The Community Forums

Spam sent out as nobody -- help tracking it down?

Discussion in 'General Discussion' started by sneader, Jul 26, 2007.

  1. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I have thousands of undeliverable messages in my Exim queue. I am guessing they are due to a bad form mail script or something, but what resources do I have in order to track it down? The messages all show the authenticated sender is "nobody@www3.mydomain.com" (where www3.mydomain.com is the hostname of my server). Here is an example:

    ----

    1IE04Y-0001Mi-CB-H
    nobody 99 99
    <nobody@www3.myserver.com>
    1185443754 0
    -ident nobody
    -received_protocol local
    -body_linecount 43
    -auth_id nobody
    -auth_sender nobody@www3.myserver.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    syber90_mail@yahoo.com

    182P Received: from nobody by www3.myserver.com with local (Exim 4.63)
    (envelope-from <nobody@www3.myserver.com>)
    id 1IE04Y-0001Mi-CB
    for syber90_mail@yahoo.com; Thu, 26 Jul 2007 04:55:54 -0500
    027T To: syber90_mail@yahoo.com
    080 Subject: Forex-GI Broker now accepts Creditcards & e-gold (MetaTrader Platform)
    048F From: Forex-GI Broker <commercial@forex-gi.org>
    011R Reply-To:
    018 MIME-Version: 1.0
    025 Content-Type: text/plain
    032 Content-Transfer-Encoding: 8bit
    045I Message-Id: <E1IE04Y-0001Mi-CB@www3.myserver.com>
    038 Date: Thu, 26 Jul 2007 04:55:54 -0500

    ---

    Help?

    Thanks in advance!

    - Scott
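The block quoted above is Exim's -H spool header for one queued message, and its fields already narrow the search: "nobody 99 99" as the login, -received_protocol local and -auth_id nobody mean the message came in through /usr/sbin/sendmail from a process running as the web-server user, not from a mailbox login and not from an SMTP client. The following is an added example, not code from this thread or from cPanel/Exim, that parses that layout and counts such messages per claimed From: header across a whole queue; the function names, dict keys and the triage rule are my own assumptions, and the sample is the post's own -H file, abridged, with the folded Received: line re-indented the way Exim writes it.

```python
"""Triage an Exim 4 queue from its -H spool header files.

Added example, not code from the thread or from cPanel/Exim.  It parses the
-H layout quoted in the post (/var/spool/exim/input/<id>-H on cPanel) and
flags mail injected via local sendmail by the web-server user; dict keys,
function names and the triage rule are my own assumptions.
"""
import re
from collections import Counter
# Header lines look like "027T To: x@y": length including the newline, an
# optional type letter (P=Received, T=To, F=From, I=Message-Id, *=deleted) and
# the text.  Folded continuations start with whitespace, so the parser keys on
# that rather than on the count (copy/paste tends to mangle the tabs).
HDR_START = re.compile(r"^(\d+)([A-Z*]?) (.*)$")

def parse_spool_header(text):
    lines = text.splitlines()
    msg = {"id": lines[0].rsplit("-H", 1)[0]}          # "1IE04Y-0001Mi-CB-H"
    login, uid, gid = lines[1].split()                  # "nobody 99 99"
    msg.update(login=login, uid=int(uid), gid=int(gid))
    msg["sender"] = lines[2].strip("<>")                # envelope sender
    msg["received"] = int(lines[3].split()[0])          # epoch seconds
    i, opts = 4, {}
    while lines[i].startswith("-"):                     # "-auth_id nobody", "-local"
        key, _, val = lines[i][1:].partition(" ")
        if key.startswith("acl"):     # "-aclc 0 5": value is on the next line
            i += 1                    # (assumption: single-line ACL values)
        opts[key] = val or True
        i += 1
    msg["options"] = opts
    if lines[i] == "XX":                                # empty non-recipient tree
        i += 1
    else:
        while re.match(r"^[YN][YN] ", lines[i]):        # one tree node per line
            i += 1
    n = int(lines[i])
    msg["recipients"] = lines[i + 1:i + 1 + n]
    i += 1 + n
    if lines[i] != "":
        raise ValueError("no blank line before headers in " + msg["id"])
    headers = []
    for line in lines[i + 1:]:
        m = HDR_START.match(line)
        if m:
            headers.append([m.group(2) or " ", m.group(3)])
        elif line[:1] in (" ", "\t") and headers:
            headers[-1][1] += "\n" + line                # folded continuation
    msg["headers"] = [tuple(h) for h in headers]
    return msg

def header(msg, name):
    """Value of the first header called `name`, or None."""
    for _, text in msg["headers"]:
        key, _, value = text.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def from_web_script(msg, web_user="nobody"):
    """Handed to local sendmail by the user Apache runs as: a PHP/CGI script,
    not a mailbox login and not an SMTP client."""
    o = msg["options"]
    return (o.get("received_protocol") == "local" and msg["login"] == web_user
            and o.get("auth_id", web_user) == web_user)

def triage(spool_texts):
    """Count flagged messages per claimed From: header.  Script mail all shares
    the envelope sender nobody@<host>; the forged From: singles out a mailer.
    Live queue: triage(open(p).read() for p in glob.glob(SPOOL + "/*-H"))."""
    counts = Counter()
    for text in spool_texts:
        msg = parse_spool_header(text)
        if from_web_script(msg):
            counts[header(msg, "From")] += 1
    return counts

# Constructed sample: the -H file quoted in the post, abridged; the folded
# Received: header is re-indented with tabs as Exim writes it (171 = its
# length including newlines; the parser does not rely on the counts).
SAMPLE_H = """\
1IE04Y-0001Mi-CB-H
nobody 99 99
<nobody@www3.myserver.com>
1185443754 0
-received_protocol local
-auth_id nobody
-local
XX
1
syber90_mail@yahoo.com

171P Received: from nobody by www3.myserver.com with local (Exim 4.63)
\t(envelope-from <nobody@www3.myserver.com>)
\tfor syber90_mail@yahoo.com; Thu, 26 Jul 2007 04:55:54 -0500
027T To: syber90_mail@yahoo.com
080 Subject: Forex-GI Broker now accepts Creditcards & e-gold (MetaTrader Platform)
048F From: Forex-GI Broker <commercial@forex-gi.org>
"""

if __name__ == "__main__":
    print(triage([SAMPLE_H]))
```

Run as root against /var/spool/exim/input/*-H (one level deeper if split_spool_directory is set in exim.conf) and the forged From: with the highest count is the mailer; the -H file does not record which script called sendmail, which is what the log_selector change later in the thread adds.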
     
  2. sneader

    sneader Well-Known Member

    Apache logs?

    OK, so I thought I would check the Apache logs around the time this happened... but since I don't know what domain the problematic script is in, how can I search for this? (assuming it is a script)

    I see "access_log" in /usr/local/apache/logs but this is only apparently for the host IP itself, not ALL access to the server.

    Crud, it is happening again... I feel so helpless... how can I monitor all Apache access, without trying to tail/view every domlog individually? I must be missing something... help!

    - Scott
     
  3. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    If you put log_selector = +arguments +subject

    in your exim.conf (top box of the Advanced Editor), it would tell you exactly where the mail came from.
     
  4. sneader

    sneader Well-Known Member

    Thanks, I'll try anything at this point. I'm assuming this won't help me find the source of the current problem, but will help in the future.

    Once this is added, where would I look for the clues then? Or does this add something to the headers of each message?

    - Scott
     
  5. dalem

    dalem Well-Known Member
    PartnerNOC

    If they're still sending spam, it will.

    It adds all of the arguments to your exim_mainlog; if it is coming from a script, it will add the location to the log.
     
  6. sneader

    sneader Well-Known Member

    Thanks for the tip on the log selector addition. I found this thread:

    http://www.webhostgear.com/118.html

    I went ahead and added all of this:

    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

    It didn't seem to help me find it post-mortem. However, during the next spam hit, while tailing the exim mainlog (tail -f /var/log/exim_mainlog) I saw a certain URL in the log that helped me find the culprit!!

    It appears that a file called ultimate.zip got uploaded to this user's directory, then unzipped some files called "PHP BulkMailer". The timestamp on ultimate.zip was yesterday at 3:30am. Checking FTP logs (/var/log/messages) there were no logins anywhere near that time, and no matches for that file name.

    Another thing that is interesting is that the directory they put it in, and the files, are all set to group & owner as "nobody", where the rest of the user's files are all set to their username. So, they probably weren't uploaded using the customer's username... or maybe they were chown/chgrp'd...

    I sure wish I knew how these files got into this directory, so I could take measures... any ideas would be appreciated. Will change the user's password for one precaution.

    - Scott
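With log_selector = +arguments +subject as suggested above, Exim writes a line of the form `cwd=<directory> <n> args: /usr/sbin/sendmail ...` just before each message's `<=` arrival line, naming the working directory of the process that called sendmail; for a PHP mailer that is the directory the script lives in, which is how the path turned up in the mainlog here. The following is an added example, not code from this thread or from cPanel/Exim, that pairs each cwd line with the arrival that follows it and ranks directories by how many messages the web-server user injected from them, so the log can be searched after the fact instead of watched live. Function names and record keys are mine; the log lines are constructed to match that format and every message id, path and address in them is made up. Pairing by adjacency can misattribute when two sendmail calls overlap; adding +pid to log_selector puts a [pid] on both lines, and the parser uses it when present.

```python
"""Attribute mail in exim_mainlog to the directory of the script that sent it.

Added example, not code from the thread or from cPanel/Exim.  With
log_selector = +arguments +subject, Exim logs "cwd=<dir> <n> args: <argv>"
for every command-line invocation right before that message's "<=" line.
Function names and record keys are mine; the sample log is constructed to
match that format and its ids, paths and addresses are made up.
"""
import re
import sys
from collections import defaultdict

# e.g. "2007-07-26 04:55:54 [1234] cwd=/home/u/public_html 3 args: /usr/sbin/sendmail -t -i"
# "[pid]" appears only with +pid (a zone only with +timezone); both are optional here.
TIME = r"^(\S+ \S+(?: [+-]\d{4})?)(?: \[(\d+)\])? "
CWD_RE = re.compile(TIME + r"cwd=(\S+) \d+ args: (.*)$")
RECV_RE = re.compile(TIME + r"(\S+) <= (\S+) (.*)$")
FIELD_RE = re.compile(r"(?<!\S)([A-Z])=(\S+)")           # U=nobody P=local S=1876
SUBJ_RE = re.compile(r'T="((?:[^"\\]|\\.)*)"')           # +subject, quotes escaped
RCPT_RE = re.compile(r" for (\S.*)$")                     # +received_recipients

def attribute(lines):
    """One dict per "<=" arrival; local submissions get the cwd and argv of the
    sendmail call logged before them (matched by pid when logged, else the
    most recent one, which can misattribute under concurrent submissions)."""
    pending, records = {}, []
    for line in lines:
        m = CWD_RE.match(line)
        if m:
            pending[m.group(2)] = {"cwd": m.group(3), "args": m.group(4)}
            continue
        m = RECV_RE.match(line)
        if not m:
            continue                          # "=>", "Completed", rejects, ...
        rest = m.group(5)
        subj = SUBJ_RE.search(rest)
        rest_nosubj = SUBJ_RE.sub("", rest)   # keep U=/for out of the subject text
        fields = dict(FIELD_RE.findall(rest_nosubj))
        rcpt = RCPT_RE.search(rest_nosubj)
        rec = {"time": m.group(1), "id": m.group(3), "sender": m.group(4),
               "user": fields.get("U"), "proto": fields.get("P"),
               "subject": subj.group(1) if subj else None,
               "rcpt": rcpt.group(1).split() if rcpt else [],
               "cwd": None, "args": None}
        if rec["proto"] == "local":
            rec.update(pending.pop(m.group(2), {}))
        records.append(rec)
    return records

def by_directory(records, web_user="nobody"):
    """Arrivals injected by the web-server user grouped by script directory,
    busiest first, with the subjects and message ids seen from each."""
    groups = defaultdict(lambda: {"count": 0, "subjects": set(), "ids": []})
    for r in records:
        if r["user"] == web_user and r["proto"] == "local":
            g = groups[r["cwd"]]
            g["count"] += 1
            g["subjects"].add(r["subject"])
            g["ids"].append(r["id"])
    return sorted(groups.items(), key=lambda kv: -kv[1]["count"])

# Constructed sample in the +arguments +subject +received_recipients format;
# a delivery and a Completed line are included to show they are ignored.
SAMPLE_LOG = """\
2007-07-26 04:55:54 cwd=/home/victim/public_html/ultimate 3 args: /usr/sbin/sendmail -t -i
2007-07-26 04:55:54 1IE04Y-0001Mi-CB <= nobody@www3.myserver.com U=nobody P=local S=1876 T="Forex-GI Broker now accepts Creditcards & e-gold (MetaTrader Platform)" for syber90_mail@yahoo.com
2007-07-26 04:55:54 1IE04Y-0001Mi-CB => syber90_mail@yahoo.com R=lookuphost T=remote_smtp H=mx1.example.net [192.0.2.25]
2007-07-26 04:55:54 1IE04Y-0001Mi-CB Completed
2007-07-26 04:55:55 cwd=/home/victim/public_html/ultimate 3 args: /usr/sbin/sendmail -t -i
2007-07-26 04:55:55 1IE04Z-0001Mn-1Q <= nobody@www3.myserver.com U=nobody P=local S=1876 T="Forex-GI Broker now accepts Creditcards & e-gold (MetaTrader Platform)" for buyer@example.net
2007-07-26 04:56:10 cwd=/home/shop/public_html 4 args: /usr/sbin/sendmail -t -i -forders@shop.example
2007-07-26 04:56:10 1IE04m-0001Mx-7c <= orders@shop.example U=nobody P=local S=2210 T="Your order 1234 for pickup" for customer@example.org
2007-07-26 04:56:30 1IE051-0001N2-0v <= bob@example.com H=(bobs-pc) [198.51.100.7] P=esmtpa A=dovecot_login:bob@example.com S=900 T="hi" for alice@example.org
"""

if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for cwd, g in by_directory(attribute(l.rstrip("\n") for l in src)):
        print(g["count"], cwd, sorted(s for s in g["subjects"] if s))
```

Pipe the log in (`tail -n 20000 /var/log/exim_mainlog | python3 thisfile.py`) and the busiest directory is the one to inspect; on the sample it is the "ultimate" directory with two arrivals, while the shop's order mail and the authenticated SMTP submission are kept apart from it. Before +arguments is enabled the `U=nobody P=local` arrival lines still identify script mail, but the cwd that points at the script is absent, which is why the earlier post says the selector only helps from then on.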
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,476
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator