how to find nobody scripts sending mail

z3usy

Member
Apr 12, 2005
USA
cPanel Access Level
Root Administrator
Enabled Exim Extended Logging...

One solution I've found... Enabled extended logging in Exim...

P.S. In the instructions you will see the line below referenced... this should be a SINGLE line in the config... for more information see http://www.webhostgear.com/118.html

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

----------------------------------------------------------------

1) Open exim.conf
pico /etc/exim.conf

2) Find this:
Ctrl + W: hostlist auth_relay_hosts = *

#######################################
# Runtime configuration file for Exim #
#######################################

3) After hostlist auth_relay_hosts = *

add the following

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn


4) The final result should look like this

hostlist auth_relay_hosts = *

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

#######################################
# Runtime configuration file for Exim #
#######################################

5) Save and restart exim DONE!
ctrl + X then Y
/etc/init.d/exim restart

Now tail your log and watch the show!
tail -f /var/log/exim_mainlog

WARNING CPANEL USERS:
Cpanel/WHM updates will override these changes. You can prevent Cpanel from deleting your changes by doing the following:

chattr +i /etc/exim.conf
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
That is completely unnecessary and you should not edit and chattr exim.conf in that way :)

If you want to enable extended logging use the Exim Configuration Editor in WHM and simply add the following to the first text area in Advanced Mode:

log_selector = +all

Or if you want less output and just the essentials, this will usually do instead:

log_selector = +arguments
 

salvatore333

Well-Known Member
Mar 27, 2003
So if I add log_selector = +arguments to the exim config, I will be able to tail -f /var/log/exim_mainlog and determine which user has set up this spam script?

Thank you very much
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
What it does is provide the context within which a request was made to exim (i.e. CWD) so it usually provides the directory from where the script runs that starts the mail connection. If that is present, you can then go to that folder and track down the PHP script within that directory.
 

z3usy

Member
Apr 12, 2005
USA
cPanel Access Level
Root Administrator
Shorter/Quicker/Easier always works best for me... *noted*

Though I do recommend log_selector = +all, because then you don't have to sit there watching the tail -f, and if you miss some spam you can search the log for, say, the subject of the email, etc. Or just pick out which variables you think would be useful and use those.
 

konrath

Well-Known Member
May 3, 2005
Brasil
Perfect!

Hello z3usy

Thank you!!! It's perfect. I found all the hackers on my servers! :p

But the best way to look is:

grep sendmail exim_mainlog


Konrath













z3usy said:
One solution I've found... Enabled extended logging in Exim...
 

deksite

Member
Oct 4, 2005
I edited exim.conf and got errors :/

hostlist auth_relay_hosts = *

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

#######################################
# Runtime configuration file for Exim #
#######################################

5) Save and restart exim DONE!
ctrl + X then Y
/etc/init.d/exim restart

Now tail your log and watch the show!
tail -f /var/log/exim_mainlog


Please help



[email protected] [~]# /etc/init.d/exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [FAILED]
Shutting down antirelayd: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim-26: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Starting exim: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Starting exim-smtps: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Starting antirelayd: [ OK ]
Starting spamd: [ OK ]
[email protected] [~]#
 

mctDarren

Well-Known Member
Jan 6, 2004
New Jersey
cPanel Access Level
Root Administrator
deksite said:
Please help

[email protected] [~]# /etc/init.d/exim restart
Starting exim-26: 2006-08-15 20:51:05 Exim configuration error in line 4 of /etc/exim.conf:
"log_selector" option set for the second time
[FAILED]
Looks like you already had a log_selector line in your conf file. Look for the other one and remove one of the two...
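The "option set for the second time" error above is easy to hit when a log_selector line is pasted into a file that already has one (on cPanel servers the WHM Exim Configuration Editor mentioned earlier in the thread writes its own). As an added example, not code from this thread or from Exim, here is a small Python check that finds every active log_selector line, refuses to restart-worthy output when two are present, and otherwise inserts or merges the wanted selectors so that the file ends up with exactly one line. The sample configuration text and the anchor line are constructed to match the snippet in the thread.

```python
import re

# Constructed stand-in for the relevant part of /etc/exim.conf (not a real file).
SAMPLE_CONF = """\
# Runtime configuration file for Exim
hostlist auth_relay_hosts = *

#######################################
"""


def log_selector_lines(config_text):
    """Return (line_no, line) for every active, i.e. uncommented, log_selector setting."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        s = line.strip()
        if s.startswith('#'):
            continue
        if re.match(r'log_selector\s*=', s):
            hits.append((n, s))
    return hits


def config_problems(config_text):
    """Problems Exim rejects at start-up; the duplicate option is the one seen in this thread."""
    hits = log_selector_lines(config_text)
    problems = []
    if len(hits) > 1:
        problems.append('"log_selector" option set for the second time (lines %s)'
                        % ', '.join(str(n) for n, _ in hits))
    return problems


def ensure_single_log_selector(config_text, wanted, anchor='hostlist auth_relay_hosts = *'):
    """Return config text with exactly one log_selector line.

    - none present: a new line with `wanted` is inserted after `anchor`
    - one present:  `wanted` is merged into it (order kept, duplicates dropped)
    - more present: raise, because Exim will not start with that file
    """
    problems = config_problems(config_text)
    if problems:
        raise ValueError('; '.join(problems))
    lines = config_text.splitlines()
    hits = log_selector_lines(config_text)
    if hits:
        n, existing = hits[0]
        tokens = existing.split('=', 1)[1].split()
        for tok in wanted:
            if tok not in tokens:
                tokens.append(tok)
        lines[n - 1] = 'log_selector = ' + ' '.join(tokens)
        return '\n'.join(lines) + '\n'
    for i, line in enumerate(lines):
        if line.strip() == anchor:
            lines.insert(i + 1, 'log_selector = ' + ' '.join(wanted))
            return '\n'.join(lines) + '\n'
    raise ValueError('anchor %r not found' % anchor)


if __name__ == '__main__':
    # First pass inserts the line; second pass merges instead of duplicating it.
    conf = ensure_single_log_selector(SAMPLE_CONF, ['+arguments'])
    conf = ensure_single_log_selector(conf, ['+arguments', '+subject'])
    print(conf)
    # A hand-pasted second line is what produced the failure quoted above.
    print(config_problems(conf + 'log_selector = +all\n'))
```

Exim's own check for this is `exim -bV`, which reads the configuration and reports errors such as the duplicate option without starting the daemon, so run it before `/etc/init.d/exim restart` rather than after.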
 

deksite

Member
Oct 4, 2005
The script is OK now, thanks.

:mad: I checked the whole directory cwd=/home/fenix/public and did not find any script that could send spam. Can someone help? Many emails are being sent from me.

2006-08-16 13:54:31 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1GDOf0-0001mr-SD
2006-08-16 13:54:31 1GDOf1-0001n2-4y <= [email protected] U=nobody P=local S=5704 T="Atualiza\347\343o cr\355tica do windows" from <[email protected]> for [email protected] [email protected] [email protected]
2006-08-16 13:54:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GDOf1-0001n2-4y
2006-08-16 13:54:31 cwd=/home/fenix/public_html 3 args: /usr/sbin/sendmail -t -i
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Then you'll need to ask someone who understands PHP to check for you, since it's clearly from a script in that directory (unless it has deleted itself).
 

jrehmer

Well-Known Member
Apr 10, 2003
Denver, CO
I'm seeing a lot of entries with "/tmp" as the CWD from which sendmail is being executed.

Is there any way to find out more information from that? I have already checked /tmp and there are no scripts (in fact I emptied it all but the mysql.sock file).
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
That's all the information you're going to get. If there are definitely no scripts in /tmp then they've probably been deleted after they've been used. If it's ongoing (i.e. spam is still going out but nothing in /tmp) then you might get lucky with:

lsof | grep /tmp
 

ramprage

Well-Known Member
Jul 21, 2002
Canada
When a PHP script sends out a message the cwd logs it as being from /tmp which is normal. You need to grep a few lines above that and in the /home/user path of the script.
 

jrehmer

Well-Known Member
Apr 10, 2003
Denver, CO
Would you happen to have an example of what you mean? I don't see any lines above it pertaining to this message that has a path.
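Chirpy's explanation of what +arguments gives you (the cwd= line for the process that called sendmail) and ramprage's advice to look at the lines around the "<=" line are the same correlation: match each locally accepted message with the sendmail invocation logged next to it. As an added example, not code from this thread, here is a Python script that does that over exim_mainlog text and counts submissions per Unix user and working directory, so a nobody-owned submission from /home/user/public_html or /tmp stands out. The sample log is constructed to look like the excerpt quoted earlier (addresses and hostnames invented; the accented subject is the one from the thread, as Exim writes it with \ooo octal escapes). Assumptions: Exim's own delivery (-M...), queue-runner (-q...) and bounce (-E...) processes are skipped, a 2-second window is used to pair lines, and the octal bytes are decoded as Latin-1.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the exim_mainlog excerpt in this thread
# (log_selector with +arguments, +subject, +received_sender, +received_recipients).
SAMPLE_LOG = r"""
2006-08-16 13:54:31 cwd=/home/fenix/public_html 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:54:31 1GDOf1-0001n2-4y <= spam@example.com U=nobody P=local S=5704 T="Atualiza\347\343o cr\355tica do windows" from <spam@example.com> for a@example.org b@example.org c@example.org
2006-08-16 13:54:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GDOf1-0001n2-4y
2006-08-16 13:55:02 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:55:02 1GDOfZ-0001p7-Qx <= spam@example.com U=nobody P=local S=6120 T="Say \"hello\" for free" from <spam@example.com> for d@example.org
2006-08-16 13:56:10 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2006-08-16 13:56:10 1GDOgf-0001q1-Aa <= alice@example.com U=alice P=local S=900 T="Monthly newsletter" from <alice@example.com> for e@example.org
2006-08-16 13:57:00 1GDOhR-0001r3-Zz <= bob@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1200 T="Hello from outside" from <bob@example.net> for f@example.org
""".strip()

TS_FMT = '%Y-%m-%d %H:%M:%S'
ARGS_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(\S+) (\d+) args: (.*)$')
MSG_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+)')
SUBJ_RE = re.compile(r' T="((?:[^"\\]|\\.)*)"')   # quotes inside are escaped as \"
SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t'}


def unescape_subject(raw):
    """Undo Exim's quoting of T="...": \\" and \\\\ are literal, \\ooo is an octal byte
    (decoded as Latin-1 here; an assumption that fits the thread's Portuguese subject)."""
    def repl(m):
        esc = m.group(1)
        if len(esc) == 3:
            return chr(int(esc, 8))
        return SIMPLE_ESCAPES.get(esc, esc)
    return re.sub(r'\\([0-7]{3}|.)', repl, raw)


def _field(head, key):
    m = re.search(r' %s=(\S+)' % key, head)
    return m.group(1) if m else None


def parse_log(text):
    """Turn log lines into events: 'args' (process start, from +arguments) and
    'msg' (message accepted, the '<=' line). Everything else is ignored."""
    events = []
    for line in text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            ts, cwd, _argc, rest = m.groups()
            events.append({'kind': 'args', 'ts': datetime.strptime(ts, TS_FMT),
                           'cwd': cwd, 'argv': rest.split()})
            continue
        m = MSG_RE.match(line)
        if m:
            ts, msg_id, sender = m.groups()
            head, _, _ = line.partition(' T="')          # U=/P=/S= live before the subject
            sm = SUBJ_RE.search(line)
            tail = line[sm.end():] if sm else head       # recipients live after it
            rm = re.search(r' for (.+)$', tail)
            events.append({'kind': 'msg', 'ts': datetime.strptime(ts, TS_FMT),
                           'id': msg_id, 'sender': sender,
                           'user': _field(head, 'U'), 'proto': _field(head, 'P'),
                           'subject': unescape_subject(sm.group(1)) if sm else None,
                           'recipients': rm.group(1).split() if rm else []})
    return events


def is_script_submission(argv):
    """A local sendmail/exim call that submits a message. Exim's own delivery (-M...),
    queue-runner (-q...) and bounce (-E...) processes run from /var/spool/exim and are skipped."""
    if not argv:
        return False
    prog = argv[0].rsplit('/', 1)[-1]
    if prog not in ('sendmail', 'exim', 'exim4'):
        return False
    return not any(a.startswith(('-M', '-q', '-E')) for a in argv[1:])


def correlate(events, window_seconds=2):
    """Pair each locally submitted message (P=local) with the nearest script submission
    inside the window, preferring the one logged just before it; each args line is used once."""
    pending = [e for e in events if e['kind'] == 'args' and is_script_submission(e['argv'])]
    window = timedelta(seconds=window_seconds)
    records = []
    for e in events:
        if e['kind'] != 'msg' or e['proto'] != 'local':
            continue
        near = [s for s in pending if abs(s['ts'] - e['ts']) <= window]
        best = min(near, key=lambda s: (abs(s['ts'] - e['ts']), s['ts'] > e['ts'])) if near else None
        if best is not None:
            pending.remove(best)
        records.append({'id': e['id'], 'ts': e['ts'], 'user': e['user'],
                        'cwd': best['cwd'] if best else None,
                        'command': ' '.join(best['argv']) if best else None,
                        'subject': e['subject'], 'recipient_count': len(e['recipients'])})
    return records


def by_user_and_cwd(records):
    """Submissions per (Unix user, working directory); the nobody entries point at the script."""
    return Counter((r['user'], r['cwd']) for r in records)


def web_user_submissions(records, web_user='nobody'):
    return [r for r in records if r['user'] == web_user]


if __name__ == '__main__':
    recs = correlate(parse_log(SAMPLE_LOG))
    for (user, cwd), n in by_user_and_cwd(recs).most_common():
        print(f'{n:4d}  U={user:<8} cwd={cwd}')
    for r in web_user_submissions(recs):
        print(f"{r['id']} cwd={r['cwd']} rcpts={r['recipient_count']} subject={r['subject']!r}")
```

Feed it the real file with `correlate(parse_log(open('/var/log/exim_mainlog').read()))`. A record whose cwd is None means no sendmail call was logged within the window, which is what you see when +arguments was enabled after the message was queued; a cwd of /tmp with nothing left in /tmp matches chirpy's point that the script may have removed itself, and the subject and recipient count still give you something to search the rest of the log for.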