
Spam issue in Centos 5.2 Server

Discussion in 'E-mail Discussions' started by inertz, Apr 30, 2009.

  1. inertz

    inertz Member

    Recently one of my servers has had a SPAM issue.

    I suspect it is due to the CGI script, because the script causes high load and all of a sudden there are a lot of SPAM emails going out from the server. From the email source, I cannot determine where the email comes from, but for sure it is from the server IP.

    The command line trace from WHM is:

    /usr/bin/perl -w ./check.cgi

    Using grep and locate, I cannot find the file.

    Hope anybody can help.
     
  2. mtindor

    mtindor Well-Known Member

    updatedb
    locate check.cgi

    find / -name check.cgi

    That should help you locate it. If the script is sending mail out via a connection to Exim, you should be able to see references to the script in /var/log/exim_mainlog IF you have the appropriate Exim logging turned on:

    In WHM / Exim Configuration Editor / Advanced Editor
    - in the first box, you should have:

    log_selector = +arguments +subject

    If it is direct spam to the recipient mailservers bypassing Exim (using a Perl library to talk directly to the remote server), then it's more difficult to track down. This is where a firewall such as CSF would help you since you could set it so that outbound SMTP connections can't be made by regular users.

    There is a lot more involved than this, but this is just a brief starter.

    Hopefully someone else will chime in with other ideas on how to find the file / identify how the site or server was exploited (insecure PHP script, FTP access, etc).

    mike
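
With `log_selector = +arguments +subject` set as described in the post above, Exim logs the working directory and arguments of every process that invokes it, plus each message's subject. The script below is an added example, not part of the original thread, that summarises those fields to show which directory is generating mail; the sample log lines, user names and paths are constructed.

```shell
#!/bin/sh
# Added example: summarise an Exim main log written with
# log_selector = +arguments +subject. All sample data below is constructed.

sample_log() {
cat <<'EOF'
2009-04-30 03:09:58 cwd=/ 3 args: /usr/sbin/exim -bd -q60m
2009-04-30 03:10:01 cwd=/home/exampleuser/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2009-04-30 03:10:01 1LzAAA-0001Xy-2B <= exampleuser@host.example.com U=exampleuser P=local S=1432 T="Sample subject A"
2009-04-30 03:10:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1LzAAA-0001Xy-2B
2009-04-30 03:10:02 cwd=/home/exampleuser/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2009-04-30 03:10:02 1LzAAB-0001Xz-3C <= exampleuser@host.example.com U=exampleuser P=local S=1430 T="Sample subject A"
2009-04-30 03:10:03 cwd=/home/exampleuser/public_html/cgi-bin 3 args: /usr/sbin/sendmail -t -i
2009-04-30 03:10:03 1LzAAC-0001Y0-4D <= exampleuser@host.example.com U=exampleuser P=local S=1431 T="Sample subject A"
2009-04-30 03:11:40 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2009-04-30 03:11:40 1LzAAD-0001Y1-5E <= otheruser@host.example.com U=otheruser P=local S=812 T="Contact form"
2009-04-30 03:12:15 1LzAAE-0001Y2-6F <= someone@remote.example H=mail.remote.example [192.0.2.10] P=esmtp S=2201 T="Re: invoice"
EOF
}

# Print "count directory" for every cwd= that launched Exim, busiest first.
# The Exim daemon (/) and queue runners (/var/spool/exim) are skipped.
top_cwd() {
  awk '{
    f = ($3 ~ /^\[[0-9]+\]$/) ? $4 : $3      # tolerate an optional +pid field
    if (f ~ /^cwd=/) {
      dir = substr(f, 5)
      if (dir != "/" && dir !~ /^\/var\/spool\/exim/) n[dir]++
    }
  }
  END { for (d in n) print n[d], d }' "$1" | sort -rn
}

# Print "count subject" for locally submitted (P=local) messages, busiest first.
# A subject containing an escaped quote is cut at that quote.
top_local_subjects() {
  awk '/ <= / && / P=local / && match($0, / T="[^"]*"/) {
    n[substr($0, RSTART + 4, RLENGTH - 5)]++
  }
  END { for (s in n) print n[s], s }' "$1" | sort -rn
}

log=$(mktemp) && sample_log > "$log"
top_cwd "$log"
top_local_subjects "$log"
rm -f "$log"
```

On a live server, pass /var/log/exim_mainlog to the two functions instead of the sample file.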
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    The SMTP Tweak in WHM's Security Center can also disable this. I recommend reviewing the options available in the Security Center if you are concerned about the security of your server.
     