
Spam

Discussion in 'General Discussion' started by adamwebb, Jun 17, 2004.

  1. adamwebb

    adamwebb Active Member

    Joined:
    May 12, 2004
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    It seems someone's been sending spam emails from my server. At the moment there's only one account on the server which is my own account (and I plan on keeping it like that), so I guess the spammers must have found a loophole in one of my scripts. My question is, what (if any) is the easiest way for me to find out how these emails were sent? Is there any log anywhere I can check?
     
  2. adamwebb

    adamwebb Active Member

    Joined:
    May 12, 2004
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    OK, basically I need to get this problem sorted ASAP as my hosts say they will terminate my account. Basically I need to know how I can stop spammers getting through to my server. I have Red Hat Fedora and am using the latest CURRENT build of cPanel/WHM. Any help will be greatly appreciated.
     
  3. ddeans

    ddeans Well-Known Member

    Joined:
    Feb 13, 2004
    Messages:
    296
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Maryland
    You should hire a server admin to look into it. Try efeito he does really good work.
     
  4. mweb

    mweb Member

    Joined:
    Mar 11, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    Since this is a high priority for you, I agree with the advice to hire somebody. The type of question that you're asking would be quickly answered by somebody who has the right type of experience.

    However...
    There's nothing wrong with learning how to do this for yourself, if you have the time. The first thing you could do is check the exim log, located in /var/log/exim_mainlog. If you happen to have a copy of the message that was sent, all the better. You can get the message id from the headers of that message. Then just track that message through the log. It'll tell you when, where, and "how" the message was submitted, and also tell you where it went to. That's just to get started. To fix the issue would entirely depend on how the message got sent (beyond the scope of this rambling reply).

    However, if you suspect you've got a spammable script on your server, you're better off starting with your raw web server logs to see who's been beating on your scripts. If you've got a time that the message was sent or received by the unfortunate victim, you can correlate that to usage of your site/scripts and possibly find an offending IP in there which you can block with .htaccess or with iptables (might not do much good, but what the heck...). Then you can go fix the script problem, which will probably be pretty obvious, I'd hope.

    Just advice, no warranties, use this information (however incomplete or misleading) at your own peril.

    Good luck.
     
  5. adamwebb

    adamwebb Active Member

    Joined:
    May 12, 2004
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, where can I hire someone to look at it?
     
  6. mweb

    mweb Member

    Joined:
    Mar 11, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    You can try the guy mentioned earlier in this email, I suppose.
     
  7. AlexF

    AlexF Well-Known Member

    Joined:
    Nov 20, 2003
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    Just to elaborate on this (not that I am having this issue), but where could I get some information in regards to the output (i.e.: all the goodies included in the report that I don't understand) I understand some but not all; messages file as well?

    In regards to Exim, I've scanned through the docs but can't find anything in regards to this (actually I was viewing it late last night (or early this morning)), so I could have missed it. URLs would be very appreciated.

    ---UPDATE--- Found info in http://www.exim.org/exim-html-4.30/doc/html/spec.html in section 45. Now anyone can help with messages log??

    Thanks..
     
    #7 AlexF, Jun 18, 2004
    Last edited: Jun 18, 2004
  8. adamwebb

    adamwebb Active Member

    Joined:
    May 12, 2004
    Messages:
    37
    Likes Received:
    0
    Trophy Points:
    6
    OK, so someone forwarded me a copy of the spam email, a fake eBay email trying to get people's eBay details. Interestingly I found these 3 lines in its header:

    X-Source: /usr/local/bin/php
    X-Source-Args: php -f ebay.php
    X-Source-Dir: /var/tmp/test

    So I thought I would investigate. And in the /var/tmp/test directory were the files bla.txt, ebay.php, list4.txt, list.txt and ini.inc. So these would seem to be what's generating the emails, so I have deleted all these files and the test directory. Now, does anyone have any ideas how these files could have got on my server? No one knows my login details, so there must be a flaw on the server somewhere.
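The two investigative threads above, mweb's advice to pull the message id from the forwarded copy, follow it through /var/log/exim_mainlog and then line the submission time up against the web server log, and adamwebb's X-Source headers showing which program and directory the mail came from, can be worked through with a short script. This is an added example, not code from the thread, from cPanel or from Exim. The forwarded headers, exim_mainlog lines, access log lines, hostnames, IP addresses and message id below are constructed placeholders, and the script assumes both logs are written in the same (server local) timezone and that the first Received: header carries Exim's own message id.

```python
"""Trace one spam message from a forwarded copy through exim_mainlog and the web log.

Added example for the cPanel forum thread; all sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed headers of the forwarded spam. The Received: line is the shape
# Exim writes for a locally submitted message; X-Source* are the headers the
# cPanel PHP mail wrapper adds. Values are placeholders, not from a real box.
FORWARDED_HEADERS = """\
Received: from nobody by server.example.com with local (Exim 4.30)
\tid 1BaXyz-0001Kl-3p; Thu, 17 Jun 2004 10:15:32 +0000
From: "eBay" <aw-confirm@ebay.example>
To: victim@example.net
Subject: Please verify your account
X-Source: /usr/local/bin/php
X-Source-Args: php -f ebay.php
X-Source-Dir: /var/tmp/test
"""

# Constructed exim_mainlog excerpt: arrival (<=), delivery (=>) and Completed
# records for the spam, plus an unrelated legitimate message as noise.
EXIM_MAINLOG = """\
2004-06-17 10:15:32 1BaXyz-0001Kl-3p <= nobody@server.example.com U=nobody P=local S=2310
2004-06-17 10:15:33 1BaXyz-0001Kl-3p => victim@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2004-06-17 10:15:33 1BaXyz-0001Kl-3p Completed
2004-06-17 10:20:01 1BaXzz-0001Km-7q <= adam@server.example.com U=adam P=local S=900
2004-06-17 10:20:02 1BaXzz-0001Km-7q => friend@example.org R=lookuphost T=remote_smtp H=mail.example.org [192.0.2.20]
2004-06-17 10:20:02 1BaXzz-0001Km-7q Completed
""".splitlines()

# Constructed Apache combined-format access log (same clock as Exim, by assumption).
ACCESS_LOG = """\
192.0.2.55 - - [17/Jun/2004:10:14:58 +0000] "GET /contact.php HTTP/1.1" 200 1834 "-" "Mozilla/4.0"
192.0.2.55 - - [17/Jun/2004:10:15:31 +0000] "POST /contact.php HTTP/1.1" 200 211 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Jun/2004:10:40:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

# Exim message ids are three base-62 groups: 6-6-2 characters.
EXIM_ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2})")
EXIM_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) "
    r"(?P<flag><=|=>|->|\*\*|==|Completed)(?: (?P<rest>.*))?$"
)
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] "(?P<req>[^"]*)"')


def exim_id_from_headers(raw_headers):
    """Return the Exim message id recorded in a Received: header, or None."""
    m = EXIM_ID_RE.search(raw_headers)
    return m.group(1) if m else None


def source_headers(raw_headers):
    """Collect the X-Source* headers: which program submitted the mail, and from where."""
    out = {}
    for line in raw_headers.splitlines():
        if line.startswith("X-Source"):
            name, _, value = line.partition(":")
            out[name.strip()] = value.strip()
    return out


def _field(rest, key):
    """Pull a KEY=value token (U=, P=, H=, ...) out of an Exim log record."""
    m = re.search(r"(?:^| )" + re.escape(key) + r"=(\S+)", rest)
    return m.group(1) if m else None


def trace_message(log_lines, msg_id):
    """Gather the arrival (<=) and delivery (=>) records for one message id."""
    info = {"id": msg_id, "recipients": []}
    for line in log_lines:
        m = EXIM_LINE_RE.match(line)
        if not m or m.group("id") != msg_id:
            continue
        rest = m.group("rest") or ""
        if m.group("flag") == "<=":
            info["arrived"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            info["sender"] = rest.split(" ", 1)[0]
            info["user"] = _field(rest, "U")      # local uid that ran sendmail (nobody = web server)
            info["protocol"] = _field(rest, "P")  # local vs. smtp/esmtp tells you the submission path
            info["host"] = _field(rest, "H")      # only present for SMTP submissions
        elif m.group("flag") in ("=>", "->"):
            info["recipients"].append(rest.split(" ", 1)[0])
    return info


def correlate_web_hits(access_lines, when, window=timedelta(seconds=60)):
    """Return (timestamp, ip, request) for web hits in the window just before submission."""
    hits = []
    for line in access_lines:
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        if when - window <= ts <= when:
            hits.append((ts, m.group("ip"), m.group("req")))
    return hits


def investigate(raw_headers, exim_log, access_log):
    """Tie the three sources together for one forwarded message."""
    trace = trace_message(exim_log, exim_id_from_headers(raw_headers))
    trace["source"] = source_headers(raw_headers)
    trace["web_hits"] = correlate_web_hits(access_log, trace["arrived"]) if "arrived" in trace else []
    return trace


if __name__ == "__main__":
    for key, value in investigate(FORWARDED_HEADERS, EXIM_MAINLOG, ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Against the constructed data this reports a message submitted locally by uid nobody (the web server user), delivered to one recipient, written by php from /var/tmp/test, with two requests from 192.0.2.55 to /contact.php in the minute before submission. On a real box the same `grep <msgid> /var/log/exim_mainlog` followed by a look at the access log around that timestamp is what the script automates; the web hits are a lead to confirm against the script itself, not proof on their own.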
     
  9. mweb

    mweb Member

    Joined:
    Mar 11, 2003
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    1
    You're missing some important points here.

    What uid/gid owned the files you deleted?
    Are there ANY other accounts on the box besides those with gid < 100 (besides cpanel and mailman)?
    Are you running mailman?
    What version of sw are you running? Up to date on patches?
    What was the content of the files you deleted?

    In a default install, /var/tmp is world writable, so any other account on your box could have created them.

    Just from your description, my first impression is that there's a php script that's got a flaw, OR you've got a user on the box that doesn't

    My unofficial opinion...
    The directory was called test, and there was a file called bla.txt. These are indicative of testing the waters. Going back to the logs (web logs, /var/log/secure, /var/log/messages) might give you an idea of what's going on.
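mweb's first two questions, who owned the files and whether /var/tmp is world writable, are the ones to answer before anything is deleted, because the owning uid is what separates "a web script was abused" (files owned by the web server user) from "some other account on the box is compromised". The following is an added example, not code from the thread or from cPanel: it walks a directory and records each file's owner, whether the directory it sits in is world writable, and whether its name looks like a script. The script suffix list and the sample tree builder are assumptions made for the example; the builder exists only so the code can be run against a constructed directory rather than a live /var/tmp.

```python
"""Record ownership of files in a world-writable directory before cleaning it up.

Added example for the cPanel forum thread. Suffix list and sample tree are assumptions.
"""
import os
import stat
import tempfile

# Assumption for the example: extensions worth flagging as executable content.
SCRIPT_SUFFIXES = (".php", ".pl", ".sh", ".py", ".cgi")


def audit_dir(root):
    """Return one record per regular file under root, with owner and directory permissions."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        dir_world_writable = bool(os.lstat(dirpath).st_mode & stat.S_IWOTH)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks a hostile user may have planted
            if not stat.S_ISREG(st.st_mode):
                continue
            records.append({
                "path": path,
                "uid": st.st_uid,            # compare against the web server user (e.g. nobody)
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),   # lines up with exim_mainlog and access log times
                "dir_world_writable": dir_world_writable,
                "looks_like_script": name.lower().endswith(SCRIPT_SUFFIXES),
            })
    return records


def suspicious(records):
    """Scripts sitting in a world-writable directory: what any local uid could have dropped."""
    return [r for r in records if r["dir_world_writable"] and r["looks_like_script"]]


def make_sample_tree():
    """Build a constructed stand-in for /var/tmp/test so the audit can be run offline."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o1777)                 # same mode as a default /var/tmp
    test_dir = os.path.join(base, "test")
    os.mkdir(test_dir)
    os.chmod(test_dir, 0o777)
    for name in ("bla.txt", "ebay.php"):   # names from the thread, contents empty
        open(os.path.join(test_dir, name), "w").close()
    return base


if __name__ == "__main__":
    for r in suspicious(audit_dir(make_sample_tree())):
        print(f'{r["path"]} uid={r["uid"]} gid={r["gid"]} mtime={r["mtime"]}')
```

Run against the real directory (`audit_dir("/var/tmp")`) the output is the evidence to keep: owner uid, modification time and path for each file, so that the uid can be matched to the U= field in exim_mainlog and the mtime to the web log before the files are removed.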
     