Unsolicited mails sent from my vps server

Discussion in 'E-mail Discussions' started by buyonlineindia, Oct 12, 2014.

  1. buyonlineindia

    buyonlineindia Registered

    Hi,

    I am new to VPS and trying to set up my server.
    For quite some time I have been facing an issue where my server is sending unsolicited emails
    with <user-name>@<mydomain>.com as the sender.

    These email IDs are not registered on my server. I have restricted the outgoing mail volume as a last resort after trying out all the email security measures, like disabling Exim (was desperate to stop it), spamd, RBL, etc.

    Did someone face this issue, or does someone know what should be done to secure the server?


    T&R
    PG
     
  2. triantech

    triantech Well-Known Member

    Hello,

    You might need to check the mail queue and try to see whether the mails are being sent from a single mail address,
    which might be compromised, or whether it is due to any insecure scripts on your <mydomain.com>.
     
  3. mageshm

    mageshm Well-Known Member

    @buyonlineindia,

    It seems that the account got infected, so try the command below. It will clearly show the mail originator location. Then remove the infected files and change the password of the account.

    # grep "<user-name>@<mydomain>.com" /var/log/exim_mainlog
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Check the account associated with that username for scripts with the ability to send out email. It's possible the user has uploaded a script for sending email and it's being used to send out SPAM.

    Thank you.
     
  5. buyonlineindia

    buyonlineindia Registered

    Hello,

    Thanks for the responses. I found the originator script and deleted it.
    Now it looks fine, as I don't see any unsolicited mails sent in the report and queue.

    Thanks to all, and especially @mageshm.

    Regards
     
  6. buyonlineindia

    buyonlineindia Registered

    Hi All,

    The problem was temporarily removed; the mail sending started again.

    I removed the file after changing all the passwords. The file db.php had some cryptic text, and after removing the file there were no unsolicited mails sent. But after 10-15 days the server creates the file again at public_html/libraries/joomla/filter and starts sending mails.

    Any help would be appreciated.
    T&R
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The Security Advisor option in WHM (Home >> Security Center >> Security Advisor) is a good place to start when attempting to secure your server. This feature runs a security scan on your cPanel & WHM server and advises you how to resolve any security issues found.

    You may also want to review the domain access logs or the Apache access log for the time period it occurred to see if you can find additional details about how the account was exploited.

    Thank you.
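
The two log checks suggested in this thread (find where the mail is submitted from in the Exim log, then look in the access log for requests to the script found there), as an added example that is not part of any poster's reply. The log lines, the account name exampleuser, the IP addresses and the URL path of db.php are constructed assumptions; the access log is assumed to be in Apache combined format.

```sh
#!/bin/sh
# Added example. All log lines below are constructed samples.

# Exim writes "cwd=<dir> <argc> args: <argv>" to exim_mainlog each time it is
# invoked. A script that calls sendmail shows its own directory there, while
# the daemon and queue runners typically show /var/spool/exim or /.
sample_exim_log() {
cat <<'EOF'
2014-10-20 03:12:45 cwd=/home/exampleuser/public_html/libraries/joomla/filter 3 args: /usr/sbin/sendmail -t -i
2014-10-20 03:12:46 cwd=/home/exampleuser/public_html/libraries/joomla/filter 3 args: /usr/sbin/sendmail -t -i
2014-10-20 03:12:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XgABC-0001aB-2C
2014-10-20 03:13:02 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2014-10-20 03:13:05 cwd=/home/exampleuser/public_html/libraries/joomla/filter 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Apache combined-format access log for the same (hypothetical) account.
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [20/Oct/2014:03:12:44 +0000] "POST /libraries/joomla/filter/db.php HTTP/1.1" 200 12 "-" "-"
203.0.113.7 - - [20/Oct/2014:03:13:04 +0000] "POST /libraries/joomla/filter/db.php HTTP/1.1" 200 12 "-" "-"
198.51.100.9 - - [20/Oct/2014:03:14:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [20/Oct/2014:03:15:10 +0000] "POST /libraries/joomla/filter/db.php HTTP/1.1" 200 12 "-" "-"
EOF
}

# Count mail submissions per working directory under /home, busiest first.
# Usage: top_mail_dirs [LOGFILE]   (reads stdin when no file is given)
top_mail_dirs() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^cwd=\/home\//) n[substr($i, 5)]++ }
         END { for (d in n) print n[d], d }' "${1:--}" | sort -k1,1nr -k2
}

# Count POST requests per client IP for one URL path, busiest first.
# Usage: posts_to_path URLPATH [LOGFILE]
posts_to_path() {
    awk -v p="$1" '$6 == "\"POST" && $7 == p { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "${2:--}" | sort -k1,1nr -k2
}

sample_exim_log | top_mail_dirs
sample_access_log | posts_to_path /libraries/joomla/filter/db.php
```

On a real server, pass /var/log/exim_mainlog (the path used earlier in the thread) to top_mail_dirs, then give posts_to_path the URL path of the script found in the top directory together with that domain's access log.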
     