How can I prevent a user from sending emails

Discussion in 'E-mail Discussion' started by Alain Bensimon, Mar 18, 2019.

  1. Alain Bensimon

    Alain Bensimon Member

    Joined:
    Apr 23, 2017
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    On my Server, a lot of emails are being sent using the cpanel default user account of a domain.
    I would like to:
    1. prevent this account from sending any emails.
    2. Understand how and why it happens.

    thank you.
     
  2. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,485
    Likes Received:
    187
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    Those are typically coming from PHP scripts. It would be unlikely that you would want to completely disable that functionality, but you could add the mail() function to the disabled functions list. If you do, no PHP script could send mail that way, which most people would consider a problem.

    If you are getting an excessive number of them you should check to see if they are spam and if so find the problem account and deal with it that way.
     
  3. Alain Bensimon

    I do get a lot of alerts like this one on my server, even from domains that don't have a website attached to them.

    Time: Mon Mar 18 11:23:29 2019 -0400

    Account: someusr

    Resource: Virtual Memory Size

    Exceeded: 474 > 400 (MB)

    Executable: /opt/cpanel/ea-php72/root/usr/bin/php-cgi

    Command Line: /opt/cpanel/ea-php72/root/usr/bin/php-cgi

    PID: 16483 (Parent PID:14428)

    Killed: No
     
    #3 Alain Bensimon, Mar 18, 2019
    Last edited by a moderator: Mar 18, 2019
  4. GOT

    That is most likely not related.
     
  5. Alain Bensimon

    I've tried to disable the mail function, but of course then the users of those domains cannot receive and send emails anymore.
    What can I do?
     
    #5 Alain Bensimon, Mar 19, 2019
    Last edited: Mar 19, 2019
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    506
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello

    You can hold outgoing mail for an email account through the UI by going to cPanel >> Email >> Email Accounts -> Manage (next to the email account) and suspend outgoing mail.

    Ultimately you'd need to know if it's occurring because of a password compromise or a PHP script; this can usually be determined in the Exim mail logs. You might also want to read through the documentation here: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation


    Thanks!
     
  7. Alain Bensimon

    I have created an ACL here, in acl_smtp_rcpt:
    Code:
    deny condition = ${lookup{$sender_address}nwildlsearch{/path/to/the/restricted_sender}{yes}}
         domains   = !+local_domains
    And have created a file named restricted_sender as follows:
    [screenshot attached]

    The ACL works because when I go to webmail and try to send an email from one of the restricted senders' mailboxes, I'm denied.
    But despite that, emails are still sent from these users. I don't know how to stop it.

    [screenshot attached]
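The distinction cPanelLauren points to in post 6 (password compromise versus PHP script) is visible in the protocol and authentication fields Exim writes on every `<=` arrival line, and the same fields explain the result reported in post 7: an `acl_smtp_rcpt` ACL is evaluated only for SMTP sessions, so a message handed to Exim through the `sendmail` binary (logged as `P=local`, which is how PHP's `mail()` submits) never reaches it; Exim checks those with `acl_not_smtp` instead. That is consistent with the ACL blocking a webmail test (an SMTP submission) while the script kept sending. The Python below is an added example, not code from the thread or from cPanel. It parses constructed sample lines laid out like `/var/log/exim_mainlog` on a cPanel server (the `cwd=` lines assume Exim's `log_selector` includes `+arguments`; domains, IPs and message IDs are made up), attaches each working directory to the local submission that follows it, and tallies arrivals by class, script directory and authenticated user, which is the same question the SSE output in post 9 answers.

```python
"""Classify Exim arrivals: local script submission vs authenticated SMTP vs remote."""
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the shape of a cPanel
# server's /var/log/exim_mainlog. Assumption: log_selector has +arguments,
# which produces the "cwd=" line before each sendmail-binary submission.
SAMPLE_LOG = """\
2019-03-18 11:23:29 cwd=/home/lapaixadmin/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-18 11:23:29 1h5aBc-0001Ab-2C <= lapaixadmin@lapaix.example U=lapaixadmin P=local S=2310 T="Mail delivery failed" for someone@example.net
2019-03-18 11:24:02 cwd=/home/liellesinvestmen/public_html 3 args: /usr/sbin/sendmail -t -i
2019-03-18 11:24:02 1h5aBd-0001Ac-3D <= liellesinvestmen@lielles.example U=liellesinvestmen P=local S=5012 T="Account Details for Esther" for victim@example.org
2019-03-18 11:25:10 1h5aBe-0001Ad-4E <= info@lapaix.example H=(laptop) [203.0.113.7] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:info@lapaix.example S=1422 id=abc@laptop T="Invoice" for client@example.com
2019-03-18 11:26:00 1h5aBf-0001Ae-5F <= <> H=mail.example.net [198.51.100.9] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=3211 T="Mail delivery failed: returning message to sender" for bob@lapaix.example
"""

ARRIVAL_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
CWD_RE = re.compile(r'^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) ')
FIELD_RE = re.compile(r'(?:^|\s)(U|P|A)=(\S+)')   # local user, protocol, authenticator


def classify(ev):
    """Name the submission path; each one points at a different remediation."""
    if ev['protocol'] == 'local':
        return 'local-script'        # sendmail binary: PHP mail(), cron jobs, etc.
    if ev['auth_user']:
        return 'authenticated-smtp'  # SMTP AUTH succeeded: a mailbox password was used
    return 'remote-smtp'             # unauthenticated SMTP: inbound or relayed mail


def parse_arrivals(log_text):
    """Return one dict per '<=' line, with the preceding cwd attached to local submissions."""
    events, pending_cwd = [], None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:                      # cwd line precedes the arrival it belongs to
            pending_cwd = m.group('cwd')
            continue
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = re.sub(r'T="[^"]*"', '', m.group('rest'))   # subjects may contain "P=" etc.
        fields = dict(FIELD_RE.findall(rest))
        protocol = fields.get('P', '')
        auth = fields.get('A')                              # e.g. dovecot_login:user@domain
        ev = {
            'msgid': m.group('msgid'),
            'sender': m.group('sender'),                    # "<>" for bounces
            'protocol': protocol,
            'local_user': fields.get('U'),
            'auth_user': auth.split(':', 1)[1] if auth and ':' in auth else auth,
            'cwd': pending_cwd if protocol == 'local' else None,
        }
        ev['category'] = classify(ev)
        # acl_smtp_rcpt only runs inside SMTP sessions; P=local submissions are
        # checked by acl_not_smtp, so an RCPT-time deny never sees them.
        ev['smtp_rcpt_acl_applies'] = protocol != 'local'
        events.append(ev)
        pending_cwd = None
    return events


def summarize(log_text):
    events = parse_arrivals(log_text)
    return {
        'events': events,
        'by_class': Counter(e['category'] for e in events),
        'by_cwd': Counter(e['cwd'] for e in events if e['cwd']),
        'by_auth_user': Counter(e['auth_user'] for e in events if e['auth_user']),
    }


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    for cat, n in s['by_class'].most_common():
        print(f'{n:4d}  {cat}')
    print('script directories:   ', dict(s['by_cwd']))
    print('authenticated senders:', dict(s['by_auth_user']))
```

Run it against the real log with `summarize(open('/var/log/exim_mainlog').read())`: a large `local-script` count with a `by_cwd` entry under one account's `public_html` points at a script, while a large `authenticated-smtp` count for a single `by_auth_user` entry points at a stolen mailbox password, where the "suspend outgoing mail" control from post 6 does apply.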
     
  8. cPanelLauren

    You'd need to determine if the mail is being sent via script. If so, then really the best thing to do in this case would be to identify/remove the script.

    The following is an internal script we use sometimes to help customers find the offending script/account causing an issue with mail. It's by no means official but very useful:
    Code:
    perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
     
  9. Alain Bensimon

    Emails by user:

    144 : root
    66 : lapaixadmin
    51 : mailnull
    40 : liellesinvestmen
    2 : pitadmin


    ===================
    Total: 303
    ===================

    Email accounts sending out mail:

    2 : [email protected]
    1 : [email protected]

    ===================
    Total: 3
    ===================

    Directories mail is originating from:


    66 : /home/lapaixadmin/public_html
    39 : /home/liellesinvestmen/public_html
    2 : /home/pitadmin/public_html
    1 : /home/liellesinvestmen/public_html/administrator

    ===================
    Total: 107
    ===================

    Top 20 Email Titles:


    65 : [Wordfence Alert] lapaix.eu User login blocked for insecure password
    44 : Mail delivery failed: returning message to sender
    5 : lfd on host.abscomputer.net: WHM/cPanel root access alert from 207.96.147.218 (CA/Canada/-)
    5 : lfd on host.abscomputer.net: Suspicious process running under user abscompadmin
    4 : lfd on host.abscomputer.net: Suspicious process running under user casheradmin
    3 : rkhunter Daily Run on host.abscomputer.net
    2 : lfd on host.abscomputer.net: System Integrity checking detected a modified system file
    2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (27322 (Parent PID:27160))
    2 : lfd on host.abscomputer.net: Excessive resource usage: casheradmin (10084 (Parent PID:27160))
    2 : lfd on host.abscomputer.net: Excessive resource usage: abscompadmin (6189 (Parent PID:27160))
    2 : lfd on host.abscomputer.net: blocked distributed cpanel attack on account [belexcha]
    2 : lfd on host.abscomputer.net: Suspicious process running under user cpaneleximscanner
    2 : Nouveau message de votre site internet
    2 : Cron <[email protected]> (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
    1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (32673 (Parent PID:2642))
    1 : Account Details for Esther tried to contact you 6 times [REMOVED]
    1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (28243 (Parent PID:2642))
    1 : lfd on host.abscomputer.net: Excessive resource usage: businessadmin (28305 (Parent PID:2642))
    1 : Account Details for Nancy tried to contact you 2 times Εστιατοριο γαληνη χανια
    1 : lfd on host.abscomputer.net: Excessive resource usage: lapaixadmin (12669 (Parent PID:2642))


    ===================
    Total: 304
    ===================
     
    #9 Alain Bensimon, Mar 26, 2019
    Last edited by a moderator: Mar 27, 2019
  10. cPanelLauren

    This clearly shows that, out of the mail that's currently present in the exim_mainlog, the following two accounts seem to be sending mail from the directories listed:

    Code:
    66 : /home/lapaixadmin/public_html
    39 : /home/liellesinvestmen/public_html
    I'd check the scripts present in the public_html for both of these accounts.


    Thanks!
     
  11. Alain Bensimon

    I can't see any.
    Could it be in subfolders?
    How can I track them?
     
  12. cPanelLauren

    Hello @Alain Bensimon

    Based on that output no, it'd be coming from a script in the public_html. Keep in mind it could be a legitimate script as well - or could look like one. This is something that would be best suited to a system administrator to assist with further. If you don't have one you might find one here: System Administration Services | cPanel Forums


    Thanks!
     
  13. Alain Bensimon

    I know that it's a non-legitimate one because one of the email senders (lielleinvestment) was sending spam. I went to Joomla and disabled the PHP mail for that website within Joomla.
    Then it stopped, of course.
    I want to find the script, but I only see scripts that look legitimate to me, as you can see in the screen capture below.
    I really want to find it by myself.
    Can you help me with that?
    Thanks.
    [screenshot attached]
     


  14. cPanelLauren

    When you look at the scripts present such as the index.php do you see anything that looks potentially abnormal?
     
  15. Alain Bensimon

    This is the content of index.php:
    Code:
    <?php
    /**
     * @package    Joomla.Site
     *
     * @copyright  Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
     * @license    GNU General Public License version 2 or later; see LICENSE.txt
     */
    
    /**
     * Define the application's minimum supported PHP version as a constant so it can be referenced within the application.
     */
    define('JOOMLA_MINIMUM_PHP', '5.3.10');
    
    if (version_compare(PHP_VERSION, JOOMLA_MINIMUM_PHP, '<'))
    {
        die('Your host needs to use PHP ' . JOOMLA_MINIMUM_PHP . ' or higher to run this version of Joomla!');
    }
    
    // Saves the start time and memory usage.
    $startTime = microtime(1);
    $startMem  = memory_get_usage();
    
    /**
     * Constant that is checked in included files to prevent direct access.
     * define() is used in the installation folder rather than "const" to not error for PHP 5.2 and lower
     */
    define('_JEXEC', 1);
    
    if (file_exists(__DIR__ . '/defines.php'))
    {
        include_once __DIR__ . '/defines.php';
    }
    
    if (!defined('_JDEFINES'))
    {
        define('JPATH_BASE', __DIR__);
        require_once JPATH_BASE . '/includes/defines.php';
    }
    
    require_once JPATH_BASE . '/includes/framework.php';
    
    // Set profiler start time and memory usage and mark afterLoad in the profiler.
    JDEBUG ? JProfiler::getInstance('Application')->setStart($startTime, $startMem)->mark('afterLoad') : null;
    
    // Instantiate the application.
    $app = JFactory::getApplication('site');
    
    // Execute the application.
    $app->execute();
     
  16. cPanelLauren

    Hi @Alain Bensimon

    There's no need to post the index.php here but I would suggest looking through all the files present there - including txt files.

    But again, this is something that you need to address with your system administrator for further assistance.
     
  17. Alain Bensimon

    I did check every file, even the hidden ones, and I didn't see anything suspicious.
    What I need is to find a way to locate a malware script.
    You can probably advise me on some tools for that?
     
  18. cPanelLauren

    Malware scanners such as Linux Malware Detect, ClamAV, etc. should be able to do this for you for most compromises; unfortunately they can't, and don't claim to be able to, catch everything.
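When the scanners come up empty, a directed triage pass over the account's web root is the next step, and it covers the two things already raised in the thread: content-sniffing every file for a PHP open tag regardless of extension (cPanelLauren's point in post 16 about checking `.txt` files too) and looking at hidden files (post 17). Beyond that, executable PHP sitting in directories that should only hold static assets, and the idioms spam mailers and droppers share (request input fed to `eval`/`base64_decode`, or passed straight into `mail()`), are what distinguish a planted file from the legitimate Joomla code shown in post 15. The Python below is an added example, not code from the thread, cPanel, Maldet or ClamAV. It builds a small constructed web root in a temporary directory to scan, and its indicator list is a starting heuristic set that is an assumption of this example, not a signature database.

```python
"""Triage a web root: find files that carry common web-shell / spam-mailer traits."""
import os
import re
import tempfile
from pathlib import Path

PHP_EXTS = {'.php', '.php5', '.php7', '.phtml', '.phar'}
# Directories that normally hold static assets, where executable PHP is out of place.
ASSET_DIRS = {'images', 'img', 'uploads', 'cache', 'tmp', 'media', 'logs'}

# Assumption: a starting set of heuristics, nowhere near a full signature set.
INDICATORS = {
    'eval-of-decoded-payload': re.compile(
        r'\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(', re.I),
    'request-value-called-as-function': re.compile(
        r'\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(', re.I),
    'mail-fed-from-request': re.compile(
        r'\bmail\s*\([^;]*\$_(GET|POST|REQUEST)\b', re.I | re.S),
    'preg_replace-e-modifier': re.compile(
        r"""preg_replace\s*\(\s*['"]/[^'"]*/[a-z]*e[a-z]*['"]"""),
    'long-base64-blob': re.compile(r'[A-Za-z0-9+/]{200,}={0,2}'),
}


def inspect_file(path, root):
    """Return the list of reasons a file deserves a human look (empty if none)."""
    reasons = []
    try:
        text = path.read_bytes().decode('utf-8', errors='replace')
    except OSError:
        return reasons
    rel = path.relative_to(root)
    is_php_ext = path.suffix.lower() in PHP_EXTS
    has_php_tag = '<?php' in text or '<?=' in text
    if has_php_tag and not is_php_ext:
        reasons.append('php-code-in-non-php-file')   # .txt/.ico/.jpg holding PHP
    if is_php_ext and ASSET_DIRS & {p.lower() for p in rel.parts[:-1]}:
        reasons.append('php-in-asset-directory')
    if has_php_tag and path.name.startswith('.'):
        reasons.append('hidden-php-file')
    if has_php_tag:
        reasons.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    return reasons


def scan_webroot(root):
    """Walk the tree and return findings, most recently modified first."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            reasons = inspect_file(p, root)
            if reasons:
                findings.append({'file': p.relative_to(root).as_posix(),
                                 'reasons': reasons,
                                 'mtime': p.stat().st_mtime})
    # Fresh drops are usually what you are hunting, so newest first.
    findings.sort(key=lambda f: f['mtime'], reverse=True)
    return findings


def build_sample_tree():
    """Constructed mini web root for the demonstration (not real site content)."""
    root = Path(tempfile.mkdtemp(prefix='webroot-'))
    (root / 'images').mkdir()
    (root / 'cache').mkdir()
    # Legitimate-looking entry point and a stylesheet: should produce no findings.
    (root / 'index.php').write_text(
        "<?php\ndefine('_JEXEC', 1);\nrequire_once __DIR__ . '/includes/framework.php';\n")
    (root / 'template.css').write_text("body { margin: 0; }\n")
    # A dropper parked among images: decodes and evals whatever is POSTed.
    (root / 'images' / 'logo.php').write_text(
        "<?php @eval(base64_decode($_POST['c'])); ?>\n")
    # A spam mailer disguised as a hidden text file under cache/.
    (root / 'cache' / '.stats.txt').write_text(
        "<?php mail($_POST['t'], $_POST['s'], $_POST['b'], 'From: ' . $_POST['f']); ?>\n")
    return root


if __name__ == '__main__':
    for f in scan_webroot(build_sample_tree()):
        print(f"{f['file']:28s} {', '.join(f['reasons'])}")
```

Point `scan_webroot()` at `/home/<account>/public_html` for the accounts the Exim log blamed; treat every hit as a lead to read by hand, and remember that a clean scan is not proof of a clean account, the same caveat cPanelLauren gives for the signature-based scanners.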
     
  19. Alain Bensimon

    I have ClamAV installed, and I have also run Maldet multiple times.
    Maldet always finds malware and puts it in quarantine, and then I purge the quarantine.
    But it always comes back.
     
  20. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,548
    Likes Received:
    2,182
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Alain Bensimon,

    1. A third-party solution to consider is to use the LF_SCRIPT_LIMIT option included with CSF:

    https://download.configserver.com/csf/readme.txt

    Search the above document for "LF_SCRIPT_LIMIT" for information about how this feature can notify you when messages are sent from the server through scripts.

    2. As far as finding out how the script was exploited, it's difficult to pinpoint the specific vulnerability or exploit used by an attacker to hack your server or websites. One could speculate on common methods, but it really requires a qualified system administrator to investigate the logs on your server and determine the source of the attack. Here's a thread with some helpful discussion on this topic:

    Log Files To Check After Account Hacked

    Thank you.
     