The Community Forums

Spam being sent from server. Can't trace route

Discussion in 'E-mail Discussions' started by samjsharples, Apr 11, 2015.

  1. samjsharples (Registered, UK)
    Hi

    I have spam being sent from an email on one of my accounts to a specific email address roughly every 10 minutes. I have changed the passwords etc. and now have an exim log, but I am unsure what's going on. It doesn't specify that a PHP script is being run. Any ideas?

    - Snipped -
     
    #1 samjsharples, Apr 11, 2015
    Last edited by a moderator: Apr 15, 2015
  2. noahbalboah (Registered, Lansing, MI)
    Hello. Run the command below; it'll tell you which directories, if any, are sending out spam from a script.

    grep -i cwd /var/log/exim_mainlog | grep home | awk '{print $3}' | sort | uniq -c | sort -n -k1 | tail -100

    It'll give a number on the left side, the higher the number, the more spam coming from that directory.
     
  3. 24x7server (Well-Known Member, India)
    As per the provided logs I can see your mails have been sent from your sales@xxx.co.uk account using the mail account password. So change this mail account's password and update your server settings with Prevent Email Abuse.
     
    #3 24x7server, Apr 11, 2015
    Last edited by a moderator: Apr 15, 2015
    madmanmachines likes this.
  4. samjsharples (Registered, UK)
    I already changed the password to a secure one. Would this mean that the computer that has the email account has a virus or something?
     
  5. noahbalboah (Registered, Lansing, MI)
    Most likely not. Have you checked for scripts sending out mail using the command I gave you? I'd double check that first. Otherwise, if it's being sent out by a single email account it's usually a compromised password.
     
  6. samjsharples (Registered, UK)
    I'm pretty new to this stuff. I'm using a Mac, so I have connected via SSH using Terminal, run the script you sent, and all I got was this:
    root@server [~]# grep -i cwd /var/log/exim_mainlog | grep home | awk '{print $3}' | sort | uniq -c | sort -n -k1 | tail -100
    1 [17933]
    1 [17934]
    1 [17937]
    1 [17939]
    1 [17949]
    1 [19453]
    1 [19460]
    1 [20490]
    1 [20494]
    1 [20616]
    1 [20621]
    1 [21921]
    1 [21963]
    1 [21972]
    1 [21982]
    1 [21991]
    1 [23123]
    1 [23258]
    1 [23263]
    1 [24124]
    1 [5297]
    1 [5302]
    1 [5734]
    1 [5739]
    root@server [~]#
     
  7. noahbalboah (Registered, Lansing, MI)
    Basically, it didn't find a script spamming on the server, so that's good news. Other than a script or a password compromise it might be hard to troubleshoot without knowing more information. Have you opened a cPanel ticket to see if they can login to your server and assist you?
     
  8. madmanmachines (Well-Known Member)
    Hi,

    The logs clearly show this was sent via password authentication and not a script.
    Code:
    A=dovecot_login:sales@xxx.co.uk
    A search for scripts sending mail is not needed. Simply update the password. The password may have been guessed or brute-forced by a hacker. I recommend using long 3-character-class passwords. As well, the password may have been obtained from a computer infected with malware. I recommend that you run a scan on all computers that are used to access this email account. As well, I recommend ensuring that all email clients are using the SSL connection details in their mail client, which are provided at cPanel > Email Accounts > More > Configure.

    Thanks,
     
  9. nisamudeen97 (Active Member, Cochin)
    Hi,

    The log you have provided itself says all the mails were sent via dovecot with SMTP authentication, hence there is no need to check for scripts used. Let me try to explain the log you have provided.

    The above log clearly shows the mail originated from the mail account "sales@xxx.co.uk". The variable "P=esmtpa" shows the mail account was authenticated to send this particular mail. The variable I shows the public IP from which the mail originated. In your case the mail originated from the public IP "78.109.xxx.xx", so the user at this public IP has used the authentication of "sales@xxx.co.uk" to send mail. The T denotes the subject of the message, so as per the above log the subject is "LAST e-mail for ACCOUNTNAME".

    If the mail was not supposed to be sent and went without your knowledge, this clearly shows a spammer has got the password of the mail account and exploited it. You have to change the password of the mail account with immediate effect. :)
     
    #9 nisamudeen97, Apr 14, 2015
    Last edited by a moderator: Apr 15, 2015
    madmanmachines likes this.
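As an added example, not from any poster in this thread: a small Python script that does what noahbalboah's pipeline (post 2) and nisamudeen97's field walk-through (post 9) do by hand, run over constructed sample lines whose format approximates exim_mainlog. It locates the cwd= token by name rather than by column (with PID logging enabled the "[pid]" field sits in column 3 and pushes cwd= one column right, which is what the output in post 6 shows), and it tallies authenticated submissions by account, source IP and subject. The hostnames, IPs, account names and message ids are all constructed.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (format approximated, not real logs).
# The first line shows the PID-logging layout: "[17933]" is field 3, so a fixed
# awk '{print $3}' prints the PID instead of the directory.
SAMPLE_LOG = """\
2015-04-11 10:24:48 [17933] cwd=/home/acct1/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2015-04-11 10:24:48 cwd=/home/acct1/public_html/wp-content 3 args: /usr/sbin/sendmail -t -i
2015-04-11 10:24:49 cwd=/home/acct2/public_html 3 args: /usr/sbin/sendmail -t -i
2015-04-11 10:25:02 1YgmPV-0004P0-2W <= sales@example.co.uk H=(host) [203.0.113.5]:51234 P=esmtpa A=dovecot_login:sales@example.co.uk S=1821 id=a1@example.co.uk T="LAST e-mail for ACCOUNTNAME" for victim@example.net
2015-04-11 10:35:07 1YgmZA-0004Q1-1B <= sales@example.co.uk H=(host) [203.0.113.5]:51300 P=esmtpa A=dovecot_login:sales@example.co.uk S=1819 id=a2@example.co.uk T="LAST e-mail for ACCOUNTNAME" for victim@example.net
2015-04-11 10:36:00 1YgmZZ-0004Q9-3C <= info@partner.example H=mail.partner.example [198.51.100.7] P=esmtps S=500 id=b1@partner.example T="Invoice" for someone@example.co.uk
"""

CWD_RE = re.compile(r"\bcwd=(/home/\S+)")
AUTH_RE = re.compile(r"<= \S+ .*?\[(?P<ip>[0-9a-fA-F.:]+)\].*?A=dovecot_(?:login|plain):(?P<acct>\S+)")
SUBJ_RE = re.compile(r' T="([^"]*)"')

def script_origins(log: str) -> Counter:
    """Count sendmail invocations per /home working directory, finding the
    cwd= token wherever it sits instead of assuming a fixed field."""
    c = Counter()
    for line in log.splitlines():
        m = CWD_RE.search(line)
        if m:
            c[m.group(1)] += 1
    return c

def authenticated_senders(log: str) -> Counter:
    """Count '<=' arrivals that used SMTP AUTH (A=dovecot_login:user),
    keyed by (account, source IP, subject); unauthenticated mail is skipped."""
    c = Counter()
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = SUBJ_RE.search(line)
        subject = s.group(1) if s else ""
        c[(m.group("acct"), m.group("ip"), subject)] += 1
    return c

if __name__ == "__main__":
    for d, n in script_origins(SAMPLE_LOG).most_common():
        print(f"{n:4d} script  {d}")
    for (acct, ip, subj), n in authenticated_senders(SAMPLE_LOG).most_common():
        print(f"{n:4d} auth    {acct} from {ip} subject={subj!r}")
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog; a high count for one (account, IP, subject) triple with a repeating subject is the password-compromise pattern described in posts 3, 8 and 9, while a high count for one directory is the script pattern post 2 looks for.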
  10. cPanelMichael (Forums Analyst, Staff Member)
    Hello,

    Feel free to update this thread with the outcome after changing the password of the email account, as advised in the previous posts.

    Thank you.
     