The Community Forums

Running PHP script, no way to stop it

Discussion in 'General Discussion' started by Roy@ENHOST, Oct 18, 2004.

  1. Roy@ENHOST

    Hi guys,

    I am running into a serious problem here.
    There is a script on my server that is using sendmail to send to the same email over and over again non-stop. And there is no way to stop them. Here is what I get when I do a tail -f /var/log/exim_mainlog:

    2004-10-18 05:39:12 1CJWnW-0002v2-43 <= nobody@intel.intelpentium4.com U=nobody P=local S=314
    2004-10-18 05:39:13 1CJWmW-0002kz-G3 => saladino182@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.253.99]
    2004-10-18 05:39:13 1CJWnW-0002v0-18 <= nobody@intel.intelpentium4.com U=nobody P=local S=320
    2004-10-18 05:39:13 1CJWnV-0002uy-Sw <= nobody@intel.intelpentium4.com U=nobody P=local S=314
    2004-10-18 05:39:13 1CJWmW-0002kz-G3 Completed
    2004-10-18 05:39:13 1CJWnW-0002v7-TR <= nobody@intel.intelpentium4.com U=nobody P=local S=314
    2004-10-18 05:39:13 1CJWmY-0002lJ-98 Failed to get write lock for /var/spool/exim/db/wait-remote_smtp.lockfile: timed out
    2004-10-18 05:39:13 1CJWmX-0002lE-QB Failed to get write lock for /var/spool/exim/db/wait-remote_smtp.lockfile: timed out
    2004-10-18 05:39:13 1CJWmY-0002lJ-98 => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.167.5]
    2004-10-18 05:39:13 1CJWmX-0002lE-QB => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.252.99]
    2004-10-18 05:39:13 1CJWmX-0002lE-QB Completed
    2004-10-18 05:39:13 1CJWmX-0002l9-DT => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.253.99]
    2004-10-18 05:39:13 1CJWmY-0002lJ-98 Completed
    2004-10-18 05:39:13 1CJWmX-0002l9-DT Completed
    2004-10-18 05:39:14 1CJWmX-0002lB-Lz => saladino182@hotmail.com R=lookuphost T=remote_smtp H=mx2.hotmail.com [65.54.252.230]
    2004-10-18 05:39:14 1CJWnX-0002vH-Ff <= nobody@intel.intelpentium4.com U=nobody P=local S=314
    2004-10-18 05:39:14 1CJWmX-0002lB-Lz Completed
    2004-10-18 05:39:14 1CJWnX-0002v9-44 <= nobody@intel.intelpentium4.com U=nobody P=local S=320
    2004-10-18 05:39:14 1CJWmZ-0002lV-Ph => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.167.5]
    2004-10-18 05:39:14 1CJWnX-0002vF-C7 <= nobody@intel.intelpentium4.com U=nobody P=local S=314
    2004-10-18 05:39:14 1CJWmZ-0002lV-Ph Completed
    2004-10-18 05:39:14 1CJWnY-0002vQ-4h <= nobody@intel.intelpentium4.com

    Thanks in advance for taking the time to check out this problem.
     
  2. Aric1

    You sound like you know what script it is... to stop it is easy... remove it. They can't use a script to send mail if it isn't there anymore. ;)

    If you don't know where the script is... take a look at these messages in your mail queue. If you have exim set to do so, it adds several X headers that append info that can help you track down the problem. In fact, it will actually list the script used and its location.

    Then just remove the offending script and contact the owner of the account. Likely they are using an insecure mailing script and a spammer is taking advantage of this.
     
  3. LiNUxG0d

    Just for the heck of it, add this to your /etc/exim.conf after "hostlist auth_relay_hosts = *"

    log_selector = \
    +address_rewrite \
    +all_parents \
    +arguments \
    +connection_reject \
    +delay_delivery \
    +delivery_size \
    +dnslist_defer \
    +incoming_interface \
    +incoming_port \
    +lost_incoming_connection \
    +queue_run \
    +received_sender \
    +received_recipients \
    +retry_defer \
    +sender_on_delivery \
    +size_reject \
    +skip_delivery \
    +smtp_confirmation \
    +smtp_connection \
    +smtp_protocol_error \
    +smtp_syntax_error \
    +subject \
    +tls_cipher \
    +tls_peerdn

    In my opinion, default Exim 4 doesn't run enough logging. This way, you can see what's going out, from where, sizes, subjects, scripts that execute the mail send, etc.

    Pretty cool! :)

    LMK!
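As an added illustration of the two tips above (Aric1's advice to trace the injecting script and LiNUxG0d's extended log_selector), and not code from the thread or from cPanel, here is a small Python parser for exim_mainlog. It reads the default "<=" arrival and "=>" delivery lines in the format shown in the opening post, plus the "cwd=... N args: ..." lines that Exim writes only when the +arguments selector is on. The script path /home/exampleacct/public_html/contact, the sender alice@example.org and the exact layout of the cwd lines are assumptions made for the sample; the rest of the sample log is taken from the thread.

```python
import re
from collections import Counter

# Constructed sample: arrival/delivery lines copied from the thread, two assumed
# "cwd=... args:" lines (only present with log_selector +arguments) and one
# normal user's message so the flagging logic has something to leave alone.
SAMPLE_LOG = """\
2004-10-18 05:39:12 1CJWnW-0002v2-43 <= nobody@intel.intelpentium4.com U=nobody P=local S=314
2004-10-18 05:39:13 cwd=/home/exampleacct/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:13 1CJWmW-0002kz-G3 => saladino182@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.253.99]
2004-10-18 05:39:13 1CJWnW-0002v0-18 <= nobody@intel.intelpentium4.com U=nobody P=local S=320
2004-10-18 05:39:13 1CJWnV-0002uy-Sw <= nobody@intel.intelpentium4.com U=nobody P=local S=314
2004-10-18 05:39:13 1CJWmW-0002kz-G3 Completed
2004-10-18 05:39:13 1CJWmY-0002lJ-98 Failed to get write lock for /var/spool/exim/db/wait-remote_smtp.lockfile: timed out
2004-10-18 05:39:13 1CJWmY-0002lJ-98 => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.167.5]
2004-10-18 05:39:13 1CJWmX-0002lE-QB => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx1.hotmail.com [65.54.252.99]
2004-10-18 05:39:14 cwd=/home/exampleacct/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2004-10-18 05:39:14 1CJWnX-0002vH-Ff <= nobody@intel.intelpentium4.com U=nobody P=local S=314
2004-10-18 05:39:14 1CJWmZ-0002lV-Ph => lcvck19_@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.167.5]
2004-10-18 05:39:15 1CJWnZ-0002vR-00 <= alice@example.org U=alice P=local S=900
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
ARRIVAL_RE = re.compile(TS + r" (?P<mid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY_RE = re.compile(TS + r" (?P<mid>\S+) => (?P<rcpt>\S+)(?P<rest>.*)$")
# Assumed shape of the +arguments line: "cwd=<dir> <n> args: <argv...>"
ARGS_RE = re.compile(TS + r" cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
KV_RE = re.compile(r"\b([A-Z])=(\S+)")  # U=nobody P=local S=314 ...


def parse_mainlog(text):
    """Split a mainlog into arrivals ('<='), deliveries ('=>') and script runs ('cwd=')."""
    arrivals, deliveries, script_runs = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ARRIVAL_RE.match(line)
        if m:
            kv = dict(KV_RE.findall(m.group("rest")))
            arrivals.append({"id": m.group("mid"), "sender": m.group("sender"),
                             "user": kv.get("U"), "proto": kv.get("P"),
                             "size": int(kv.get("S", 0))})
            continue
        m = DELIVERY_RE.match(line)
        if m:
            deliveries.append({"id": m.group("mid"), "rcpt": m.group("rcpt")})
            continue
        m = ARGS_RE.match(line)
        if m:
            script_runs.append({"cwd": m.group("cwd"), "args": m.group("args")})
        # "Completed", lock-timeout and other lines are ignored
    return arrivals, deliveries, script_runs


def flag_local_floods(arrivals, threshold=3):
    """Messages injected locally (P=local) per (sender, unix user).

    A web script runs as the web server user ('nobody' in the thread), so many
    local injections from that user in a short window is the pattern to look for.
    """
    counts = Counter((a["sender"], a["user"]) for a in arrivals if a["proto"] == "local")
    return {key: n for key, n in counts.items() if n >= threshold}


def top_recipients(deliveries, threshold=3):
    """Recipients hit repeatedly, like the two hotmail addresses in the thread."""
    counts = Counter(d["rcpt"] for d in deliveries)
    return {rcpt: n for rcpt, n in counts.items() if n >= threshold}


def suspect_scripts(script_runs):
    """Group sendmail invocations by working directory: with +arguments on, this
    is the directory holding the script, which tells you which account to contact."""
    return Counter(run["cwd"] for run in script_runs)


if __name__ == "__main__":
    arrivals, deliveries, runs = parse_mainlog(SAMPLE_LOG)
    print("local floods:", flag_local_floods(arrivals))
    print("hammered recipients:", top_recipients(deliveries))
    print("script directories:", dict(suspect_scripts(runs)))
```

Run it against a real log with `parse_mainlog(open("/var/log/exim_mainlog").read())`; the thresholds are deliberately low for the short sample and should be raised for a busy server. The cwd grouping only works once the +arguments selector from the post above is active, which is why that selector is the one that matters most for this kind of hunt.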
     
  4. Marty

    I just tested this by going to the exim advanced configuration editor in WHM and putting it in the very first text box at the top of the exim configuration file. It seems to work there as well.
     
  5. LiNUxG0d

    Yep!

    I'm just a shell-whore, so, y'know... ;) I post what works for me. :) Definitely though, you're right. I believe cPanel should consider adding an exim "Logging" feature for enhanced logging. It can be VERY handy.

    Like, when you:

    tail -f /var/log/exim_mainlog | grep viagra

    ;)

    You could even create your own spam scanner if you wanted at that point. ;)

    Glad you gave it a whirl. LMK if you think it's handy.

    J
     
  6. Marty

    Yea, I do most from shell, but I figured if it worked through the WHM configuration editor, I wouldn't have to worry about cpanel updates overwriting it. I have sent a few messages from scripts, and the logging is really good. It gives you the complete path to the script and all arguments that were used by that script to execute sendmail.
     
  7. LiNUxG0d

    Sweetness. :)

    Enjoy!

    Wait, are you telling me that editing exim.conf through the WHM prevents over-writes?! EGAD! I never knew that!!!

    Can you confirm this? We have a script copying a ghosted version over after CP updates.

    Let me know.
     
  8. nickn

    That's the point of it. Whatever you put into the WHM Exim text fields will be replaced on upgrades, as opposed to what you put directly in the exim.conf, which is erased :)
     
  9. Roy@ENHOST

    Kicks major ass.
    This is really good stuff.
    Wonder why Cpanel doesn't make it the default configuration.
     
  10. LiNUxG0d

    Hopefully, if this thread makes enough waves, they'll add an option. Frankly, I don't know why they don't add some extensive exim features.

    They could add easy blacklist editing, DNS-based SBLs (Spamcop, Spamhaus, SORBS) and others. I don't see why they don't do it.

    Best example, one specific IP is sending lots of mail to my server for "Viagra", why can't I just go into cPanel WHM, add an IP to a Blacklist Hostlist (ACL) and then boom, blocked from sending mail to my machine.

    Bill Gates once commented in an interview saying, "I don't release new versions of my software to fix bugs, but to implement features."

    In my mind, I hope cPanel takes into consideration that Mail/Spam plays a SERIOUS role in everyday internet life and it should be offered some flexibility. :)

    I'm glad I could provide some advanced features for all to see. I might just add a new thread altogether, repeating them. :)

    Warmest regards,

    J
    Kiosk.ws
     
  11. Marty


    That's exactly what I was saying, and yes, I can confirm that. As nickn said, that is the whole reason for the editing boxes in WHM.
     
  12. anand

    Adding exim features is one thing, blocking IPs is another. cPanel is a control panel and is present to assist. If you want to block an IP, just put in an iptables rule to drop all traffic from that IP.

    You can use the rule below to block all traffic from any IP:

    iptables -I INPUT -s SOURCEIP -j DROP

    Replace SOURCEIP with the IP you want to block traffic from.
     
  13. anand

    The whole idea of cPanel releasing the WHM exim editor was that any changes a user makes will survive any future cPanel/exim update. Even though the WHM exim editor offers limited changes, it still saves a lot of time in checking changes to exim.conf after every exim/cPanel update.
     
  14. Roy@ENHOST

    Right, great, my post got stickied. :(

    Now everybody knows how terrible I am at server management.. :(
    But I'm a skinner, not an Apache prodigy, so I guess it's understandable, yeah? :D
     
    #14 Roy@ENHOST, Nov 4, 2004
    Last edited: Nov 9, 2004