The Community Forums


Potentially compromised account

Discussion in 'E-mail Discussions' started by Paul Ward, Jul 31, 2017.

  1. Paul Ward

    Paul Ward Member

    Joined:
    Nov 30, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Hi Guys,

    Can someone give me some pointers on dealing with an account that is constantly sending mail? I'd like to understand what is happening and how to stop it.

    The account is an account from a reseller. I have reset the password twice in the last few days to a 10-char strong password, but this has not helped. I have emptied the queue and removed the emails, but it still has not stopped.

    ------------------------
    Currently I can see 43 mails in the queue:
    43 <dbstudios@domain.tld>

    -------------------------
    Emails Alerts received:
    The following users sent mail with SMTP auth over 100 times in the past hour (Jul 31 14:00):
    dbstudios@domain.tld 263

    The following users sent mail with SMTP auth from more than 3 hosts in the past hour:
    dbstudios@domain.tld 8

    They are potentially compromised accounts being used for spamming. Please check and suspend if required.

    [Removed - Please Exclude Real Domain Names and IP Addresses When Pasting Logs]

    Thanks
    Paul
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,393
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    The information you gave tells that the mails are sent through SMTP auth, so you have to check which script in the account is exactly triggering it. Check the logs:
    # grep '<account username>' /var/log/exim_mainlog | grep public_
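    The two alert thresholds quoted in the first post (over 100 SMTP-auth sends in an hour, more than 3 sending hosts) can be reproduced from exim_mainlog directly. The script below is an added example, not code from the thread or from cPanel; it assumes Exim's standard "<=" arrival-line format, where an SMTP-authenticated message carries an "A=<authenticator>:<user>" field and the client IP appears in square brackets, and it runs on a constructed sample log rather than a real file. Local script submissions carry "U=<user> P=local" and no "A=" field, so they are not counted, which is the distinction the reply above is drawing.

```python
import re
from collections import defaultdict

# Matches an Exim arrival line: timestamp, message id, "<=" sender, "[client-ip]", "A=auth:user".
# Lines without an A= field (for example local P=local script submissions) do not match.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?\[(?P<ip>[0-9a-fA-F.:]+)\]'
    r'.*? A=\w+:(?P<user>\S+)'
)

def summarise_auth_senders(lines):
    """Return {auth_user: {"count": n, "hosts": set_of_client_ips}} for SMTP-auth arrivals."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in lines:
        m = ARRIVAL_RE.search(line)
        if not m:
            continue  # not an authenticated SMTP arrival, skip
        entry = stats[m.group("user")]
        entry["count"] += 1
        entry["hosts"].add(m.group("ip"))
    return stats

def flag_suspicious(stats, max_msgs=100, max_hosts=3):
    """Apply the same two thresholds as the alert mail in the thread; returns {user: [reasons]}."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["count"] > max_msgs:
            reasons.append(f"{s['count']} messages (> {max_msgs})")
        if len(s["hosts"]) > max_hosts:
            reasons.append(f"{len(s['hosts'])} hosts (> {max_hosts})")
        if reasons:
            flagged[user] = reasons
    return flagged

def build_sample_log():
    """Constructed sample (documentation IP ranges): one abused account, one normal user, one script."""
    ips = ["203.0.113.5", "198.51.100.7", "192.0.2.9", "203.0.113.44", "198.51.100.80"]
    lines = [
        f"2017-07-31 14:{i % 60:02d}:00 1dbs{i:02d}-0003Fr-Aa <= dbstudios@domain.tld "
        f"H=(mail) [{ips[i % len(ips)]}]:5{i:04d} P=esmtpsa A=dovecot_login:dbstudios@domain.tld S=2300"
        for i in range(110)
    ]
    lines.append("2017-07-31 14:05:00 1dbsZZ-0003Fr-Ab <= alice@domain.tld H=(laptop) [192.0.2.20]:50001 "
                 "P=esmtpsa A=dovecot_login:alice@domain.tld S=900")
    lines.append("2017-07-31 14:06:00 1dbsZY-0003Fr-Ac <= bob@domain.tld U=bob P=local S=700")
    return lines

if __name__ == "__main__":
    for user, reasons in flag_suspicious(summarise_auth_senders(build_sample_log())).items():
        print(user, "->", "; ".join(reasons))
```

    On a live server, feed it the output of `grep '<=' /var/log/exim_mainlog` for the hour in question; an account that trips the host-count rule after a password reset is still being authenticated from somewhere, which is the question the next post raises.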
     
  3. Paul Ward

    Paul Ward Member

    Joined:
    Nov 30, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Hello,

    I have grepped the maillog files but have no entries for this client. Also, this account does not have a web or PHP directory; when using find in the reseller's directory I can only see entries for mail.

    Interestingly, this morning I have no warning emails; the last one was last night at 17:00.
    This morning's log looks like below.
    I can see imap-login: Login: user=<dbstudios@example.net>; however, since I changed the password, is this a successful connection? I am also seeing spam being sent; is this perhaps spoofed mail that is returning to me?

    - Removed -
     
    #3 Paul Ward, Aug 1, 2017
    Last edited by a moderator: Aug 1, 2017
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,958
    Likes Received:
    1,274
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you review the link below and verify if any of the solutions on those threads help in your case?

    outgoingspam | cPanel Forums

    Thank you.
     