spammer's hidden accounts?

Discussion in 'General Discussion' started by rediray, Mar 6, 2007.

  1. rediray

    rediray Registered

    hi folks, i searched around this forum and others for a solution, but can't find anything related. hoping someone can help.

    i have a billing system that allows for instant activation. a spammer installed two accounts on my box with fake domain names, so i deleted them.

    however, my server was blacklisted by spamcop the next day or two, and now i'm trying to clean up the mess. it seems they were able to relay email through these bogus accounts. now that i've deleted these accounts, they do not appear in my WHM.

    HOWEVER, when i SSH into the box and do a 'locate acostac' on one of the accounts, it looks like it's still installed. same for the other account that i deleted. interestingly, they're all hidden files and folders:

    /var/spool/mail/acostac
    /var/named/acostacafe.biz.db
    /var/cpanel/users/acostac
    /var/cpanel/bandwidth/acostac-all.rrd
    /var/cpanel/bandwidth/acostac-http.rrd
    /var/cpanel/bandwidth/acostac-ftp.rrd
    /var/cpanel/bandwidth/acostac-pop3.rrd
    /var/cpanel/bandwidth/acostac-imap.rrd
    /var/cpanel/bandwidth/acostac-smtp.rrd
    /var/cpanel/bandwidth/acostac
    /var/cpanel/bandwidth/acostacafe.biz
    /var/cpanel/lastrun/acostac
    /var/cpanel/lastrun/acostac/stats
    /var/cpanel/lastrun/acostac/bandwidth
    /var/cpanel/suspended/acostac
    /var/cpanel/suspendinfo/acostac
    /etc/vdomainaliases/acostacafe.biz
    /etc/proftpd/acostac
    /etc/proftpd/acostac.suspended
    /etc/valiases/acostacafe.biz
    /etc/vfilters/acostacafe.biz
    /etc/vmail/passwd.acostacafe.biz
    /etc/vmail/shadow.acostacafe.biz
    /etc/vmail/vhost.acostacafe.biz
    /etc/vmail/uid.acostacafe.biz
    /etc/vmail/gid.acostacafe.biz
    /usr/local/apache/domlogs/acostacafe.biz
    /usr/local/apache/domlogs/acostacafe.biz-bytes_log
    /usr/local/apache/domlogs/acostacafe.biz-bytes_log.offset
    /usr/local/apache/domlogs/acostacafe.biz-smtpbytes_log
    /home/acostac
    /home/acostac/.kde
    /home/acostac/.kde/Autostart
    /home/acostac/.kde/Autostart/.directory
    /home/acostac/.emacs
    /home/acostac/.bash_logout
    /home/acostac/.bash_profile
    /home/acostac/.bashrc
    /home/acostac/.gtkrc
    /home/acostac/.zshrc
    /home/acostac/etc
    /home/acostac/etc/.imapv4cp5c
    /home/acostac/etc/acostacafe.biz
    /home/acostac/etc/acostacafe.biz/passwd
    /home/acostac/etc/acostacafe.biz/quota
    /home/acostac/etc/acostacafe.biz/shadow
    /home/acostac/etc/acostacafe.biz/quota,v
    /home/acostac/etc/acostacafe.biz/passwd,v
    /home/acostac/etc/acostacafe.biz/shadow,v
    /home/acostac/mail
    /home/acostac/mail/inbox
    /home/acostac/mail/INBOX.Sent
    /home/acostac/mail/INBOX.Trash
    /home/acostac/mail/INBOX.Drafts
    /home/acostac/mail/acostacafe.biz
    /home/acostac/mail/acostacafe.biz/dennie
    /home/acostac/mail/acostacafe.biz/dennie/inbox
    /home/acostac/mail/acostacafe.biz/dennie/INBOX.Sent
    /home/acostac/mail/acostacafe.biz/dennie/.mailboxlist
    /home/acostac/mail/acostacafe.biz/dennie/INBOX.Trash
    /home/acostac/mail/acostacafe.biz/dennie/INBOX.Drafts
    /home/acostac/public_html
    /home/acostac/public_html/cgi-bin
    /home/acostac/public_html/index.html
    /home/acostac/public_html/.htaccess
    /home/acostac/public_html/.htaccess.suspend
    /home/acostac/public_ftp
    /home/acostac/public_ftp/incoming
    /home/acostac/.contactemail
    /home/acostac/www
    /home/acostac/tmp
    /home/acostac/tmp/urchin
    /home/acostac/tmp/urchin/data
    /home/acostac/tmp/urchin/data/reports
    /home/acostac/tmp/urchin/data/reports/acostacafe.biz
    /home/acostac/tmp/urchin/data/cache
    /home/acostac/tmp/urchin/data/history
    /home/acostac/tmp/urchin/data/history/acostacafe.biz
    /home/acostac/tmp/urchin/data/history/acostacafe.biz/1172896368.log
    /home/acostac/tmp/urchin/data/history/acostacafe.biz/1172983730.log
    /home/acostac/tmp/urchin/data/history/acostacafe.biz/1173071101.log
    /home/acostac/tmp/urchin/data/history/acostacafe.biz/1173158490.log
    /home/acostac/tmp/urchin/data/history/UT_200703.log
    /home/acostac/tmp/urchin/data/conf
    /home/acostac/tmp/urchin/data/geodata
    /home/acostac/tmp/urchin/bin
    /home/acostac/tmp/urchin/bin/urchin.cgi
    /home/acostac/tmp/urchin/bin/urchin
    /home/acostac/tmp/urchin/util
    /home/acostac/tmp/urchin/util/uconf-import
    /home/acostac/tmp/urchin/util/uconf-driver
    /home/acostac/tmp/urchin/etc
    /home/acostac/tmp/urchin/etc/urchin.conf
    /home/acostac/tmp/urchin/etc/session.conf
    /home/acostac/tmp/urchin/htdocs
    /home/acostac/tmp/urchin/htdocs/.report.conf
    /home/acostac/tmp/urchin/htdocs/report.cgi
    /home/acostac/tmp/urchin/lib
    /home/acostac/tmp/webalizer
    /home/acostac/tmp/webalizer/dns_cache.db
    /home/acostac/tmp/awstats
    /home/acostac/tmp/awstats/awstats.acostacafe.biz.conf
    /home/acostac/tmp/analog
    /home/acostac/tmp/webalizerftp
    /home/acostac/tmp/cpbandwidth
    /home/acostac/tmp/cpbandwidth/acostacafe.biz-bytes_log
    /home/acostac/.sqmaildata
    /home/acostac/.sqmaildata/acostac.pref
    /home/acostac/.sqmaildata/acostac.abook
    /home/acostac/.sqmaildata/dennie@acostacafe.biz.pref
    /home/acostac/.sqmaildata/dennie@acostacafe.biz.abook
    /home/acostac/.mailboxlist
    /home/acostac/.cpanel-datastore
    /home/acostac/.cpanel-datastore/ftp_LIST_0
    /home/acostac/.cpanel-datastore/apache_LISTSUBDOMAINS_0
    /home/acostac/.cpanel-datastore/apache_LISTMULTIPARKED_0
    /home/acostac/.cpanel-datastore/_usr_bin_mysqladmin_ping
    /home/acostac/.cpanel-datastore/quota_-v


    has anyone experienced this before? if so, can you please advise on how to proceed with removing these two accounts and corresponding files/folders?

    thanks in advance!
    rediray

    PS - i have since tweaked my fraud prevention system to reject domains that do not exist yet...so this shouldn't happen again.
     
    #1 rediray, Mar 6, 2007
    Last edited: Mar 6, 2007
  2. bmcpanel

    bmcpanel Well-Known Member

    maybe your locate database is outdated, showing you files that may have been deleted, but that still show up in the "locate" database as existing.

    run this command to update your locate database.

    slocate -u

    and then wait for it to update. It may take a while. Then, run locate again and you should see the actual files related to that user which are still on the system after you deleted the accounts (if any).
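
The check this answer implies, as an added example that is not part of the original thread: instead of trusting `locate` output, test each reported path against the live filesystem, so leftovers that really exist are separated from entries that only survive in an outdated database. The function names, the account name `exampleuser` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate paths that a stale locate database still lists
# from paths that really exist after an account has been removed.

# classify_paths: read one path per line on stdin, print "LIVE <path>" or
# "STALE <path>". -L also counts dangling symlinks as present.
classify_paths() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf 'LIVE %s\n' "$p"
        else
            printf 'STALE %s\n' "$p"
        fi
    done
}

# count_state STATE: count stdin paths in the given state (LIVE or STALE).
# grep -c exits non-zero on a zero count, hence the "|| true".
count_state() {
    classify_paths | grep -c "^$1 " || true
}

# demo: constructed sample. A throwaway tree stands in for the server and
# "exampleuser" is a made-up account name.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/var/cpanel/users" "$root/home"
    : > "$root/var/cpanel/users/exampleuser"   # leftover that survived removal
    # Constructed "locate" output: one real leftover, two already deleted.
    listing="$root/var/cpanel/users/exampleuser
$root/home/exampleuser
$root/home/exampleuser/public_html/index.html"
    printf '%s\n' "$listing" | classify_paths | sed "s|$root||"
    rm -rf "$root"
}

# Run the constructed demo with:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi

# On a real server (account name is a placeholder):
#   locate exampleuser | classify_paths | grep '^LIVE '
```

Only the `LIVE` lines are real residue to investigate; `STALE` lines disappear once the locate database is rebuilt.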
     
  3. rediray

    rediray Registered

    thanks, bmcpanel...that worked! (you're a genius)
     
  4. bmcpanel

    bmcpanel Well-Known Member

    No problem.
     