Spam

You should hire a server admin to look into it. Try efeito he does really good work.

 

Since this is a high priority for you, I agree with the advice to hire somebody. The type of question that you're asking would be quickly answered by somebody who has the right type of experience.

However...
There's nothing wrong with learning how to do this for yourself, if you have the time. The first thing you could do is check the exim log, located in /var/log/exim_mainlog. If you happen to have a copy of the message that was sent, all the better. You can get the message id from the headers of that message. Then just track that message through the log. It'll tell you when, where, and "how" the message was submitted, and also tell you where it went to. That's just to get started. To fix the issue would entirely depend on how the message got sent (beyond the scope of this rambling reply)

However, if you suspect you've got a spammable script on your server, you're better off starting with your raw web server logs to see who's been beating on your scripts. If you've got a time that the message was sent or received by the unfortunate victim, you can correlate that to usage of your site/scripts and possibly find an offending IP in there which you can block with .htaccess or with iptables (might not do much good, but what the heck...). Then you can go fix the script problem, which will probably be pretty obvious, I'd hope.

Just advice, no warranties, use this information (however incomplete or misleading) at your own peril.

Good luck.

 

You can try the guy mentioned earlier in this email, I suppose.

 

Just to elaborate on this (not that I am having this issue), but where could I get some information in regards to the output (i.e.: all the goodies included in the report that I don't understand) I understand some but not all; messages file as well?

In regards to Exim, I've scanned through the docs but can't find anything in regards to this (actually was viewing it late last night (or early this morning)), so I could of missed it. URL's would be very appreciated.

---UPDATE--- Found info in http://www.exim.org/exim-html-4.30/doc/html/spec.html in section 45. Now anyone can help with messages log??

Thanks..

 

You're missing some important points here.

What uid/gid owned the files you deleted?
Are there ANY other accounts on the box besides those with gid < 100 (besides cpanel and mailman)?
Are you running mailman?
What version of sw are you running? Up to date on patches?
What was the content of the files you deleted?

In a default install, /var/tmp is world writable, so any other account on your box could have created them.

Just from your description, my first impression is that there's a php script that's got a flaw, OR you've got a user on the box that doesn't

My unofficial opinion...
the directory was called test, and there was a file called bla.txt. these are indicative of testing the waters. Going back to the logs (web logs, /var/log/secure, /var/log/messages) might give you an idea of what's going on.