The Community Forums

High load, webmaild processes i/O, big queue - discover cause

Discussion in 'Security' started by postcd, Jun 25, 2014.

  1. postcd

    postcd Well-Known Member

    Oct 22, 2010

    I discovered my VPS has high load. Normal is 5.0, this was 43.0.
    iostat -a returned there are several webmaild processes, so it pointed me in the mail issue direction. So I checked the mail queue and found a lot of spam mails there going to various Russian mailboxes.

    When I examined the whole mail headers through the mail queue manager, I did not find which cPanel account sends it. So my question: how can I find it?

    WHM » Email » View Sent Summary

    gives a very good overview; it found that one account has:
    successful: 6
    deferral: 21
    failures: 894

    I found in that account's public_html directory there are various new folders with injected index.php content like:
    When I do stat of one of these injected index.php files, it shows:
    Please, any idea which commands to run to discover how this file was injected, so I can fix the hole? Or which IP did this, which log file to examine, by which commands? Thanks a lot.
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello :)

    I have moved this thread to the "Security" forum. You should receive more user-feedback here. You may also want to search the "Security" forum for the PHP script you are using (e.g. WordPress, Joomla). There are several results discussing how to handle attacks/exploits on these common PHP applications.

    Thank you.
  3. SS-Maddy

    SS-Maddy Well-Known Member

    Mar 28, 2009
    cPanel Access Level:
    Root Administrator
    Make sure that extended logging is enabled for Exim. This will help you to get details about the mails being delivered. Also install malware detection tools such as "maldet" so that you can check whether an account is infected or not. Secure your webserver using an effective ModSecurity rule set too.
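The two triage steps the thread circles around (find which account and which script directory is injecting the mail, then tie the injected file's stat mtime back to the web request that created it) can be scripted against the logs cPanel already keeps. The script below is an added example and is not from the thread, from cPanel or from any poster; it assumes the standard Exim mainlog format with the `+arguments` log selector enabled (which is what produces the `cwd=` lines that name the directory of the script that called sendmail) and the Apache combined access-log format. All log lines, account names, IPs and the mtime are constructed for illustration.

```python
"""Spam-source triage on a cPanel host (added example, not from the thread).

Step 1: aggregate Exim's mainlog by originating account (U= for local
        submissions, A= for SMTP-authenticated ones) and by the cwd= of the
        script that invoked sendmail.
Step 2: list requests in the account's Apache access log that fall within a
        window around the injected file's mtime (taken from `stat`).
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of /var/log/exim_mainlog lines (not real data).
SAMPLE_EXIM_LOG = """\
2014-06-25 10:01:02 cwd=/home/acct1/public_html/images/tmp 3 args: /usr/sbin/sendmail -t -i
2014-06-25 10:01:02 1WzQ1a-0001Ab-2c <= acct1@server.example U=acct1 P=local S=2048 id=abc1@server.example
2014-06-25 10:01:05 cwd=/home/acct1/public_html/images/tmp 3 args: /usr/sbin/sendmail -t -i
2014-06-25 10:01:05 1WzQ1b-0001Ac-3d <= acct1@server.example U=acct1 P=local S=2050 id=abc2@server.example
2014-06-25 10:02:00 1WzQ1c-0001Ad-4e <= bob@example.org H=(mail.example.org) [203.0.113.5] P=esmtpa A=dovecot_login:bob@example.org S=900 id=x@example.org
2014-06-25 10:02:30 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2014-06-25 10:02:30 1WzQ1d-0001Ae-5f <= acct2@server.example U=acct2 P=local S=700 id=def@server.example
"""

# Constructed sample of an account's Apache access log (combined format).
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [25/Jun/2014:09:59:50 +0000] "POST /uploads/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [25/Jun/2014:09:59:58 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Jun/2014:10:00:04 +0000] "GET /images/tmp/index.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Jun/2014:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed "Modify" timestamp as `stat` would print it for the injected index.php.
FILE_MTIME = "2014-06-25 10:00:01 +0000"

EXIM_ACCEPT_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")   # message accepted
EXIM_CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) ")                # sendmail invocation
EXIM_FIELD_RE = re.compile(r"(\b[A-Z])=(\S+)")                    # U=, P=, A=, S=, H=
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def summarize_exim(log_text):
    """Return (messages per originator, messages per cwd, envelope senders per originator)."""
    by_originator = Counter()
    by_cwd = Counter()
    senders = {}
    for line in log_text.splitlines():
        m = EXIM_CWD_RE.match(line)
        if m:
            by_cwd[m.group(2)] += 1
            continue
        m = EXIM_ACCEPT_RE.match(line)
        if not m:
            continue
        sender, rest = m.group(3), m.group(4)
        fields = dict(EXIM_FIELD_RE.findall(rest))
        # Local submissions carry the Unix user in U=; authenticated SMTP carries
        # the login in A=. Either one names the cPanel account to inspect.
        originator = fields.get("U") or fields.get("A") or "unknown"
        by_originator[originator] += 1
        senders.setdefault(originator, Counter())[sender] += 1
    return by_originator, by_cwd, senders


def parse_mtime(text):
    """Parse a `stat`-style timestamp such as '2014-06-25 10:00:01 +0000'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z")


def find_requests_near(access_log_text, mtime, window_seconds=120, methods=("POST",)):
    """Return (ip, time, method, path, status) for requests within the window around mtime."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in access_log_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method in methods and abs(when - mtime) <= window:
            hits.append((ip, when.isoformat(), method, path, int(status)))
    return hits


def main():
    by_originator, by_cwd, senders = summarize_exim(SAMPLE_EXIM_LOG)
    print("Messages by originating account:")
    for acct, n in by_originator.most_common():
        print(f"  {acct}: {n}  senders={dict(senders[acct])}")
    print("Directories of scripts that called sendmail (cwd=):")
    for cwd, n in by_cwd.most_common():
        print(f"  {cwd}: {n}")
    print(f"POST requests within 120s of file mtime {FILE_MTIME}:")
    for hit in find_requests_near(SAMPLE_ACCESS_LOG, parse_mtime(FILE_MTIME)):
        print("  ", hit)


if __name__ == "__main__":
    main()
```

On a real host the inputs are `/var/log/exim_mainlog` and the account's log under `/usr/local/apache/domlogs/`; `by_cwd` is usually the fastest pointer to the injected script, because the `cwd=` line Exim writes immediately before each `<=` line names the directory the PHP mailer ran from. The mtime window only helps if the file has not been touched since the upload, and access-log timestamps and `stat` output must be compared in the same time zone, which is why both are parsed as aware datetimes.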
