Possible spam script

Discussion in 'E-mail Discussion' started by amccoy, Jun 7, 2009.

  1. amccoy

    amccoy Active Member

    Joined:
    Dec 7, 2008
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    56
    I received a warning email today from cPanel to alert me that a client had uploaded a new email CGI script.

    This is what the email contained (note: I have replaced the client name with XXXXXXX):


    Code:
    /home/XXXXXXX/public_html/.x.txt/mail.php:63: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:64: 							return mail($to, $subj, $zag.$file, $head) ? TRUE : FALSE;
    /home/XXXXXXX/public_html/.x.txt/mail.php:65: 						}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:87: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:88: 							$mailed = $mailed & mail($to, $subj, $fileChunk, $multiHead);
    /home/XXXXXXX/public_html/.x.txt/mail.php:89: 							if (!$mailed) {return false;}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:99: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:100: 							return mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head) ? TRUE : FALSE;
    /home/XXXXXXX/public_html/.x.txt/mail.php:101: 						}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:140: 							flush();
    /home/XXXXXXX/public_html/.x.txt/mail.php:141: 							$mailed = $mailed & mail($to, $subj, $addHeads, $head);
    /home/XXXXXXX/public_html/.x.txt/mail.php:142: 							if (!$mailed) {return false;}
    ---
    /home/XXXXXXX/public_html/.x.txt/mail.php:147: 		{
    /home/XXXXXXX/public_html/.x.txt/mail.php:148: 			return mail($to, $subj, $zag.$file, $head) ? TRUE : FALSE;
    /home/XXXXXXX/public_html/.x.txt/mail.php:149: 		}
    ---
    /home/XXXXXXX/public_html/.x.txt/ftp.php:110: 
    /home/XXXXXXX/public_html/.x.txt/ftp.php:111: 	function mail(str, field) {
    /home/XXXXXXX/public_html/.x.txt/ftp.php:112: 	document.getElementById("mailPart." + field).innerHTML = str;
    ---
    /home/XXXXXXX/public_html/.x.txt/http.php:490: 
    /home/XXXXXXX/public_html/.x.txt/http.php:491: function mail(str, field) {
    /home/XXXXXXX/public_html/.x.txt/http.php:492: 	document.getElementById("mailPart." + field).innerHTML = str;
    ---
    /home/XXXXXXX/public_html/.x.txt/http.php:759: 
    /home/XXXXXXX/public_html/.x.txt/http.php:760: function mail(str, field)
    /home/XXXXXXX/public_html/.x.txt/http.php:761: {
    ---
    /home/XXXXXXX/public_html/.x.txt/js.php:158: 
    /home/XXXXXXX/public_html/.x.txt/js.php:159: function mail(str, field)
    /home/XXXXXXX/public_html/.x.txt/js.php:160:   {
    ---
    
    Should I remove this? Or is there a way that I can actively monitor any mail this sends? I am a small host with under 100 clients, so I keep a close eye on all accounts, and this helps me to provide a fair shared hosting environment.

    Thanks for any help.
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,261
    Likes Received:
    390
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If you have CSF installed you should be able to monitor this or at least be alerted to it.

    Sure smells funny to me though. Not sure I'd wait.


    Google this:

    Code:
    mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head)
  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Based on the fact that it is in a hidden directory with a very weird name, there is a high probability it is malicious. Go to that directory and investigate the files. Also, as Infopro said, monitor it closely.

    Personally, I would treat this as a malicious directory and files, and do what's required. Generally, legit stuff does not go into a directory like ".x.txt".
  4. amccoy

    amccoy Active Member

    Joined:
    Dec 7, 2008
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    56
    Yes, those were my thoughts too. I have looked inside the directory and it appears to be some sort of PHP script that has a lot of parts to it, one named mail.php, so I am slightly suspicious of it. I have CSF running, but I do not know how to get it to monitor that script specifically, or if that is even possible.

    Thanks for the help. Would you recommend I question the client about the script, or just plainly remove it, as I can do so due to the TOS they signed?
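One way to triage an alert of this shape before deciding whether to remove or just watch the script, as an added example that is not from the thread, cPanel or CSF: it parses the notification's `path:line: code` format, separates real PHP `mail()` calls from JavaScript functions that merely happen to be named `mail`, and weights hits that sit in a hidden directory or build a base64 attachment body. The sample alert text is constructed to mirror the one quoted above, with a made-up contact-form hit added for contrast.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, modelled on the cPanel notification quoted in the thread
# (client name replaced with XXXXXXX as in the original post; send.php is invented).
SAMPLE_ALERT = """\
/home/XXXXXXX/public_html/.x.txt/mail.php:64: return mail($to, $subj, $zag.$file, $head) ? TRUE : FALSE;
/home/XXXXXXX/public_html/.x.txt/mail.php:100: return mail($to, $subj, $zag.chunk_split(base64_encode($fileContents)), $head) ? TRUE : FALSE;
/home/XXXXXXX/public_html/.x.txt/http.php:491: function mail(str, field) {
/home/XXXXXXX/public_html/.x.txt/js.php:160:   {
/home/XXXXXXX/public_html/contact/send.php:12: mail($to, "Contact form", $body, $headers);
"""

LINE_RE = re.compile(r"^(?P<path>/[^:]+):(?P<lineno>\d+):\s*(?P<code>.*)$")
PHP_MAIL_CALL = re.compile(r"(?<![\w$])mail\s*\(")      # PHP mail(...) invocation
JS_MAIL_DEF = re.compile(r"\bfunction\s+mail\s*\(")      # JS/PHP function *definition* named mail
ATTACH_RE = re.compile(r"chunk_split|base64_encode")     # attachment body being built by hand

def hidden_dir(path):
    """True if any directory component of the path starts with a dot (e.g. '.x.txt')."""
    return any(p.startswith(".") for p in PurePosixPath(path).parts[:-1])

def triage(alert_text):
    """Return one finding per alert line that is a mail() call or a mail definition."""
    findings = []
    for raw in alert_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        path, code = m.group("path"), m.group("code")
        if JS_MAIL_DEF.search(code):
            kind = "mail-function-def"   # not a call; likely a JS helper, low interest on its own
        elif PHP_MAIL_CALL.search(code):
            kind = "php-mail-call"
        else:
            continue                     # stray brace/blank context line from the alert
        score, reasons = 0, []
        if kind == "php-mail-call":
            score += 1
            reasons.append("calls mail()")
            if ATTACH_RE.search(code):
                score += 2
                reasons.append("builds base64 attachment body")
        if hidden_dir(path):
            score += 2
            reasons.append("hidden directory in path")
        findings.append({"path": path, "line": int(m.group("lineno")),
                         "kind": kind, "score": score, "reasons": reasons})
    return findings
```

Sort the findings by score and look at the top ones first; a hidden directory plus a hand-built base64 body is the combination worth opening the file for, while a lone `mail()` in a contact form is ordinary.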
  5. amccoy

    amccoy Active Member

    Joined:
    Dec 7, 2008
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    56
    They uploaded a proxy script, so I had to suspend their account anyway.