How can I prevent a user to send emails

[Alain Bensimon]

On my Server, a lot of emails are being sent using the cpanel default user account of a domain.
I would like to:
1. prevent this account from sending any emails.
2. Understand how and why it happens.

thank you.

 

[GOT]

Those are typically coming from php scripts. It would be unlikely that you would want to completely disable that functionality but you could add the mail() function to the disabled functions list but if you do not php script could send mail that way which most people would consider a problem.

If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.

 

[Alain Bensimon]

Those are typically coming from php scripts. It would be unlikely that you would want to completely disable that functionality but you could add the mail() function to the disabled functions list but if you do not php script could send mail that way which most people would consider a problem.

If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.

I do get a lot of alerts like this one on my server, and even from domains that don't have a website attached to it.

Time: Mon Mar 18 11:23:29 2019 -0400

Account: someusr

Resource: Virtual Memory Size

Exceeded: 474 > 400 (MB)

Executable: /opt/cpanel/ea-php72/root/usr/bin/php-cgi

Command Line: /opt/cpanel/ea-php72/root/usr/bin/php-cgi

PID: 16483 (Parent PID:14428)

Killed: No

 

[GOT]

That is most likely not related.

 

[Alain Bensimon]

That is most likely not related.

I've tried to disable the mail function, but ofcourse then the users of that domains cannot receive and send emails anymore.
What can I do?

 

[cPanelLauren]

Hello

1. prevent this account from sending any emails.

You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail.

2. Understand how and why it happens.

Ultimately you'd need to know if it's occurring because of a password compromise or a php script this is usually able to be determined in the exim mail logs. You might also want to read through the documentation here: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation


Thanks!

 

[Alain Bensimon]

Hello



You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail.



Ultimately you'd need to know if it's occurring because of a password compromise or a php script this is usually able to be determined in the exim mail logs. You might also want to read through the documentation here: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation


Thanks!

I have created an ACL here: acl_smtp_rcpt:

deny condition = ${lookup{$sender_address}nwildlsearch{/path/to/the/restricted_sender}   {yes}}
  domains = !+local_domains

And have created a file named restricted_sender as as following:


The ACL works because when I go to webmail and try to send an email from one of the restricted senders's mailbox, I'm denied.
But despite that, emails are still sent from these users. I don't know how to stop it.

 

[cPanelLauren]

You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script.

The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

 

[Alain Bensimon]

You'd need to determine if the mail is being sent via script. If so then really the best thing to do in this case would be to identify/remove the script.

The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

Emails by user:

144 : root
66 : lapaixadmin
51 : mailnull
40 : liellesinvestmen
2 : pitadmin


===================
Total: 303
===================

Email accounts sending out mail:

2 : [email protected]
1 : [email protected]

===================
Total: 3
===================

Directories mail is originating from:


66 : /home/lapaixadmin/public_html
39 : /home/liellesinvestmen/public_html
2 : /home/pitadmin/public_html
1 : /home/liellesinvestmen/public_html/administrator

===================
Total: 107
===================

Top 20 Email Titles:


65 : [Wordfence Alert] lapaix.eu User login blocked for insecure password
44 : Mail delivery failed: returning message to sender
5 : lfd on host.abscomputer.net: WHM/cPanel root access alert from 207.96.147.218 (CA/Canada/-)
5 : lfd on host.abscomputer.net: Suspicious process running under user abscompadmin
4 : lfd on host.abscomputer.net: Suspicious process running under user casheradmin
3 : rkhunter Daily Run on host.abscomputer.net
2 : lfd on host.abscomputer.net: System Integrity checking detected a modified system file
2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (27322 (Parent PID:27160))
2 : lfd on host.abscomputer.net: Excessive resource usage: casheradmin (10084 (Parent PID:27160))
2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (6189 (Parent PID:27160))
2 : lfd on host.abscomputer.net: blocked distributed cpanel attack on account [belexcha]
2 : lfd on host.abscomputer.net: Suspicious process running under user cpaneleximscanner
2 : Nouveau message de votre site internet
2 : Cron <[email protected]> (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (32673 (Parent PID:2642))
1 : Account Details for Esther tried to contact you 6 times [REMOVED]
1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (28243 (Parent PID:2642))
1 : lfd on host.abscomputer.net: Excessive resource usage: businessadmin (28305 (Parent PID:2642))
1 : Account Details for Nancy tried to contact you 2 times Εστιατοριο γαληνη χανια
1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (12669 (Parent PID:2642))


