go to SSH and type in
check for any suspicious IP which is not yours.
Change the root password.
Check your mail queue to see what type of mails are going out.
What are the headers saying? Can you copy-paste the headers here?
I'm with this problem about a 2 weeks, so I found a login suspicious and change the root password and the now ssh access it's via public/private keys pair.
About header of a spam message see here:
exim -Mvh 1SQGKw-0005oh-5p
1SQGKw-0005oh-5p-H
root 0 0
<[email protected]>
1336129570 0
-ident root
-received_protocol local
-body_linecount 371
-max_received_linelength 117
-auth_id root
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]
186P Received: from root by server.oratelecom.pt with local (Exim 4.77)
(envelope-from <[email protected]>)
id 1SQGKw-0005oh-5p
for [email protected]; Fri, 04 May 2012 12:06:10 +0100
056F From: Charlotte Bryd <[email protected]>
019T To: [email protected]
059 Subject: Charlotte Bryd ADDED YOU to her Private Wish List
018 MIME-Version: 1.0
080 Content-Type: multipart/related;
boundary="=_67d22543a73e6e3b2a6fa86e0895fddd"
053I Message-Id: <[email protected]>
038 Date: Fri, 04 May 2012 12:06:10 +0100
About header of a spam message see here:
exim -Mvh 1SQGKw-0005oh-5p
1SQGKw-0005oh-5p-H
root 0 0
<[email protected]>
1336129570 0
-ident root
-received_protocol local
-body_linecount 371
-max_received_linelength 117
-auth_id root
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
[email protected]
186P Received: from root by server.oratelecom.pt with local (Exim 4.77)
(envelope-from <[email protected]>)
id 1SQGKw-0005oh-5p
for [email protected]; Fri, 04 May 2012 12:06:10 +0100
056F From: Charlotte Bryd <[email protected]>
019T To: [email protected]
059 Subject: Charlotte Bryd ADDED YOU to her Private Wish List
018 MIME-Version: 1.0
080 Content-Type: multipart/related;
boundary="=_67d22543a73e6e3b2a6fa86e0895fddd"
053I Message-Id: <[email protected]>
038 Date: Fri, 04 May 2012 12:06:10 +0100
Your root login seems to have been compromised.
I would strongly recommend you allow a security expert to take a look at the earliest.
You may also want to open a cpanel support ticket.
You may want to stop exim till you have resolved the issue.
Also, did you go to SSH and type in
That should give some clues.
i have some server sent spam email, logs can't found in /var/log/exim_mainlog
our datacenter always report many spam from our server.
Please help....
our datacenter always report many spam from our server.
Please help....
Code:
Received: from mailserver.localhost.com (server.serverxxxxxx.com [67.xxx.xxx.xxx])
by mtain-dd03.r1000.mx.aol.com (Internet Inbound) with ESMTP id 81E8F38000082
for <[email protected]>; Thu, 27 Sep 2012 23:45:39 -0400 (EDT)
Received: by mailserver.localhost.com (PowerMTA(TM) v3.5r16) id hckem80mnfg7 for <[email protected]>; Fri, 28 Sep 2012 07:45:05 +0400 (envelope-from <[email protected]>)
From: Eleanor Burgin <[email protected]>
To: [email][email protected][/email]
Subject: Eleanor Burgin SENT YOU A FRIEND REQUEST
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_822c18d796aa27f13b60b361143309c8"
x-aol-global-disposition: S
X-AOL-VSS-INFO: 5400.1158/84282
X-AOL-VSS-CODE: clean
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1d408f50651d636ad8
X-AOL-IP: 67.228.235.51
X-AOL-SPF: domain : eleanor-burgin.us SPF : none
(multipart/related)
(multipart/alternative)
MIME element (text/plain)
Message from Eleanor Burgin:
Hi dear, mind me adding you to friends? ;)
Here is my chatbox: - link removed -
Last edited by a moderator:
This should solve your problems.
Go to the mail queue and check which id is sending them out.
Copy paste the log for any mail here.
Our server was use this article "How to: Prevent Email Abuse"
email spam not found in logs mail /var/log/exim_mainlog
Hello yanayun,
Is the email still in the mail queue that was reported as spam? If it is in WHM > Mail Queue Manager, can we have the full headers listed in that email from the mail queue manager?
Thanks!
Is the email still in the mail queue that was reported as spam? If it is in WHM > Mail Queue Manager, can we have the full headers listed in that email from the mail queue manager?
Thanks!
Hi,
My email server also encountered the same issue. Can someone able to tell me how to resolve this?
My email server also encountered the same issue. Can someone able to tell me how to resolve this?
Code:
1TKjnf-0007S7-A7-H
mailnull 47 12
<>
1349589195 0
-ident mailnull
-received_protocol local
-body_linecount 27
-max_received_linelength 379
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1349589196
-localerror
XX
1
v[email protected]
159P Received: from mailnull by bh.nefusion.com with local (Exim 4.80)
id 1TKjnf-0007S7-A7
for [email protected]; Sun, 07 Oct 2012 13:53:15 +0800
040 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
059F From: Mail Delivery System <[email protected]>
038T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
048I Message-Id: <[email protected]>
038 Date: Sun, 07 Oct 2012 13:53:15 +0800I want to add something to this thread...
I have just finished spending a considerable amount of time working through each of your suggestions, but after no luck, I decided to log in and review the account in question's files.
