The Community Forums


Need Help Finding Email Virus

Discussion in 'E-mail Discussions' started by Worsin, Mar 27, 2012.

  1. Worsin

    Worsin Member

    Joined:
    Jan 16, 2008
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Salt Lake City, Utah
    I have been told by this link that I have an email virus.

    CBL Lookup for 205.204.32.194

    I am having trouble locating the account that this originated on.

    Can someone please instruct me on how to locate the problem account?

    I have like 80 of them on this server.
     
  2. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Have you tried following these directions?

    Code:
    Check your FTP logs to find uploads of Darkmailer scripts. Forward to us a copy of the FTP log records that you find. These logs will often be in /var/log/messages, but this depends on your system configuration.
    Identify, kill and remove all Darkmailer scripts currently on the web server. NOTE: Many Darkmailer operators cause the Darkmailer scripts to be removed either after they're used, or even during their use. If you cannot find the scripts, this does NOT mean that the CBL is in error in this listing NOR does it mean that you are not presently vulnerable to another Darkmailer infection.
    Change the passwords of every userid identified as performing FTP uploads, and warn these users that their passwords had been compromised by a keylogger infection. They need to run anti-virus software on their computers.
    NEW WARNING: we're getting indications that once initially compromised by FTP, the attackers are uploading alternate file transfer programs that do not rely on the user's password. See below under "r57shell"
    Implement port 25 blocking so that only your mail server software userid can make outbound port 25 connections from this machine.
    It says you're not listed anymore as of 6 hours ago.

    Take a look at this post
    http://forums.cpanel.net/f43/help-tracking-spammer-221692.html
     
  3. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Do you see any mails in the mail queue?

    You can see which username they are using to send out the mail.
    Open the mail and search for a line that says:
    auth-

    Do you have the WHM Tweak to:
    Once you identify the account, suspend it and take further action.

    Also, set the hourly email limit per domain to something like 200 or 300 in WHM Tweak Settings.

    Also check your exim logs through SSH:
     
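The advice above (check the mail queue and the exim logs for which account each message was accepted from) can be done in bulk. This is an added example, not code from the thread or from cPanel: it assumes the standard Exim mainlog "<=" accept lines, where SMTP AUTH submissions carry "A=<authenticator>:<login>" and mail handed in locally by a script carries "U=<system user>"; the log lines and identities below are constructed.

```shell
#!/bin/sh
# Added example: summarise which account each accepted (<=) message in an
# Exim mainlog came from, so a single spamming account stands out.
# Assumption (not from the thread): A=<authenticator>:<login> marks SMTP AUTH,
# U=<user> marks local submission (e.g. a PHP script calling sendmail).

# Constructed sample Exim mainlog lines; hosts, IDs and addresses are made up.
SAMPLE_LOG='2012-03-27 10:15:02 1SCaaa-0001Xy-Aa <= bob@example.net H=(mail.example.net) [192.0.2.10] P=esmtpa A=dovecot_login:bob@example.net S=1234 for alice@example.org
2012-03-27 10:15:03 1SCaab-0001Xy-Ab <= spamuser@example.com U=spamuser P=local S=2048 for v1@example.org
2012-03-27 10:15:03 1SCaac-0001Xy-Ac <= spamuser@example.com U=spamuser P=local S=2048 for v2@example.org
2012-03-27 10:15:04 1SCaad-0001Xy-Ad <= spamuser@example.com U=spamuser P=local S=2048 for v3@example.org
2012-03-27 10:15:05 1SCaae-0001Xy-Ae => alice@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.20]
2012-03-27 10:15:06 1SCaaf-0001Xy-Af <= carol@example.net H=(pc) [198.51.100.7] P=esmtpsa A=fixed_plain:carol@example.net S=900 for dave@example.org'

# Read a mainlog on stdin; print "count identity", busiest identity first.
# Only "<=" (message accepted) lines are counted; deliveries (=>) are skipped.
sender_counts() {
    awk '
        $4 == "<=" {
            who = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^A=/) {                 # SMTP AUTH: keep the login only
                    who = substr($i, 3)
                    sub(/^[^:]*:/, "", who)
                } else if ($i ~ /^U=/ && who == "") {
                    who = substr($i, 3)           # local system user (script mail)
                }
            }
            if (who == "") who = "unauthenticated"
            count[who]++
        }
        END { for (w in count) print count[w], w }
    ' | sort -rn
}

# Identity with the most accepted messages: the account to inspect first.
top_sender() {
    sender_counts | head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | sender_counts
```

On a live server replace the sample with `sender_counts < /var/log/exim_mainlog`; a cwd= line near a "U=" entry in the same log usually names the directory the sending script ran from.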
  4. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    You can also go to WHM >> View sent summary >> check which domain is sending out the maximum mail.

    Also, a new feature in WHM Tweak Settings can be used:
    Set this to about 20%
     
  5. ruzbehraja

    ruzbehraja Well-Known Member

    Joined:
    May 19, 2011
    Messages:
    383
    Likes Received:
    7
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Duplicate Post.
     
    #5 ruzbehraja, Mar 28, 2012
    Last edited: Mar 28, 2012