did you checked if the account is infected with malicious script ? .. scan the website data with clamav or maldet and see what you get.
You yourself may want to study up a bit as the answer lies right within the logs he posted, no need to have him go on a wild good chase.
Anytime there is spam coming from the server, there will be 1 of 2 ways, in most cases anyway.
1. Spam coming from someone using SMTP authentication with an actual email account, in most cases this is from a weak password.
2. Someone sending POST requests to a PHP script
How do you distinguish between the two?
Easy..
1. Spam being sent via SMTP authentication, we can use the OPs example.. This line says it all:
2016-11-11 13:18:28 1c5GPE-00061S-2f <=
[email protected] H=(
www.domain.com) [95.173.172.82]:59161 P=esmtpsa X=TLSv1:ECDHE-RSA-AES256-SHA:256 CV=no A=dovecot_login:
[email protected] S=1476
[email protected] T="4 Waiting Quick F#ck Request" for
[email protected]
and more specifically this part "A=dovecot_login:
[email protected]".
This is someone authenticating with the account:
[email protected]
This is a good one liner you can use to check on the amount of authentications used per email:
Code:
head -1 /var/log/exim_mainlog | awk '{print $1}' ; egrep -o 'dovecot_login[^ ]+|dovecot_plain[^ ]+' /var/log/exim_mainlog | cut -f2 -d":" | sort|uniq -c|sort -nk 1 ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
Example output:
You can see between the dates 2016-11-06 and 2016-11-12 the account
[email protected] has auth'd 3383 times and compared to the others, its way above the average so its a good possibility its spamming. You can easily check those outgoing emails by grepping the same log file:
You can easily tell by the subject if they are spamming in most cases.
2. Finding out if the spam is coming from a PHP script, example of an email from a PHP script via the exim_mainlog:
Code:
2016-11-12 19:59:25 cwd=/home/user/public_html 3 args: /usr/sbin/sendmail -t -i
2016-11-12 19:59:25 1c5k4r-003iYa-6K <= [email protected] U=user P=local S=25164 T=Some spam subject" for [email protected]
2016-11-12 19:59:25 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1c5k4r-003iYa-6K
2016-11-12 19:59:25 1c5k4r-003iYa-6K SMTP connection outbound 1479002365 1c5k4r-003iYa-6K poor.soul [email protected]
2016-11-12 19:59:25 SMTP connection from [x.x.x.x]:46374 (TCP/IP connection count = 3)
2016-11-12 19:59:27 1c5k4r-003iYa-6K => [email protected] R=lookuphost T=remote_smtp H=mx.domain.com [x.x.x.x] X=TLSv1.2:AES128-SHA:128 CV=yes C="250 Message received"
2016-11-12 19:59:27 1c5k4r-003iYa-6K Completed
This time around, you can see there is no "A=dovecot_login" anywhere within the log, however the first line you can see it starts off with
Code:
cwd=/home/user/public_html
Although it doesn't tell you the exact script, its telling you the location from where the mail is being sent from.
A good one liner to use to track down spam scripts, this one liner will show you each time the PHP script is posted to and recorded in the log.
Code:
head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
Example:
Code:
[email protected] [~]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
2016-11-06
195674 cwd=/home/someuser99/public_html/wp-content/plugins/wpgform
155601 cwd=/home/someuser99/public_html/blog/wp-admin/network
1945 cwd=/home/someuser662
1665 cwd=/home/someuser233/public_html/charm/forum
969 cwd=/home/someuser1
114 cwd=/home/someuser51/public_html/domain.com/shop
97 cwd=/home/someuser1/public_html/CupOfGossip
42 cwd=/home/someuser23/public_html/blog
40 cwd=/home/someuser2313/public_html/blog
26 cwd=/home/someuser54/public_html
24 cwd=/home/someuser12/public_html/domain.com/shop/wp-admin
2016-11-12
I think its pretty clear here that there is some spam coming from the top 2 directories.
A super easy way to pin point which scripts they are.. example using the above results:
Code:
grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
This will grepo all the POST requests and sort them by the amount of times each PHP script has been hit, example:
Code:
[email protected][~]# grep POST /home/someuser99/access-logs/* | awk '{print $7}' | sort | uniq -c | sort -n
1 /wp-cron.php?doing_wp_cron=1478973503.4872438907623291015625
1 /wp-cron.php?doing_wp_cron=1478975746.5134899616241455078125
2 /wp-content/themes/accesspress-lite/slide-menues.php
3 /wp-admin/
3 /wp-login.php?redirect_to=http%3A%2F%2Fwww.domain.com%2Fwp-admin%2F&reauth=1
8 /xmlrpc.php
650 /wp-content/plugins/wpgform/test44.php
2461 /wp-login.php
The culprit being: /wp-content/plugins/wpgform/test44.php
Hope this helps!
