User Account - File being created/sending spam via local mail server

OwenB (Registered; joined Jun 5, 2014; cPanel Access Level: Reseller Owner)
We use WHM to manage a multitude of our websites. One of these sites appears to have a vulnerability somewhere that is allowing a file to either be uploaded or created in the account's public_html folder, which is then attempting to send spam out.

As I'm not a developer and don't have a huge knowledge of Linux, I am at a bit of a loss on how to track down what is allowing the uploading/creation of the file. I suspect once the file is there, the hacker/bot/whatever is simply opening the URL for the file, which then causes it to start sending spam using the local mail server.

As a workaround I thought I might have been able to change the public_html folder to read only, but that broke the website it's running. I also thought I might be able to configure the mail server to dump the emails as it's using the full domain as the sender address - whilst we send emails from this host, it's from a different domain - but I do not know where to begin for that.

I realise this is unlikely to be WHM's fault, rather the poor coding of the website, but I hope someone here can point me in the right direction to stop this.

cPanelMichael (Administrator, Staff member; joined Apr 11, 2011)
Hello :)

Note that the following document is useful for helping prevent email abuse itself:

Prevent Email Abuse

It won't secure the account or prevent it from getting hacked, but it offers some tips that will help reduce the amount of SPAM sent out in the event that happens.

Thank you.

quizknows (Well-Known Member; joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
When the spam file pops up, you need to note the time stamps (use the 'stat' command).

Then look for those exact times in the Apache access log for the domain. You'll likely find a POST request to whatever malicious/vulnerable file is allowing the upload.
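The timestamp correlation described above, as an added example that is not part of the thread: it takes the spam file's mtime (what `stat` reports as Modify), scans the domain's Apache access log for requests within a short window of that time, and lists POST requests first, since the POST that lands just before the mtime is the usual upload candidate. It assumes the standard Apache "combined" log format; the log lines, IPs and paths are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" access log layout (assumed to match the per-domain log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def file_mtime(path):
    """Timezone-aware modification time of the suspicious file ('stat' Modify time)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def requests_near(lines, mtime, window_seconds=120):
    """Log entries within +/- window_seconds of the file's mtime, POST requests first."""
    window = timedelta(seconds=window_seconds)
    hits = [r for r in map(parse_line, lines) if r and abs(r["when"] - mtime) <= window]
    # False sorts before True, so POSTs come first, each group in time order.
    hits.sort(key=lambda r: (r["method"] != "POST", r["when"]))
    return hits

# Constructed sample log (not real data): a spam file appears at 10:15:30 UTC.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2014:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2014:10:15:12 +0000] "POST /old-plugin/upload.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2014:10:15:40 +0000] "GET /images/mailer.php HTTP/1.1" 200 35 "-" "-"
203.0.113.9 - - [05/Jun/2014:12:00:00 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
SPAM_MTIME = datetime(2014, 6, 5, 10, 15, 30, tzinfo=timezone.utc)

def demo():
    """Run the correlation over the constructed sample; on a real box use file_mtime(path)."""
    return requests_near(SAMPLE_LOG.splitlines(), SPAM_MTIME)

if __name__ == "__main__":
    for r in demo():
        print(r["when"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

On a live system, feed it the archived access log for the domain and `file_mtime("/home/ACCOUNT/public_html/SUSPECT.php")`, then widen the window if the first pass shows nothing.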

OwenB (Registered; joined Jun 5, 2014; cPanel Access Level: Reseller Owner)
> When the spam file pops up, you need to note the time stamps (use the 'stat' command).
>
> Then look for those exact times in the Apache access log for the domain. You'll likely find a POST request to whatever malicious/vulnerable file is allowing the upload.

Yes, I can see in the access logs the file being accessed. The only trouble is I have not seen the precursor URL that is creating the file in the first place - usually by the time I'm alerted to the issue the logs are overwritten, so I can only see entries of the URL to the spam file being accessed and generating the emails. I'll start archiving the logs so I can track it down.

In the meantime I'm blocking IPs and investigating what I can do on the exim side.


> Hello :)
>
> Note that the following document is useful for helping prevent email abuse itself:
>
> Prevent Email Abuse
>
> It won't secure the account or prevent it from getting hacked, but it offers some tips that will help reduce the amount of SPAM sent out in the event that happens.
>
> Thank you.

Most of this is implemented, I have hourly rates/high failure rate/suEXEC configured. So it does restrict the amount and allows me to simply delete the queue when the vulnerability is used to spam.

cPanelPeter (Senior Technical Analyst, Staff member; joined Sep 23, 2013; cPanel Access Level: Root Administrator)
Hello,

Check the /var/log/messages file to see if the account is compromised and the files are being uploaded via FTP. That is always a possibility. If you haven't yet, you should change any and all passwords for the account.

quizknows (Well-Known Member; joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
Definitely enable log archiving. In my day to day work I see maybe 1% of spam scripts come in on FTP; the rest are uploaded via exploited site code or existing malicious PHP files.

OwenB (Registered; joined Jun 5, 2014; cPanel Access Level: Reseller Owner)
I have performed numerous things since my last post.

I updated CSF and went through and applied its recommendations. I've also installed mod_security. I also collated a list of the IPs using the hack and blocked them (I realize that is only a stop-gap measure). It's now been four days and I have not had a recurrence.

FTP logging has been enabled from the get-go, but that has shown nothing (it's rarely used), so I know they are not using that as the vector.

I will trawl through messages and see if the account(s) have been compromised, we are overdue for password changes anyway.


Thank you quizknows, Michael and Peter, appreciate your responses.