User Account - File being created/sending spam via local mail server

[OwenB]

We use WHM to manage a multitude of our websites. One of these sites appear to have a vulnerability somewhere that is allowing a file to either be uploaded or created in the accounts public_html folder, which is them attempting to send spam out.

As Im not a developer or have a huge knowledge of Linux, I am at a bit of a loss on how to track down what is allowing the uploading/creation of the file. I suspect once the file is there, the hacker/bot/whatever is simply opening the url for the file which then causes it to start sending spam using the local mail server.

As a workaround I thought I might have been able to change the public_html folder to read only, but that broke the website its running. I also thought I might be able to configure the mail server to dump the emails as its using the full domain as the sender address - whilst we send emails from this host, its from a different domain - but I do not know where to begin for that.

I realise this is unlikely to be WHMs fault, rather the poor coding of the website but I hope someone here can point me in the right direction to stop this.

 

[OwenB]

Turns out its very similar to this Help my server is sending spam and my abuse department is mad at me! (A HOWTO) - Hosting Security and Technology Tutorials - Web Hosting Talk

Whilst I've not yet ascertained the exact method they are using to get the files onto the server, I've identified several other files and removed them. The vulnerability appears to be related to an old joomla install, but I'll keep digging.

 

[cPanelMichael]

Hello

Note that the following document is useful for helping prevent email abuse itself:

Prevent Email Abuse

It won't secure the account or prevent it from getting hacked, but it offers some tips that will help reduce the amount of SPAM sent out in the event that happens.

Thank you.

 

[quizknows]

When the spam file pops up, you need to note the time stamps (use the 'stat' command).

Then look for those exact times in the Apache access log for the domain. You'll likely find a POST request to whatever malicious/vulnerable file is allowing the upload.

 

[OwenB]

When the spam file pops up, you need to note the time stamps (use the 'stat' command).

Then look for those exact times in the Apache access log for the domain. You'll likely find a POST request to whatever malicious/vulnerable file is allowing the upload.

Yes, I can see in the access logs the file being accessed. The only trouble is I have not seen the precursor URL that is creating the file in the first place - usually by the time Im alerted to the issue the logs are overwritten so I can only see entries of the url to the spam file being accessed and generating the emails. I'll start archiving the logs so I can track it down.

In the meantime I'm blocking IPs and investigating what I can do on the exim side.

Hello

Note that the following document is useful for helping prevent email abuse itself:

Prevent Email Abuse

It won't secure the account or prevent it from getting hacked, but it offers some tips that will help reduce the amount of SPAM sent out in the event that happens.

Thank you.

Most of this is implemented, I have hourly rates/high failure rate/suEXEC configured. So it does restrict the amount and allows me to simply delete the queue when the vulnerability is used to spam.

 

[cPanelPeter]

Hello,

Check the /var/log/messages file to see if the account is compromised and the files are being uploaded via FTP. That is always a possibility. If you haven't yet, you should change any and all passwords for the account.

 

[quizknows]

Definitely enable log archiving. In my day to day work I see maybe 1% of spam scripts come in on FTP; the rest are uploaded via exploited site code or existing malicious PHP files.

 

[OwenB]

Have performed numerous things since my last post.

I updated CSF and went through and applied its recommendations. I've also installed mod_security. I also collated a list of the IPs using the hack and blocked them (I realize that is only a stop gap measure). Its now been four days and have not had a re-occurrence.

FTP logging has been enabled for the get go, but that has shown nothing (its rarely used) so I know they are not using that as the vector.

I will trawl through messages and see if the account(s) have been compromised, we are overdue for password changes anyway.


Thank you quizknows, Michael and Peter, appreciate your responses.