
Exim seems to hacked

Discussion in 'Security' started by VagrantRonnie, Dec 12, 2013.

  1. VagrantRonnie

    VagrantRonnie Member

    Hello guys,
    I don't know if I'm the only one facing this problem, but for a week now I can see an account "team@somedomains" on several servers of our company sending spam emails. None of the domains has any email account like "team@...", so I guess there is mailing code injected into their website content.
    But I've seen this on several servers, and I'm suspecting there is a security lack on my servers or something like this?
    Can anyone help me find this guy?
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Hello,

    Your best bet is to review the log files (/var/log/exim_mainlog) and obtain the message ID file, then look for a message with that message ID and find out if the auth_id is a user on your server. If so, then that account is most likely compromised and you should immediately change the password.

    Feel free to open a ticket using the link in my signature and we can have one of our technical analysts review this for you, and advise accordingly.
     
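    The triage cPanelPeter describes, worked through as an added example (not part of the thread, and not cPanel's own tooling). It runs over a few constructed exim_mainlog lines embedded in the script; on a real server you would point log_lines at /var/log/exim_mainlog instead. Exim's arrival line ("<=") carries either an A=authenticator:auth_id field, meaning the message came in over SMTP AUTH as that mailbox, or a U=user field, meaning a local process under that cPanel account handed it to Exim. Which of the two you see decides whether to reset a mailbox password or to go looking in that account's web content:

```sh
#!/bin/sh
# Constructed sample of /var/log/exim_mainlog lines for this example (not taken from the thread).
# Arrival line layout: "<date> <time> <msgid> <= <envelope-sender> ... [A=<authenticator>:<auth_id>] [U=<local-user>] ..."
SAMPLE_LOG='2013-12-12 09:14:01 1VqRzz-0003Ab-Cd <= team@example-one.test H=(localhost) [127.0.0.1] P=esmtpa A=dovecot_login:joe@example-one.test S=2310
2013-12-12 09:14:02 1VqRzz-0003Ab-Cd => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2013-12-12 09:14:02 1VqRzz-0003Ab-Cd Completed
2013-12-12 09:15:30 1VqS0a-0003Fg-Hi <= team@example-two.test U=acmeuser P=local S=1984
2013-12-12 09:15:31 1VqS0a-0003Fg-Hi => other@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.5]
2013-12-12 09:16:00 1VqS0b-0003Jk-Lm <= newsletter@example-three.test U=othersite P=local S=5000'

# log_lines: the log source. Replace the body with `cat /var/log/exim_mainlog` on a live server.
log_lines() {
    printf '%s\n' "$SAMPLE_LOG"
}

# message_ids SENDER: Exim message IDs of messages whose envelope sender is exactly SENDER.
message_ids() {
    log_lines | awk -v s="$1" '$4 == "<=" && $5 == s { print $3 }'
}

# origin_of MSGID: who introduced MSGID into the queue.
#   auth:<id>    -> SMTP AUTH login; that mailbox's password is what to reset
#   local:<user> -> local injection under that account; look at its web content
origin_of() {
    log_lines | awk -v id="$1" '
        $3 == id && $4 == "<=" {
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^A=/) { split($i, a, ":"); print "auth:" a[2]; next }
                if ($i ~ /^U=/) { print "local:" substr($i, 3); next }
            }
            print "unknown"
        }'
}

# report PREFIX: one "<msgid> <origin>" line per message whose sender starts with PREFIX
# (e.g. "team@" to catch the same local-part across many domains, as in the thread).
report() {
    log_lines | awk -v p="$1" '$4 == "<=" && index($5, p) == 1 { print $3 }' |
    while read -r id; do
        printf '%s %s\n' "$id" "$(origin_of "$id")"
    done
}

report team@
```

    In the sample, the first team@ message was accepted over SMTP AUTH as joe@example-one.test (a compromised mailbox password), while the second was injected locally by the acmeuser account (a script in that account's web space). The real log is large, so run the report against a date-limited grep of exim_mainlog rather than the whole file.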
  3. VagrantRonnie

    VagrantRonnie Member

    Thank you for the answer.
    I've figured out that in most of my clients' hosting spaces which were using an outdated Joomla version, there was a file injected named "web-info.php", which was encrypted with base64, and this file was running the required script to send spam emails.
    ClamAV is able to detect and remove these kinds of files, but they will be back again.
    Is there any way to prevent these kinds of files from being executed?
    Since I cannot force all of my customers to update their Joomla, and I cannot disable the base64 decoder?
     
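    A sweep for the shape of file VagrantRonnie describes, as an added example (not from the thread, and independent of ClamAV). It flags PHP files that both call base64_decode and pass something to eval() or assert(), which is how an encoded mailer usually unpacks itself. The directory layout and the two files are constructed for the demo; the "web-info.php" name is taken from the post, and its encoded string is only "phpinfo();", so the demo file does nothing harmful:

```sh
#!/bin/sh
# scan_obfuscated_php DIR: print PHP files under DIR that both call base64_decode and
# feed a value to eval()/assert(). Heuristic only: a hit is a file to open and read,
# not proof of compromise (legitimate code decodes base64 too; the combination is the tell).
# Note: the read loop assumes file names without newlines, which is fine for hosting trees.
scan_obfuscated_php() {
    find "$1" -type f -name '*.php' | while read -r f; do
        if grep -q 'base64_decode' "$f" && grep -Eq '(eval|assert)[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_demo_tree: build a constructed account tree in a temp dir (not real customer data).
#   public_html/decode.php          uses base64_decode legitimately -> must not be flagged
#   public_html/images/web-info.php eval(base64_decode(...)) shape   -> must be flagged
# "cGhwaW5mbygpOw==" decodes to "phpinfo();", so the demo file is harmless.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/images"
    printf '%s\n' '<?php echo base64_decode($argv[1]);' > "$d/public_html/decode.php"
    printf '%s\n' '<?php eval(base64_decode("cGhwaW5mbygpOw=="));' > "$d/public_html/images/web-info.php"
    printf '%s\n' "$d"
}

DEMO_DIR=$(make_demo_tree)
scan_obfuscated_php "$DEMO_DIR"
rm -rf "$DEMO_DIR"
```

    Pointed at /home (or one account's public_html) from cron, this gives a daily list of files to review and removes the dependency on waiting for a signature update. It is detection only: the file comes back because the Joomla hole that let it in is still open, so the scan is a stopgap, not a fix.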
  4. quizknows

    quizknows Well-Known Member

    You need to get them to update Joomla and change their administrator passwords or they WILL be hacked again.

    Your only option to even try to prevent that is a good paid modsec rule set like Trustwave or Atomicorp. Still, modsec rules can be evaded by skilled hackers.

    Do not let your customers run outdated and vulnerable software. I know a lot of people don't want to update, but you should have a ToS that prohibits abuse, and that abuse is their fault if they're running known-hackable versions of Joomla or other CMS software.
     