Need help to stop outgoing email SPAM!

Apr 30, 2012
7
0
51
cPanel Access Level
Root Administrator
I've had this problem for about 2 weeks. I found a suspicious login and changed the root password, and now SSH access is via a public/private key pair.

About header of a spam message see here:

exim -Mvh 1SQGKw-0005oh-5p
1SQGKw-0005oh-5p-H
root 0 0
<[email protected]>
1336129570 0
-ident root
-received_protocol local
-body_linecount 371
-max_received_linelength 117
-auth_id root
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]

186P Received: from root by server.oratelecom.pt with local (Exim 4.77)
(envelope-from <[email protected]>)
id 1SQGKw-0005oh-5p
for [email protected]; Fri, 04 May 2012 12:06:10 +0100
056F From: Charlotte Bryd <[email protected]>
019T To: [email protected]
059 Subject: Charlotte Bryd ADDED YOU to her Private Wish List
018 MIME-Version: 1.0
080 Content-Type: multipart/related;
boundary="=_67d22543a73e6e3b2a6fa86e0895fddd"
053I Message-Id: <[email protected]>
038 Date: Fri, 04 May 2012 12:06:10 +0100
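The `-H` spool header above is what tells you how the message entered Exim: `-received_protocol local` means it was handed to the local sendmail binary rather than arriving over SMTP, the second line (`root 0 0`) is the login name, uid and gid of the process that called Exim, and `-ident root` / `-auth_id root` confirm that the caller was root. As an added example (not from this thread or from cPanel), the POSIX shell script below parses a header of that shape and classifies the submission; the two headers embedded in it are constructed samples with placeholder addresses, the first shaped like the one quoted in the post.

```shell
#!/bin/sh
# Added example: classify how a queued message entered Exim from the -H spool
# header that `exim -Mvh <queue-id>` prints. Both headers below are constructed
# samples with placeholder addresses, not real spool files.

# Constructed: local submission by a root process via /usr/sbin/sendmail.
ROOT_LOCAL_HEADER='1SQGKw-0005oh-5p-H
root 0 0
<spammer@example.invalid>
1336129570 0
-ident root
-received_protocol local
-body_linecount 371
-max_received_linelength 117
-auth_id root
-auth_sender spammer@example.invalid
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
victim@example.invalid'

# Constructed: message accepted over authenticated SMTP from a mail client.
SMTP_AUTH_HEADER='1TKjnf-0007S7-A7-H
mailnull 47 12
<user1@example.invalid>
1349589195 0
-received_protocol esmtpa
-body_linecount 27
-max_received_linelength 79
-auth_id user1@example.invalid
-host_address 192.0.2.10.4321
XX
1
someone@example.invalid'

# spool_caller HEADER: login, uid and gid of the process that called Exim (spool line 2).
spool_caller() {
    printf '%s\n' "$1" | sed -n '2p'
}

# spool_field HEADER NAME: value of the "-NAME value" line, empty if absent.
spool_field() {
    printf '%s\n' "$1" | awk -v key="-$2" '$1 == key { print $2; exit }'
}

# classify_submission HEADER: one token describing where the message came from.
#   LOCAL-ROOT        handed to sendmail by a root process (what the thread's header shows)
#   LOCAL-USER:<name> handed to sendmail by an unprivileged account (typical of a PHP script)
#   REMOTE:<proto>    accepted over the network (smtp, esmtp, esmtpa, ...)
classify_submission() {
    proto=$(spool_field "$1" received_protocol)
    ident=$(spool_field "$1" ident)
    case "$proto" in
        local)
            if [ "$ident" = "root" ]; then
                echo "LOCAL-ROOT"
            else
                echo "LOCAL-USER:$ident"
            fi
            ;;
        *)
            echo "REMOTE:$proto"
            ;;
    esac
}

# Stand-alone run: report both samples.
for h in "$ROOT_LOCAL_HEADER" "$SMTP_AUTH_HEADER"; do
    echo "caller: $(spool_caller "$h")  auth_id: $(spool_field "$h" auth_id)  class: $(classify_submission "$h")"
done
```

On a live server, capture `exim -Mvh "$id"` into a variable and pass it to `classify_submission`. The header quoted in the post comes out as LOCAL-ROOT, which is why the reply that follows treats it as a root compromise rather than a hijacked hosting account; a LOCAL-USER result instead points at a script in that account's web space.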
 

ruzbehraja

Well-Known Member
May 19, 2011
392
11
68
cPanel Access Level
Root Administrator
Your root login seems to have been compromised.

I would strongly recommend you allow a security expert to take a look at the earliest.

You may also want to open a cpanel support ticket.

You may want to stop exim till you have resolved the issue.

Also, did you go to SSH and type in

last -n 20
That should give some clues.
 

yanayun

Member
May 14, 2005
23
0
151
I have a server that sent spam email, but the logs can't be found in /var/log/exim_mainlog.
Our datacenter keeps reporting a lot of spam from our server.
Please help....


Code:
Received: from mailserver.localhost.com (server.serverxxxxxx.com [67.xxx.xxx.xxx])
by mtain-dd03.r1000.mx.aol.com (Internet Inbound) with ESMTP id 81E8F38000082
for <[email protected]>; Thu, 27 Sep 2012 23:45:39 -0400 (EDT)
Received: by mailserver.localhost.com (PowerMTA(TM) v3.5r16) id hckem80mnfg7 for <[email protected]>; Fri, 28 Sep 2012 07:45:05 +0400 (envelope-from <[email protected]>)
From: Eleanor Burgin <[email protected]>
To: [email protected]
Subject: Eleanor Burgin SENT YOU A FRIEND REQUEST
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_822c18d796aa27f13b60b361143309c8"
x-aol-global-disposition: S
X-AOL-VSS-INFO: 5400.1158/84282
X-AOL-VSS-CODE: clean
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d408f50651d636ad8
X-AOL-IP: 67.228.235.51
X-AOL-SPF: domain : eleanor-burgin.us SPF : none

(multipart/related)
(multipart/alternative)
MIME element (text/plain)
Message from Eleanor Burgin:

Hi dear, mind me adding you to friends? ;)

Here is my chatbox: - link removed -

yanayun

Member
May 14, 2005
23
0
151
This should solve your problems.

Go to the mail queue and check which id is sending them out.

Copy paste the log for any mail here.
Our server used this article, "How to: Prevent Email Abuse".

The spam email is not found in the mail logs in /var/log/exim_mainlog.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
41
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello yanayun,

Is the email still in the mail queue that was reported as spam? If it is in WHM > Mail Queue Manager, can we have the full headers listed in that email from the mail queue manager?

Thanks!
 

william9pm

Registered
Mar 19, 2009
1
0
51
Hi,

My email server also encountered the same issue. Can someone tell me how to resolve this?


Code:
1TKjnf-0007S7-A7-H
mailnull 47 12
<>
1349589195 0
-ident mailnull
-received_protocol local
-body_linecount 27
-max_received_linelength 379
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1349589196
-localerror
XX
1
v[email protected]

159P Received: from mailnull by bh.nefusion.com with local (Exim 4.80)
id 1TKjnf-0007S7-A7
for [email protected]; Sun, 07 Oct 2012 13:53:15 +0800
040 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
059F From: Mail Delivery System <[email protected]>
038T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
048I Message-Id: <[email protected]>
038 Date: Sun, 07 Oct 2012 13:53:15 +0800
 

dr00t

Member
Dec 13, 2007
8
0
51
I want to add something to this thread...

I have just finished spending a considerable amount of time working through each of your suggestions, but after no luck, I decided to log in and review the account in question's files.

Then, it all became clear to me.... I believe this might be a supplemental resolution for others who have had issues but not an actual root compromise.

Here goes....

1. In my example here, my customer was running a Wordpress website on his account. This account had been sending a ton of spammy email for a very long time and so I finally addressed it here.

2. After trying everything from your threads with no luck, I decided to log into their account via FTP and literally take a look at some of the PHP files used by Wordpress. First, I checked the main /public_html directory files, but they didn't appear to have any changes to their structure...

3. So, here is where it gets tricky. If you browse via FTP to the actual WORDPRESS THEME files for the active theme, you will come across another actual index.php file. Open that file and see if it contains any odd or malicious code. In my example, I noticed that some weird script was running at the load of each page. The injection applied to almost every single file in their theme's folder... so you must go through each of them and remove the malicious code before you can ensure you have rid the account of this mess. I have attached a screenshot of the code highlighted which is calling a bot / script that is somehow manipulating the mail accounts on this account - even though they do not use their server based mail at all and are entirely routing through Google apps mail.

Hopefully this helps someone who tried the previous steps like I did, with no luck. It's a tricky one, and ya gotta think outside the normal sys admin box to catch these scum.

It's also worth noting that some Wordpress themes that are applied to sites have been infected from the start, so this likely did not even have any bearing on your server whatsoever... it was the theme files that needed cleaning up.

Here is a link to a better quality / higher resolution screenshot on Droplr: /http://d.pr/i/6kef

php-wordpress-injection.jpg
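One way to do the sweep this post describes, as an added example that is not dr00t's own code or anything from WordPress: a POSIX shell script that walks a theme directory and lists the PHP files carrying the usual obfuscated-execution markers (eval or assert wrapped around base64_decode, gzinflate, gzuncompress or str_rot13), plus the files changed in the last N days, which is often the quickest way to find the rest of a mass injection. The theme directory and file contents it creates under mktemp are constructed for the demo; the base64 string in the "infected" file decodes to a harmless `echo "hello";`.

```shell
#!/bin/sh
# Added example: find theme PHP files that carry injected, obfuscated code.
# Everything under $DEMO_THEME is constructed for the demo, not a real theme.

# Markers of obfuscated execution commonly seen in injected PHP.
INJECTION_RE='(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('

# find_injected_php THEME_DIR: paths of .php files matching INJECTION_RE, sorted.
find_injected_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$INJECTION_RE" '{}' + | sort
}

# show_injected_lines THEME_DIR: the offending lines as file:line:text.
show_injected_lines() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$INJECTION_RE" '{}' +
}

# recently_changed_php THEME_DIR DAYS: .php files modified in the last DAYS days.
# Compare this list against when the theme was last legitimately updated.
recently_changed_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# --- constructed demo tree ---------------------------------------------------
DEMO_THEME=$(mktemp -d)
mkdir -p "$DEMO_THEME/inc"

# A clean theme entry point.
cat > "$DEMO_THEME/index.php" <<'EOF'
<?php
// Constructed clean file.
get_header();
get_footer();
EOF

# A file with an injected first line; the payload decodes to: echo "hello";
cat > "$DEMO_THEME/inc/header.php" <<'EOF'
<?php eval(base64_decode('ZWNobyAiaGVsbG8iOw==')); ?>
<?php
// Constructed original theme code follows.
wp_head();
EOF

# Stand-alone run.
echo "injected files:"
find_injected_php "$DEMO_THEME"
echo "offending lines:"
show_injected_lines "$DEMO_THEME"
echo "changed in the last day:"
recently_changed_php "$DEMO_THEME" 1
```

Run it against a real theme as `find_injected_php /home/<account>/public_html/wp-content/themes/<theme>`; a clean copy of the same theme from its original source is the reference to diff against, since an injection that rewrites almost every file (as in this post) will make the recently-changed list nearly identical to the full file list.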

Tarfiel

Member
Dec 28, 2013
5
0
1
cPanel Access Level
Website Owner
Gaaah. How would I be able to tell what process keeps sending the spam? I need to figure out and kill the process that keeps adding these emails to my queue.
 

Tarfiel

Member
Dec 28, 2013
5
0
1
cPanel Access Level
Website Owner
One question left. Now that they keep trying to log in, I'm getting the 'blocked IP' messages at a rate of 22 per minute due to their unsuccessful logins. Does anybody have any idea how I can just kill those?
 

24x7server

Well-Known Member
Apr 17, 2013
1,911
98
78
India
cPanel Access Level
Root Administrator
Hello,

Try to find out which user is sending the mails through scripts. You can find out with the following command:

grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c


Also, the following document is helpful for preventing email abuse:

cPanel - Prevent Email Abuse


Thank you.
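To see what the command above actually produces, here is an added example (not 24x7server's or cPanel's code) that runs the same cwd tally as a shell function over a handful of constructed exim_mainlog lines, and additionally rolls the per-directory counts up to the cPanel account name, which is what you need in order to suspend or clean the account. On a live server point it at /var/log/exim_mainlog instead of the temporary file.

```shell
#!/bin/sh
# Added example: rank script-originated mail by working directory and by cPanel
# account, from the cwd= lines Exim writes when a script calls /usr/sbin/sendmail.
# The log lines below are constructed, not real traffic.

SAMPLE_LOG='2013-12-28 10:01:02 cwd=/home/user1/public_html/wp-content/themes/twentyten 3 args: /usr/sbin/sendmail -t -i
2013-12-28 10:01:03 cwd=/home/user1/public_html/wp-content/themes/twentyten 3 args: /usr/sbin/sendmail -t -i
2013-12-28 10:01:05 cwd=/home/user2/public_html 4 args: /usr/sbin/sendmail -t -i -fuser2@example.invalid
2013-12-28 10:01:07 cwd=/root 3 args: /usr/sbin/sendmail -t -i
2013-12-28 10:01:09 cwd=/home/user1/public_html/wp-content/themes/twentyten 3 args: /usr/sbin/sendmail -t -i
2013-12-28 10:01:10 1Vx7Fk-0001Yz-3a <= user2@example.invalid U=user2 P=local S=1234'

# calls_per_dir LOGFILE: "count directory" for every public_html working dir, busiest first.
# Same idea as: grep cwd LOG | awk '/public_html/ {print $3}' | sort | uniq -c
calls_per_dir() {
    grep 'cwd=' "$1" | awk '/public_html/ { sub(/^cwd=/, "", $3); print $3 }' | sort | uniq -c | sort -rn
}

# calls_per_account LOGFILE: roll the same calls up to the /home/<account> owner.
calls_per_account() {
    grep 'cwd=/home/' "$1" | awk '{ split($3, p, "/"); print p[3] }' | sort | uniq -c | sort -rn
}

# top_account LOGFILE: just the account name with the most script-originated calls.
top_account() {
    calls_per_account "$1" | head -n 1 | awk '{ print $2 }'
}

# Write the constructed sample to a temporary file so the functions take a path.
TMP_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$TMP_LOG"

echo "calls per directory:"; calls_per_dir "$TMP_LOG"
echo "calls per account:";   calls_per_account "$TMP_LOG"
echo "top account: $(top_account "$TMP_LOG")"
```

Only mail handed to sendmail by a script produces a cwd= line, so this tally misses mail injected over authenticated SMTP; for that, count the `U=` and `A=` fields on the log's `<=` lines instead.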
 

DamienGilson

Registered
Sep 19, 2014
1
0
1
Amanzimtoti, KwaZulu-Natal, South Africa
cPanel Access Level
Reseller Owner
Hi, I know this is a long-ago quote, but what I found when this happened to me was that I set max emails to 150 per hour, and I also found the user who was sending out spam and blocked his email account.
I then went to MXtoolbox and removed my IP from all the blacklists.
I found that a client's PC had no antivirus on it whatsoever and had had its email box hacked, using scripts to send out 6000 emails an hour
of porn spam.