The Community Forums


HELP! "nobody" sends mailbomb, what next?

Discussion in 'E-mail Discussions' started by NNNils, Jul 23, 2003.

  1. NNNils

    NNNils Well-Known Member

    One of my users has sent a mail bomb as user nobody.

    How do I find out what user is responsible for it?

    I checked the mail logs and found U=nobody P=local S=332

    Maybe I can do something with that number 332 ?

  2. hostcp3

    hostcp3 Well-Known Member

    First up do a search on your server

    locate bomb.php

    secondly check logs,

    cd /var/log

    make a copy of the log file and then open it and do a ctrl W

    type in

    bomb

    bomb.php

    bomb.*

    and then enter

    see who uploaded it, and/or deleted it.

    just a couple of notes, check the size of the log file you're working on as it may be quite big and you may need to zip it and download it to your Work Station.

    monitor your logs

    tail -f logfilename

    if it happened only a short time ago,

    tail -n 2000 logfilename | less


    take care with the commands when working as root
    make copies of all files before even opening them.

  3. NNNils

    NNNils Well-Known Member

    From exim_mainlog I know the date and time it happened:

    22-7-2003 22:39

    What log can I check to see what scripts were running at that time?

  4. NNNils

    NNNils Well-Known Member

    In the log I also see U=nobody P=local S=332

    Is that number 332 of interest?

  5. GOT

    GOT Get Proactive!

    Anybody have any more help with this? I have a company that is getting hit almost daily at this point.

    240K messages in queue. Yuk.
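
An added example, not part of any post in this thread: one way to narrow down the `U=nobody P=local S=332` entries discussed above. In an Exim main log, `S=` is the message size in bytes, so it identifies the shape of the message, not the account behind it; grouping arrival (`<=`) lines by minute and size shows when the burst ran and which entries belong to it. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally Exim arrivals submitted locally by the web server user.
# The log lines below are constructed sample data, not taken from the thread.

sample_log() {
cat <<'EOF'
2003-07-22 22:38:59 19f0Aa-0000Aa-00 <= alice@example.com H=(client) [192.0.2.10] P=esmtp S=1204
2003-07-22 22:39:01 19f0Ab-0000Ab-00 <= nobody@host.example.com U=nobody P=local S=332
2003-07-22 22:39:01 19f0Ab-0000Ab-00 => victim@example.net R=lookuphost T=remote_smtp
2003-07-22 22:39:02 19f0Ac-0000Ac-00 <= nobody@host.example.com U=nobody P=local S=332
2003-07-22 22:39:40 19f0Ad-0000Ad-00 <= nobody@host.example.com U=nobody P=local S=332
2003-07-22 22:41:15 19f0Ae-0000Ae-00 <= nobody@host.example.com U=nobody P=local S=2871
EOF
}

# nobody_bursts [user]
# Reads an Exim main log on stdin and prints "count date hh:mm S=size" for
# every minute/size pair of local (P=local) arrivals by the given user
# (default: nobody), busiest first.
nobody_bursts() {
    user="${1:-nobody}"
    awk -v u="U=$user" '
        $4 == "<=" {                      # arrival lines only
            is_local = 0; by_user = 0; size = "?"
            for (i = 5; i <= NF; i++) {
                if ($i == "P=local")      is_local = 1
                if ($i == u)              by_user = 1
                if ($i ~ /^S=[0-9]+$/)    size = substr($i, 3)
            }
            if (is_local && by_user) {
                # bucket by date, hh:mm and message size in bytes
                key = $1 " " substr($2, 1, 5) " S=" size
                count[key]++
            }
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,3
}

# On a server the input would be a copy of the Exim main log, e.g.
#   nobody_bursts < exim_mainlog.copy
sample_log | nobody_bursts
```

The busiest minute/size bucket gives the time window to compare against other logs covering the same period.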
     