Then, it all became clear to me.... I believe this might be a supplemental resolution to others who have had issues but not an actual root compromised.
Here goes....
1. In my example here, my customer was running a Wordpress website on his account. This account had been sending a ton of spammy email for a very long time and so I finally addressed it here.
2. After trying everything from your threads with no luck, I decided to log into their account via FTP and literally take a look at some of the PHP files used by Wordpress. First, I checked the main /public_html directory files, but they didn't appear to have any changes to their structure...
3. So, here is where it gets tricky. If you browse via FTP to the actual WORDPRESS THEME files for the active theme, you will come across another actual index.php file. Open that file and see if it contains any odd or malicious code. In my example, I noticed that some weird script was running at the load of each page. The injection applied to almost every single file in their theme's folder... so you must go through each of them and remove the malicious code before you can ensure you have rid the account of this mess. I have attached a screenshot of the code highlighted which is calling a bot / script that is somehow manipulating the mail accounts on this account - even though they do not use their server based mail at all and are entirely routing through Google apps mail.
Hopefully this helps someone who tried the previous steps like I did, with no luck. It's a tricky one, and ya gotta think outside the normal sys admin box to catch these scum.
It's also worth noting that some Wordpress themes that are applied to sites have been infected from the start, so this likely did not even have any bearing on your server whatsoever... it was the theme files that needed cleaned up.
Here is a link to a better quality / higher resolution screenshot on Droplr: /http://d.pr/i/6kef
I have just finished spending a considerable amount of time working through each of your suggestions, but after no luck, I decided to log in and review the account in question's files.
Then, it all became clear to me.... I believe this might be a supplemental resolution to others who have had issues but not an actual root compromised.
Here goes....
1. In my example here, my customer was running a Wordpress website on his account. This account had been sending a ton of spammy email for a very long time and so I finally addressed it here.
2. After trying everything from your threads with no luck, I decided to log into their account via FTP and literally take a look at some of the PHP files used by Wordpress. First, I checked the main /public_html directory files, but they didn't appear to have any changes to their structure...
3. So, here is where it gets tricky. If you browse via FTP to the actual WORDPRESS THEME files for the active theme, you will come across another actual index.php file. Open that file and see if it contains any odd or malicious code. In my example, I noticed that some weird script was running at the load of each page. The injection applied to almost every single file in their theme's folder... so you must go through each of them and remove the malicious code before you can ensure you have rid the account of this mess. I have attached a screenshot of the code highlighted which is calling a bot / script that is somehow manipulating the mail accounts on this account - even though they do not use their server based mail at all and are entirely routing through Google apps mail.
Hopefully this helps someone who tried the previous steps like I did, with no luck. It's a tricky one, and ya gotta think outside the normal sys admin box to catch these scum.
It's also worth noting that some Wordpress themes that are applied to sites have been infected from the start, so this likely did not even have any bearing on your server whatsoever... it was the theme files that needed cleaned up.
Here is a link to a better quality / higher resolution screenshot on Droplr: /http://d.pr/i/6kef
Last edited:
Gaaah. How would I be able to tell what process keeps sending the spam? I need to figure out and kill the process that keeps adding these emails to my queue.
Is there a way to simply reset the whole danged server and start over? I mean.. finding this thing seems to be impossible.
I figured it out. They had hacked some user email accounts, I changed passwords on them and boom. Nada.
One question left. Now that they keep trying to log in I'm getting the 'blocked ip" messages at a rate of 22 per minute due to their unsuccessful logins. Does anybody have any idea how I can just kill those?
Hello,
Try to find out which user is sending the mails through scripts. You an find out through following command
grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c
Also, the following document is helpful for preventing email abuse:
cPanel - Prevent Email Abuse
Thank you.
Try to find out which user is sending the mails through scripts. You an find out through following command
grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c
Also, the following document is helpful for preventing email abuse:
cPanel - Prevent Email Abuse
Thank you.
sahostking
Well-Known Member
Hi I Know this is a log ago Quote but what i found when this happened to me was i set max emails to 150 per hour and i also found the user who was sending out spam and blocked his email account
i this went to MXtoolbox and removed my ip from all the blacklists
i found that a clients PC had no antivirus on what so ever and had hacked the email box using scripts to send out 6000 email an hour
of porn spam
i this went to MXtoolbox and removed my ip from all the blacklists
i found that a clients PC had no antivirus on what so ever and had hacked the email box using scripts to send out 6000 email an hour
of porn spam
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| S | Urgent - Need help to stop email SPAM! | 1 | ||
| A | spamd failed - Need help stopping this email coming to me | 4 | ||
| F | EXIM - I need help to to set filters that stops on-line phamacy offerings | 6 | ||
| N | I need help to stop this spam | 8 | ||
| D | Help! I need to stop SPAM | 2 |