
Possible spam script

Discussion in 'E-mail Discussions' started by amccoy, Jun 7, 2009.

  1. amccoy

    amccoy Active Member

    Joined:
    Dec 7, 2008
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    I received a warning email today from cPanel to alert me that a client had uploaded a new email CGI script.

    This is what the email contained (note: I have replaced the client name with XXXXXXX).


    Code:
    /home/XXXXXXX/public_html/.x.txt/mail.php:63: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:64: 							return mail($to, $subj, $zag.$file, $head) ? TRUE : FALSE;
    /home/XXXXXXX/public_html/.x.txt/mail.php:65: 						}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:87: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:88: 							$mailed = $mailed & mail($to, $subj, $fileChunk, $multiHead);
    /home/XXXXXXX/public_html/.x.txt/mail.php:89: 							if (!$mailed) {return false;}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:99: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:100: 							return mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head) ? TRUE : FALSE;
    /home/XXXXXXX/public_html/.x.txt/mail.php:101: 						}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:140: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:141: 							$mailed = $mailed & mail($to, $subj, $addHeads, $head);
    /home/XXXXXXX/public_html/.x.txt/mail.php:142: 							if (!$mailed) {return false;}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:147: 		{
    /home/XXXXXXX/public_html/.x.txt/mail.php:148: 			return mail($to, $subj, $zag.$file, $head) ? TRUE : FALSE;
    /home/XXXXXXX/public_html/.x.txt/mail.php:149: 		}
    ---
    /home/XXXXXXX/public_html/.x.txt/ftp.php:110: 
    /home/XXXXXXX/public_html/.x.txt/ftp.php:111: 	function mail(str, field) {
    /home/XXXXXXX/public_html/.x.txt/ftp.php:112: 	document.getElementById("mailPart." + field).innerHTML = str;
    ---
    /home/XXXXXXX/public_html/.x.txt/http.php:490: 
    /home/XXXXXXX/public_html/.x.txt/http.php:491: function mail(str, field) {
    /home/XXXXXXX/public_html/.x.txt/http.php:492: 	document.getElementById("mailPart." + field).innerHTML = str;
    ---
    /home/XXXXXXX/public_html/.x.txt/http.php:759: 
    /home/XXXXXXX/public_html/.x.txt/http.php:760: function mail(str, field)
    /home/XXXXXXX/public_html/.x.txt/http.php:761: {
    ---
    /home/XXXXXXX/public_html/.x.txt/js.php:158: 
    /home/XXXXXXX/public_html/.x.txt/js.php:159: function mail(str, field)
    /home/XXXXXXX/public_html/.x.txt/js.php:160:   {
    ---
    
    Should I remove this? Or is there a way that I can actively monitor any mail this sends? I am a small host with under 100 clients, so I keep a close eye on all accounts, and this helps me to provide a fair shared hosting environment.

    Thanks for any help.
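One way to answer the monitoring question from the defender's side, as an added example that is not from this thread and not cPanel's or CSF's own code: on a cPanel server Exim writes the working directory of every locally submitted message to the main log (the `cwd=... N args: ...` line, which assumes the `+arguments` log selector is enabled, as it normally is on cPanel builds). Pairing each `cwd=` line with the `<=` (message accepted) line that follows it gives a per-directory submission count, which is enough to spot a mailer running out of a dot-directory. All log lines, account names, message ids and timestamps below are constructed for the example.

```python
"""Count locally submitted mail per working directory from an Exim main log.

Added example; assumes Exim's '+arguments' log selector is on, so that each
local submission is preceded by a 'cwd=... N args: ...' line. All log lines
are constructed, not taken from a real server.
"""
import re
from collections import Counter

# "2009-06-07 09:12:31 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i"
CWD_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")
# "2009-06-07 09:12:31 1MD0Ph-0004Rd-2T <= sender@host U=user P=local S=2371 ..."
ACCEPT_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_exim_log(lines):
    """Return one dict per accepted message ('<=' line). Messages submitted
    through the sendmail binary (P=local) get the cwd of the preceding
    'cwd=' line; messages that arrived over SMTP get cwd=None."""
    events = []
    last_cwd = None
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group(2)
            continue
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group(4)))
        local = fields.get("P") == "local"
        events.append({
            "ts": m.group(1),
            "msgid": m.group(2),
            "sender": m.group(3),
            "user": fields.get("U"),
            "cwd": last_cwd if local else None,
        })
        last_cwd = None  # a cwd line describes exactly one submission
    return events


def summarise(events, max_per_dir=5):
    """Flag directories that either sit under a dot-directory (like the
    '.x.txt' in the alert) or submitted more than max_per_dir messages."""
    per_dir = Counter(e["cwd"] for e in events if e["cwd"])
    alerts = []
    for cwd, n in per_dir.items():
        hidden = any(part.startswith(".") for part in cwd.split("/") if part)
        if hidden or n > max_per_dir:
            alerts.append({"cwd": cwd, "count": n, "hidden_dir": hidden})
    return sorted(alerts, key=lambda a: (-a["count"], a["cwd"]))


def build_sample_log():
    """Constructed log excerpt: six submissions from the hidden directory,
    one from a normal site, and one message that arrived over SMTP."""
    lines = []
    for i in range(6):
        ts = f"2009-06-07 09:12:{31 + i:02d}"
        lines.append(f"{ts} cwd=/home/XXXXXXX/public_html/.x.txt 3 args: /usr/sbin/sendmail -t -i")
        lines.append(f"{ts} 1MD0Ph-0004R{i}-2T <= xxxxxxx@server.example.net U=xxxxxxx P=local "
                     f"S=2371 id=msg{i}@server.example.net")
    lines.append("2009-06-07 09:13:02 cwd=/home/goodsite/public_html 3 args: /usr/sbin/sendmail -t -i")
    lines.append("2009-06-07 09:13:02 1MD0Qa-0004Sb-1Q <= goodsite@server.example.net U=goodsite P=local "
                 "S=812 id=form@server.example.net")
    lines.append("2009-06-07 09:13:40 1MD0Qz-0004Tt-1A <= alice@example.org H=(mail.example.org) [192.0.2.10] "
                 "P=esmtp S=4021 id=1@example.org")
    return lines


if __name__ == "__main__":
    evts = parse_exim_log(build_sample_log())
    for a in summarise(evts):
        flag = "hidden dir" if a["hidden_dir"] else "volume"
        print(f"{a['count']:4d}  {a['cwd']}  [{flag}]")
```

Run it against a real log with `parse_exim_log(open("/var/log/exim_mainlog"))` (path assumed; it is where cPanel keeps the main log) from a cron job that tails only the last interval, and the hidden-directory rule fires on the first message rather than after a volume threshold, which is the case the thread is about.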
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist, Staff Member
    If you have CSF installed you should be able to monitor this or at least be alerted to it.

    Sure smells funny to me though. Not sure I'd wait.


    Google this:

    Code:
    mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head)
     
  3. dgbaker

    dgbaker Well-Known Member, PartnerNOC
    Based on the fact that it is in a hidden directory with a very weird name, there is a high probability it is malicious. Go to that directory and investigate the files. Also, as Infopro said, monitor it closely.

    Personally, I would treat this as a malicious directory and files, and do what's required. Generally, legit stuff does not go into a directory like ".x.txt".
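The two pieces of advice above, investigate the files in the dot-directory and search for the `mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head)` idiom Infopro quotes, can be turned into a repeatable file-level check. What follows is an added example, not code from the thread and not cPanel's own script scanner: it walks an account's web root, flags PHP files that call mail() with the idioms quoted in the alert, skips JavaScript/PHP functions merely *named* mail (the alert listed several of those from ftp.php, http.php and js.php), and raises the severity when the file sits under a dot-directory. The fixture files it writes are constructed for the demonstration, modelled on the alert lines rather than copied from the client's account.

```python
"""Scan a web root for mail()-calling PHP files and rank them.

Added example; the rules, the severity scheme and the fixture files are
constructed for the demonstration and are not cPanel's own scanner.
"""
import os
import re
import shutil
import tempfile

# Rules are tried in order and the first match labels the line, so the two
# mailer-specific idioms quoted in the alert win over a plain mail() call.
RULES = [
    ("encoded-body", re.compile(r"mail\s*\(.*chunk_split\s*\(\s*base64_encode")),
    ("batch-loop",   re.compile(r"\$mailed\s*&\s*mail\s*\(")),
    ("plain-mail",   re.compile(r"(?<![\w$.>])mail\s*\(")),
]
# A function *named* mail is a definition, not a call to PHP's mail().
DEFINITION = re.compile(r"\bfunction\s+mail\s*\(")


def is_hidden_path(rel):
    """True if any directory component of a '/'-separated relative path
    starts with a dot, e.g. 'public_html/.x.txt/mail.php'."""
    return any(p.startswith(".") for p in rel.split("/")[:-1])


def scan_file(path, root):
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    hidden = is_hidden_path(rel)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if DEFINITION.search(line):
                continue
            for rule, rx in RULES:
                if rx.search(line):
                    sev = 2 if rule != "plain-mail" else 1  # contact forms also call mail()
                    if hidden:
                        sev += 1  # legit code rarely lives in a dot-directory
                    findings.append({"file": rel, "line": lineno, "rule": rule,
                                     "severity": sev, "text": line.strip()})
                    break
    return findings


def scan_tree(root):
    """All findings under root, highest severity first."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                out.extend(scan_file(os.path.join(dirpath, name), root))
    out.sort(key=lambda f: (-f["severity"], f["file"], f["line"]))
    return out


def format_report(findings):
    """Same path:line: text layout as the cPanel alert, plus severity and rule."""
    return "\n".join(f"[sev {f['severity']}] {f['file']}:{f['line']}: {f['text']}  ({f['rule']})"
                     for f in findings)


def build_fixture():
    """Write constructed sample files modelled on the alert (not the client's files)."""
    root = tempfile.mkdtemp(prefix="mailscan-demo-")
    files = {
        "public_html/.x.txt/mail.php": (
            "<?php\n"
            "function sendOne($to, $subj, $zag, $file, $head) {\n"
            "    flush();\n"
            "    return mail($to, $subj, $zag.$file, $head) ? TRUE : FALSE;\n"
            "}\n"
            "function sendChunks($to, $subj, $chunks, $multiHead) {\n"
            "    $mailed = true;\n"
            "    foreach ($chunks as $fileChunk) {\n"
            "        $mailed = $mailed & mail($to, $subj, $fileChunk, $multiHead);\n"
            "        if (!$mailed) {return false;}\n"
            "    }\n"
            "    return $mailed;\n"
            "}\n"
            "function sendEncoded($to, $subj, $zag, $fileContents, $head) {\n"
            "    return mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head) ? TRUE : FALSE;\n"
            "}\n"
        ),
        "public_html/.x.txt/js.php": (
            "<?php echo '<script>'; ?>\n"
            "function mail(str, field) {\n"
            "  document.getElementById(\"mailPart.\" + field).innerHTML = str;\n"
            "}\n"
        ),
        "public_html/contact.php": (
            "<?php\n"
            "$ok = mail('owner@example.com', 'Contact form', $_POST['msg']);\n"
        ),
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    try:
        print(format_report(scan_tree(demo_root)))
    finally:
        shutil.rmtree(demo_root)
```

Point `scan_tree()` at `/home/<account>/public_html` (path pattern from the alert) to get the same kind of listing cPanel emailed, but ranked: the two hidden-directory mailer idioms come out at severity 3, the plain `mail()` in the same directory at 2, and the ordinary contact form at 1, so the file to open first is obvious.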
     
  4. amccoy

    amccoy Active Member

    Joined:
    Dec 7, 2008
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Yes, those were my thoughts too. I have looked inside the directory and it appears to be some sort of PHP script that has a lot of parts to it, one named mail.php, so I am slightly suspicious of it. I have CSF running but I do not know how to get it to monitor that script specifically, or if that is even possible.

    Thanks for the help. Would you recommend I question the client about the script? Or just plainly remove it, as I can do so due to the TOS they signed.
     
  5. amccoy

    amccoy Active Member

    Joined:
    Dec 7, 2008
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    They uploaded a proxy script, so I had to suspend their account anyway.
     