I can... Here is an email that came in. If you see anything there that tells you something specific I need to do, by all means let me know please!!?!?!?
     
    #5 CreationsMoody, Nov 8, 2013
    Last edited: Nov 8, 2013
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Why don't you delete that message above (or remove the specific content identifying your server). That's why I asked you to PM me, so that you don't share it publicly.

    1. I know that message is a bounce from AOL, but the original message contained in that bounce -- is it actually spam? Or was a legitimate message?

    I think the example above is a bad one -- that's a legitimate message that got bounced by AOL. I'd like to see an actual piece of outgoing spam that hasn't been delivered yet. That will provide more useful info.

    If you can, send me a PM (private message) via the forums.

    Mike
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You can review the last few lines of /var/log/exim_mainlog if you want to avoid the log output continuing to appear. EX:

    Code:
    tail -500 /var/log/exim_mainlog
    Look for the message ID of a specific message you feel may be SPAM and review its headers with a command such as:

    Code:
    exim -Mvh <messageID>
    Thank you.
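As an added example (not code from the thread or from cPanel), the slice of exim_mainlog suggested above can be summarised instead of read line by line: the functions below count messages per envelope sender and per "cwd=" working directory (the directory of the process that invoked sendmail, which cPanel's Exim logging records for locally injected mail) and list the message IDs for one sender so each can be passed to `exim -Mvh <messageID>`. The sample log is constructed, and the account, paths and addresses in it are hypothetical.

```shell
# Added example: summarise a slice of exim_mainlog to locate the source of a
# mail flood. SAMPLE_LOG stands in for e.g. "tail -500 /var/log/exim_mainlog
# > /tmp/slice"; the lines below are constructed, not a real capture.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2013-11-08 10:15:01 cwd=/home/victim/public_html/images 3 args: /usr/sbin/sendmail -t -i
2013-11-08 10:15:01 1VeJgq-0001Ab-3x <= victim@example.com U=victim P=local S=1410 T="You won" for target1@example.net
2013-11-08 10:15:02 cwd=/home/victim/public_html/images 3 args: /usr/sbin/sendmail -t -i
2013-11-08 10:15:02 1VeJgr-0001Ac-4y <= victim@example.com U=victim P=local S=1411 T="You won" for target2@example.net
2013-11-08 10:15:03 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2013-11-08 10:15:03 1VeJgs-0001Ad-5z <= other@example.org U=other P=local S=2201 T="Invoice" for client@example.net
2013-11-08 10:15:04 1VeJgq-0001Ab-3x ** target1@example.net R=lookuphost T=remote_smtp: 550 5.1.1 Recipient address rejected
EOF

# Working directories of processes that called sendmail, most frequent first.
# A web-root path that dominates the list is where to look for the script.
top_cwd() {
    awk '/ cwd=/ { for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) { sub(/^cwd=/, "", $i); print $i } }' "$1" \
        | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# Envelope senders of accepted messages ("<=" lines), most frequent first.
top_senders() {
    awk '$4 == "<=" { print $5 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-5}"
}

# Exim message IDs accepted from one sender; each can be given to
# "exim -Mvh <id>" to read its headers while it is still queued.
message_ids_for_sender() {
    awk -v s="$2" '$4 == "<=" && $5 == s { print $3 }' "$1"
}

echo "== top working directories =="; top_cwd "$SAMPLE_LOG"
echo "== top senders ==";             top_senders "$SAMPLE_LOG"
echo "== message IDs for victim@example.com =="
message_ids_for_sender "$SAMPLE_LOG" victim@example.com
```

Against a real slice, point the three functions at the saved tail instead of SAMPLE_LOG; the counts are only as complete as the slice, so widen the tail if the top entries are close.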
     