Mince

Registered
May 1, 2021
South Africa
cPanel Access Level
Website Owner
I hope someone can push me in the right direction.
I have a hosted domain with A2hosting, and about a month ago it started sending out some kind of mail that looks like it's from me but with some zip file attached, I guess a virus or trojan. I contacted the hosting company and was told to change the password, so I did. But then about a week ago I started getting thousands of bounce-backs and I knew there was a bigger issue. Contacted them again and their answer was to change the password. So I started doing some tests myself and found out that when I suspend my outgoing mail the issue stops, but as soon as I reactivate it, it starts again. I went back to them, gave them the findings, and they told me there's malicious code on my WordPress and I need to update it and find the code. So I went in, checked everything, found some files with funny timestamps and deleted those, but the issue still went on.

Last night I scanned the site using the Quttera scanner.
Added a mail log system, which picked up nothing, so I thought my side was clean.
But the hosting company still insisted it's on my side.

So today I had enough, took down the website and scanned it locally with Composer using another malware scanner.
There is no malicious code, so my mail issue should be sorted.
NOPE, still there. I don't know where the origin is, and my hosting company knows less than me.

Is there any way I can somehow trace back to where a mail script is running or something, because I'm out of ideas.
The mail headers have different IPs, so I can't even go and block an IP, but this is coming from my email somehow.

* I don't have the account on my machine; I deleted it.
* Website down
* Scanned my PC as well
* FTP password changed
* cPanel password changed

Anyone know where I can start?

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! With the account deleted, it will be very hard, if not impossible, to get any useful details.

The one place you could still check would be the main Exim log at /var/log/exim_mainlog to see if you can find the directory location where one of the messages was sent from. I would start with our guide here:


which will help you search the logs. Specifically, running this command on the system:

Code:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
will show you the top directories that have sent messages. Be sure to ignore messages from root, WHM, or tools like CSF, but others would indicate mail sent from user areas on the machine.
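As an added illustration (not part of cPRex's reply or of cPanel's documentation), the script below runs the same cwd= tally against a constructed exim_mainlog sample and then applies the "ignore root, WHM and CSF" step as a filter, so what remains is mail submitted from user directories. The sample log lines are made up for this example, and the paths treated as system noise (root's cwd "/", /usr/local/cpanel for WHM, /etc/csf for CSF) are assumptions based on the advice above, not a list from the thread.

```shell
#!/bin/sh
# Added example, not from the forum thread: tally exim "cwd=" entries the way
# the moderator's one-liner does, then drop the directories that belong to
# root, WHM and CSF so only user areas are left to inspect.

# Constructed sample in the cPanel exim_mainlog format
# ("<date> <time> cwd=<dir> <n> args: ..."); none of this is real log data.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2021-05-01 10:00:01 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2021-05-01 10:00:01 1lcXYZ-0001aa-Ab <= example@example.test U=example P=local S=1234
2021-05-01 10:00:02 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2021-05-01 10:00:03 cwd=/ 3 args: /usr/sbin/sendmail -t -i
2021-05-01 10:00:04 cwd=/usr/local/cpanel/whostmgr/docroot 3 args: /usr/sbin/sendmail -t -i
2021-05-01 10:00:05 cwd=/home/example/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2021-05-01 10:00:06 cwd=/etc/csf 3 args: /usr/sbin/sendmail -t -i
2021-05-01 10:00:07 cwd=/home/example/public_html 3 args: /usr/sbin/sendmail -t -i
EOF

# The pipeline from the reply above, parameterised on the log path: field 3 is
# "cwd=<dir>" on locally submitted messages; count per directory, strip the
# leading spaces uniq -c adds, highest count first.
top_sending_dirs() {
    awk '$3 ~ /^cwd/{print $3}' "$1" | sort | uniq -c | sed "s|^ *||g" | sort -nr
}

# Assumed system paths to ignore (an assumption for this example, following the
# "ignore root, WHM, CSF" advice): root's cwd "/", WHM under /usr/local/cpanel,
# CSF under /etc/csf. Whatever is left was submitted from a user area.
user_area_dirs() {
    top_sending_dirs "$1" | grep -Ev ' cwd=(/|/usr/local/cpanel(/.*)?|/etc/csf(/.*)?)$'
}

echo "== all sending directories =="
top_sending_dirs "$SAMPLE_LOG"
echo
echo "== user areas only =="
user_area_dirs "$SAMPLE_LOG"
```

On a live server you would point `top_sending_dirs` at /var/log/exim_mainlog itself; in the sample the WordPress uploads directory floats to the top with three submissions, which is exactly the kind of result that tells you which account and path to inspect next.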