===================
Total: 304
===================

 

[cPanelLauren]

This clearly shows that out of the mail that's present in the exim_mainlog currently the following two accounts seem to be sending mail from the directories listed:

66 : /home/lapaixadmin/public_html
39 : /home/liellesinvestmen/public_html

I'd check the scripts present in the public_html for both of these accounts.


Thanks!

 

[Alain Bensimon]

This clearly shows that out of the mail that's present in the exim_mainlog currently the following two accounts seem to be sending mail from the directories listed:

66 : /home/lapaixadmin/public_html
39 : /home/liellesinvestmen/public_html

I'd check the scripts present in the public_html for both of these accounts.


Thanks!

I can't see any.
Could it be in subfolders?
How can I track them?

 

[cPanelLauren]

Hello @Alain Bensimon

Based on that output no, it'd be coming from a script in the public_html. Keep in mind it could be a legitimate script as well - or could look like one. This is something that would be best suited to a system administrator to assist with further. If you don't have one you might find one here: System Administration Services | cPanel Forums


Thanks!

 

[Alain Bensimon]

I know that it's a non legitimate one because one of the email sender (lielleinvestment) was sending spams. I went to Joomla and have disabled the php mail for that website within Joomla.
Then it has stopped of course.
I want to find the script, but I only see scripts that looks legitimate to me as you can see in the print capture below.
I really want to find by myself.
Can you help me with that.
Thanks.

 

[cPanelLauren]

When you look at the scripts present such as the index.php do you see anything that looks potentially abnormal?

 

[Alain Bensimon]

This is the content of index.php

<?php
/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

/**
 * Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
 */
define('JOOMLA_MINIMUM_PHP', '5.3.10');

if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
{
    die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
}

// Saves the start time and memory usage.
$startTime = microtime(1);
$startMem  = memory_get_usage();

/**
 * Constant that is checked in included files to prevent direct access.
 * define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
 */
define('_JEXEC', 1);

if (file_exists(__DIR__ . '/defines.php'))
{
    include_once __DIR__ . '/defines.php';
}

if (!defined('_JDEFINES'))
{
    define('JPATH_BASE', __DIR__);
    require_once JPATH_BASE . '/includes/defines.php';
}

require_once JPATH_BASE . '/includes/framework.php';

// Set profiler start time and memory usage and mark afterLoad in the profiler.
JDEBUG ? JProfiler::getInstance('Application')->setStart($startTime, $startMem)->mark('afterLoad') : null;

// Instantiate the application.
$app = JFactory::getApplication('site');

// Execute the application.
$app->execute();

 

[cPanelLauren]

Hi @Alain Bensimon

There's no need to post the index.php here but I would suggest looking through all the files present there - including txt files.

But again, this is something that you need to address with your system administrator for further assistance.

 

[Alain Bensimon]

I did check every file, even the hidden ones, and I didn't see anything suspicious.
What I need is to find a way to locate a malware script.
You can probably advise me some tools for that?

 

[cPanelLauren]

malware scanners such as Linux Malware Detect, ClamAV etc. should be able to do this for you for most compromises, unfortunately they can't and don't claim to be able to catch everything.

 

[Alain Bensimon]

I have ClamAv installed, and I also have run Maldet multiple times.
Maldet always find malwares, and put them in quarantine, and then I purge the quarantine.
But they always come back.

 

[cPanelMichael]

Hello @Alain Bensimon,

1. A third-party solution to consider is to use the LF_SCRIPT_LIMIT option included with CSF:

https://download.configserver.com/csf/readme.txt

Search the above document for "LF_SCRIPT_LIMIT" for information about how this feature can notify you when messages are sent from the server through scripts.

2. As far as finding out how the script was exploited, it's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your server or websites. One could speculate on common methods, but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. Here's a thread with some helpful discussion on this topic:

Log Files To Check After Account Hacked

Thank you.