Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

unknown spam source

Discussion in 'Security' started by dtandukar, Apr 28, 2014.

  1. dtandukar

    dtandukar Member

    Joined:
    Apr 28, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Dear all,

    My server has been generating spam emails since last 3 days and could not trace out the source. I found similar case here: http://forums.cpanel.net/f43/open-relay-server-284991.html as well.

    Followings are the things I have already done without any success:

    1. checked for culprit php script by making new phpmail.log (seems like it is not php script)
    2. malware cleaned
    3. shutdown joomla site
    4. shutdown moodle site
    5. shutdown old lime survey site

    Any advice, suggestion - how can the culprit be tracked?

    Best regards, Deependra
     
    #1 dtandukar, Apr 28, 2014
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,442
    Likes Received:
    1,961
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    Could you provide more details about how you became aware your server is sending out SPAM? Are you able to view the headers of these emails? Have you checked /var/log/exim_mainlog for more information?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Apr 28, 2014
  3. dtandukar

    dtandukar Member

    Joined:
    Apr 28, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    spam emails

    My dedicated server is generating spam emails continuously. it does not seem to be from php script. Is there anyway to track the culprit, i have been trying to find out since last one week. It generates more than 2o emails a second - please help.

    Best regards, Deependra
     
    #3 dtandukar, Apr 30, 2014
  4. dtandukar

    dtandukar Member

    Joined:
    Apr 28, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Because of the last amount of email, the server blocked the out going email - that is when i came to know about it. I am copying here one of the mails in queue:

    Code:
    Mail Control Data:
icimod 510 500
<icimod@server.domain.org>
1398777168 0
-ident icimod
-received_protocol local
-body_linecount 3
-max_received_linelength 28
-auth_id icimod
-auth_sender icimod@server.domain.org
-allow_unqualified_recipient
-allow_unqualified_sender
-local
XX
1
someuser@hotmail.com

Date:
Tue, 29 Apr 2014 18:57:48 +0545
From:
root@localhost
To:
someuser@hotmail.com
Subject:
Test mail 405209145
Message-Id:
<E1Wf7q4-0004qQ-0n@server.domain.org>
Received:
from domain by server.domain.org with local (Exim 4.82)
(envelope-from <icimod@server.domain.org>)
id 1Wf7q4-0004qQ-0n
for someuser@hotmail.com; Tue, 29 Apr 2014 18:57:48 +0545
Sender:
<icimod@server.domain.org>


    Bla-bla-bla
    ----------------
    best regards
     
    #4 dtandukar, Apr 30, 2014
  5. theoxgr

    theoxgr Member

    Joined:
    Oct 3, 2013
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Greece, Thessaloniki
    cPanel Access Level:
    Root Administrator
    you can block root from sending out emails i think i did it from "tweak settings"
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 theoxgr, Apr 30, 2014
  6. dtandukar

    dtandukar Member

    Joined:
    Apr 28, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    But this is not the solution or finding out the root of problem. I will try this too. Could this be the cpanel bug or loophole?

     
    #6 dtandukar, Apr 30, 2014
  7. dtandukar

    dtandukar Member

    Joined:
    Apr 28, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    sending email by root is already blocked. Any other suggestions?
     
    #7 dtandukar, Apr 30, 2014
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,442
    Likes Received:
    1,961
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    The message header you provided indicates the "icimod" user is sending out those emails. Is that a user on your system? If so, first try changing the password of that account. You can also search for the term "spam source" on our forums and you will see several threads where methods of spam investigation is discussed.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelMichael, Apr 30, 2014
  9. dtandukar

    dtandukar Member

    Joined:
    Apr 28, 2014
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    yes, icimod is the main account. Password has been changed several times. Okay let me search for spam source in the forum - if any suggestion, I am glad to take on.

    Best regards,
     
    #9 dtandukar, Apr 30, 2014
  10. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    575
    Likes Received:
    20
    Trophy Points:
    143
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Try running the following command:

    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    This will list the source and the number of messages from each source.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelPeter, May 1, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - unknown spam source
  1. Michael Turner

    Unknown App Requested for this version (0) of the api: spamd

    Michael Turner, Oct 18, 2018, in forum: cPanel Developers
    Replies:
    2
    Views:
    218
    cPanelMichael
    Oct 23, 2018
  2. Samet Chan

    Pending Publication [CPANEL-22957] kcarectl reporting unknown patch type

    Samet Chan, Dec 3, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    179
    cPAusaf
    Dec 5, 2018
  3. adamreece.webbox

    SSHD fails with AuthorizedKeysCommandUser unknown error

    adamreece.webbox, Oct 10, 2018, in forum: Security
    Replies:
    3
    Views:
    158
    cPanelLauren
    Oct 11, 2018
  4. CanadaGuy

    KernelCare Patch Unknown Kernel Alerts

    CanadaGuy, Oct 9, 2018, in forum: Security
    Replies:
    8
    Views:
    218
    cPanelLauren
    Oct 12, 2018
  5. upsforum

    Unknown Kernel alert

    upsforum, Aug 23, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    216
    cPanelLauren
    Aug 24, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice