fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
One server sends unwanted emails to many people.

It is a fresh install: WHM 58.0 (build 27)

I have Atomicorp/ASL fully installed. Because ASL doesn't work properly with EasyApache 4, I use EA3 with Apache 2.4 and PHP 5.6. I cannot use mod_ruid2.

On this server, there are two forums (not so busy) with XenForo; there is no CMS. There are 4 websites (written in HTML). Contact forms were checked. Everything is up to date.

So it’s (relatively) easy to check the websites. I didn’t find anything wrong.

During the previous 6 months I had to call cPanel support for many problems, including a DNS problem and, the last time, a license problem (error c/o cPanel).

The mails are sent from [email protected], about 6/h. I blocked the outgoing mails (1/h).

I can transfer to another server, but I didn't find the failure. I read the forum. I'm short of ideas.

Any suggestion will be appreciated.

N.B. The mail accounts of the 4 websites are forwarded to only one.
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
The mails are sent from [email protected], about 6/h. I blocked the outgoing mails (1/h).
Have you checked your server's mail logs for this mail issue? Please log in to your server and find your message ID in the Exim mail logs. Once you find it, try the following command to find the full log entries for that mail.

Code:
grep messages-ID  /var/log/exim_mainlog
 

fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
grep messages-ID /var/log/exim_mainlog
Nothing.

However some websites were transferred to another server.

Unwanted outgoing mails occurred again (not surprising).
By now we know exactly from which accounts.
This website is for educational purposes and has only pages written in html5.php.
The contact form is not suspicious but is now closed.
Probably (not sure) the first suspicious event was
defer warning
Sender User: xxxxxxx
Sender Domain: xxxxxxxxxxxxxxxx
Sender : [email protected]
Sent Time: Sep 5, 2016 4:58:16 PM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 0
Recipient: xxxxxxxxxxxx
Delivered To:
Delivery User:
Delivery Domain:
Router: autoreply_lookuphost
Transport: remote_smtp
Out Time: Sep 5, 2016 4:59:16 PM
ID: 1bgvMR-0000K3-3P
Delivery Host: xxxxxxxxxxxxx
Delivery IP: xxxxxxxxx
Size: 1.72 KB
Result: SMTP error from remote mail server after end of data: 451 4.3.2 Please try again later
Received a spam from xxxxxxxxx and the server started to send spam to this address, and so on.
In 80% of cases there is no relationship.

When we blocked the outgoing mail we can see:

Sender Domain: xxxxxxxxxx
Sender: [email protected]
Sent Time: Sep 10, 2016 7:35:19 PM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 0.2
Recipient: [email protected]
Delivered To:
Delivery User:
Delivery Domain:
Router: enforce_mail_permissions
Transport: remote_smtp
Out Time: Sep 10, 2016 7:35:19 PM
ID: 1bimBT-0003XW-SU
Delivery Host:
Delivery IP:
Size: 2.65 KB
Result: Domain xxxxxx has exceeded the max emails per hour (1/1 (100%)) allowed. Message discarded.
It will take a long time to erase the server and upload everything.
We don't know how it happened.
The best way to get out of this vicious circle?

thks
 

fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
Using exigrep [email protected] /var/log/exim_mainlog I got this:

2016-09-11 16:24:32 1bj5gO-0006el-Pp <= [email protected] U=userxxxxx P=local S=1707 T="Your email requires verification verify#PpjxPCBXKIHM5DdYpasDL-1473603872)" for [email protected]

2016-09-11 16:24:32 1bj5gO-0006el-Pp ** [email protected] R=enforce_mail_permissions: Domain xxxxx has exceeded the max emails per hour (1/1 (100%)) allowed. Message discarded.

2016-09-11 16:24:32 1bj5gO-0006el-Pp Completed


2016-09-11 16:24:32 1bj5gO-0006eq-RU <= <> R=1bj5gO-0006el-Pp U=mailnull P=local S=3138 T="Mail delivery failed: returning message to sender" for [email protected]

2016-09-11 16:24:32 1bj5gO-0006eq-RU => user<[email protected]> R=boxtrapper_localuser T=local_boxtrapper_delivery

2016-09-11 16:24:32 1bj5gO-0006eq-RU Completed


2016-09-11 16:25:00 1bj5gq-0006ft-Jx <= [email protected] U=user P=local S=1794 T="Your email requires verification verify#s8oD_oCSR8xgB_t_8LHRY-1473603900)" for [email protected]

2016-09-11 16:25:00 1bj5gq-0006ft-Jx ** [email protected] R=enforce_mail_permissions: Domain xxxxx has exceeded the max emails per hour (1/1 (100%)) allowed. Message discarded.

2016-09-11 16:25:00 1bj5gq-0006ft-Jx Completed
 

ruzbehraja

Well-Known Member
May 19, 2011
cPanel Access Level
Root Administrator
What is the output of
Code:
cat /var/log/exim_mainlog | grep "username"
where username is the name of the email account used for authentication.

Do you have a log of the unwanted mail which are going out? You have posted a log of the BoxTrapper mails. If you disable BoxTrapper what do you see?

Which PHP Handler are you using? You should be using either mod_ruid2 or suPHP.

Do you have a firewall like CSF installed?
 

fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
What is the output of
Code:
cat /var/log/exim_mainlog | grep "username"
thousands of lines like this:

Code:
2016-09-11 08:05:58 cwd=/tmp 5 args: /usr/sbin/sendmail -t -i -f user

2016-09-11 08:05:58 1bixtu-0000Q4-OQ <= [email protected] U=uder P=local S=1821 T="Your email requires verification verify#qOYP3pQ9GVQhm_R   hDhnEd-1473573958)" for [email protected]

2016-09-11 08:05:58 1bixtu-0000Mg-8X => user <[email protected]> R=boxtrapper_localuser T=local_boxtrapper_delivery

2016-09-11 08:05:58 1bixtu-0000Q9-Q4 <= <> R=1bixtu-0000Q4-OQ U=mailnull P=local S=3247 T="Mail delivery failed: returning message to sender" [email protected]

2016-09-11 08:05:58 1bixtu-0000Q9-Q4 => user <[email protected]> R=boxtrapper_localuser T=local_boxtrapper_delivery

2016-09-11 08:12:01 cwd=/tmp 5 args: /usr/sbin/sendmail -t -i -f xxxxxx

2016-09-11 08:12:01 1bixzl-0000wm-D2 <= [email protected] U=user P=local S=1748 T="Your email requires verification verify#SQQDMqIE8AhNkUO  I9I_y8-1473574321)" [email protected]

2016-09-11 08:12:01 1bixzk-0000te-N3 => xxxx <[email protected]> R=boxtrapper_localuser T=local_boxtrapper_delivery

2016-09-11 08:12:01 1bixzl-0000wr-Eg <= <> R=1bixzl-0000wm-D2 U=mailnull P=local S=3144 T="Mail delivery failed: returning message to sender" for [email protected]
Do you have a log of the unwanted mail which are going out? You have posted a log of the BoxTrapper mails. If you disable BoxTrapper what do you see?
Everything looks like the above.
I'm going to disable BoxTrapper to see what happens.



Which PHP Handler are you using? You should be using either mod_ruid2 or suPHP.
suPHP

Do you have a firewall like CSF installed?
Firewall: asl/modsecurity/scan/kernel fully installed (from Atomicorp)
 

ruzbehraja

Well-Known Member
May 19, 2011
cPanel Access Level
Root Administrator
2016-09-11 08:05:58 1bixtu-0000Q4-OQ <= [email protected] U=uder P=local S=1821 T="Your email requires verification verify#qOYP3pQ9GVQhm_R hDhnEd-1473573958)" for [email protected]
U=Username is the account that seems compromised.

Can you reset the cPanel password and all the email account passwords on that too?

Can you run "maldet" for that account? Most probably some malware. I was having a similar issue with mails being sent out as the nobody user. It turned out to be a compromised cPanel password and WordPress plugins.
 

fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
U=Username is the account that seems compromised.
I agree 100%

Can you reset the cPanel password and all the email account passwords on that too?
Yes. Anyway, SSH access is restricted to two IPs and keys.

Most probably some malware. I was having a similar issue with mails being sent out as the nobody user. It turned out to be a compromised cPanel password and WordPress plugins.
There is no CMS, WordPress, Joomla or whatever.
There are a thousand pages written in HTML5, an include file for the menu, and a contact form (with entries checked, it seems to me) that is off now.
Every password was changed.
The websites were transferred to another server which is protected by the Atomicorp firewall.
How this malware got here bothers me, and what to do?

Can you run "maldet" for that account.
We already did that. Today's log:

Code:
Policy and auditing events for local system 'ns1':

Outstanding events: 2016 Sep 11 14:48:41 (first time detected: 2016 Sep 10 01:02:10) System Audit: Trojaned version of file '/bin/passwd' detected. Signature used: 'bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]' (Generic).

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL6}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL6}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL6} {PCI_DSS: 2.2.4}. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 1.5.3 - GRUB Password not set {CIS: 1.5.3 RHEL6} {PCI_DSS: 2.2.4}. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.3 - Network parameters - ICMP secure redirects accepted {CIS: 4.2.3 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/conf/all/secure_redirects. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.4 - Network parameters - martians not logged {CIS: 4.2.4 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/conf/all/log_martians. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.5 - Network parameters - ICMP broadcasts accepted {CIS: 4.2.5 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.6 - Network parameters - Bad error message protection not enabled {CIS: 4.2.6 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 4.2.7 - Network parameters - RFC Source route validation not enabled {CIS: 4.2.7 RHEL6} {PCI_DSS: 2.2.4}. File: /proc/sys/net/ipv4/conf/all/rp_filter. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL6 - 6.2.8 - SSH Configuration - Root login allowed {CIS: 6.2.8 RHEL6} {PCI_DSS: 4.1}. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - Build considerations - Robust partition scheme - /var is not on its own partition {CIS: 1.1.5 RHEL7}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp {CIS: 1.1.6 RHEL7}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.10 - Partition /home without 'nodev' set {CIS: 1.1.10 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.14 - /dev/shm without 'nodev' set {CIS: 1.1.14 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.15 - /dev/shm without 'nosuid' set {CIS: 1.1.15 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.1.16 - /dev/shm without 'noexec' set {CIS: 1.1.16 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.4.3 - SELinux policy not set to targeted {CIS: 1.4.3 RHEL7} {PCI_DSS: 2.2.4}. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: System Audit: CIS - RHEL7 - 1.6.1 - Randomized Virtua Memory Region Placement not enabled {CIS: 1.6.3 RHEL7}. File: /proc/sys/kernel/randomize_va_space. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL7 - .

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: File '/dev/md/autorebuild.pid' present on /dev. Possible hidden file.

2016 Sep 11 14:48:43 (first time detected: 2016 Sep 10 01:02:12) System Audit: File '/dev/md/md-device-map' present on /dev. Possible hidden file.

2016 Sep 11 14:48:44 (first time detected: 2016 Sep 10 01:02:12) System Audit: File '/etc/mime.types' is owned by root and has written permissions to anyone.
 

ruzbehraja

Well-Known Member
May 19, 2011
cPanel Access Level
Root Administrator
Why are your logs not showing a hostname or IP address?

Can you enable Verbose logging in Exim?

Reading and Understanding the exim main_log

The first thing we need to do is to get a better output from our log. By default, exim is not set to log every piece of information. To do this, we first need to login to your WHM interface and navigate to Home » Service Configuration » Exim Configuration Manager » Advanced Editor. Find the section "log_selector" and replace it with one of the following.

Code:
log_selector = +all
 

fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
Why are your logs not showing a hostname or IP address?
Perhaps I don't want more problems (hackers also read this forum).

Code:
log_selector = +all
Does it give you more information???

Code:
2016-09-11 04:05:06 1biu8o-0001qo-8c <= user [email protected] U=xxxx P=local S=1772 T="Your email requires verification verify#FSqbwfvIPRiLXWkogXzm1-1473559506)" for [email protected]

2016-09-11 04:05:06 1biu8o-0001qo-8c SMTP connection outbound 1473559506 1biu8o-0001qo-8c xxxxxxxx.ch [email protected]

2016-09-11 04:05:11 1biu8o-0001qo-8c => [email protected] R=autoreply_lookuphost T=remote_smtp H=mx.domain.jp [210.130.xxx.xxx] X=TLSv1.2:AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 u8B257uk007189 Message accepted for delivery"

2016-09-11 04:05:11 1biu8o-0001qo-8c Completed


2016-09-11 04:08:07 1biuBj-0001wQ-SG <= [email protected] U=xxxxx P=local S=1837 T="Your email requires verification verify#obdCTnky8vrc_4JxEZkLs-1473559687)" for [email protected]

2016-09-11 04:08:07 1biuBj-0001wQ-SG ** [email protected] R=enforce_mail_permissions: Domain xxxxxx.ch has exceeded the max emails per hour (1/1 (100%)) allowed.  Message discarded.

2016-09-11 04:08:07 1biuBj-0001wQ-SG Completed


2016-09-11 04:08:07 1biuBj-0001wV-Tv <= <> R=1biuBj-0001wQ-SG U=mailnull P=local S=3224 T="Mail delivery failed: returning message to sender" for [email protected]

2016-09-11 04:08:07 1biuBj-0001wV-Tv => user <[email protected]> R=boxtrapper_localuser T=local_boxtrapper_delivery

2016-09-11 04:08:07 1biuBj-0001wV-Tv Completed


2016-09-11 04:19:59 1biuND-0002D7-83 <= [email protected] U=xxxxx P=local S=1798 T="Your email requires verification verify#ZCbCgpc6DnQaB5L2jesKu-1473560399)" for [email protected]

2016-09-11 04:19:59 1biuND-0002D7-83 ** [email protected] R=enforce_mail_permissions: Domain xxxxxxxx.ch has exceeded the max emails per hour (1/1 (100%)) allowed.  Message discarded.

2016-09-11 04:19:59 1biuND-0002D7-83 Completed


2016-09-11 04:19:59 1biuND-0002DC-9s <= <> R=1biuND-0002D7-83 U=mailnull P=local S=3196 T="Mail delivery failed: returning message to sender" for [email protected]

2016-09-11 04:19:59 1biuND-0002DC-9s => xxxxx <[email protected]> R=boxtrapper_localuser T=local_boxtrapper_delivery

2016-09-11 04:19:59 1biuND-0002DC-9s Completed
 

fxs

Active Member
Mar 5, 2014
cPanel Access Level
Root Administrator
BoxTrapper is disabled and the unwanted outgoing mails seem to have stopped.
I didn't find the malware or anything else wrong.
I cannot use the transfer tool from WHM or a backup.
I would like to erase this account, keeping information like statistics, etc., and re-upload to another server.
How can I easily achieve this goal? Is it a bad idea?

thkx
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The BoxTrapper verification emails are sent out when an email account with BoxTrapper enabled receives an email from an unknown sender. Thus, if several emails are sent to that email account, BoxTrapper is going to reply to them all to request verification. You may want to enable additional Spam filtering options (e.g. RBL blocking) to prevent these messages from coming through:

Exim Configuration Manager - Basic Editor - Documentation - cPanel Documentation

Thank you.
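For the backscatter pattern cPanelMichael describes, here is an added triage script (not from the thread, cPanel, or BoxTrapper) that parses lines in the exim_mainlog format shown above: it counts BoxTrapper challenge replies per local user per hour, how many were discarded by enforce_mail_permissions, how many left the server via remote_smtp, and how many bounced back into BoxTrapper via boxtrapper_localuser. The sample log, its addresses, hosts and message ids are constructed.

```python
import re
from collections import Counter

# Subject BoxTrapper puts on its challenge replies (as seen in the thread's logs).
VERIFY_SUBJECT = "Your email requires verification"
ARRIVAL = re.compile(r'^(\S+ \S+) (\S+) <= (\S+) .*?U=(\S+) .*?T="([^"]*)"')
DISCARD = re.compile(r'^\S+ \S+ (\S+) \*\* \S+ R=enforce_mail_permissions:')
REMOTE = re.compile(r'^\S+ \S+ (\S+) => \S+ R=\S+ T=remote_smtp ')
BOUNCE = re.compile(r'^\S+ \S+ (\S+) <= <> R=(\S+) U=mailnull ')
BOXTRAP = re.compile(r'^\S+ \S+ (\S+) => .* R=boxtrapper_localuser ')

# Constructed sample in the shape of the thread's exim_mainlog excerpts
# (placeholder addresses, hosts and ids; not real data).
SAMPLE_LOG = """\
2016-09-11 04:05:06 1biu8o-0001qo-8c <= user@example.ch U=user P=local S=1772 T="Your email requires verification verify#AAAA-1473559506)" for stranger1@example.jp
2016-09-11 04:05:11 1biu8o-0001qo-8c => stranger1@example.jp R=autoreply_lookuphost T=remote_smtp H=mx.example.jp [203.0.113.7] C="250 2.0.0 Message accepted for delivery"
2016-09-11 04:08:07 1biuBj-0001wQ-SG <= user@example.ch U=user P=local S=1837 T="Your email requires verification verify#BBBB-1473559687)" for stranger2@example.net
2016-09-11 04:08:07 1biuBj-0001wQ-SG ** stranger2@example.net R=enforce_mail_permissions: Domain example.ch has exceeded the max emails per hour (1/1 (100%)) allowed.  Message discarded.
2016-09-11 04:08:07 1biuBj-0001wV-Tv <= <> R=1biuBj-0001wQ-SG U=mailnull P=local S=3224 T="Mail delivery failed: returning message to sender" for user@example.ch
2016-09-11 04:08:07 1biuBj-0001wV-Tv => user <user@example.ch> R=boxtrapper_localuser T=local_boxtrapper_delivery
2016-09-11 04:19:59 1biuND-0002D7-83 <= user@example.ch U=user P=local S=1798 T="Your email requires verification verify#CCCC-1473560399)" for stranger3@example.org
2016-09-11 04:19:59 1biuND-0002D7-83 ** stranger3@example.org R=enforce_mail_permissions: Domain example.ch has exceeded the max emails per hour (1/1 (100%)) allowed.  Message discarded.
2016-09-11 05:02:00 1bivvv-0002ZZ-01 <= alice@example.ch U=alice P=local S=900 T="Meeting notes" for bob@example.org
2016-09-11 05:02:01 1bivvv-0002ZZ-01 => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9] C="250 ok"
"""

def triage(log_text, per_hour_limit=3):
    """Summarise BoxTrapper challenge traffic; flag users at or over per_hour_limit/hour."""
    verifications = {}       # message id -> local user (U=) that sent the challenge
    per_user_hour = Counter()
    bounces = {}             # bounce id -> id of the discarded challenge it bounces
    discarded = delivered = loops = 0
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m and VERIFY_SUBJECT in m.group(5):
            ts, mid, _sender, user, _subject = m.groups()
            verifications[mid] = user
            per_user_hour[(user, ts[:13])] += 1   # key on "YYYY-MM-DD HH"
            continue
        m = DISCARD.match(line)
        if m and m.group(1) in verifications:
            discarded += 1                        # hourly limit hit (** line)
            continue
        m = REMOTE.match(line)
        if m and m.group(1) in verifications:
            delivered += 1                        # challenge actually left the server
            continue
        m = BOUNCE.match(line)
        if m and m.group(2) in verifications:
            bounces[m.group(1)] = m.group(2)      # bounce generated for a discarded challenge
            continue
        m = BOXTRAP.match(line)
        if m and m.group(1) in bounces:
            loops += 1                            # bounce fed straight back into BoxTrapper
    suspects = sorted({u for (u, _h), n in per_user_hour.items() if n >= per_hour_limit})
    return {"verification_by_user": dict(Counter(verifications.values())),
            "discarded": discarded, "delivered_remote": delivered,
            "boxtrapper_loops": loops, "suspects": suspects}
```

Run it over the real file with `triage(open("/var/log/exim_mainlog").read())`; a user listed in `suspects` with a high `boxtrapper_loops` count is the account whose BoxTrapper is generating the traffic, which is where disabling BoxTrapper or enabling stricter inbound spam filtering stops the loop.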