Server Sending Spam Problem

drupalin

Hi everyone, I'm kind of desperate, my server sends spam from email accounts very similar to the real one.

Real Mail Account: [email protected]

Spammers:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
....

After running this: grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n

I get these details:
Code:
1 /home/biovidrio/public_html
1 /home/meollo/public_html
1 /home/tyd/public_html
1 /home/webes/public_html/base
1 /home/webes/public_html/clinicadental
1 /home/webes/public_html/serviamb
1 /var/log
2 /home/adventurerooms/public_html
2 /home/webes/public_html/tienda
3 /home/enigmabohemia/public_html
3 /home/legionella/public_html
4 /home/ruraly/public_html
4 /home/webes/public_html
4 /home/webtematica/public_html
5 /home/actormania/public_html
5 /home/albertogorgojo/public_html
5 /home/algodonmerlin/public_html
5 /home/antonioaznar/public_html
5 /home/elperiodismo/public_html
5 /home/fisioterapia/public_html
5 /home/fontanerosmadrid/public_html
5 /home/inmobiliaria/public_html
5 /home/kristianboys/public_html
5 /home/serviamb/public_html
6 /home/disenowebmadrid/public_html
7 /home/costurasnontol/public_html
7 /home/cursoderevit/public_html
8 /tmp
14 /home/portalclasico/public_html
78 /
110 /usr/local/apache/domlogs/portalclasico
181 /home
960 /root
6748 /usr/local/cpanel/whostmgr/docroot
So it seems it's the root user which sends spam, but I cannot find a way to get the spammer script.


Thanks very much

SysSachin

Hello,

It seems the mail is being sent from an account using a PHP mail script. I think there is an infected file under the account which is sending mails.

Please try to check the logs using the command below so that you will get the account which is sending mail.

Code:
tail -n2000 /var/log/exim_mainlog|grep /home/

rpvw

Remember this may not be an infected script, and may not be detected by antivirus or malware detection software.

Check for things like unpatched versions (e.g. PHPMailer, which has just had 2 critical updates in 3 days and which may well be being actively exploited) and any other PHP scripts that might be installed.
 

drupalin

Thanks for the reply, I checked with maldet and clam, but they show no results; about PHPMailer, I don't know what to do or update.

Any ideas? Thanks very much in advance and happy new year.

drupalin

I repeated the grep cwd /var/log/exim_mainlog|grep -v /var/spool|awk -F"cwd=" '{print $2}'|awk '{print $1}'|sort|uniq -c|sort -n and this is the result:

Code:
1
      1 /home/actormania/public_html
      1 /home/albertogorgojo/public_html
      1 /home/algodonmerlin/public_html
      1 /home/antonioaznar/public_html
      1 /home/costurasnontol/public_html
      1 /home/cursoderevit/public_html
      1 /home/disenowebmadrid/public_html
      1 /home/elperiodismo/public_html
      1 /home/enigmabohemia/public_html
      1 /home/fisioterapia/public_html
      1 /home/fontanerosmadrid/public_html
      1 /home/inmobiliaria/public_html
      1 /home/kristianboys/public_html
      1 /home/ruraly/public_html
      1 /home/serviamb/public_html
      1 /home/webes/public_html
      3 /home/webtematica/public_html
    164 /root
    318 /
   3700 /usr/local/cpanel/whostmgr/docroot
 

cPanelMichael

Hello,

The following document is a good place to start:

How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation

In particular, review the section titled "Experimental: Rewrite From: header to match actual sender":

Experimental: Rewrite From: header to match actual sender
Any local cPanel user can use the 127.0.0.1 IP address to send mail without authentication. This can make it difficult for system administrators to determine which cPanel account sent the mail, especially when a malicious user spoofs an email address to disguise the origin of the email.

To require cPanel & WHM to put the actual sender in the header, enable the Experimental: Rewrite From: header to match actual sender option in WHM's Exim Configuration Manager interface (Home >> Exim Service Configuration >> Exim Configuration Manager).

After you enable this feature, you will see output that is similar to the following in the /var/log/exim_mainlog file:

2014-04-23 08:09:52 1Wcwvu-0000On-Sb From: header (rewritten was: [[email protected]], actual sender is not the same system user) original=[[email protected]] actual_sender=[[email protected]]
The actual_sender portion of the log entry shows that spammer is the cPanel account that sent the email. This information allows the system administrator to take action against the account to prevent additional spam.
Thank you.
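The two log-reading steps in this thread, the cwd count from drupalin's grep/awk pipeline and the actual_sender extraction from the "Rewrite From: header" line quoted above, done in one small Python script. This is an added example, not code from the thread or from cPanel; the log lines are constructed samples in exim_mainlog style, and the account and domain names in them are invented.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/exim_mainlog (not from any real server).
SAMPLE_LOG = """\
2016-12-30 09:10:11 cwd=/home/webes/public_html 3 args: /usr/sbin/sendmail -t -i
2016-12-30 09:10:12 cwd=/home/webes/public_html 3 args: /usr/sbin/sendmail -t -i
2016-12-30 09:10:13 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1cN9aB-0001Xy-Qz
2016-12-30 09:10:14 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2016-12-30 09:10:15 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/sendmail -t -i
2016-12-30 09:10:16 1cN9aC-0001Xz-R0 From: header (rewritten was: [info@example.com], actual sender is not the same system user) original=[info@example.com] actual_sender=[webes@server.example.com]
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
REWRITE_RE = re.compile(r"original=\[([^\]]+)\] actual_sender=\[([^\]]+)\]")


def count_by_cwd(log_text, exclude_prefix="/var/spool"):
    """Same result as grep cwd | grep -v /var/spool | awk ... | sort | uniq -c:
    number of message submissions per working directory, skipping Exim's own
    queue-runner entries under /var/spool."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith(exclude_prefix):
            counts[m.group(1)] += 1
    return counts


def cpanel_account(cwd):
    """Map a cwd under /home/<user>/... to the cPanel account name; None for
    paths such as /root, /tmp or / that belong to no account."""
    parts = cwd.split("/")
    if len(parts) > 2 and parts[1] == "home" and parts[2]:
        return parts[2]
    return None


def rewritten_senders(log_text):
    """Collect (original From: address, actual_sender) pairs written by the
    'Rewrite From: header to match actual sender' option, so a spoofed From:
    address can be traced back to the account that really submitted the mail."""
    pairs = []
    for line in log_text.splitlines():
        m = REWRITE_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


if __name__ == "__main__":
    for cwd, n in sorted(count_by_cwd(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{n:6d} {cwd}  account={cpanel_account(cwd)}")
    for original, actual in rewritten_senders(SAMPLE_LOG):
        print(f"From: {original} was really submitted by {actual}")
```

Run it against the real file with `count_by_cwd(open("/var/log/exim_mainlog").read())`; directories with a high count that map to no account (None) are the ones to inspect by hand.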