The Community Forums


LocalRelay Issue and WordPress

Discussion in 'E-mail Discussions' started by Solokron, Jul 19, 2015.

  1. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    We have a server where one account is using WordPress, and it is constantly being exploited and used for sending spam. It is only this one account on the server which is causing problems. The WordPress installation is constantly updated, including themes and plugins not in the WordPress library. It is also running the WordFence and AIO WP Security & Firewall plugins. Both are heavily enabled, but the spammer files are still showing up from time to time. Tracking down the exploited files used for this is never an issue, and it is obvious to me that there is a file these are missing in their scans which has been exploited and is the entry point, but that is not my concern, as this is going to happen with any account over time, especially with the heavy usage of WordPress nowadays. Methods are already in place to mitigate the spam sending, along with CXS, which picks up the majority of them.

    My concern is that these kiddie spam files are able to send email through the server without authenticating through an email account. They come from the domain but never use a valid email address.


    The server environment:

    2.6.32-531.29.2.lve1.3.11.1.el6.x86_64 #1 SMP Thu Dec 18 06:49:17 EST 2014 x86_64 x86_64 x86_64 GNU/Linux - CloudLinux with CageFS enabled

    WHM 11.50.0 (build 23)

    PHP compiled with RUID2

    PHP 5.4.42 (cli) (built: Jul 1 2015 20:04:33)
    Copyright (c) 1997-2014 The PHP Group
    Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
    with XCache v3.2.0, Copyright (c) 2005-2014, by mOo
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
    with Zend Guard Loader v3.3, Copyright (c) 1998-2013, by Zend Technologies
    with XCache Cacher v3.2.0, Copyright (c) 2005-2014, by mOo
    with Suhosin v0.9.36, Copyright (c) 2007-2014, by SektionEins GmbH

    WHM Tweak Settings:
    Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): Off (Enabled in Configserver)
    Prevent “nobody” from sending mail : On

    Configserver Firewall settings:
    SMTP_BLOCK = "1"
    SMTP_ALLOWLOCAL = "0"
    SMTP_ALLOWUSER = "cpanel"
    SMTP_ALLOWGROUP = "mail,mailman"
    SMTPAUTH_RESTRICT = "1"

    The following has already been performed:
    /scripts/fixrelayd
    /etc/init.d/exim restart
    /usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd

    Exim Configuration:
    Query Apache server status to determine the sender of email sent from processes running as nobody: On
    Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody: On
    log_selector=+all -host_lookup_failed -lost_incoming_connection

    Example email from in exim_mainlog:
    cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i -fdoris_wallace@thedomain.com
    2015-07-19 14:14:04 [59057] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZGvuO-000FMR-1u
    2015-07-19 14:14:04 [59058] 1ZGvuO-000FMY-L7 <= doris_wallace@thedomain.com U=username P=local S=1433 M8S=0 id=c3b48164e058b38dc9b273240d1783a3@thedomain.com T="You have a quick bang request" from <doris_wallace@thedomain.com> for someuser@gmail.com


    My question is this: with email able to be sent through the user account via sendmail without authenticating with a valid email account, what methods have you found to remedy this? Is there any way we can lock down sendmail or force it to use a valid email account without disabling it completely?

    Thank you for your thoughts on the matter.
     
    #1 Solokron, Jul 19, 2015
    Last edited by a moderator: Jul 19, 2015
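
One way to turn the exim_mainlog lines quoted above into a detector, as an added example rather than anything from the original post: a Python script that reads log lines in the format shown (log_selector=+all, so each local submission is preceded by a "cwd=... args:" line for the process that called sendmail), flags P=local submissions made by an ordinary account whose envelope sender is not a real mailbox on that account, and ties each one back to the working directory of the matching sendmail call so the script location is known. The sample log, the mailbox list, the account name and the trusted-user set are constructed for the example; the mailnull user and the /home/<acct>/public_html layout are assumptions about cPanel, not facts from the thread.

```python
import os
import re

# Constructed sample log, modelled on the exim_mainlog excerpt in the post
# (log_selector=+all). Names, addresses, paths and message ids are made up.
SAMPLE_LOG = """\
2015-07-19 14:14:03 [59050] cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i -fdoris_wallace@thedomain.com
2015-07-19 14:14:04 [59057] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZGvuO-000FMR-1u
2015-07-19 14:14:04 [59058] 1ZGvuO-000FMY-L7 <= doris_wallace@thedomain.com U=username P=local S=1433 M8S=0 id=c3b48164e058b38dc9b273240d1783a3@thedomain.com T="You have a quick bang request" from <doris_wallace@thedomain.com> for someuser@gmail.com
2015-07-19 14:20:10 [59102] cwd=/home/username/public_html 4 args: /usr/sbin/sendmail -t -i -fshop@thedomain.com
2015-07-19 14:20:11 [59103] 1ZGw0J-000FPq-2c <= shop@thedomain.com U=username P=local S=2210 M8S=0 T="Your order" from <shop@thedomain.com> for customer@example.net
2015-07-19 14:25:00 [59150] 1ZGw4v-000FRt-Ab <= info@thedomain.com H=(client) [203.0.113.5] P=esmtpa A=dovecot_login:info@thedomain.com S=1024 T="Hi" for friend@example.org
2015-07-19 14:30:00 [59200] 1ZGw9k-000FSx-Qz <= root@server.example U=root P=local S=512 T="Cron" for admin@example.org
"""

# Mailboxes that really exist on the account. Assumption: an operator-supplied
# set exported from the account's mail configuration.
VALID_MAILBOXES = {"shop@thedomain.com", "info@thedomain.com"}

# Local users whose sendmail submissions are expected without SMTP auth. The WHM
# tweak in the post names root, exim and mailman; mailnull is assumed to be the
# user exim itself runs as on cPanel.
TRUSTED_LOCAL_USERS = {"root", "exim", "mailnull", "mailman", "cpanel"}

# The "date time [pid] " prefix is optional so a line pasted without it (as in
# the post) still parses.
PREFIX = r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] )?"
CWD_RE = re.compile(PREFIX + r"cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
RECV_RE = re.compile(PREFIX + r"(?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")


def parse_sendmail_invocation(line):
    """Return {'ts','cwd','sender'} if the line records a call to sendmail, else None.
    The -f (envelope sender) option may be glued (-fuser@host) or separate (-f user@host)."""
    m = CWD_RE.match(line)
    if not m:
        return None
    args = m.group("args").split()
    if not args or os.path.basename(args[0]) != "sendmail":
        return None
    sender = None
    for i, arg in enumerate(args):
        if arg == "-f" and i + 1 < len(args):
            sender = args[i + 1]
        elif arg.startswith("-f") and len(arg) > 2:
            sender = arg[2:]
    return {"ts": m.group("ts"), "cwd": m.group("cwd"), "sender": sender}


def _field(rest, key):
    m = re.search(r"(?:^|\s)" + re.escape(key) + r"=(\S+)", rest)
    return m.group(1) if m else None


def parse_local_submission(line):
    """Return the fields of a message-arrival ('<=') line, else None."""
    m = RECV_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    return {
        "ts": m.group("ts"),
        "msgid": m.group("msgid"),
        "sender": m.group("sender"),
        "user": _field(rest, "U"),    # submitting unix user (present for P=local)
        "proto": _field(rest, "P"),   # local, esmtp, esmtpa, ...
        "auth": _field(rest, "A"),    # authenticator:identity when SMTP AUTH was used
    }


def account_for_docroot(path):
    """cPanel account name if path is under /home/<acct>/public_html, else None.
    Assumes the standard layout; addon/subdomain docroots elsewhere need extra rules."""
    m = re.match(r"^/home/([^/]+)/public_html(?:/|$)", path)
    return m.group(1) if m else None


def find_unauthenticated_web_mail(log_text, valid_mailboxes, trusted_users=TRUSTED_LOCAL_USERS):
    """Flag messages injected via local sendmail (P=local) by an ordinary account with
    an envelope sender that is not a real mailbox, and attach the directory the
    submitting process ran from when a sendmail call with that -f sender was logged."""
    known = {a.lower() for a in valid_mailboxes}
    last_call = {}   # envelope sender -> most recent sendmail invocation using it
    findings = []
    for line in log_text.splitlines():
        call = parse_sendmail_invocation(line)
        if call:
            if call["sender"]:
                last_call[call["sender"].lower()] = call
            continue
        msg = parse_local_submission(line)
        if not msg or msg["proto"] != "local":
            continue   # SMTP AUTH (esmtpa) submissions are already tied to a real login
        if msg["user"] in trusted_users:
            continue
        sender = msg["sender"].strip("<>").lower()
        if sender in known:
            continue   # a legitimate script (e.g. WordPress order mail) using its own mailbox
        call = last_call.get(sender)
        findings.append({
            "ts": msg["ts"],
            "msgid": msg["msgid"],
            "sender": msg["sender"],
            "user": msg["user"],
            "script_dir": call["cwd"] if call else None,
            "account": account_for_docroot(call["cwd"]) if call else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_web_mail(SAMPLE_LOG, VALID_MAILBOXES):
        print("{ts} {msgid} sender={sender} user={user} script_dir={script_dir}".format(**f))
```

On the sample above only the doris_wallace message is reported, with the tinymce/skins directory as the place to look; the shop@ message from the same docroot passes because it uses a mailbox that exists, and the authenticated (P=esmtpa) and root submissions are skipped. To run it on a live server, replace SAMPLE_LOG with the contents of exim_mainlog and VALID_MAILBOXES with the account's real mailbox list. This only detects after the fact; the replies below cover preventing the submission in the first place.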
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    You need to disable the PHP mail() function on your server. You can update the disable_functions list in your php.ini file to disable it.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,743
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Yes, as mentioned, have you tried disabling the PHP mail function to see if the issue continues? Note this would force users to send email via SMTP authentication in their PHP scripts.

    Thank you.
     