newbie needs help -- spammers and "nobody" questions

BraveX

Well-Known Member
Apr 8, 2005
Hi. I have a customer that has been getting tons of spam from "[email protected]" (with the latter the name of my server). I think a script on his site may be being exploited but I'm not sure how to find it. Which specific logs should I be looking at and what should I be looking for?

Also, in WHM it has this: "Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)"

Should I check the above? And how can I tell if I have phpsuexec and suexec? And if I don't, should I install them?

Thanks so much in advance for any help!!!

BX

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
I'd suggest putting in extended logging by adding the following to the first textarea in the advanced mod exim configuration editor:

log_selector = +arguments +subject

Next time the problem occurs, scan /var/log/exim_mainlog for /home to see if there's a pattern:

grep /home /var/log/exim_mainlog

This should show the cwd directory of the process that sent the emails and so narrow down the likely script.
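As an added illustration of the triage step described above (this is my own example, not code from the thread or from cPanel), the script below parses a handful of constructed exim_mainlog lines in the shape exim writes once log_selector includes +arguments (a "cwd=... N args: ..." line per local sendmail invocation) and +subject (a T="..." field on the "<=" delivery line). It tallies which /home directory the sending processes were started from and lists the subjects of messages submitted as the "nobody" user, which is the pattern the grep above is meant to reveal. The log lines, usernames, paths and subject are made up for the example.

```python
import re
from collections import Counter

# Constructed sample log text, not from a real server. Lines mimic exim's
# +arguments ("cwd=<dir> <n> args: ...") and +subject (T="...") output.
SAMPLE_LOG = """\
2005-04-08 10:01:02 cwd=/home/customer/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-04-08 10:01:02 1DJxyz-0001Ab-Cd <= nobody@server.example.com U=nobody P=local S=612 T="Cheap pills"
2005-04-08 10:01:05 cwd=/home/customer/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-04-08 10:01:09 cwd=/home/customer/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2005-04-08 10:02:00 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2005-04-08 10:02:30 cwd=/ 5 args: /usr/sbin/exim -bd -q1h
"""

# "<date> <time> cwd=<directory> <count> args: <argv...>"
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (.*)$")
# "<= <sender> U=<local user> ... T="<subject>"" on the message-arrival line
NOBODY_SUBJECT_RE = re.compile(r'<= \S+ U=nobody .* T="([^"]*)"')


def count_sending_dirs(log_text, prefix="/home"):
    """Return a Counter of working directories (under prefix) that
    invoked sendmail, i.e. where the mail-sending script most likely lives."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m and m.group(1).startswith(prefix):
            counts[m.group(1)] += 1
    return counts


def top_suspects(log_text, prefix="/home", min_hits=2):
    """Directories that sent at least min_hits messages, busiest first."""
    counts = count_sending_dirs(log_text, prefix)
    return [(d, n) for d, n in counts.most_common() if n >= min_hits]


def nobody_subjects(log_text):
    """Subjects of messages submitted locally by the 'nobody' user,
    which is how an abused PHP/CGI script usually shows up."""
    found = []
    for line in log_text.splitlines():
        m = NOBODY_SUBJECT_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    # Against a live box you would read /var/log/exim_mainlog instead.
    for directory, hits in top_suspects(SAMPLE_LOG):
        print(f"{hits:4d}  {directory}")
    for subject in nobody_subjects(SAMPLE_LOG):
        print(f"nobody sent: {subject!r}")
```

Counting by cwd rather than just eyeballing grep output makes the pattern obvious when the log is large: one directory with hundreds of hits while the rest have a handful is the script to inspect.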