Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Server Sending Spam Problem

Discussion in 'E-mail Discussion' started by drupalin, Dec 30, 2016.

Tags:
  1. drupalin

    drupalin Registered

    Joined:
    Dec 30, 2016
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Madrid
    cPanel Access Level:
    Root Administrator
    Hi everyone, i´m kind of desesperate, my server sends spam from email acounts very similar to the real one.

    Real Mail Account: info@example.com

    Spammers:
    info115@example.com
    info116@example.com
    info117@example.com
    info118@example.com
    info119@example.com
    ....

    After of write this: grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

    I get this details:
    Code:
    1 /home/biovidrio/public_html

1 /home/meollo/public_html

1 /home/tyd/public_html

1 /home/webes/public_html/base

1 /home/webes/public_html/clinicadental

1 /home/webes/public_html/serviamb

1 /var/log

2 /home/adventurerooms/public_html

2 /home/webes/public_html/tienda

3 /home/enigmabohemia/public_html

3 /home/legionella/public_html

4 /home/ruraly/public_html

4 /home/webes/public_html

4 /home/webtematica/public_html

5 /home/actormania/public_html

5 /home/albertogorgojo/public_html

5 /home/algodonmerlin/public_html

5 /home/antonioaznar/public_html

5 /home/elperiodismo/public_html

5 /home/fisioterapia/public_html

5 /home/fontanerosmadrid/public_html

5 /home/inmobiliaria/public_html

5 /home/kristianboys/public_html

5 /home/serviamb/public_html

6 /home/disenowebmadrid/public_html

7 /home/costurasnontol/public_html

7 /home/cursoderevit/public_html

8 /tmp

14 /home/portalclasico/public_html

78 /

110 /usr/local/apache/domlogs/portalclasico

181 /home

960 /root

6748 /usr/local/cpanel/whostmgr/docroot
    So it seems its root user witch sends spam, but i can not find a way to get the spammer script


    Thanks very much
     
    #1 drupalin, Dec 30, 2016
    Last edited by a moderator: Dec 30, 2016
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    604
    Likes Received:
    43
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    It's seems the mail sending from account using php mail script. I think there is infected file under the account which is sending mails.

    Please try to check logs using below command so that you will get account account which is sending mail.

    Code:
    tail -n2000 /var/log/exim_mainlog|grep /home/
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 SysSachin, Dec 30, 2016
  3. drupalin

    drupalin Registered

    Joined:
    Dec 30, 2016
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Madrid
    cPanel Access Level:
    Root Administrator
    Thanks for the replay, i´m only get this details:

    Code:
    2016-12-30 11:42:37 [3507] cwd=/home/someusr/public_html 4 args: /usr/sbin/sendmail -t -i -finfo@example.com
     
    #3 drupalin, Dec 30, 2016
    Last edited by a moderator: Dec 30, 2016
  4. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    604
    Likes Received:
    43
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 SysSachin, Dec 30, 2016
  5. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    779
    Likes Received:
    274
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Remember this may not be an infected script, and may not be detected by antivirus or malware detection software.

    Check for things like unpatched versions ( eg PHPMailer that has just had 2 critical updates in 3 days, and which may well be being actively exploited.) and any other php scripts that might be installed.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 rpvw, Dec 30, 2016
  6. drupalin

    drupalin Registered

    Joined:
    Dec 30, 2016
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Madrid
    cPanel Access Level:
    Root Administrator
    Thanks for the replay, i check with malded and clam, but not show results, about PHPMailer, not know what to do or update

    Any ideas, thanks very much in advance and happy new year
     
    #6 drupalin, Dec 30, 2016
    Last edited by a moderator: Dec 31, 2016
  7. drupalin

    drupalin Registered

    Joined:
    Dec 30, 2016
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Madrid
    cPanel Access Level:
    Root Administrator
    I repeat the grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n and this is the result

    Code:
    1
      1 /home/actormania/public_html
      1 /home/albertogorgojo/public_html
      1 /home/algodonmerlin/public_html
      1 /home/antonioaznar/public_html
      1 /home/costurasnontol/public_html
      1 /home/cursoderevit/public_html
      1 /home/disenowebmadrid/public_html
      1 /home/elperiodismo/public_html
      1 /home/enigmabohemia/public_html
      1 /home/fisioterapia/public_html
      1 /home/fontanerosmadrid/public_html
      1 /home/inmobiliaria/public_html
      1 /home/kristianboys/public_html
      1 /home/ruraly/public_html
      1 /home/serviamb/public_html
      1 /home/webes/public_html
      3 /home/webtematica/public_html
    164 /root
    318 /
   3700 /usr/local/cpanel/whostmgr/docroot
     
    #7 drupalin, Jan 1, 2017
  8. NOC_Serverpoint

    NOC_Serverpoint Well-Known Member

    Joined:
    Jul 3, 2016
    Messages:
    102
    Likes Received:
    6
    Trophy Points:
    18
    cPanel Access Level:
    Website Owner
    Hi,

    Following command that will show you the script which is using script to send the email. If it is from php then use


    # egrep -R "X-PHP-Script" /var/spool/exim/input/*

    Thanks,
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 NOC_Serverpoint, Jan 3, 2017
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,885
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    The following document is a good place to start:

    How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

    In particular, review the section titled "Experimental: Rewrite From: header to match actual sender":

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 cPanelMichael, Jan 6, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - Server Sending Spam
  1. sarwhost

    Server is sending spam

    sarwhost, Jul 1, 2017, in forum: E-mail Discussion
    Replies:
    5
    Views:
    1,341
    cPanelMichael
    Jul 3, 2017
  2. Shood

    Prevent users from sending emails that gets server IP blocked?

    Shood, Sep 14, 2018, in forum: E-mail Discussion
    Replies:
    8
    Views:
    128
    Shood
    Sep 21, 2018 at 3:49 AM
  3. Kyle Eadie

    Server gets no return TCP packets when sending to cPanel server

    Kyle Eadie, Dec 5, 2017, in forum: Security
    Replies:
    7
    Views:
    312
    Kyle Eadie
    Dec 6, 2017
  4. greatwitenorth

    SOLVED DNS only server sending email about backups

    greatwitenorth, Nov 9, 2017, in forum: Data Protection
    Replies:
    7
    Views:
    479
    cPanelMichael
    Nov 20, 2017
  5. David_spm

    Mail not working on server (sending and receiving)

    David_spm, Oct 13, 2017, in forum: E-mail Discussion
    Replies:
    6
    Views:
    933
    cPWilliamL
    Oct 18, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice