Help me find a nobody sender

benito

Well-Known Member
Jan 8, 2004
Mar del Plata - Argentina
cPanel Access Level: Root Administrator
I think one of my users has been compromised by a phishing hack. I get these emails in my nobody inbox:

Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
SMTP error from remote mail server after RCPT TO:<[email protected]>:
host mx0.gmx.com [74.208.5.90]: 550 5.1.1 <[email protected]>... User is unknown {mx-us006}

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from nobody by MYSERVER with local (Exim 4.69)
(envelope-from <[email protected]>)
id 1LlnfJ-0001Av-J2
for [email protected]; Mon, 23 Mar 2009 14:10:21 -0300
To: [email protected]
Subject: egg 81.151.189.214
Message-Id: <[email protected]>
From: Nobody <[email protected]>
Date: Mon, 23 Mar 2009 14:10:21 -0300

---------------Created By FATA-----------------
First Name.: sarah
Last Name.: williams
DOB Day.: 12
DOB Month.: 03
DOB Year.: 1975
Postcode.: sn25 1rb
MMN.: wombill
Pass.: astra1
Email.: [email protected]
IP: 81.151.189.214
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
---------------Created By FATA-----------------
I tried everything, including recompiling Apache to enable suPHP, but I still can't find where those mails come from.
 

benito

Well-Known Member
Jan 8, 2004
Mar del Plata - Argentina
cPanel Access Level: Root Administrator
Use extended exim logging. You can then find the directory the email script sent from:
http://configserver.com/free/spammers.html#outbound
Yes, today I was on configserver reading that; that's why I enabled suPHP. But I still can't find the sender field. This is what I got from the mainlog.

Code:
[[email protected]]# grep 1LlnfJ-0001Av-J2 /var/log/exim_mainlog

2009-03-23 14:10:21 1LlnfJ-0001Av-J2 <= [email protected] U=nobody P=local S=780 T="egg 81.151.189.214"
2009-03-23 14:10:21 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LlnfJ-0001Av-J2
2009-03-23 14:10:22 1LlnfJ-0001Av-J2 ** [email protected] R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx0.gmx.com [74.208.5.90]: 550 5.1.1 <[email protected]>... User is unknown {mx-us006}
2009-03-23 14:10:22 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1LlnfJ-0001Av-J2
2009-03-23 14:10:23 1LlnfK-0001D6-Hw <= <> R=1LlnfJ-0001Av-J2 U=mailnull P=local S=1750 T="Mail delivery failed: returning message to sender"
2009-03-23 14:10:23 1LlnfJ-0001Av-J2 Completed
[[email protected]]#
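Once extended logging (the `+arguments` log selector the configserver page above describes) is on, each locally injected message is preceded by a `cwd=... args:` line naming the directory the injecting process ran from. The following is an added example, not code from the thread or from cPanel/Exim, that correlates those lines with the `<=` arrival lines for messages injected as `nobody` and ignores Exim's own queue-runner invocations under the spool directory; the sample log, its sender address and the `/home/someuser/public_html/contact` path are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shapes follow the exim_mainlog excerpt in this thread (Exim 4 format).
TS_FMT = '%Y-%m-%d %H:%M:%S'
LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$')
CWD_RE = re.compile(r'^cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
ARRIVAL_RE = re.compile(r'^(?P<id>\S+) <= (?P<sender>\S+) (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXIM_SPOOL = '/var/spool/exim'
def find_nobody_senders(log_lines, user='nobody', window=5):
    """One dict per message injected locally as `user`, with the working directory
    and arguments of the injecting process when +arguments logging captured them."""
    recent = []  # (timestamp, cwd, args) of non-spool invocations seen so far
    found = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = datetime.strptime(m.group('ts'), TS_FMT), m.group('rest')
        c = CWD_RE.match(rest)
        if c:
            # Exim's own queue runner and bounce generator also log cwd=, but under
            # the spool directory; those are not the web script being hunted.
            if not c.group('cwd').startswith(EXIM_SPOOL):
                recent.append((ts, c.group('cwd'), c.group('args')))
            continue
        a = ARRIVAL_RE.match(rest)
        if not a:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(a.group('fields'))}
        if fields.get('U') != user or fields.get('P') != 'local':
            continue
        # Most recent script invocation within `window` seconds before arrival
        hit = next(((d, g) for t, d, g in reversed(recent)
                    if timedelta(0) <= ts - t <= timedelta(seconds=window)), (None, None))
        found.append({'id': a.group('id'), 'when': m.group('ts'), 'sender': a.group('sender'),
                      'subject': fields.get('T', ''), 'cwd': hit[0], 'args': hit[1]})
    return found
# Constructed sample in the same log format (extended logging on); the path and
# sender address are assumptions, not data from the thread.
SAMPLE_LOG = """\
2009-03-23 14:10:20 cwd=/home/someuser/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-03-23 14:10:21 1LlnfJ-0001Av-J2 <= nobody@myserver.example U=nobody P=local S=780 T="egg 81.151.189.214"
2009-03-23 14:10:21 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LlnfJ-0001Av-J2
2009-03-23 14:10:23 1LlnfK-0001D6-Hw <= <> R=1LlnfJ-0001Av-J2 U=mailnull P=local S=1750 T="Mail delivery failed: returning message to sender"
2009-03-23 14:10:23 1LlnfJ-0001Av-J2 Completed
"""
if __name__ == '__main__':
    print(find_nobody_senders(SAMPLE_LOG.splitlines()))
```

Messages that were already queued before the selector was enabled (as in the log above) have no `cwd=` line and show `cwd: None`; only mail injected after the change can be traced this way.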
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
That looks like an email that was already in the mail queue. I'd suggest emptying the mail queue first. Subsequent email should then be logged fully. Having suPHP enabled (if you've enabled it in WHM after recompiling using EasyApache) will mean that no email should be sent out from the nobody user anymore by web-based scripts.
 

benito

Well-Known Member
Jan 8, 2004
Mar del Plata - Argentina
cPanel Access Level: Root Administrator
chirpy said: That looks like an email that is already in the mail queue. I'd suggest emptying the mail queue first. Subsequent email should then be logged fully. With suPHP enabled (if you've enabled it in WHM after recompiling using easyapache) will mean that no email should be sent out from the nobody user anymore from web-based scripts.
Found it! Thank you very much, dude! Btw, now that it's compiled, is there any way to disable suPHP and just re-enable it when it's needed?