WillBlack

Member
Oct 24, 2006
10
0
151
Hi there, I have been watching my FW and seeing loads of SMTP leaving my CPANEL Server. I have disabled all accounts and went so far as to reboot (I am a small time Hosting CO)

I still see the traffic leaving the network. How can I determine what is going on and which account is sending the traffic? Or if nobody or root is the culprit?


Thanks in advance!

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,983
159
368
SLC
cPanel Access Level
DataCenter Provider
tail your mail log

tail -f /var/log/exim_mainlog

view your mail queue in WHM

view you mail statistics in WHM

view your relayers in WHM

WillBlack

Member
Oct 24, 2006
10
0
151
A look at the log!

I was already tail'n that file to watch it BUT!
Pardon my newb stupidity here, but what am I seeing? ... I see <= and => and not sure what that means...
disregard the munin@ as they are not spam.


Please let me know!

R=localuser T=local_delivery
2006-10-26 20:08:00 1GdH8a-0003Ro-5J Completed 20:01:26 1GdH2E-0003OV-7C => barry <barry@blackboardcreations
2006-10-26 20:10:01 1GdHAX-0003T7-52 <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:10:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHAX-0003T7-52/sbin/exim -odi -Mc 1GdH5g-0003Q9-AL
2006-10-26 20:10:01 1GdHAX-0003T7-52 => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:10:01 1GdHAX-0003T7-52 Completed
host T=remote_smtp defer (-53): retry time not reached for any hostDX-T7 == [email protected] R=lookuph
2006-10-26 20:05:32 End queue run: pid=13186
2006-10-26 20:08:00 1GdH8a-0003Ro-5J <= [email protected] H=(inrete.it) [222.103.134.217] P=smtp S=1218 id=119901c6f93e$c5cec9b0$f5ce661f@lhmlhfggof T="R..e: Looking .for friend?"
2006-10-26 20:08:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdH8a-0003Ro-5J
2006-10-26 20:08:00 1GdH8a-0003Ro-5J => albertas <[email protected]> R=localuser T=local_delivery
2006-10-26 20:08:00 1GdH8a-0003Ro-5J Completed
2006-10-26 20:10:01 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:10:01 1GdHAX-0003T7-52 <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:10:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHAX-0003T7-52
2006-10-26 20:10:01 1GdHAX-0003T7-52 => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:10:01 1GdHAX-0003T7-52 Completed
2006-10-26 20:15:00 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:15:00 1GdHFM-0003WM-JJ <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:15:00 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHFM-0003WM-JJ
2006-10-26 20:15:00 1GdHFM-0003WM-JJ => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:15:00 1GdHFM-0003WM-JJ Completed
2006-10-26 20:18:31 1GdHIl-0003Y3-7u <= [email protected] H=(server.crmresponse.com) [204.92.87.134] P=esmtps X=TLSv1:AES256-SHA:256 S=2985 [email protected] T="You only sent me 1 email all month & that trobles me."
2006-10-26 20:18:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHIl-0003Y3-7u
2006-10-26 20:18:31 1GdHIl-0003Y3-7u => bigchili <[email protected]> R=localuser T=local_delivery
2006-10-26 20:18:31 1GdHIl-0003Y3-7u Completed
2006-10-26 20:20:00 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:20:01 1GdHKC-0003Z4-SN <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:20:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHKC-0003Z4-SN
2006-10-26 20:20:01 1GdHKC-0003Z4-SN => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:20:01 1GdHKC-0003Z4-SN Completed
2006-10-26 20:21:47 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
2006-10-26 20:21:47 1GdHLv-0003ah-R6 <= [email protected] U=root P=local S=534 T="lfd: SSH login alert for user root from 172.16.10.50 (Unknown)"
2006-10-26 20:21:47 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHLv-0003ah-R6
2006-10-26 20:21:48 1GdHLv-0003ah-R6 => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:21:48 1GdHLv-0003ah-R6 Completed
2006-10-26 20:21:49 H=(friend) [69.40.205.89] sender verify fail for <[email protected]>: unrouteable mail domain "eurovest.biz"
2006-10-26 20:21:49 H=(friend) [69.40.205.89] F=<[email protected]> rejected RCPT <[email protected]>: Sender verify failed
2006-10-26 20:21:49 unexpected disconnection while reading SMTP command from (friend) [69.40.205.89]
2006-10-26 20:23:08 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
2006-10-26 20:23:08 1GdHNE-0003bw-8x <= [email protected] U=root P=local S=534 T="lfd: SSH login alert for user root from 172.16.10.50 (Unknown)"
2006-10-26 20:23:08 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHNE-0003bw-8x
2006-10-26 20:23:08 1GdHNE-0003bw-8x => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:23:08 1GdHNE-0003bw-8x Completed
2006-10-26 20:23:53 cwd=/addonscripts 3 args: send-mail -i root
2006-10-26 20:23:53 cwd=/addonscripts 3 args: send-mail -i root
2006-10-26 20:23:53 1GdHNx-0003cu-Ei <= [email protected] U=root P=local S=583 T="RulesDuJour/allserver.webtestdummies.com: Cannot write to /etc/spamassassin. RDJ terminated."
2006-10-26 20:23:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHNx-0003cu-Ei
2006-10-26 20:23:53 1GdHNx-0003cx-Es <= [email protected] U=root P=local S=607 T="RulesDuJour/allserver.webtestdummies.com: Cannot write to /etc/spamassassin/RulesDuJour. RDJ termina"
2006-10-26 20:23:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHNx-0003cx-Es
2006-10-26 20:23:53 1GdHNx-0003cx-Es => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:23:53 1GdHNx-0003cx-Es Completed
2006-10-26 20:23:53 1GdHNx-0003cu-Ei => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:23:53 1GdHNx-0003cu-Ei Completed
2006-10-26 20:24:13 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
2006-10-26 20:24:15 1GdHOH-0003dF-I9 <= [email protected] U=root P=local S=503 T="lfd: SU login alert - Successful login from root to root"
2006-10-26 20:24:15 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHOH-0003dF-I9
2006-10-26 20:24:15 1GdHOH-0003dF-I9 => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:24:15 1GdHOH-0003dF-I9 Completed
2006-10-26 20:24:19 cwd=/addonscripts 3 args: send-mail -i root
2006-10-26 20:24:19 cwd=/addonscripts 3 args: send-mail -i root
2006-10-26 20:24:19 1GdHON-0003dj-41 <= [email protected] U=root P=local S=607 T="RulesDuJour/allserver.webtestdummies.com: Cannot write to /etc/spamassassin/RulesDuJour. RDJ termina"
2006-10-26 20:24:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHON-0003dj-41
2006-10-26 20:24:19 1GdHON-0003dg-4c <= [email protected] U=root P=local S=583 T="RulesDuJour/allserver.webtestdummies.com: Cannot write to /etc/spamassassin. RDJ terminated."
2006-10-26 20:24:19 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHON-0003dg-4c
2006-10-26 20:24:19 1GdHON-0003dj-41 => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:24:19 1GdHON-0003dj-41 Completed
2006-10-26 20:24:19 1GdHON-0003dg-4c => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=mail.iongear.com [66.46.102.107]
2006-10-26 20:24:19 1GdHON-0003dg-4c Completed
2006-10-26 20:25:01 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:25:01 1GdHP3-0003eN-DG <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:25:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHP3-0003eN-DG
2006-10-26 20:25:01 1GdHP3-0003eN-DG => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:25:01 1GdHP3-0003eN-DG Completed
2006-10-26 20:26:25 unexpected disconnection while reading SMTP command from (D6FFLCYSOSB6PR5) [219.235.228.14]
2006-10-26 20:28:34 1GdHSU-0003fm-89 <= [email protected] H=(|) [88.153.204.95] P=esmtp S=3104 id=000b01c6f96f$99070ce0$1a01a8c0@bzq-88-153-204-95.red.bezeqint.net T="Re: Diclofenac . About law"
2006-10-26 20:28:34 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHSU-0003fm-89
2006-10-26 20:28:34 1GdHSU-0003fm-89 => blackboa <[email protected]> R=localuser T=local_delivery
2006-10-26 20:28:34 1GdHSU-0003fm-89 Completed
2006-10-26 20:30:01 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:30:01 1GdHTt-0003iP-17 <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:30:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHTt-0003iP-17
2006-10-26 20:30:01 1GdHTt-0003iP-17 => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:30:01 1GdHTt-0003iP-17 Completed
2006-10-26 20:35:00 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:35:00 1GdHYi-0003nG-JL <= [email protected] U=munin P=local S=2681 T="Cron <munin@allserver> /usr/bin/munin-cron"
2006-10-26 20:35:00 cwd=/var/spool/exim 4 args: /usr/sbin/exim -odi -Mc 1GdHYi-0003nG-JL
2006-10-26 20:35:00 1GdHYi-0003nG-JL => munin <mun[email protected]> R=localuser T=local_delivery
2006-10-26 20:35:00 1GdHYi-0003nG-JL Completed
2006-10-26 20:35:24 1GdHZ5-0003nO-Tu <= [email protected] H=(itron.com) [80.224.234.243] P=smtp S=1838 id=000001c6f970$5c41d730$a9bba8c0@hwuqyve T="Re: VlAGHRA"
2006-10-26 20:35:24 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1GdHZ5-0003nO-Tu
2006-10-26 20:35:24 1GdHZ5-0003nO-Tu => blackboa <[email protected]> R=localuser T=local_delivery
2006-10-26 20:35:24 1GdHZ5-0003nO-Tu Completed
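Added example, not code from either poster: a POSIX shell script that answers both questions in this thread from exim_mainlog alone. The flag after the message id is the standard Exim log notation: `<=` is a message arriving (from a local process when it carries `U=user P=local`, from the network when it carries `H=host P=smtp`), `=>` is a delivery (`T=local_delivery` stays on the box, `T=remote_smtp` leaves the network), `->` is an extra address in the same delivery, `==` is a deferral and `**` is a permanent failure. The `cwd=... args:` lines are the arguments log cPanel enables, and record the directory the injecting process ran from. The script joins each outgoing `=>` line back to the `U=` of the message's own `<=` line, so the count is per submitting account (including nobody and root), and it tallies injection directories separately because a script under a user's public_html shows up there before it shows up anywhere else. The embedded log is constructed (placeholder message ids, hosts and addresses); set `EXIM_LOG=/var/log/exim_mainlog` to run it on a real log instead.

```shell
#!/bin/sh
# Summarise Exim mainlog activity by local submitter and injection directory.
# Usage: sh exim_summary.sh            (runs on the constructed sample below)
#        EXIM_LOG=/var/log/exim_mainlog sh exim_summary.sh

# Constructed sample log; ids, hosts and addresses are placeholders, not real data.
SAMPLE_LOG=$(cat <<'EOF'
2006-10-26 20:10:01 cwd=/home/munin 6 args: /usr/sbin/sendmail -FCronDaemon -i -odi -oem munin
2006-10-26 20:10:01 1AAAAA-000001-AA <= munin@host.example U=munin P=local S=2681 T="Cron <munin@host> /usr/bin/munin-cron"
2006-10-26 20:10:01 1AAAAA-000001-AA => munin <munin@host.example> R=localuser T=local_delivery
2006-10-26 20:10:01 1AAAAA-000001-AA Completed
2006-10-26 20:21:47 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
2006-10-26 20:21:47 1AAAAA-000002-AB <= root@host.example U=root P=local S=534 T="lfd: SSH login alert"
2006-10-26 20:21:48 1AAAAA-000002-AB => admin@remote.example <admin@remote.example> R=lookuphost T=remote_smtp H=mail.remote.example [192.0.2.10]
2006-10-26 20:21:48 1AAAAA-000002-AB Completed
2006-10-26 20:30:00 cwd=/home/acct1/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2006-10-26 20:30:00 1AAAAA-000003-AC <= promo@bogus.example U=nobody P=local S=4410 T="Cheap watches U=root"
2006-10-26 20:30:01 1AAAAA-000003-AC => victim1@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [192.0.2.20]
2006-10-26 20:30:01 1AAAAA-000003-AC => victim2@other.example R=lookuphost T=remote_smtp H=mx.other.example [192.0.2.30]
2006-10-26 20:30:05 1AAAAA-000003-AC == victim3@third.example R=lookuphost T=remote_smtp defer (-53): retry time not reached for any host
2006-10-26 20:31:00 cwd=/home/acct1/public_html/uploads 3 args: /usr/sbin/sendmail -t -i
2006-10-26 20:31:00 1AAAAA-000004-AD <= promo@bogus.example U=nobody P=local S=4410 T="Cheap watches"
2006-10-26 20:31:01 1AAAAA-000004-AD => victim4@remote.example R=lookuphost T=remote_smtp H=mx.remote.example [192.0.2.20]
2006-10-26 20:31:01 1AAAAA-000004-AD Completed
2006-10-26 20:35:24 1AAAAA-000005-AE <= spammer@inbound.example H=(itron.example) [203.0.113.5] P=smtp S=1838 T="Re: offer"
2006-10-26 20:35:24 1AAAAA-000005-AE => blackboa <user@host.example> R=localuser T=local_delivery
2006-10-26 20:35:24 1AAAAA-000005-AE Completed
EOF
)

# Source of log lines: a real file if EXIM_LOG is set, otherwise the sample.
log_lines() {
    if [ -n "$EXIM_LOG" ]; then cat "$EXIM_LOG"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Count log lines carrying a given flag (<=, =>, ->, ==, **) in field 4.
count_flag() {
    log_lines | awk -v f="$1" '$4 == f { n++ } END { print n + 0 }'
}

# Outgoing (T=remote_smtp) deliveries, counted against the local user that
# submitted the message. The submitter comes from the U= field of the message's
# own "<=" line; messages that arrived over SMTP have no U= and are labelled
# "remote:<sender>". Scanning stops at T= so a crafted subject cannot spoof U=.
outbound_by_user() {
    log_lines | awk '
        $4 == "<=" {
            who = "remote:" $5
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^T=/) break
                if ($i ~ /^U=/) who = substr($i, 3)
            }
            user[$3] = who
        }
        $4 == "=>" && $0 ~ /T=remote_smtp/ && ($3 in user) { out[user[$3]]++ }
        END { for (u in out) print out[u], u }' | sort -rn
}

# Directories from which mail was injected (cwd= on the arguments log lines),
# ignoring Exim's own spool directory, which appears on every delivery.
submission_dirs() {
    log_lines | awk '
        $3 ~ /^cwd=/ && $3 != "cwd=/var/spool/exim" { d[substr($3, 5)]++ }
        END { for (k in d) print d[k], k }' | sort -rn
}

printf 'Outgoing remote_smtp deliveries per submitting user:\n'
outbound_by_user
printf '\nDirectories that injected mail (excluding the exim spool):\n'
submission_dirs
printf '\nLine counts by flag:\n'
for f in '<=' '=>' '->' '==' '**'; do
    printf '  %s  %s\n' "$f" "$(count_flag "$f")"
done
```

On the sample the top line of the first table is `3 nobody`, which is the pattern this thread is worried about: a web script running as nobody sending outbound mail, with the injecting directory under a customer's public_html in the second table. On a real server the same join is what WHM's mail statistics and relayers pages show; running it against the raw log lets you include messages that were deferred (`==`) and so never left the queue.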