The Community Forums

Interact with an entire community of cPanel & WHM users.

Spam Problem

Discussion in 'General Discussion' started by jmoe2008, Jan 1, 2006.

  1. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I'm currently having a lot of trouble with spam on my server. It doesn't appear to be a weak script; instead it appears exim is behaving as a relay. When the server acts up, the process list shows several exim processes with smtp_relay and a .br mail server as another part of the argument. If it happens again I'll copy in a set of headers and the process string from WHM. I've tried several spam fixes throughout the forums with no luck. I'm planning to do an OS reload in a couple of weeks, as I found a rather suspect set of files in /tmp including a PHP shell script, but I would like to try to get through the next couple of weeks before the reload (can't do it now, don't have access). Both rkhunter and chkrootkit come up clean, but the spam problem persists. I can fix it temporarily by purging the mail queue and banning the IP from the exim process, but it comes back with another server and another IP. Suggestions are welcome, and I'm willing to entertain paying someone to help me sort it.
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    I suggest installing MailScanner or strict RBL/ACL rules to stop spam. Also, did you find and remove the culprit files?
     
  3. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    I cleaned up /tmp, which seemed to help, and I thought I had this beat last night, but it came back again today. It appears to me that exim is acting as a relay, but I can't see why. I've installed a couple of things from the forums that were supposed to help with spam, but they don't seem to have done much. Got a link for MailScanner and the RBL/ACL rules? I've gotten pretty good at dealing with DOS scripts and such; it's the mail config that I have trouble with now. Mostly because until this I've not had any major problems with spam that weren't just malicious scripts.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It won't be exim unless you've messed around with exim.conf. It's almost certainly a script in a user account being exploited. AndyReed's suggestion will be of no help whatsoever. You need to try and identify which scripts are being exploited and used for spamming on the server. Check out the numerous nobody threads on the forums or seek the help of someone who offers a service in tracking such things down for you.
     
  5. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Exim process and header if that helps any. Will have to look into more nobody spam stuff shortly.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, this definitely suggests spam from a PHP script.
    One idea is to enable extended logging by adding the following to the first box of the Advanced Module Exim Configuration Editor in WHM:

    log_selector = +all

    Then if it recurs, you can check the exim_mainlog, and it can often identify the directory where the offending PHP script lives that sent the spam out.
     
  7. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    Thanks a ton. I found some rather nasty scripts in a directory where I had found something bad before. Looks like there's either a security hole in IPB 2.01 (a trial version of it) or someone's got a script somewhere else and that just happened to be a good place to shove it. It was in the upload directory of the 2.01 forum.
     
  8. PDW

    PDW Well-Known Member

    Joined:
    Dec 29, 2003
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    I'm having the same problem, with virtualcards.com, and it's on one of my own domains. And there are no bad scripts there. I am so frustrated.
     
  9. handsonhosting

    handsonhosting Well-Known Member

    Joined:
    Feb 17, 2002
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Omaha, NE
    cPanel Access Level:
    Root Administrator
    Got the same idiot - any luck tracking it down?
     
  10. jmoe2008

    jmoe2008 Member

    Joined:
    Jan 18, 2005
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    My suggestions would be to switch to php_suexec if you aren't using it (can localize it to a domain and often a script), and also to enable the extra logging suggested above. Switching to suexec has its issues (mostly due to the permissions changes needed), but once you get past them it's quite useful. In my case the virtual cards spam was originating from a set of scripts uploaded that provided whoever installed them an online control panel for setting up and sending spam, so when I was "fixing" it I was only attacking the symptoms, not the cause.
     
  11. handsonhosting

    handsonhosting Well-Known Member

    Joined:
    Feb 17, 2002
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Omaha, NE
    cPanel Access Level:
    Root Administrator
    Already using phpsuexec and suexec. I did find a way to kill the problem last night, though. It looks as if the script "cgiemail" in the /cgi-bin was being exploited (that, or one of the other scripts like echo, etc.).

    I killed all of those and no more spam.

    The extra logging didn't show anything either :( But at least everything is dead and quiet again.
     
  12. Wallaby

    Wallaby Well-Known Member

    Joined:
    Aug 15, 2001
    Messages:
    131
    Likes Received:
    1
    Trophy Points:
    18
    I have found cgiemail being abused also -- how is it possible to disable this script in cPanel?
     
  13. Patiek

    Patiek Active Member

    Joined:
    May 23, 2003
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    I hate phpsuexec. Instead, I use a PHP wrapper around exim's /usr/sbin/sendmail connector using cPanel's PHP that picks up the environment variables for the script and logs them to a file while adding additional headers to outgoing emails (both a unique id for the message to track in my own logs as well as a username to connect to the email). That way I can easily see just exactly who is sending those "nobody" emails (including from which folder they are sending it) AND I don't have to mess with icky phpsuexec garbage. I figure I might implement additional options such as limits on emails/hour, etc., or send warnings to my own email when a certain account exceeds some limit.

    You could implement something similar to the above if you preferred not to use phpsuexec.
     
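A wrapper of the kind Patiek describes, written here as an added Python example (not Patiek's PHP code and not part of cPanel): it assumes it is installed as PHP's sendmail_path in place of /usr/sbin/sendmail, logs to a hypothetical /var/log/sendmail-wrapper.log, stamps each message with tracking headers, and hands the message to the real sendmail with the caller's original arguments.

```python
import os
import pwd
import subprocess
import sys
import time
import uuid

REAL_SENDMAIL = "/usr/sbin/sendmail"        # exim's sendmail interface, receives the message after us
LOG_FILE = "/var/log/sendmail-wrapper.log"   # hypothetical log location for this example


def caller_info(env, uid):
    """Identify the caller: the unix user the web server runs as (nobody under
    mod_php) plus the CGI variables Apache passes down to the script."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    return {
        "id": uuid.uuid4().hex,                  # unique id to match mail to log line
        "user": user,
        "cwd": env.get("PWD", os.getcwd()),      # directory the script ran from
        "script": env.get("SCRIPT_FILENAME", "-"),
        "remote": env.get("REMOTE_ADDR", "-"),   # client that triggered the script
    }


def annotate_message(raw, info):
    """Prepend tracking headers so a queued message can be traced back."""
    headers = (f"X-Wrapper-ID: {info['id']}\n"
               f"X-Wrapper-User: {info['user']}\n"
               f"X-Wrapper-Script: {info['script']}\n")
    return headers.encode() + raw


def log_line(info):
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    return (f"{stamp} id={info['id']} user={info['user']} cwd={info['cwd']} "
            f"script={info['script']} remote={info['remote']}\n")


def main():
    info = caller_info(os.environ, os.getuid())
    raw = sys.stdin.buffer.read()
    with open(LOG_FILE, "a") as log:
        log.write(log_line(info))
    # same argv the caller gave us (-t -i etc.), annotated message on stdin
    proc = subprocess.run([REAL_SENDMAIL, *sys.argv[1:]], input=annotate_message(raw, info))
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main())
```

Matching the X-Wrapper-ID header of a queued message against the log file gives the script path and directory that submitted it.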
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Or you could just switch on extended exim logging, which does the same thing. Be aware that neither method works in tracking spam if you allow local connections by scripts to port 25.
     
  15. jdfcomputers

    jdfcomputers Member

    Joined:
    Apr 12, 2004
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    This is someone exploiting a comments or post section of a BB or blog script.

    Please post the entire message from the mail queue; it may have more clues.

    Also, check Apache status in WHM while this is happening; you may find a POST command to a site/script sending a weird string.
     
  16. pcsousa

    pcsousa Well-Known Member

    Joined:
    May 28, 2004
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    I have had the same problem for days! I've already done everything I found here and at the ev1 forums. Still sending email.

    I have exim extended logging (log_selector = +all) and this does not give me any "path to script"; the closest thing to a path/command I can find in exim_mainlog is:
    2006-08-07 16:01:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GA6bw-00069Y-Fc
    2006-08-07 16:00:45 cwd=/tmp 2 args: /usr/sbin/sendmail -bS

    This does not help.

    Also, I set up mod_security with gotroot rules, which have spam rules for those who use POST and GET to exploit scripts to send email, and the problem persists.

    I want to find out who is spamming and how.

    Here is one header showing "mailnull 47 12" as the UID sender (does not help at all).

    Why are these guys so stupid as to waste time sending those ridiculous emails? grrrrr
     
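Added example (not from any poster on this thread) of what chirpy's log_selector = +all suggestion and pcsousa's quoted lines give you to work with: the "cwd=... args:" lines record the directory each local sendmail call ran from, so grouping them by cwd and ignoring exim's own delivery processes points at the directory of the submitting script. The log text is constructed for the example; the paths under /home are made up.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog "args:" lines as written with log_selector = +all;
# not taken from a real server.
SAMPLE_LOG = """\
2006-08-07 16:00:45 cwd=/tmp 2 args: /usr/sbin/sendmail -bS
2006-08-07 16:00:46 cwd=/home/example/public_html/forum/uploads 3 args: /usr/sbin/sendmail -t -i
2006-08-07 16:00:47 cwd=/home/example/public_html/forum/uploads 3 args: /usr/sbin/sendmail -t -i
2006-08-07 16:00:48 cwd=/home/example/public_html/forum/uploads 3 args: /usr/sbin/sendmail -t -i
2006-08-07 16:01:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GA6bw-00069Y-Fc
2006-08-07 16:02:10 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
"""

# timestamp, working directory, argument count and the argument list of each call
LINE_RE = re.compile(r"^(\S+ \S+) cwd=(\S+) \d+ args: (.*)$")


def script_submissions(log_text):
    """Count local submissions per working directory, skipping exim's own
    delivery processes (cwd under /var/spool/exim or argv[0] of /usr/sbin/exim)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cwd, args = m.group(2), m.group(3)
        if cwd.startswith("/var/spool/exim") or args.split(" ", 1)[0] == "/usr/sbin/exim":
            continue
        counts[cwd] += 1
    return counts


def suspicious_dirs(log_text, threshold=3):
    """Directories that submitted at least `threshold` messages, plus anything
    submitting from the world-writable /tmp, where a dropped script would run."""
    counts = script_submissions(log_text)
    return sorted(d for d, n in counts.items() if n >= threshold or d.startswith("/tmp"))


if __name__ == "__main__":
    for d, n in script_submissions(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {d}")
    print("suspicious:", suspicious_dirs(SAMPLE_LOG))
```

A cwd of /tmp with only "sendmail -bS", as in pcsousa's log, still tells you the submission came from a process running in /tmp rather than from a user's web root, which is where to look next.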
  17. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
     
  18. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I also agree. Hire a system admin at this point.
     