Need a way to reset an email password from Command Line

jetnet

Jun 30, 2004
First, I have already dug around the forums, and I am unable to find the answer to this question. Second, I have looked through the /scripts/ folder for a solution, and I am still unable to find what I need. Which is what brings me here.

I will try to make this as quick and to the point as possible:

I have been hosting cPanel-based servers for some number of years. Throughout the years, script kiddies and administrators have been having this "back and forth" game of chase. They win a few, we fix the hole. They find a new one, we respond. Most of the time all the different protections have kept the little turds at bay; but lately, they have been getting the best of my servers by somehow getting a hold of a user's email address and password. I can only assume by means of virus or something on their local computer. Either way, they are sending out SPAM authenticated as that user. The problem isn't tracking down the SPAMMER, that is easy. It's not figuring out what user account has been compromised. That is easy too.

I have a script that every hour looks through the exim log file, finds all email that has been sent through the server, and based on a scoring system that looks at number of emails the user has sent, number of IP addresses the user has sent email from, geographical location of each IP address the user has used to send mail from, and subject that the user is sending, can accurately tell me when an account has been compromised. Once it has that information, it will create a ticket in my ticketing system, and my support people will disable that account, or reset the password to that email address.

If there was a way that I could reset the email address password from the command line, I could completely automate my email sentry system. Script runs, finds offending turds, bans their IP addresses, resets their passwords, and opens a ticket in my ticketing system letting me know what it has done. Shaving off 5 hours from these SPAMMERS' free rein on my server would be AWESOME.

I also have the same type of system set up for FTP users. I have seen too many sites get their username and password stolen, only to have their account used for a file repo, virus repository, or scamming station.

Any help would be great.
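
The hourly scoring pass described in the post, sketched as an added example (not the poster's script): it counts messages, distinct source IPs and repeated subjects per authenticated sender from Exim arrival lines. The thresholds, weights and sample log lines are assumptions constructed for illustration, and the geographic factor is left out because it needs a GeoIP database.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: Exim main-log arrival ("<=") and delivery ("=>") lines.
SAMPLE_LOG = """\
2024-05-01 10:00:01 1sAAAA-0000aa-01 <= alice@example.com H=(pc) [198.51.100.7]:50111 P=esmtpsa A=dovecot_login:alice@example.com S=2100 T="Lunch?" for bob@example.org
2024-05-01 10:00:02 1sAAAA-0000aa-01 => bob@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.25]
2024-05-01 10:20:09 1sAAAB-0000ab-02 <= alice@example.com H=(pc) [198.51.100.7]:50140 P=esmtpsa A=dovecot_login:alice@example.com S=1800 T="Invoice 12" for carol@example.org
2024-05-01 10:30:00 1sAAAC-0000ac-03 <= bob@example.com H=(x) [203.0.113.10]:40001 P=esmtpsa A=dovecot_login:bob@example.com S=900 T="You won" for a@example.net
2024-05-01 10:30:05 1sAAAD-0000ad-04 <= bob@example.com H=(x) [203.0.113.77]:40002 P=esmtpsa A=dovecot_login:bob@example.com S=900 T="You won" for b@example.net
2024-05-01 10:30:09 1sAAAE-0000ae-05 <= bob@example.com H=(x) [192.0.2.200]:40003 P=esmtpsa A=dovecot_login:bob@example.com S=900 T="You won" for c@example.net
2024-05-01 10:30:12 1sAAAF-0000af-06 <= bob@example.com H=(x) [203.0.113.10]:40004 P=esmtpsa A=dovecot_login:bob@example.com S=900 T="You won" for d@example.net
"""

MAX_MSGS, MAX_IPS, FLAG_AT = 3, 2, 3  # assumed thresholds, tune per server

def parse_arrival(line):
    """Return (auth_user, ip, subject) for an authenticated arrival, else None."""
    if " <= " not in line:
        return None
    auth = re.search(r'\bA=\w+:(\S+)', line)
    # The lookahead skips a bracketed HELO literal such as H=([10.0.0.5]).
    ip = re.search(r'\[([0-9A-Fa-f:.]+)\](?=:\d|\s|$)', line)
    if not (auth and ip):
        return None
    subj = re.search(r'\bT="((?:[^"\\]|\\.)*)"', line)  # present only if subjects are logged
    return auth.group(1), ip.group(1), subj.group(1) if subj else ""

def score_senders(log_text):
    """Score each authenticated sender; higher means more likely compromised."""
    ips, subjects = defaultdict(set), defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec:
            user, ip, subject = rec
            ips[user].add(ip)
            subjects[user][subject] += 1
    scores = {}
    for user, counts in subjects.items():
        total = sum(counts.values())
        top = counts.most_common(1)[0][1]
        score = 2 * (total > MAX_MSGS) + 2 * (len(ips[user]) > MAX_IPS)
        score += 1 if total >= 3 and top / total >= 0.8 else 0  # one subject repeated
        scores[user] = score
    return scores

def flagged(log_text):
    return sorted(u for u, s in score_senders(log_text).items() if s >= FLAG_AT)
```

On the constructed sample, `flagged(SAMPLE_LOG)` returns only `bob@example.com`, which sent four identical-subject messages from three addresses.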