Hi, today one of my customers called me about a problem: he can't receive emails via his cPanel email account.
I checked the server IP with MXToolbox for blacklists and other SMTP diagnostics, and all were fine.
Then I restarted Exim and the cPanel services on that Linux server, and I still couldn't receive emails to the address on the server.
For example, I didn't receive emails that I sent to [email protected], and I checked it from Horde and the other cPanel webmail programs.
Then I checked the quotas and reset them with Fix Quotas, and it didn't work either.
At last I checked the Exim queue and saw that there were lots of emails from a host that uses WordPress, and the subject was strange.
2013-08-11 <= [email protected] U=user P=local S=11029 T="Cron <[email protected]> cat /etc/passwd" for [email protected]"
I opened one of them and saw that they had somehow accessed the /etc/passwd file.
In this case, for that WordPress host, PHP safe_mode and safe_mode_gid were active, many other PHP functions were disabled on that host, no CGI was enabled, and there is no shell access on that account.
ClamAV and other shell-checking scripts didn't find anything in their daily scans.
I checked the recently uploaded files for that user (-mtime -90) and didn't find anything special; I checked his tmp directory and the server tmp directory but found nothing suspicious.
PHP with mod_suphp, disabling some .htaccess functions, and blocking the use of customized php.ini files are active on the server; queries are also checked with mod_security, and CSF is active.
There is so much security active on that cPanel Linux server that a new installation of WordPress needs some PHP functions enabled to let WP work for new customers! So I really don't know how they gained access to bash execution.
I have suspended that account and deleted the mail queue for that Gmail account, but I can't block Gmail IPs. So how can I find and block that hacker and prevent his further actions?
This must be a hacking method like this: - Link Removed -
The emails were sent every minute, but I checked the cPanel cron manager, and no cron jobs were defined there. It must use the WordPress cron jobs.