Exim_mainlog - e-mail account breached

StelarBlack (Member, Dec 7, 2014; cPanel Access Level: Root Administrator)
Hi, I have noticed strange behaviour while reading my exim_mainlog, but I am not sure what is actually happening. The mail queue is getting full. When I investigated the case, I changed the e-mail password for the suspicious account, but the problem is still present. I have a mail queue full of spam messages like this:

Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    Domain myuserdomain.com has exceeded the max defers and failures per hour (5/5 (17%)) allowed. Message discarded.

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [74.208.64.163] (port=51089)
	by myhostname.example.com with esmtpa (Exim 4.84)
	(envelope-from <[email protected]>)
	id 1YBJnJ-0006h0-6n
	for [email protected]; Wed, 14 Jan 2015 09:59:17 +0100
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Subject: Settlement
To: [email protected]
From: "IMF" <[email protected]>
Date: Wed, 14 Jan 2015 02:58:45 -0600
Reply-To: [email protected]
And then there are a lot of similar log lines:

Code:
2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= [email protected] H=([74.208.64.163]) [74.208.64.163]:51089 P=esmtpa A=dovecot_login:[email protected] S=2057 T="Settlement" for [email protected]
What concerns me is that I am not sure whether that mailbox has been breached and is sending a lot of spam to random e-mail addresses. How can I find out what is actually happening?
 

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
Hello :)

You may want to try running the following command to see if any scripts in your /home directory are sending out email:

Code:
awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
Thank you.
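Pulling the two checks from this thread together, as an added Python example that is not part of the original thread or of cPanel's tooling: it reads exim_mainlog "<=" lines, tallies how many messages each SMTP-authenticated login (the A=dovecot_login:... field in the post) submitted and from how many distinct client IPs, and separately counts sendmail invocations per /home directory, which is what the awk one-liner above reports. The log excerpt is constructed in the style of the post (placeholder addresses and documentation IPs), and the thresholds in flag_suspicious are arbitrary assumptions to tune per server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample exim_mainlog excerpt (not real server data). The first
# three lines mimic the authenticated submissions shown in the post; the
# cwd= lines are what cPanel's Exim writes when a script calls sendmail.
SAMPLE_LOG = """\
2015-01-14 09:57:50 1YBJlu-0006h0-Lz <= victim@myuserdomain.com H=([74.208.64.163]) [74.208.64.163]:51089 P=esmtpa A=dovecot_login:victim@myuserdomain.com S=2057 T="Settlement" for target1@example.net
2015-01-14 09:57:51 1YBJlv-0006h1-Ab <= victim@myuserdomain.com H=([74.208.64.163]) [74.208.64.163]:51090 P=esmtpa A=dovecot_login:victim@myuserdomain.com S=2057 T="Settlement" for target2@example.net
2015-01-14 09:57:52 1YBJlw-0006h2-Cd <= victim@myuserdomain.com H=([203.0.113.7]) [203.0.113.7]:4410 P=esmtpa A=dovecot_login:victim@myuserdomain.com S=2061 T="Settlement" for target3@example.net
2015-01-14 10:01:00 1YBJp0-0006h3-Ef <= alice@myuserdomain.com H=([198.51.100.9]) [198.51.100.9]:2201 P=esmtpsa A=dovecot_login:alice@myuserdomain.com S=1400 T="Invoice" for bob@example.org
2015-01-14 10:02:10 cwd=/home/webuser/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2015-01-14 10:02:10 1YBJq0-0006h4-Gh <= webuser@myhostname.example.com U=webuser P=local S=900 T="Contact form" for owner@example.org
2015-01-14 10:03:00 cwd=/home/webuser/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2015-01-14 10:05:00 1YBJr0-0006h5-Ij => target1@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.10]
"""

# A=<authenticator>:<login> is logged for every SMTP-authenticated
# submission; [ip]:port is the connecting client.
AUTH_RE = re.compile(r" A=(?P<authenticator>[^:\s]+):(?P<login>\S+)")
CLIENT_RE = re.compile(r"\[(?P<ip>[^\]]+)\]:\d+ ")
CWD_RE = re.compile(r" cwd=(?P<cwd>/home/\S+)")


def authenticated_senders(log_text):
    """Per SMTP-authenticated login: accepted message count and set of client IPs.

    Only '<=' (message accepted) lines carry the A= field, so delivery and
    bounce lines are ignored, as are local/unauthenticated submissions.
    """
    stats = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in log_text.splitlines():
        if " <= " not in line:
            continue
        auth = AUTH_RE.search(line)
        if not auth:
            continue  # e.g. P=local from a script, no SMTP login involved
        client = CLIENT_RE.search(line)
        entry = stats[auth.group("login")]
        entry["count"] += 1
        if client:
            entry["ips"].add(client.group("ip"))
    return dict(stats)


def script_senders(log_text):
    """Count sendmail invocations per /home directory (same as the awk above)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            counts[m.group("cwd")] += 1
    return counts


def flag_suspicious(stats, max_messages=100, max_ips=3):
    """Logins over either threshold (assumed defaults; tune per site).

    One mailbox submitting in bulk, or from several unrelated client IPs in
    a short window, is the usual sign of a stolen password.
    """
    flagged = []
    for login, entry in sorted(stats.items()):
        if entry["count"] > max_messages or len(entry["ips"]) > max_ips:
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    stats = authenticated_senders(SAMPLE_LOG)
    for login, entry in stats.items():
        print(f"{login}: {entry['count']} messages from {sorted(entry['ips'])}")
    print("scripts:", dict(script_senders(SAMPLE_LOG)))
    print("suspicious:", flag_suspicious(stats, max_messages=2, max_ips=1))
```

On a real server, feed it the contents of /var/log/exim_mainlog instead of SAMPLE_LOG. A login that keeps appearing in new "<=" lines after its password was changed means either the change did not invalidate existing sessions, the spam is coming from another path (a script, hence the cwd= count), or a different credential is in play.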