The Community Forums

Interact with an entire community of cPanel & WHM users!

User Account - File being created/sending spam via local mail server

Discussion in 'Security' started by OwenB, Jun 5, 2014.

  1. OwenB

    OwenB Registered

    Joined:
    Jun 5, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    We use WHM to manage a multitude of our websites. One of these sites appears to have a vulnerability somewhere that is allowing a file to either be uploaded or created in the account's public_html folder, which is then attempting to send spam out.

    As I'm not a developer and don't have a huge knowledge of Linux, I am at a bit of a loss on how to track down what is allowing the uploading/creation of the file. I suspect once the file is there, the hacker/bot/whatever is simply opening the URL for the file, which then causes it to start sending spam using the local mail server.

    As a workaround I thought I might have been able to change the public_html folder to read-only, but that broke the website it's running. I also thought I might be able to configure the mail server to dump the emails, as it's using the full domain as the sender address (whilst we send emails from this host, it's from a different domain), but I do not know where to begin for that.

    I realise this is unlikely to be WHM's fault, rather the poor coding of the website, but I hope someone here can point me in the right direction to stop this.
     
  2. OwenB

    OwenB Registered

  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Note that the following document is useful for helping prevent email abuse itself:

    Prevent Email Abuse

    It won't secure the account or prevent it from getting hacked, but it offers some tips that will help reduce the amount of SPAM sent out in the event that happens.

    Thank you.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    When the spam file pops up, you need to note the time stamps (use the 'stat' command).

    Then look for those exact times in the Apache access log for the domain. You'll likely find a POST request to whatever malicious/vulnerable file is allowing the upload.
     
  5. OwenB

    OwenB Registered

    Yes, I can see in the access logs the file being accessed. The only trouble is I have not seen the precursor URL that is creating the file in the first place. Usually by the time I'm alerted to the issue the logs are overwritten, so I can only see entries of the URL to the spam file being accessed and generating the emails. I'll start archiving the logs so I can track it down.

    In the meantime I'm blocking IPs and investigating what I can do on the Exim side.

    Most of this is implemented; I have hourly rates/high failure rate/suEXEC configured. So it does restrict the amount and allows me to simply delete the queue when the vulnerability is used to spam.
     
  6. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    Check the /var/log/messages file to see if the account is compromised and the files are being uploaded via FTP. That is always a possibility. If you haven't yet, you should change any and all passwords for the account.
     
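Putting the two pieces of advice above together (quizknows' stat-then-access-log correlation in post 4 and cPanelPeter's /var/log/messages FTP check in post 6) as one triage script. This is an added example, not code from the thread, from cPanel or from any poster. The log lines are constructed, the /var/log/messages line is modelled on pure-ftpd's upload NOTICE format, and the cPanel log paths in the comments are assumptions about a typical layout.

```shell
#!/bin/bash
# Added example, not from the thread or from cPanel: correlate the mtime of a
# dropped spam script with the domain's Apache access log and with pure-ftpd
# upload records. The sample logs below are constructed so it runs stand-alone.
#
# On a real cPanel server the inputs would be (paths are assumptions):
#   stat -c %y /home/USER/public_html/spam.php   -> "2014-06-05 14:03:25.000000000 +0000"
#   /usr/local/apache/domlogs/DOMAIN             (per-domain access log)
#   /var/log/messages                            (pure-ftpd NOTICE lines)

# Constructed Apache combined-format log: a POST to an upload handler shortly
# before the file appeared, then GETs of the dropped file that trigger the spam.
ACCESS_LOG='203.0.113.5 - - [05/Jun/2014:14:03:21 +0000] "POST /wp-content/uploads/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2014:14:03:59 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2014:14:04:02 +0000] "GET /spam.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2014:14:04:10 +0000] "GET /spam.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"'

# Constructed /var/log/messages excerpt, modelled on pure-ftpd's upload NOTICE.
MESSAGES_LOG='Jun  5 14:03:25 host pure-ftpd: (user@203.0.113.5) [NOTICE] /home/user//public_html/spam.php uploaded  (1234 bytes, 45.6KB/sec)
Jun  5 14:10:00 host sshd[2211]: Accepted publickey for root from 192.0.2.1 port 50000 ssh2'

# Turn a `stat -c %y` timestamp into the "DD/Mon/YYYY:HH:MM" prefixes Apache
# writes, for that minute and the $2 minutes before it (newest first).
# Hour roll-back is handled; a roll-back past midnight stops, since that is
# the previous day's (possibly archived) log anyway.
minute_prefixes() {
    local t=$1 back=$2 y m d hh mm mon h mi i
    y=${t%%-*}; t=${t#*-}; m=${t%%-*}; t=${t#*-}
    d=${t%% *}; t=${t#* }
    hh=$(printf '%s' "$t" | cut -c1-2); mm=$(printf '%s' "$t" | cut -c4-5)
    case $m in
        01) mon=Jan;; 02) mon=Feb;; 03) mon=Mar;; 04) mon=Apr;;
        05) mon=May;; 06) mon=Jun;; 07) mon=Jul;; 08) mon=Aug;;
        09) mon=Sep;; 10) mon=Oct;; 11) mon=Nov;; 12) mon=Dec;;
        *) return 1;;
    esac
    h=${hh#0}; mi=${mm#0}; i=0
    while [ "$i" -le "$back" ]; do
        printf '%s/%s/%s:%02d:%02d\n' "$d" "$mon" "$y" "$h" "$mi"
        mi=$((mi - 1))
        if [ "$mi" -lt 0 ]; then mi=59; h=$((h - 1)); fi
        [ "$h" -lt 0 ] && break
        i=$((i + 1))
    done
}

apache_minute_prefix() { minute_prefixes "$1" 0; }

# Access-log lines (stdin) from the minutes leading up to the file's mtime,
# filtered to POSTs: the dropper is usually a POST to a vulnerable script.
precursor_posts() {
    local log p
    log=$(cat)
    for p in $(minute_prefixes "$1" "$2"); do
        printf '%s\n' "$log" | grep -F "[$p"
    done | grep '"POST ' || true
}

# pure-ftpd upload records (stdin) for the dropped file name, to rule FTP
# in or out as the vector.
ftp_uploads_of() {
    grep 'pure-ftpd:' | grep 'uploaded' | grep -F "/$1 " || true
}

# Demo with the constructed logs; MTIME is what `stat -c %y` would print.
MTIME='2014-06-05 14:03:25.000000000 +0000'
echo "POSTs in the 2 minutes before $MTIME:"
printf '%s\n' "$ACCESS_LOG" | precursor_posts "$MTIME" 2
echo "FTP uploads of spam.php:"
printf '%s\n' "$MESSAGES_LOG" | ftp_uploads_of spam.php
```

The POST-only filter is a heuristic: if it returns nothing, widen the window or drop the final grep, since a dropper can also be a GET with a query string to a backdoor that was planted earlier. Note the file's mtime only tells you when it was last written; if the attacker re-uploads the same script each run, the first occurrence is what you need, which is why the log archiving suggested above matters.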
  7. quizknows

    quizknows Well-Known Member

    Definitely enable log archiving. In my day to day work I see maybe 1% of spam scripts come in on FTP; the rest are uploaded via exploited site code or existing malicious PHP files.
     
  8. OwenB

    OwenB Registered

    Have performed numerous things since my last post.

    I updated CSF and went through and applied its recommendations. I've also installed mod_security. I also collated a list of the IPs using the hack and blocked them (I realize that is only a stop-gap measure). It's now been four days and I have not had a reoccurrence.

    FTP logging has been enabled from the get-go, but that has shown nothing (it's rarely used), so I know they are not using that as the vector.

    I will trawl through messages and see if the account(s) have been compromised; we are overdue for password changes anyway.

    Thank you quizknows, Michael and Peter, appreciate your responses.
     