The Community Forums


how to find nobody scripts sending mail

Discussion in 'E-mail Discussions' started by salvatore333, Feb 22, 2006.

  1. salvatore333

    salvatore333 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    how do i find a user sending spam using nobody as the sender?
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Search the forums - there's a nice thread around that covers how to track nobody senders if you don't have phpsuexec enabled.

    Alternatively, enable phpsuexec.
     
  3. z3usy

    z3usy Member

    Joined:
    Apr 12, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Enabled Exim Extended Logging...

    One solution I've found... Enabled extended logging in Exim...

    P.S. In the instructions you will see the line below referenced... this should be a SINGLE line in the config... for more information see http://www.webhostgear.com/118.html

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    ----------------------------------------------------------------

    1) Open exim.conf
    pico /etc/exim.conf

    2) Find this:
    Ctrl + W: hostlist auth_relay_hosts = *

    #######################################
    # Runtime configuration file for Exim #
    #######################################

    3) After hostlist auth_relay_hosts = *

    add the following

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn


    4) The final result should look like this

    hostlist auth_relay_hosts = *

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    #######################################
    # Runtime configuration file for Exim #
    #######################################

    5) Save and restart exim DONE!
    ctrl + X then Y
    /etc/init.d/exim restart

    Now tail your log and watch the show!
    tail -f /var/log/exim_mainlog

    WARNING CPANEL USERS:
    Cpanel/WHM updates will over-ride these changes. You can prevent Cpanel from deleting your changes by doing the following

    chattr +i /etc/exim.conf
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That is completely unnecessary and you should not edit and chattr exim.conf in that way :)

    If you want to enable extended logging use the Exim Configuration Editor in WHM and simply add the following to the first text area in Advanced Mode:

    log_selector = +all

    Or if you want less output and just the essentials, this will usually do instead:

    log_selector = +arguments
     
  5. salvatore333

    salvatore333 Well-Known Member

    Joined:
    Mar 27, 2003
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    So if I add log_selector = +arguments to the exim config I will be able to
    tail -f /var/log/exim_mainlog and determine what user has setup this spam script?

    Thank you very much
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    What it does is provide the context within which a request was made to exim (i.e. CWD) so it usually provides the directory from where the script runs that starts the mail connection. If that is present, you can then go to that folder and track down the PHP script within that directory.
     
  7. z3usy

    z3usy Member

    Joined:
    Apr 12, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Shorter/Quicker/Easier always works best for me... *noted*

    Though I do recommend the log_selector = +all because then you don't have to sit there watching the tail -f and if you miss some spam you can search the log for, say, the subject of the email etc. Or just pick out which variables you think would be useful and use those.
     
  8. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    perfect !

    Hello z3usy

    Thank you!!! It's perfect. I found all the hackers on my servers! :p

    but the best way to look is

    grep sendmail exim_mainlog


    Konrath
     
  9. deksite

    deksite Member

    Joined:
    Oct 4, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    I edited exim.conf and there are errors =/

    hostlist auth_relay_hosts = *

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    #######################################
    # Runtime configuration file for Exim #
    #######################################

    5) Save and restart exim DONE!
    ctrl + X then Y
    /etc/init.d/exim restart

    Now tail your log and watch the show!
    tail -f /var/log/exim_mainlog


    Pls help



    root@deksite [~]# /etc/init.d/exim restart
    Shutting down clamd: [ OK ]
    Shutting down exim: [FAILED]
    Shutting down antirelayd: [ OK ]
    Shutting down spamd: [ OK ]
    Starting clamd: [ OK ]
    Starting exim-26: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
    "log_selector" option set for the second time
    [FAILED]
    Starting exim: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
    "log_selector" option set for the second time
    [FAILED]
    Starting exim-smtps: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
    "log_selector" option set for the second time
    [FAILED]
    Starting antirelayd: [ OK ]
    Starting spamd: [ OK ]
    root@deksite [~]#
     
  10. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Looks like you already had a log_selector line in your conf file. Look for the other one and remove one of the two...
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's probably happening if you edited exim.conf which I warned against in my post following that.
     
  12. deksite

    deksite Member

    Joined:
    Oct 4, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    The script is OK now, thanks.

    :mad: I checked the whole cwd=/home/fenix/public directory and did not find any script that could send spam. Someone please help, a lot of email is being sent from me.

    2006-08-16 13:54:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1GDOf0-0001mr-SD
    2006-08-16 13:54:31 1GDOf1-0001n2-4y <= nobody@fenix.deksite.com.br U=nobody P=local S=5704 T="Atualiza\347\343o cr\355tica do windows" from <nobody@fenix.deksite.com.br> for boyw@hotmail.com Microsoft@windowsupdate.com eMicrosoft@windowsupdate.com
    2006-08-16 13:54:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GDOf1-0001n2-4y
    2006-08-16 13:54:31 cwd=/home/fenix/public_html 3 args: /usr/sbin/sendmail -t -i
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Then you've missed the script that is doing it.
     
  14. deksite

    deksite Member

    Joined:
    Oct 4, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Help = (

    I cannot locate the script, the IP, or the person who is doing this.
     
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Then you'll need to ask someone who understands PHP to check for you, since it's clearly from a script in that directory (unless it has deleted itself).
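An added example, not from this thread or from cPanel, of the check chirpy describes: once the +arguments logging has named a directory (cwd=/home/fenix/public_html above), list the PHP files in it that can send mail and rank disguised or obfuscated ones first. The marker list, its weights and the fixture files that build_fixture() writes into a temporary directory are all assumptions constructed for the example. A script that deleted itself after running leaves nothing for this scan to find.

```python
import base64
import os
import re
import tempfile
import time

PHP_EXT = ('.php', '.php3', '.php4', '.php5', '.phtml', '.inc')

# Markers a PHP mailer or backdoor commonly carries, with a weight for ranking.
# This list is an assumption for the example: a hit is a lead for manual review,
# not proof of compromise (a legitimate contact form also calls mail()).
MARKERS = {
    'mail_call':     (1, re.compile(r'\bmail\s*\(')),
    'sendmail_exec': (2, re.compile(r'/usr/sbin/sendmail|\b(popen|proc_open|system|exec|passthru|shell_exec)\s*\(')),
    'raw_smtp':      (2, re.compile(r'\bfsockopen\s*\([^)]*\b25\b')),
    'obfuscation':   (3, re.compile(r'\b(eval|assert|create_function)\s*\(.*?\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.S)),
}
PHP_IN_NON_PHP = 3   # weight for PHP code hidden inside a .gif/.txt/etc.

def classify(path, text):
    """Return (markers, score) for one file; ([], 0) if it is not PHP at all."""
    has_php_ext = path.lower().endswith(PHP_EXT)
    if not has_php_ext and '<?php' not in text:
        return [], 0
    found = [name for name, (_, rx) in MARKERS.items() if rx.search(text)]
    score = sum(MARKERS[name][0] for name in found)
    if not has_php_ext:
        found.append('php_in_non_php')
        score += PHP_IN_NON_PHP
    return found, score

def scan_tree(root, since=None):
    """Walk root and return (relative path, markers, score) for every PHP file
    carrying at least one marker, highest score first, newest first on ties.
    `since` (epoch seconds, e.g. the time of the first spam line in
    exim_mainlog) skips files last modified before that moment."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = os.stat(full).st_mtime
            if since is not None and mtime < since:
                continue
            with open(full, 'r', errors='ignore') as fh:
                text = fh.read()
            markers, score = classify(full, text)
            if markers:
                hits.append((os.path.relpath(full, root), markers, score, mtime))
    hits.sort(key=lambda h: (-h[2], -h[3]))
    return [(rel, markers, score) for rel, markers, score, _ in hits]

def recent_hits(root, days=1):
    """Only files touched in the last `days` days: the usual first cut."""
    return scan_tree(root, since=time.time() - days * 86400)

def build_fixture():
    """Create a throwaway public_html with constructed contents: an innocent
    page, a legitimate contact form, an eval(base64_decode()) mailer dropped
    into images/, and PHP hidden inside a .gif.  The first two are backdated."""
    root = tempfile.mkdtemp(prefix='public_html_')
    payload = base64.b64encode(b"mail($_POST['to'], $_POST['s'], $_POST['m']);").decode()
    files = {
        'index.php': "<?php echo 'welcome'; ?>",
        'contact.php': "<?php mail('owner@example.com', 'Contact', $_POST['msg']); ?>",
        'images/cache.php': '<?php eval(base64_decode("%s")); ?>' % payload,
        'images/logo.gif': "GIF89a\n<?php $s = fsockopen('mail.example.net', 25); fwrite($s, 'HELO x'); ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write(body)
    old = time.time() - 30 * 86400
    for rel in ('index.php', 'contact.php'):
        os.utime(os.path.join(root, rel), (old, old))
    return root

if __name__ == '__main__':
    for rel, markers, score in scan_tree(build_fixture()):
        print('%2d  %-20s %s' % (score, rel, ', '.join(markers)))
```

On a real server run scan_tree('/home/fenix/public_html', since=<epoch of the first spam line>) and read the top entries by hand; the ranking only orders the reading list.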
     
  16. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I would suggest hiring someone to review your server.
     
  17. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    I'm seeing a lot of entries with "/tmp" being the CWD in which sendmail is being executed.

    Is there any way to find out more information from that? I have already checked /tmp and there are no scripts (in fact I emptied it all but the mysql.sock file).
     
  18. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    That's all the information you're going to get. If there are definitely no scripts in /tmp then they've probably been deleted after they've been used. If it's ongoing (i.e. spam is still going out but nothing in /tmp) then you might get lucky with:

    lsof | grep /tmp
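An added example, not from the thread, that does what lsof | grep /tmp does but through Linux /proc, so that each hit also carries the owning uid and the executable (the pieces the exim log never records). It reports processes whose cwd or an open descriptor is under /tmp, and because the kernel keeps an unlinked file's name with " (deleted)" appended, a script removed after it started still appears. It assumes Linux and needs root to read other users' processes; demo() is a self-check that opens and deletes a file under the temp directory to show the marker.

```python
import os
import tempfile

def proc_available():
    """True on Linux, where /proc exposes each process's cwd and open fds."""
    return os.path.isdir('/proc/self/fd')

def _under(path, prefix):
    return path == prefix or path.startswith(prefix + '/')

def processes_touching(prefix='/tmp'):
    """Return [(pid, uid, exe, cwd, open_paths)] for every process whose cwd or an
    open file descriptor points under prefix.  A file unlinked after being opened
    keeps its name with ' (deleted)' appended, which is how a script that removed
    itself after starting still shows up.  Run as root to see other users'
    processes; entries that cannot be read are skipped."""
    hits = []
    for pid in os.listdir('/proc'):
        if not pid.isdigit():
            continue
        base = '/proc/' + pid
        try:
            uid = os.stat(base).st_uid
            cwd = os.readlink(base + '/cwd')
            try:
                exe = os.readlink(base + '/exe')
            except OSError:
                exe = '?'                       # kernel thread, or no permission
            open_paths = []
            for fd in os.listdir(base + '/fd'):
                try:
                    target = os.readlink(base + '/fd/' + fd)
                except OSError:
                    continue                    # fd closed between listdir and readlink
                if _under(target, prefix):
                    open_paths.append(target)
        except OSError:
            continue                            # process exited, or not readable
        if _under(cwd, prefix) or open_paths:
            hits.append((int(pid), uid, exe, cwd, open_paths))
    return hits

def demo(prefix=None):
    """Self-check: open a file under prefix (default: the system temp directory),
    delete it while it is still open, and confirm this process is reported with
    the '(deleted)' marker on that path."""
    prefix = os.path.realpath(prefix or tempfile.gettempdir())
    fd, path = tempfile.mkstemp(dir=prefix)
    path = os.path.realpath(path)
    try:
        os.unlink(path)
        mine = [h for h in processes_touching(prefix) if h[0] == os.getpid()]
        return bool(mine) and any(p.startswith(path) and p.endswith('(deleted)')
                                  for p in mine[0][4])
    finally:
        os.close(fd)

if __name__ == '__main__':
    for pid, uid, exe, cwd, paths in processes_touching('/tmp'):
        print(pid, uid, exe, cwd, paths)
```

A uid of the web server user with exe pointing at httpd or php and a "(deleted)" path under /tmp is the case chirpy describes: the script is gone from disk but still running, and the pid tells you which process to inspect or kill.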
     
  19. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    When a PHP script sends out a message the cwd logs it as being from /tmp which is normal. You need to grep a few lines above that and in the /home/user path of the script.
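The following is an added example (not ramprage's or anyone else's in this thread) of reading the +arguments log the way chirpy, konrath and ramprage describe: pair each message that exim accepted locally from nobody with the sendmail invocation nearest to it in time, take that invocation's cwd as the account directory, and count messages per directory. When the nearest cwd is /tmp, /var/spool/exim or / it is recorded as uninformative so the entry is flagged for other checks rather than mistaken for an answer. SAMPLE_LOG is constructed for the example, modelled on the lines deksite posted, with invented hostname, paths, message IDs and recipients; the two-second pairing window and the list of uninformative directories are assumptions.

```python
import os
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/exim_mainlog with log_selector = +arguments.
# The line shapes follow the ones posted in this thread; the hostname, paths,
# message IDs and recipients are invented for the example.
SAMPLE_LOG = """\
2006-08-16 13:54:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1GDOf0-0001mr-SD
2006-08-16 13:54:31 1GDOf1-0001n2-4y <= nobody@fenix.example.com U=nobody P=local S=5704 T="Windows critical update" from <nobody@fenix.example.com> for victim1@example.net
2006-08-16 13:54:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GDOf1-0001n2-4y
2006-08-16 13:54:31 cwd=/home/fenix/public_html 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:54:32 cwd=/home/fenix/public_html 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:54:32 1GDOf2-0001n9-1A <= nobody@fenix.example.com U=nobody P=local S=5712 T="Windows critical update" from <nobody@fenix.example.com> for victim2@example.net
2006-08-16 13:54:50 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:54:50 1GDOf9-0001nq-3C <= nobody@fenix.example.com U=nobody P=local S=812 T="Contact form" from <nobody@fenix.example.com> for alice@example.org
2006-08-16 13:55:02 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:55:02 1GDOfX-0001p0-7Q <= nobody@fenix.example.com U=nobody P=local S=9001 T="Windows critical update" from <nobody@fenix.example.com> for victim3@example.net
2006-08-16 13:56:10 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:56:10 1GDOg0-0001q1-2B <= bob@fenix.example.com U=bob P=local S=1200 T="Invoice" from <bob@fenix.example.com> for client@example.org
"""

INVOKE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(\S+) (\d+) args: (.*)$')
ACCEPT_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= \S+ U=(\S+) P=local .*?T="([^"]*)"')

# Working directories that say nothing about which account's script ran:
# Exim's own spool processes, the root directory and the shared temp dirs.
UNINFORMATIVE = {'/var/spool/exim', '/', '/tmp', '/var/tmp'}

def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%d %H:%M:%S')

def is_submission(argv):
    """True for a sendmail-style local submission; False for Exim's own
    delivery (-Mc) and bounce-generation (-E<msgid>) processes."""
    if any(a == '-Mc' or a.startswith('-E') for a in argv):
        return False
    return os.path.basename(argv[0]) == 'sendmail' or '-t' in argv

def parse_log(text):
    """Split the log into submission invocations and locally accepted messages."""
    invocations, accepts = [], []
    for n, line in enumerate(text.splitlines()):
        m = INVOKE_RE.match(line)
        if m:
            argv = m.group(4).split()
            if is_submission(argv):
                invocations.append({'n': n, 'ts': parse_ts(m.group(1)),
                                    'cwd': m.group(2), 'argv': argv, 'used': False})
            continue
        m = ACCEPT_RE.match(line)
        if m:
            accepts.append({'n': n, 'ts': parse_ts(m.group(1)), 'id': m.group(2),
                            'user': m.group(3), 'subject': m.group(4)})
    return invocations, accepts

def attribute(text, user='nobody', window=2):
    """Pair each message submitted locally as `user` with the unused sendmail
    invocation closest to it in time (within `window` seconds), preferring one
    whose cwd names an account directory.  Returns a list of
    (message id, subject, cwd, informative); cwd is None if nothing matched."""
    invocations, accepts = parse_log(text)
    result = []
    for acc in accepts:
        if acc['user'] != user:
            continue
        cands = [inv for inv in invocations if not inv['used']
                 and abs((inv['ts'] - acc['ts']).total_seconds()) <= window]
        # closest in time first; ties broken by distance in the file
        cands.sort(key=lambda inv: (abs((inv['ts'] - acc['ts']).total_seconds()),
                                    abs(inv['n'] - acc['n'])))
        chosen = next((inv for inv in cands if inv['cwd'] not in UNINFORMATIVE),
                      cands[0] if cands else None)
        if chosen is None:
            result.append((acc['id'], acc['subject'], None, False))
            continue
        chosen['used'] = True
        result.append((acc['id'], acc['subject'], chosen['cwd'],
                       chosen['cwd'] not in UNINFORMATIVE))
    return result

def directories_by_volume(text, user='nobody'):
    """Messages per originating directory: the summary to read first."""
    return Counter(cwd for _, _, cwd, _ in attribute(text, user) if cwd)

if __name__ == '__main__':
    for msgid, subject, cwd, informative in attribute(SAMPLE_LOG):
        print(msgid, repr(subject), cwd, '' if informative else '(cwd uninformative)')
    print(directories_by_volume(SAMPLE_LOG).most_common())
```

On the sample the spam subject lands twice in /home/fenix/public_html and once in /tmp, and alice's single "Contact form" message stays separate; the /tmp entry is exactly the case in the question above, where the directory alone is not enough and the pairing has to be repeated with a longer window or the process list checked while the spam is still going out. The pairing is a heuristic: with several accounts submitting in the same second, an invocation can be paired with the wrong message.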
     
  20. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    Would you happen to have an example of what you mean? I don't see any lines above it pertaining to this message that has a path.
     