
Spam Server

Discussion in 'General Discussion' started by markerpower, Jan 22, 2008.

  1. markerpower

    markerpower Member

    Hello,

    I've been notified that my server is sending spam email. My server runs Linux, WHM, cPanel, and I have no clue where to start searching for what on my server is sending the spam, and how to stop it.

    Can anyone give me some tips?

    Thanks
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    I'd recommend starting by checking the Exim mainlog at /var/log/exim_mainlog
     
  3. nabuhonodozor

    nabuhonodozor Member

    Yes, check /var/log/exim_mainlog
    You should find the sender account there, or a sender "nobody".
    Tell us what you find there.
    Also, if you use a discussion forum, it was probably hacked. Check if you have phpBB - this is the most common cause.
    Check other scripts - PHP or CGI.
    Tell us more info from your exim_mainlog
    Best, piotr
     
    #3 nabuhonodozor, Jan 24, 2008
    Last edited: Jan 24, 2008
  4. markerpower

    markerpower Member

    Thanks. What exactly from nobody should I be looking for? I also followed this article http://support.theplanet.com/knowledgebase/users/kb.php?id=10224&category_id=10&sid2= , and something is supposed to be written to sendmail or formmail or both?
     
  5. nabuhonodozor

    nabuhonodozor Member

    Hi,
    Please read this article about finding spammers using PHP: http://www.webhostgear.com/232.html

    There's more about securing PHP: http://www.webhostgear.com/319.html

    When I had problems with spammers on my server I tried many things, but finally I bought a service from Jonathan at http://www.configserver.com/cp/cpanel.html
    He finally secured my server and found that one of the users had an unpatched, old phpBB installation. It was hacked and used to send spam.
    I think it was money very well spent, and additionally the security of my server improved because of the installation of scripts such as CSF firewall and MailScanner.
    That was back when I didn't have any idea what was going on, and the term "open relay" sounded similar to "open source" to me. Now I finally know the difference ;-)
    BTW - first check that your server doesn't act as an open relay.

    You can try to find the cause yourself; basically there are 2 areas where spammers reach your server:

    I would call it the "standard" way - they use a legitimate password, either stolen from users or gained by a brute-force attack.
    In that case I would change all user/mail passwords across the whole server (yes!).

    The second common way is by using hacked/abused PHP scripts. In this case check all installations of CMSs and other scripts using PHP/MySQL or CGI on your server.
    Unpatched scripts are quite vulnerable to SQL injections and other forms of hacking attempts.
    In this case patch all scripts to the newest versions. Check them against hacked ones. Consider using mod_security as a way to mitigate most such hacking attempts (don't forget to use decent rulesets, because without them mod_security doesn't work at all - more at http://gotroot.com/)

    It's just the tip of the iceberg, but I hope it will give you a starting point from which you can research it more and get more tips/hints along the way.

    Best regards,
    piotr
     
    #5 nabuhonodozor, Jan 25, 2008
    Last edited: Jan 25, 2008
  6. brianoz

    brianoz Well-Known Member

    Worth mentioning that mod_security, correctly set up, will block most exploits even if you have unpatched software on your server.
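
The Exim mainlog check suggested in replies #2 and #3, as an added example that is not from any poster or from cPanel: it tallies locally submitted messages by Unix user (the "nobody" sender) and by the working directory that invoked sendmail. The function names and sample lines are constructed; it assumes the default Exim timestamp format (no pid field) and that `cwd=` lines are being logged (Exim's `arguments` log selector).

```shell
#!/usr/bin/env bash
# Constructed sample in Exim mainlog format ("<=" marks a message arrival).
sample_log() {
cat <<'EOF'
2008-01-24 10:15:30 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2008-01-24 10:15:30 1JHxyA-0001Ab-Cd <= nobody@host.example.com U=nobody P=local S=1821
2008-01-24 10:15:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1JHxyA-0001Ab-Cd
2008-01-24 10:15:31 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2008-01-24 10:15:31 1JHxyB-0001Ae-Ef <= nobody@host.example.com U=nobody P=local S=1790
2008-01-24 10:16:02 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2008-01-24 10:16:02 1JHxyC-0001Ah-Gh <= bob@host.example.com U=bob P=local S=640
2008-01-24 10:17:45 1JHxyD-0001Ak-Ij <= carol@example.org H=(client.example.net) [192.0.2.10] P=esmtpa A=fixed_login:carol@example.org S=2210
EOF
}

# Messages accepted from local processes (P=local), counted per Unix user (U=).
# A high count for "nobody" usually means a web script is calling sendmail.
local_senders() {
  awk '$4 == "<=" {
         u = ""; loc = 0
         for (i = 5; i <= NF; i++) {
           if ($i ~ /^U=/) u = substr($i, 3)
           if ($i == "P=local") loc = 1
         }
         if (loc && u != "") n[u]++
       }
       END { for (u in n) print n[u], u }' "$@" | sort -k1,1nr -k2,2
}

# Sendmail/exim invocations counted per working directory (cwd=).
# Exim's own spool directory and "/" are skipped; what remains points at the script's folder.
submit_dirs() {
  awk '$3 ~ /^cwd=/ {
         d = substr($3, 5)
         if (d != "/var/spool/exim" && d != "/") n[d]++
       }
       END { for (d in n) print n[d], d }' "$@" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server pass the log path instead,
# e.g. local_senders /var/log/exim_mainlog
sample_log | local_senders
sample_log | submit_dirs
```

The directory at the top of `submit_dirs` is where to look for the outdated forum or form-mail script the replies describe.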
     