The Community Forums

Interact with an entire community of cPanel & WHM users!

Open http or socks proxy, or a trojan spam package?

Discussion in 'E-mail Discussions' started by JIKOmetrix, Oct 11, 2009.

  1. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    2 of my shared servers keep getting placed on the CBL block list. CBL says:

    Can anyone shed some light on this? They are saying what domain it was "impersonating". How do I go about "properly configuring my mail server" so I don't get on CBL? The data center could not find any malicious software on the server.

    I'm hoping someone else has been on CBL and successfully investigated their issue with no real data from CBL.

    That's all I've received so far: "we think your server is broken, but we are not going to share with you the data that makes us think your server is broken."

    Any help or direction would be great. I've only seen this issue on our shared servers, not our dedicated servers.

    Thanks,
    Mike
     
  2. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Okay, so CBL has been helpful; they gave some more info on how to track this down and a clearer explanation of what to do.

    I have installed wireshark on the server:

    yum install wireshark

    I am running this command from a terminal window:

    tshark -f "port 25 and src host xx.xx.xx.xx" > smtp-traffic.log

    Then I can:
    grep "EHLO" smtp-traffic.log
    grep "HELO" smtp-traffic.log

    To find all of the outbound SMTP connections.

    Hope this helps someone else.

    Mike
     
  3. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    So after reviewing traffic it looks like there is something on the box spewing spam to the world.

    I'm running this:

    nohup netstat -c -p | grep -i "smtp"

    Our server is set to allow exim to send from the account IP address. I am seeing a huge amount of SMTP activity from a specific IP address. So I thought that suspending the account would stop it. Suspending did not stop this SMTP activity. I also moved all of the public HTML files into the private root, thinking that a script may be the issue. That did not stop it either.

    Does anyone know how I can determine what process is using a specific IP address to send email?

    Thanks,
    Mike
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Is it a constant thing?

    Are you using SuPHP (so that your individual customer scripts are run under their UID)?

    Do you know if it's being injected into Exim and sent out through there or whether it's being sent directly from a PHP (or other) script directly to the destination mail servers?

    Are the HELOs of the offending traffic the same all the time? If so, grep your Exim log for the data that it's using in the HELO.

    If it's being passed through Exim you can see what script is sending it by doing this:

    1. Log into WHM
    2. Go to Service Configuration
    3. Select Exim Configuration Editor
    4. Click on Advanced Editor

    In the first box (right under Cpanel Exim 4 Config) make sure you have something like:

    log_selector = +arguments +subject

    5. Save it

    Now, when an email is sent through Exim you'll be able to see what script is sending it (it may be sendmail or it may be a PHP script, etc.).

    Mike
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    What mtindor has suggested is a reasonable path forward. It would help to know if SuPHP and SuExec are both enabled, and if not, to ensure they are activated.

    To check both of these you may use either of the following methods:

    1.) Via root WHM access:
    WHM: Main >> Service Configuration >> Apache Configuration >> PHP and SuExec Configuration

    2.) Via root SSH access:
    Code:
    # /usr/local/cpanel/bin/rebuild_phpconf --current

    The log_selector entry should help as well; for reference, you may find your Exim mainlog at the following path:
    /var/log/exim_mainlog
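    As an added example (not code from this thread or from cPanel), the script below shows how to read /var/log/exim_mainlog once `log_selector = +arguments +subject` is in place: Exim then writes a `cwd=... N args: ...` line for each local sendmail invocation, followed by the `<=` receipt line carrying `U=` (the local user) and `T="..."` (the subject). Pairing the two and counting per user and working directory makes a script-driven sender under public_html stand out. The log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of exim_mainlog with log_selector = +arguments +subject.
SAMPLE_LOG = """\
2009-10-11 09:14:02 cwd=/home/victim/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2009-10-11 09:14:02 1MwXyZ-0003Ab-Cd <= victim@example.com U=victim P=local S=1820 T="Cheap meds today"
2009-10-11 09:14:05 cwd=/home/victim/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2009-10-11 09:14:05 1MwXyZ-0003Ae-Ef <= victim@example.com U=victim P=local S=1822 T="Cheap meds today"
2009-10-11 09:20:41 cwd=/home/alice 4 args: /usr/sbin/sendmail -oi -t -f alice@example.org
2009-10-11 09:20:41 1MwXyZ-0003Ah-Gh <= alice@example.org U=alice P=local S=910 T="Invoice 1042"
2009-10-11 09:21:00 1MwXyZ-0003Aj-Ij <= bob@example.net H=(mail.example.net) [198.51.100.7] P=esmtpa A=dovecot_login:bob S=2210 T="Re: meeting"
"""

# '+arguments' line: timestamp, working directory of the caller, argv of the call.
ARGS_RE = re.compile(r'^\S+ \S+ cwd=(\S+) \d+ args: (.*)$')
# '<=' receipt line: message id, envelope sender, optional U=local-user, T="subject".
RECV_RE = re.compile(r'^\S+ \S+ (\S+) <= (\S+) (?:.*?U=(\S+))?.*? T="([^"]*)"')

def parse_mainlog(text):
    """Yield (cwd, user, subject) per received message.

    A cwd/args line describes the local process that called sendmail; the
    next '<=' line is the message it injected. Messages that arrive over
    SMTP (authenticated or remote) have no cwd line and no U= field."""
    pending_cwd = None
    for line in text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            pending_cwd = m.group(1)
            continue
        m = RECV_RE.match(line)
        if m:
            user = m.group(3) or "(smtp-auth/remote)"
            yield pending_cwd or "(none)", user, m.group(4)
            pending_cwd = None

def summarize(text):
    """Count messages per (user, cwd) and record the subjects seen for each."""
    counts, subjects = Counter(), defaultdict(Counter)
    for cwd, user, subject in parse_mainlog(text):
        counts[(user, cwd)] += 1
        subjects[(user, cwd)][subject] += 1
    return counts, subjects

def suspicious_dirs(counts, threshold=2):
    """Directories under a web document root that injected >= threshold messages."""
    return sorted(cwd for (_, cwd), n in counts.items()
                  if "/public_html" in cwd and n >= threshold)
```

    Run it against the real mainlog by replacing SAMPLE_LOG with the file contents; the flagged directory is where to look for the sending script, and the `U=` user tells you whose account it runs under (which is only meaningful with SuPHP/SuExec enabled, as the posts above note).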
     
  6. Jtellup

    Jtellup Member

    Joined:
    Dec 11, 2008
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Good information. I've employed log_selector = +arguments +subject as well. I'm coming over from Windows Server 2003 and have been cramming the Linux system now for 6 months. I love Linux (CentOS) at this point, but I'm still such a newb at it; however, your advice here did help me to identify that worldconcepts.cn (China) has somehow gotten onto our box and is using it to spam. I am amazed at the ability to configure mod_security as well and have been burning up everything I can find on it to read.

    Thanks Guys
     