sylar2013

Registered
Mar 29, 2013
1
0
1
cPanel Access Level
Root Administrator
Hello Everyone.. I'm new to the forum.. hope I can get some help here.

I checked my cloud server today and discovered a massive spam/security issue. I'm currently running Cpanel WHM 11.360(Build 18).

1. The problem: thousands and thousands of outgoing spam emails from my domain.
2. All outgoing emails are from fictitious senders from my domain..
Example: [email protected], [email protected], [email protected] (there are more then i can count!)
3. None of the above email accounts are email accounts that i setup. They are all made up!
4. All Emails are being since from the cpanel username(the admin account).

I viewed one of the emails in the mail que manager then i clicked on Show Control Data and here's what it revealed:

admin90 502 500
<[email protected]>
1364589255 0
-ident admin90
-received_protocol local
-body_linecount 7
-max_received_linelength 294
-auth_id admin90
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
-sender_set_untrusted
XX
1

-------------------------------------------

It appears all these spam emails are being sent with the admin account.

I changed the admin password.. then I deleted all emails that were in the Mail Que but more keep going out. I can't stop it!

How do I fix this? Any help would be greatly appreciated.
 

arunsv84

Well-Known Member
Oct 20, 2008
373
1
68
127.0.0.1
cPanel Access Level
Root Administrator
You need to enable detailed logging in exim config file. It seems some script is sending emails. Once detailed logging is enabled, use the following command to trace the exact location of script.

grep cwd=/home /var/log/exim_mainlog
Detailed steps are available at the following url.

/http://linuxadministrator.pro/blog/?p=139
Tracing a Spammer in Exim | .:Welcome to Linux Administrator.Pro:. | .:Welcome to Linux Administrator.Pro:.

Thanks!
 

bluepine

Active Member
Dec 17, 2001
37
0
306
I am having the same issue as well, it started 3/4 days ago. As far as I can tell it's not connected to any script, sending out email (also because they seem to generate from a high amount of different domains on the same server, all belonging to different customers).