Lillike

Well-Known Member
May 29, 2018
46
2
8
Hungary
cPanel Access Level
Root Administrator
I have a problem with my SMTP.
We have not got a campaign, etc. In general we use 0.5-2% of the limit, but some days ago this changed. Here is the history.

SMTP Relay History
DATE USED LIMIT PERCENT
2018-05-30 5000 5000 100.0%
2018-05-29 0 5000 0.0%
2018-05-28 0 5000 0.0%
2018-05-27 0 5000 0.0%
2018-05-26 0 5000 0.0%
2018-05-25 5000 5000 100.0%
2018-05-24 5000 5000 100.0%
2018-05-23 5000 5000 100.0%
2018-05-22 5000 5000 100.0%
2018-05-21 5000 5000 100.0%
2018-05-20 0 5000 0.0%
2018-05-19 2 5000 0.04%
2018-05-18 2053 5000 41.06%
2018-05-17 44 5000 0.88%
2018-05-16 21 5000 0.42%
2018-05-15 45 5000 0.9%
2018-05-14 42 5000 0.84%
2018-05-13 26 5000 0.52%
2018-05-12 20 5000 0.4%
2018-05-11 7 5000 0.14%
2018-05-10 24 5000 0.48%
2018-05-09 40 5000 0.8%
2018-05-08 111 5000 2.22%
2018-05-07 44 5000 0.88%
2018-05-06 30 5000 0.6%
2018-05-05 94 5000 1.88%
2018-05-04 118 5000 2.36%
2018-05-03 51 5000 1.02%
2018-05-02 67 5000 1.34%
2018-05-01 57 5000 1.14%
2018-04-30 54 5000 1.08%
2018-04-29 36 5000 0.72%
2018-04-28 27 5000 0.54%
2018-04-27 12 5000 0.24%
2018-04-26 8 5000 0.16%
2018-04-25 15 5000 0.3%
2018-04-24 7 5000 0.14%
2018-04-23 0 5000 0.0%
2018-04-22 0 5000 0.0%
2018-04-21 0 5000 0.0%
2018-04-20 21 5000 0.42%
2018-04-19 11 5000 0.22%
2018-04-18 13 5000 0.26%
2018-04-17 30 5000 0.6%
2018-04-16 18 5000 0.36%
2018-04-15 2 5000 0.04%
2018-04-14 11 5000 0.22%
2018-04-13 14 5000 0.28%
2018-04-12 49 5000 0.98%
2018-04-11 25 5000 0.5%
2018-04-10 34 5000 0.68%
2018-04-09 44 5000 0.88%
2018-04-08 6 5000 0.12%
2018-04-07 8 5000 0.16%
2018-04-06 26 5000 0.52%
2018-04-05 15 5000 0.3%
2018-04-04 37 5000 0.74%
2018-04-03 20 5000 0.4%
2018-04-02 21 5000 0.42%
2018-04-01 10 5000 0.2%

Exim stopped and I had to restart it on May 30th, but now SMTP relay usage is full.
Now Exim is sending emails but does NOT receive any...

Please advise.
 

Lillike

As I wrote, Exim was dead but is now running.
Naturally the sending of emails is limited.

The root (Cron Daemon) sends me many emails.

Here's:

Code:
Date:
Thu, 31 May 2018 05:42:01 -0700
From:
[email protected] (Cron Daemon)
To:
[email protected]



--2018-05-31 05:41:01-- http://example.com/zz1.php?reboot=yes
Resolving example.com... 192.xxxxx
Connecting to example.com|192.xxxx|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “zz1.php?reboot=yes.5868”

0K 2.21K=0.4s

2018-05-31 05:42:01 (2.21 KB/s) - “zz1.php?reboot=yes.5868” saved [943]
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator
A quick Google search for zz1.php turned up lots of sites (most seemed to be WordPress) and indexes, with a fair number marked with the "This site may be hacked" tag.

You should probably investigate to see if that file exists in any of your users' file-sets, and take appropriate action if you find it.

I did find one site that still had the zz1.php file available, and when run it produced the following output:
Code:
crontab: installing new crontab 28454 good...
pero53 28454 2445 0.0 294608 89080 ? Sl 01:59 21945:45 ./cnrig -o 5.61.46.146:80 --donate-level=1
Things like that would make me very nervous.
 

Lillike

Today the server's over quota... :(
ClamAv installed and working...
zz1.php... over.


Mail delivery reports checked. A lot of files found with the following messages:
SMTP error from remote mail server after initial connection: 554 p3plsmtpout00xxx.prod.phx3.secxx.net : HOSTING RELAY : Pn5Jf0EURyedJ : DED : You've reached your daily relay quota - 192.xxxx


Before the above messages:
Event: defer warning
Sender User: gc
Sender Domain: gc.com
From Address: [email protected]
Sender: gc
Sent Time: Jun 4, 2018, 12:51:12 PM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score:
Recipient: [email protected]
Delivered To:
Delivery User: -system-
Delivery Domain:
Router: send_to_smart_host
Transport: remote_smtp
Out Time: Jun 4, 2018, 5:07:17 PM
ID: 1fPn4s-0005Zl-Cg
Delivery Host:
Delivery IP:
Size: 11.96 KB
Result: retry time not reached for any host for 'mail.ru'

(All notices are from the same domain, and the recipients are from RU.)

Sent Summary Report from 6/1 to 6/5.
Domain User Successful Deferrals Failures Failed and Deferred Total Messages Data Sent
gc.com gc 211 1,095,507 35,783 1,131,290 10,738 542.97 KB
root 30 236 6 242 18 774.79 KB


Please advise.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
Hi @Lillike

It sounds like you still have a compromised PHP script on the account. What is the output of the following:

Code:
exigrep 1fPn4s-0005Zl-Cg /var/log/exim_mainlog
 

Lillike

A long list received with the following (it's not all):


[email protected] [email protected] nikolay.kamenskiy@list.ru [email protected] [email protected]
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 03:51:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1fPn4s-0005Zl-Cg

+++ 1fPn4s-0005Zl-Cg has not completed +++
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= [email protected] U=gc P=local S=12242 i[email protected]nce.ru T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for [email protected] [email protected] [email protected] [email protected] [email protected] sant[email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] nikolay.kamenskiy@list.ru [email protected] [email protected]
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'rambler.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'yandex.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'rambler.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 04:03:58 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'gmail.com'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 06:02:38 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'yandex.ru'
/bin/bash: -c: line 0: syntax error near unexpected token `('
/bin/bash: -c: line 0: `lessecho -p0x22 -d0x22 -e\\ -n0x3b -n0x20 -n0x2a -n0x3f -n0x9 -n0xa -n0x27 -n0x22 -n0x28 -n0x29 -n0x3c -n0x3e -n0x5b -n0x5d -n0x7c -n0x26 -n0x5e -n0x60 -n0x23 -n0x5c -n0x24 -n0x25 -n0x3d -n0x7e -- -0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not

2018-06-04 08:07:49 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
 

cPanelLauren

Hi @Lillike

Can you run the command again but omit these lines?

Code:
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == [email protected] R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
 


Lillike

rpvw: ClamAv, ModSecurity, firewall etc. are working...

Lauren:

I ran the command exigrep 1fPn4s-0005Zl-Cg /var/log/exim_mainlog:

+++ 1fPn4s-0005Zl-Cg has not completed +++
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= [email protected] U=gc P=local S=12242 [email protected] T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] .....
 

cPanelLauren

Hi @Lillike

This shows us that the user gc is sending mail, but most likely a script is responsible for it. Since the message hasn't been sent yet, you can view the headers:

Code:
exim -Mvh 1fPn4s-0005Zl-Cg
But ultimately what you need to find is where the message originated from within the user's account.

Something we use to quickly identify the source of spam mail:
Code:
perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
It should point out where that mail is coming from though I think the entire gc user directory needs to be audited at this point.
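To make the exigrep output in this thread easier to read, here is an added example (my own code, not from the thread or from cPanel's tools): it parses Exim mainlog arrival ("<=") and defer ("==") lines, decodes the octal-escaped subject, and flags messages injected by a local process (P=local, i.e. a script or cron job rather than an authenticated mail client) to many recipients. The log lines and addresses in it are constructed, modelled on the ones posted above.

```python
import re
from collections import Counter

# CONSTRUCTED sample modelled on the thread's exigrep output (all addresses fake): one message
# injected locally by user gc to many .ru recipients, two of its defer lines, and one ordinary
# authenticated submission (P=esmtpa) for contrast.
SAMPLE_LOG = r"""
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg <= gc@gc.example U=gc P=local S=12242 id=x@gc.example T="\320\237\321\200\320\276\321\205\320\276\320\264\320\270 \320\276\320\277\321\200\320\276\321\201\321\213, \320\277\320\276\320\273\321\203\321\207\320\260\320\271 \320\264\320\265\320\275\321\214\320\263\320\270" for a@mail.ru b@list.ru c@gmail.com d@yandex.ru e@mail.ru
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == a@mail.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'mail.ru'
2018-06-04 03:51:06 1fPn4s-0005Zl-Cg == b@list.ru R=send_to_smart_host T=remote_smtp defer (-53): retry time not reached for any host for 'list.ru'
2018-06-04 04:00:00 1fPn5a-0001Ab-Zz <= alice@gc.example U=alice P=esmtpa S=2048 T="Invoice" for bob@partner.example
"""

# "<=" is a message arrival: U=<local user> P=<protocol> S=<size> ... T="<subject>" for <rcpts>
ARRIVAL = re.compile(r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<fields>.*?) '
                     r'T="(?P<subject>.*)" for (?P<rcpts>.+)$')
# "==" is one recipient's delivery being deferred
DEFER = re.compile(r'^\S+ \S+ (?P<id>\S+) == \S+ .*defer \(-?\d+\): (?P<reason>.*)$')

def decode_exim_escapes(text):
    """Exim logs non-printable bytes as \\ooo octal; rebuild the bytes and decode them as UTF-8."""
    raw = re.sub(rb"\\([0-7]{3})", lambda m: bytes([int(m.group(1), 8)]), text.encode("latin-1"))
    return raw.decode("utf-8", errors="replace")

def parse_mainlog(log_text):
    """Return {message_id: summary} built from arrival (<=) and defer (==) lines."""
    msgs = {}
    for line in log_text.strip().splitlines():
        m = ARRIVAL.match(line)
        if m:
            fields = dict(re.findall(r"(\w+)=(\S+)", m["fields"]))
            rcpts = m["rcpts"].split()
            msgs[m["id"]] = {
                "sender": m["sender"], "user": fields.get("U"), "protocol": fields.get("P"),
                "size": int(fields.get("S", 0)), "subject": decode_exim_escapes(m["subject"]),
                "recipients": rcpts, "deferred": 0,
                "rcpt_domains": Counter(r.rsplit("@", 1)[-1] for r in rcpts),
            }
            continue
        d = DEFER.match(line)
        if d and d["id"] in msgs:
            msgs[d["id"]]["deferred"] += 1
    return msgs

def flag_local_bulk(msgs, min_rcpts=10):
    """Ids of messages injected by a local process (P=local: a script or cron job rather than an
    authenticated SMTP client) to at least min_rcpts recipients, the pattern in the thread."""
    return sorted(mid for mid, s in msgs.items()
                  if s["protocol"] == "local" and len(s["recipients"]) >= min_rcpts)
```

Calling `flag_local_bulk(parse_mainlog(SAMPLE_LOG), 5)` returns only the gc message id, and its decoded subject reads "Проходи опросы, получай деньги" (Russian for "take surveys, get money"), which is the same octal string that appears in the exigrep output above. On a real server, feed it the output of exigrep or the mainlog itself and use the per-domain recipient counts to confirm the pattern before auditing the account.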