The Community Forums


Mail Sent From Hostname

Discussion in 'E-mail Discussions' started by fxs, Sep 10, 2016.

  1. fxs

    fxs Active Member

    Joined:
    Mar 5, 2014
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    One server sends unwanted emails to many people.

    It is a fresh install: WHM 58.0 (build 27).

    I have Atomicorp/ASL fully installed. Because ASL doesn't work properly with EasyApache 4, I use EA3 with Apache 2.4 and PHP 5.6. I cannot use mod_ruid2.

    On this server there are two forums (not so busy) running XenForo; there is no CMS. There are 4 websites (written in HTML). The contact forms were checked. Everything is up to date.

    So it's (relatively) easy to check the websites. I didn't find anything wrong.

    During the previous 6 months I had to call cPanel support for many problems, including a DNS problem and, the last time, a license problem (error c/o cPanel).

    The mails are sent from user@name-of.the.server, about 6 per hour. I blocked the outgoing mails (1/h).

    I can transfer to another server, but I didn't find the failure. I read the forum. I'm short of ideas.

    Any suggestion will be appreciated.

    N.B. The mail accounts of the 4 websites are forwarded to only one.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Have you checked your server's mail logs for this mail issue? Please log in to your server and find your message ID in the Exim mail logs. Once you find it, try the following command to get the full mail log of that message.

    Code:
    # replace message-ID with the Exim message ID, e.g. 1bixtu-0000Q4-OQ
    grep 'message-ID' /var/log/exim_mainlog
     
  3. fxs

    Nothing.

    However, some websites were transferred to another server.

    Unwanted outgoing mails occurred again (not surprising).
    By now we know exactly from which accounts.
    This website is for educational purposes and has only pages written in html5.php.
    The contact form is not suspicious but is now closed.
    Probably (not sure) the first suspicious event was:
    we received a spam from xxxxxxxxx and the server started to send spam to this address, and so on.
    In 80% of cases there is no relationship.

    When we blocked the outgoing mail we could see:

    It will take a long time to erase the server and upload everything.
    We don't know how it happened.
    What is the best way to get out of this vicious circle?

    Thanks
     
  4. fxs

    Using `exigrep root@hostname /var/log/exim_mainlog` I got this:

     
  5. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    What is the output of
    Code:
    grep "username" /var/log/exim_mainlog
    where username is the name of the email account used for authentication.

    Do you have a log of the unwanted mails which are going out? You have posted a log of the BoxTrapper mails. If you disable BoxTrapper, what do you see?

    Which PHP handler are you using? You should be using either mod_ruid2 or suPHP.

    Do you have a firewall like CSF installed?
     
  6. fxs

    Thousands of lines like this:

    Code:
    2016-09-11 08:05:58 cwd=/tmp 5 args: /usr/sbin/sendmail -t -i -f user
    2016-09-11 08:05:58 1bixtu-0000Q4-OQ <= user@nsxxxxx.eu U=uder P=local S=1821 T="Your email requires verification verify#qOYP3pQ9GVQhm_RhDhnEd-1473573958)" for vvvt@imi.vvvv.ca
    2016-09-11 08:05:58 1bixtu-0000Mg-8X => user <hp@xxxxxx> R=boxtrapper_localuser T=local_boxtrapper_delivery
    2016-09-11 08:05:58 1bixtu-0000Q9-Q4 <= <> R=1bixtu-0000Q4-OQ U=mailnull P=local S=3247 T="Mail delivery failed: returning message to sender" xxxxxx@nsxxxxxxxx
    2016-09-11 08:05:58 1bixtu-0000Q9-Q4 => user <user@ns30xxxxxxxx.eu> R=boxtrapper_localuser T=local_boxtrapper_delivery
    2016-09-11 08:12:01 cwd=/tmp 5 args: /usr/sbin/sendmail -t -i -f xxxxxx
    2016-09-11 08:12:01 1bixzl-0000wm-D2 <= user@xxxxxxxxxx.eu U=user P=local S=1748 T="Your email requires verification verify#SQQDMqIE8AhNkUOI9I_y8-1473574321)" xxxxxx@xxxxx
    2016-09-11 08:12:01 1bixzk-0000te-N3 => xxxx <xxx@yyyyyyy> R=boxtrapper_localuser T=local_boxtrapper_delivery
    2016-09-11 08:12:01 1bixzl-0000wr-Eg <= <> R=1bixzl-0000wm-D2 U=mailnull P=local S=3144 T="Mail delivery failed: returning message to sender" for uxxxxx@ns304

    Everything looks like the above.
    I'm going to disable BoxTrapper to see what happens.



    suPHP

    Firewall: ASL/modsecurity/scan/kernel fully installed (from Atomicorp)
     
    #6 fxs, Sep 12, 2016
    Last edited by a moderator: Sep 12, 2016
  7. ruzbehraja

    U=Username is the account that seems compromised.

    Can you reset the cPanel password and all the email account passwords on that too?

    Can you run "maldet" for that account? Most probably it is some malware. I was having a similar issue with mails being sent out as the nobody user. It turned out to be a compromised cPanel password and WordPress plugins.
     
  8. fxs

    I agree 100%

    Yes. Anyway, SSH access is restricted to two IPs and keys.

    There is no CMS, WordPress, Joomla or whatever.
    There are one thousand pages written in HTML5, an include file for the menu, and a contact form (it seems to me with entries checked) that is off now.
    Every password was changed.
    The websites were transferred to another server, which is protected by the Atomicorp firewall.
    How this malware got here bothers me, and what to do?

    We already did that. Today's log:

    Code:
    Policy and auditing events for local system 'ns1':
    
    Outstanding events: 2016 Sep 11 14:48:41 (first time detected: 2016 Sep 10 01:02:10) System Audit: Trojaned version of file '/bin/passwd' detected. Signature used: 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]' (Generic).
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL6}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL6}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL6} {PCI_DSS: 2.2.4}. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/conf/all/secure_redirects. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/conf/all/log_martians. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/conf/all/rp_filter. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL6} {PCI_DSS: 4.1}. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL7}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL7}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.6.1 - Randomized Virtua Memory Region Placement not enabled {CIS: 1.6.3 RHEL7}. File: /proc/sys/kernel/randomize_va_space. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: File '/dev/md/autorebuild.pid' present on /dev. Possible hidden file.
    
    2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: File '/dev/md/md-device-map' present on /dev. Possible hidden file.
    
    2016 Sep 11 14:48:44 (first time detected: 2016 Sep 10 01:02:12) System Audit: File '/etc/mime.types' is owned by root and has written permissions to anyone.
    
    
    
     
    #8 fxs, Sep 12, 2016
    Last edited by a moderator: Sep 12, 2016
  9. ruzbehraja

    Why are your logs not showing a hostname or IP address?

    Can you enable Verbose logging in Exim?

    Reading and Understanding the exim main_log

    The first thing we need to do is to get better output from our log. By default, Exim is not set to log every piece of information. To do this, we first need to log in to your WHM interface and navigate to Home »Service Configuration »Exim Configuration Manager »Advanced Editor. Find the section "log_selector" and replace it with one of the following.

    Code:
    log_selector = +all
     
  10. fxs

    Perhaps I don't want more problems (hackers also read this forum).

    Does it give you more information?

    Code:
    2016-09-11 04:05:06 1biu8o-0001qo-8c <= user xxxxxxx@xxxxxxxxx.eu U=xxxx P=local S=1772 T="Your email requires verification verify#FSqbwfvIPRiLXWkogXzm1-1473559506)" for takagi@hbc.co.jp
    2016-09-11 04:05:06 1biu8o-0001qo-8c SMTP connection outbound 1473559506 1biu8o-0001qo-8c xxxxxxxx.ch takagi@example.co.jp
    2016-09-11 04:05:11 1biu8o-0001qo-8c => takagi@exampleco.jp R=autoreply_lookuphost T=remote_smtp H=mx.domain.jp [210.130.xxx.xxx] X=TLSv1.2:AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 u8B257uk007189 Message accepted for delivery"
    2016-09-11 04:05:11 1biu8o-0001qo-8c Completed

    2016-09-11 04:08:07 1biuBj-0001wQ-SG <= xxxx@xxxxx.eu U=xxxxx P=local S=1837 T="Your email requires verification verify#obdCTnky8vrc_4JxEZkLs-1473559687)" for read@domain.com
    2016-09-11 04:08:07 1biuBj-0001wQ-SG ** read@domain.com R=enforce_mail_permissions: Domain xxxxxx.ch has exceeded the max emails per hour (1/1 (100%)) allowed.  Message discarded.
    2016-09-11 04:08:07 1biuBj-0001wQ-SG Completed

    2016-09-11 04:08:07 1biuBj-0001wV-Tv <= <> R=1biuBj-0001wQ-SG U=mailnull P=local S=3224 T="Mail delivery failed: returning message to sender" for xxxxx@xxxxxxxx.eu
    2016-09-11 04:08:07 1biuBj-0001wV-Tv => user <xxxxx@xxxxxxx.eu> R=boxtrapper_localuser T=local_boxtrapper_delivery
    2016-09-11 04:08:07 1biuBj-0001wV-Tv Completed

    2016-09-11 04:19:59 1biuND-0002D7-83 <= xxxxx@xxxxx.eu U=xxxxx P=local S=1798 T="Your email requires verification verify#ZCbCgpc6DnQaB5L2jesKu-1473560399)" for ikj@exampletoo.co.uk
    2016-09-11 04:19:59 1biuND-0002D7-83 ** ikj@caleb-roberts.co.uk R=enforce_mail_permissions: Domain xxxxxxxx.ch has exceeded the max emails per hour (1/1 (100%)) allowed.  Message discarded.
    2016-09-11 04:19:59 1biuND-0002D7-83 Completed

    2016-09-11 04:19:59 1biuND-0002DC-9s <= <> R=1biuND-0002D7-83 U=mailnull P=local S=3196 T="Mail delivery failed: returning message to sender" for xxxxx@xxxxxxx.eu
    2016-09-11 04:19:59 1biuND-0002DC-9s => xxxxx <xxxxxx@nsxxxxxxxx.eu> R=boxtrapper_localuser T=local_boxtrapper_delivery
    2016-09-11 04:19:59 1biuND-0002DC-9s Completed

     
  11. fxs

    BoxTrapper is disabled and the unwanted outgoing mails seem to have stopped.
    I didn't find the malware or any other wrong thing.
    I cannot use the transfer tool from WHM or a backup.
    I would like to erase this account, keeping information like statistics, etc., and re-upload to another server.
    How to easily achieve this goal? Is it a bad idea?

    Thanks
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The BoxTrapper verification emails are sent out when an email account with BoxTrapper enabled receives an email from an unknown sender. Thus, if several emails are sent to that email account, BoxTrapper is going to reply to them all to request verification. You may want to enable additional Spam filtering options (e.g. RBL blocking) to prevent these messages from coming through:

    Exim Configuration Manager - Basic Editor - Documentation - cPanel Documentation

    Thank you.
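As an added example (not code from cPanel, Exim or anyone in this thread), the script below does in one pass what posts #2, #5, #9 and #12 ask for by hand: it parses the `<=` (message arrived) lines of exim_mainlog, counts BoxTrapper verification challenges per `U=` user per hour, and ties every `<= <>` bounce back to the challenge that produced it. That chain is the loop cPanelMichael describes: spam comes in, BoxTrapper challenges a sender that does not exist, the challenge bounces, and the bounce is handed to `boxtrapper_localuser`. The sample log lines are constructed to mirror the excerpts quoted above (message IDs, users and addresses are made up), and the three-per-hour alert threshold is an assumption.

```python
"""Triage an Exim main log for BoxTrapper verification floods and backscatter.

Added example for this thread, not cPanel's or Exim's own code. The log lines
below are constructed in the shape of the excerpts quoted above (message IDs,
users and addresses are made up); the per-hour threshold is an assumption."""
import re
from collections import Counter, defaultdict

VERIFY_SUBJECT = "Your email requires verification"   # BoxTrapper's challenge subject

# Constructed sample: two BoxTrapper challenges that bounce (<= <> R=<parent>)
# and are handed back to the local user, one more challenge, one ordinary local
# message and one authenticated (P=esmtpsa) submission that must not be counted.
SAMPLE_LOG = """\
2016-09-11 08:05:58 1bixtu-0000Q4-OQ <= user@ns1.example.eu U=user P=local S=1821 T="Your email requires verification verify#AbCdEf-1473573958)" for victim@example.ca
2016-09-11 08:05:58 1bixtu-0000Q9-Q4 <= <> R=1bixtu-0000Q4-OQ U=mailnull P=local S=3247 T="Mail delivery failed: returning message to sender" for user@ns1.example.eu
2016-09-11 08:05:58 1bixtu-0000Q9-Q4 => user <user@ns1.example.eu> R=boxtrapper_localuser T=local_boxtrapper_delivery
2016-09-11 08:12:01 1bixzl-0000wm-D2 <= user@ns1.example.eu U=user P=local S=1748 T="Your email requires verification verify#GhIjKl-1473574321)" for other@example.net
2016-09-11 08:12:01 1bixzl-0000wr-Eg <= <> R=1bixzl-0000wm-D2 U=mailnull P=local S=3144 T="Mail delivery failed: returning message to sender" for user@ns1.example.eu
2016-09-11 08:31:44 1biyHy-0001Ab-Cd <= user@ns1.example.eu U=user P=local S=1790 T="Your email requires verification verify#MnOpQr-1473575504)" for third@example.org
2016-09-11 09:02:10 1biyl2-0001Kz-Ef <= alice@example.eu U=alice P=local S=2210 T="Invoice for September" for client@example.com
2016-09-11 09:15:33 1biyxT-0001Pq-Gh <= bob@example.eu H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:bob@example.eu S=3102 T="Re: meeting" for carol@example.net
"""

# '<=' marks a message arriving at Exim; '=>' delivery lines are deliberately skipped.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
# Exim key=value tokens: one upper-case letter, value either quoted (T="...") or bare.
FIELD_RE = re.compile(r'(?<!\S)(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')


def parse_arrival(line):
    """Parse one '<=' line into a dict, or return None for any other line."""
    m = ARRIVAL_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    rcpt = re.search(r" for (\S+)$", rest)
    return {
        "hour": m.group("ts")[:13],      # 'YYYY-MM-DD HH' bucket
        "id": m.group("id"),
        "sender": m.group("sender"),     # '<>' for bounces
        "user": fields.get("U"),         # Unix user that injected the message
        "proto": fields.get("P"),        # local = sendmail/pipe, esmtpsa = authenticated SMTP
        "parent": fields.get("R"),       # on a bounce: ID of the message that bounced
        "subject": fields.get("T", ""),
        "rcpt": rcpt.group(1) if rcpt else None,
    }


def triage(log_text, per_hour_threshold=3):
    """Count BoxTrapper challenges per local user per hour and tie each bounce
    back to the challenge that caused it. Returns a plain, JSON-friendly dict."""
    seen = {}                                # message id -> parsed arrival
    per_user_hour = defaultdict(Counter)     # user -> hour -> challenges sent
    targets = defaultdict(set)               # user -> addresses challenged
    bounced = []                             # (challenge id, challenged address, bounce recipient)
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        seen[rec["id"]] = rec
        if rec["proto"] == "local" and rec["subject"].startswith(VERIFY_SUBJECT):
            per_user_hour[rec["user"]][rec["hour"]] += 1
            targets[rec["user"]].add(rec["rcpt"])
        elif rec["sender"] == "<>" and rec["parent"] in seen:
            parent = seen[rec["parent"]]
            if parent["subject"].startswith(VERIFY_SUBJECT):
                bounced.append((rec["parent"], parent["rcpt"], rec["rcpt"]))
    peak = {u: max(hours.values()) for u, hours in per_user_hour.items()}
    return {
        "per_user_hour": {u: dict(h) for u, h in per_user_hour.items()},
        "peak_per_user": peak,
        "noisy_users": {u: n for u, n in peak.items() if n >= per_hour_threshold},
        "challenged_addresses": {u: sorted(a) for u, a in targets.items()},
        "bounced_challenges": bounced,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it on the real file with `triage(open("/var/log/exim_mainlog").read())`. Two points the output makes visible that a plain `grep` does not: `P=local` together with the preceding `cwd=/tmp ... /usr/sbin/sendmail` line means the message was injected by a local process running as that user (BoxTrapper itself, a PHP `mail()` call), not by an authenticated SMTP login, which would show `P=esmtpsa` and an `A=` token; and a non-empty `bounced_challenges` list with a rising challenge count is the backscatter pattern rather than a password compromise. Turning on `log_selector = +all` appends extra tokens to these lines but keeps the `<=` shape, so the parser still applies.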
     