The Community Forums

Interact with an entire community of cPanel & WHM users!

open relay problem, help please

Discussion in 'General Discussion' started by Secret Agent, Nov 9, 2004.

  1. Secret Agent

    Secret Agent Guest

    I have an open relay on my server :(

    I'm hoping someone will explain how to fix this. Using Exim 4.34 of course, on Fedora Core 2.

    Ran:
    /scripts/exim4
    /scripts/relayd

    No good. I obviously don't 100% know how to fix this. Please help. Thank you.
     
  2. chirpy

    chirpy Well-Known Member

    If you are using the default exim installation with no changes in exim.conf or the Exim Configuration Editor by yourself, then it is highly unlikely that you have an open relay. It's more likely that either:

    1. You have a vulnerable CGI or PHP script that is being exploited

    2. The server has been hacked and a mass-emailer has been installed

    Most commonly, it's 1.
     
  3. PDW

    PDW Well-Known Member

    What is the best way to find these scripts or programs to remove them?
     
  4. chirpy

    chirpy Well-Known Member

    One way is to ensure that you have both SUEXEC and PHPSUEXEC enabled (there are implications), then set your WHM > Tweak Settings > The maximum each domain can send out per hour to a nice low value (perhaps 50), then watch /var/log/exim_mainlog for a stream of errors that contain the string "has exceeded the max emails per hour". You should then be able to tie the error down to the domain, and from there to the account and then the script.
     
  5. Secret Agent

    Secret Agent Guest

    When you say PHP Exec are you referring to PHP suEXEC Support found in WHM's Update Apache (last few lines on bottom)?
     
  6. Marty

    Marty Well-Known Member

    If you don't want to run suexec or phpsuexec, you can add this to the top box in the WHM exim advanced configuration editor:

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    This will change the exim logs so that it will actually show you the path to the directory that contains the script (if it is a script) that sent the email. This has helped me track down some vulnerable scripts that spammers were exploiting from time to time. When a script sends an email, you will get a log entry like this:

    2004-11-10 11:32:40 cwd=/home/***/public_html/forums 3 args: /usr/sbin/sendmail -t -i

    I purposely starred out the username in the directory path. It will actually show the complete path.
     
  7. chirpy

    chirpy Well-Known Member

    That's quite nifty. Thanks, Marty.
     
  8. Marty

    Marty Well-Known Member

    You're welcome, but I borrowed it from somebody else on the forum, so I can't take credit for it. One nice thing is that it will include the subject line of the email in the exim log, so if you have a copy of the spam you can grep the exim log for the subject line, often find what you are looking for, and then find the directory that the script is in.
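    Pulling chirpy's rate-limit check and Marty's cwd= / subject-line tracing together into one script, as an added example (not code from this thread or from cPanel). It assumes the log_selector above is in place and works on a constructed sample of exim_mainlog lines; the wording around "has exceeded the max emails per hour", the "Domain X" placement, and pairing the cwd= line with the message line by identical timestamp are assumptions, not documented Exim behaviour.

```shell
#!/bin/sh
# Constructed sample of /var/log/exim_mainlog lines (not real log data).
# The cwd=/args: lines follow the format shown above; the T="..." field is
# what +subject adds; the "exceeded" line's exact wording is an assumption.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
2004-11-10 11:32:40 cwd=/home/alice/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2004-11-10 11:32:40 1CRzqW-0001Ab-00 <= alice@example.com U=alice P=local S=812 T="Cheap meds now"
2004-11-10 11:32:41 cwd=/home/alice/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2004-11-10 11:33:02 cwd=/home/bob/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2004-11-10 11:33:02 1CRzqX-0001Ac-00 <= bob@example.com U=bob P=local S=410 T="Contact form"
2004-11-10 11:33:05 cwd=/home/alice/public_html/forums 3 args: /usr/sbin/sendmail -t -i
2004-11-10 11:34:10 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2004-11-10 11:35:00 Domain example.com has exceeded the max emails per hour (50/50) Message discarded.
EOF

# 1. Rank web-script directories by number of sendmail invocations.
#    Only cwd= paths under /home/<user>/public_html count, i.e. website code,
#    so Exim's own queue runs (cwd=/var/spool/exim) are ignored.
top_script_dirs() {
  grep -o 'cwd=/home/[^ ]*/public_html[^ ]*' "$1" | cut -d= -f2 \
    | sort | uniq -c | sort -rn
}

# 2. Count per-hour limit hits per domain (WHM "maximum each domain can send").
#    The "Domain <name> has exceeded" layout is an assumed format.
rate_limited_domains() {
  grep 'has exceeded the max emails per hour' "$1" \
    | sed -n 's/.*Domain \([^ ]*\) has exceeded.*/\1/p' | sort | uniq -c | sort -rn
}

# 3. Given the subject of a spam sample, print the script directory whose
#    cwd= line shares the timestamp of that message's "<=" line (heuristic).
#    Returns 1 when the subject is not in the log.
dir_for_subject() {
  ts=$(grep -F "T=\"$2\"" "$1" | head -n 1 | cut -d' ' -f1-2)
  [ -n "$ts" ] || return 1
  grep "^$ts cwd=/home/" "$1" | head -n 1 | grep -o 'cwd=[^ ]*' | cut -d= -f2
}

echo "== sendmail calls per script directory =="; top_script_dirs "$SAMPLE_FILE"
echo "== domains that hit the hourly limit ==";  rate_limited_domains "$SAMPLE_FILE"
echo "== directory for subject 'Cheap meds now' =="
dir_for_subject "$SAMPLE_FILE" "Cheap meds now"
```

    Run against the real log with `top_script_dirs /var/log/exim_mainlog`; the busiest public_html directory is the first place to look for an exploited script.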
     