High load, webmaild processes i/O, big queue - discover cause


Well-Known Member
Oct 22, 2010

i discovered my VPS has high load. Normal is 5.0, this was 43.0.
iostat -a returned there are several webmaild processes so it pointed me to mail issue direction. So i checked mailqueue and found alot of spam mails there going to various russian mailboxes.

When i examined whole mail headers thru mailqueue manager, i did not found which cpanel account sends it. So my question how i can find it?

Email »
View Sent Summary

gives very good overview, it found that one account has:
successfull: 6
deferral: 21
failures: 894

i found in that account public_html directory there are various new folders with injected index.php content like:
<?php header("Location: http://[I]somecrapdomainhere[/I].net/space.php?a=***&c=wl_iw&s=d***"); ?>
when i do stat of one of these injected index.php, it shows:
File: `/home/accname/public_html/is/index.php'
Size: 83 Blocks: 8 IO Block: 4096 regular file
Device: 9eh/158d Inode: 42861096 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 538/ accname) Gid: ( 546/ accname)
Access: 2014-06-24 10:32:48.000000000 -0400
Modify: 2014-06-24 05:42:40.000000000 -0400
Change: 2014-06-24 05:42:40.000000000 -0400
root@host [~]# date
Wed Jun 25 05:38:04 EDT 2014
Please any idea which commands to do to discover how this file was injected, so i can fix the hole? or which ip did this, which log file to examine by which commands? thanks alot


Staff member
Apr 11, 2011
Hello :)

I have moved this thread to the "Security" forum. You should receive more user-feedback here. You may also want to search the "Security" forum for the PHP script you are using (e.g. WordPress, Joomla). There are several results discussing how to handle attacks/exploits on these common PHP applications.

Thank you.


Well-Known Member
Mar 28, 2009
cPanel Access Level
Root Administrator
Make sure that extended logging is enabled for exim. This will help you to get details about the mails being delivered. Also install malware detecton tools such as "maldet" so that you can check whether an account is infected or not. Secure your webserver using an effective mod_Sec rule sets too.