
LocalRelay Issue and WordPress

Discussion in 'E-mail Discussion' started by Solokron, Jul 19, 2015.

  1. Solokron

    Solokron Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    We have a server where one account is using WordPress and it is constantly being exploited and used for sending spam. It is only this one account on the server which is causing problems. The WordPress installation is constantly updated including themes and plugins not in the WordPress library. It is also running WordFence and AIO WP Security & Firewall plugins. Both are heavily enabled but the spammer files are still showing up from time to time. Tracking down the exploited files used for this is never an issue and it is obvious to me there is a file these are missing in their scans which has been exploited and is the entry point but that is not my concern as this is going to happen with any account over time, especially with the heavy usage of WordPress nowadays. Methods are already in place to mitigate the spam sending along with CXS which picks up the majority of them.

    My concern is these kiddie spam files are able to send email through the server without authenticating through an email account. They come from the domain but never use a valid email address.

    The server environment:

    2.6.32-531.29.2.lve1.3.11.1.el6.x86_64 #1 SMP Thu Dec 18 06:49:17 EST 2014 x86_64 x86_64 x86_64 GNU/Linux - CloudLinux with CageFS enabled

    WHM 11.50.0 (build 23)

    PHP compiled with RUID2

    PHP 5.4.42 (cli) (built: Jul 1 2015 20:04:33)
    Copyright (c) 1997-2014 The PHP Group
    Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
    with XCache v3.2.0, Copyright (c) 2005-2014, by mOo
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
    with Zend Guard Loader v3.3, Copyright (c) 1998-2013, by Zend Technologies
    with XCache Cacher v3.2.0, Copyright (c) 2005-2014, by mOo
    with Suhosin v0.9.36, Copyright (c) 2007-2014, by SektionEins GmbH

    WHM Tweak Settings:
    Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): Off (Enabled in Configserver)
    Prevent “nobody” from sending mail : On

    Configserver Firewall settings:
    SMTP_BLOCK = "1"
    SMTP_ALLOWUSER = "cpanel"
    SMTP_ALLOWGROUP = "mail,mailman"

    The following has already been performed:
    /etc/init.d/exim restart
    /usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd

    Exim Configuration:
    Query Apache server status to determine the sender of email sent from processes running as nobody: On
    Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody: On
    log_selector=+all -host_lookup_failed -lost_incoming_connection

    Example email from exim_mainlog:
    cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i
    2015-07-19 14:14:04 [59057] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZGvuO-000FMR-1u
    2015-07-19 14:14:04 [59058] 1ZGvuO-000FMY-L7 <= U=username P=local S=1433 M8S=0 T="You have a quick bang request" from <> for

    My question is this, with email being able to send through the user account without authenticating with a valid email account through sendmail, what methods have you found to remedy this? Is there any way we can lock down sendmail or force it to use a valid email account without disabling it completely?

    Thank you for your thoughts on the matter.
    #1 Solokron, Jul 19, 2015
    Last edited by a moderator: Jul 19, 2015
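Added example, not part of the original post or of cPanel's tooling: a small parser for the exim_mainlog lines quoted above that counts which working directories invoke /usr/sbin/sendmail and which local users submit mail with `P=local`, together with the envelope sender. The sample log is constructed in the format shown in the post; the function names, the extra paths and all addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the exim_mainlog format quoted in the post
# (log_selector=+all). PIDs, message IDs, the uploads path and all
# addresses are made up for this example.
SAMPLE_LOG = """\
2015-07-19 14:14:04 [59055] cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i
2015-07-19 14:14:04 [59057] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZGvuO-000FMR-1u
2015-07-19 14:14:04 [59058] 1ZGvuO-000FMY-L7 <= U=username P=local S=1433 M8S=0 T="You have a quick bang request" from <> for rcpt@example.com
2015-07-19 14:14:09 [59071] cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i
2015-07-19 14:14:09 [59074] 1ZGvuT-000FMo-2b <= U=username P=local S=1440 M8S=0 T="Constructed subject" from <> for other@example.net
2015-07-19 14:15:10 [59102] cwd=/home/username/public_html/wp-content/uploads 4 args: /usr/sbin/sendmail -t -i
2015-07-19 14:15:30 [59120] 1ZGvvo-000FNa-3c <= info@example.org H=(client) [192.0.2.10]:51234 P=esmtpa A=dovecot_login:info@example.org S=2210 T="Authenticated message" from <info@example.org> for rcpt@example.com
"""

CWD_RE = re.compile(r"\bcwd=(\S+) \d+ args: (\S+)")
USER_RE = re.compile(r"\bU=(\S+)")
FROM_RE = re.compile(r" from <([^>]*)>")

def sendmail_cwds(lines):
    """Count working directories from which the sendmail binary was run."""
    hits = Counter()
    for line in lines:
        m = CWD_RE.search(line)
        # Exim's own queue handling logs cwd=/var/spool/exim; skip it.
        if m and m.group(2).endswith("/sendmail") \
                and not m.group(1).startswith("/var/spool/"):
            hits[m.group(1)] += 1
    return hits

def local_submissions(lines):
    """Count (local user, envelope sender) pairs for P=local arrivals."""
    hits = Counter()
    for line in lines:
        if " <= " not in line or " P=local " not in line:
            continue  # not an arrival, or it came in over SMTP
        user = USER_RE.search(line)       # U= precedes the T="..." subject
        senders = FROM_RE.findall(line)   # last match: subject may contain "from <"
        if user:
            hits[(user.group(1), senders[-1] if senders else "?")] += 1
    return hits

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(sendmail_cwds(log).most_common())
    print(local_submissions(log).most_common())
```

An empty string as the sender in the second report corresponds to the `from <>` seen in the post's log excerpt.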
  2. 24x7server

    24x7server Well-Known Member

    cPanel Access Level:
    Root Administrator

    You need to disable the PHP mail function on your server. You can update the disable_functions list in your php.ini file to disable it.
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Yes, as mentioned, have you tried disabling the PHP mail function to see if the issue continues? Note this would force users to send email via SMTP authentication in their PHP scripts.

    Thank you.
