The Community Forums


View Mail stats ( View Relayers) oh boy!!

Discussion in 'E-mail Discussions' started by rpmws, Sep 16, 2003.

  1. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Can you guys check to see if using this tool produces a list of sending users that do NOT appear to be users?

    I am seeing users listed like:

    Ice^Stylez
    x0b0r
    hidden-user


    and a few others that have me worried. When I click on them I get (invalid user). The mail log shows maybe one or 2 emails for each. That's it. I ran chkrootkit with no warnings. I am still a bit worried.

    cPanel.net Support Ticket Number:
     
  2. efeito

    efeito Well-Known Member
    PartnerNOC

    What tool?

  3. rpmws

    rpmws Well-Known Member

    In WHM, under the email section.

    ( View Relayers)

  4. efeito

    efeito Well-Known Member
    PartnerNOC

    Sorry, but I don't see that option anywhere.

    Under the Mail Section i only have this:

    Mail Troubleshooter
    Manage Mail Queue
    View Mail Statistics

  5. rpmws

    rpmws Well-Known Member

    my WHM must be "special"

  6. efeito

    efeito Well-Known Member
    PartnerNOC

    My version is WHM 7.4.2 cPanel 7.4.2-R158
    on Red Hat 9.
    And yours?

  7. rpmws

    rpmws Well-Known Member

    I run edge on all my boxes.

  8. munk

    munk Member

    Try searching through your logfiles in /var/log/exim/ to find occurrences of those dodgy usernames:

    grep youruser /var/log/exim -ri

    and paste the results :)

  9. rpmws

    rpmws Well-Known Member

    root@mybox [~]# grep Ice^Stylez /var/log/exim_mainlog -ri
    2003-09-15 16:06:04 19z0Xs-0001zb-5Z <= 8zuq3o11z@hotmail.com H=(myiphere) [69.67.67.2] U={Ice^Stylez] P=smtp S=1403 id=6v$qv736-t8-t5kl$$4--5u4@bo1hf1v.ukgtj1

    Another one, 1 entry:

    2003-09-16 03:18:34 19zB2f-0003pP-JP <= ycni2o@aol.com H=(myserverip) [210.182.108.189] U=DTQLNNNIX P=smtp S=4702 id=3j60a$qu5dy$2$41-$7---z@d4zq8z.3e.b.vf


    Looks like one entry for the fishiest usernames.
    Note these are NOT real users on my system. Well, not supposed to be. I also see some for "administrator", "daemon" and a few weird "users".
    #9 rpmws, Sep 16, 2003
    Last edited: Sep 16, 2003
  10. rpmws

    rpmws Well-Known Member

    root@mybox [~]# grep hidden-user /var/log/exim_mainlog -ri
    2003-09-15 10:09:03 19yuyN-0000ns-AM <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=1928 id=Pine.SGI.4.44.0309151007500.19117519-100000@itchy.southern.net
    2003-09-15 10:29:27 19yvI6-00022u-Pp <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2615 id=Pine.SGI.4.44.0309151029250.19117519-100000@itchy.southern.net
    2003-09-15 10:49:09 19yvbA-0003Uf-Qm <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=5141 id=Pine.SGI.4.44.0309151037160.19117519-100000@itchy.southern.net
    2003-09-15 11:01:50 19yvnR-0004kV-NI <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2986 id=Pine.SGI.4.44.0309151101010.19117519-100000@itchy.southern.net
    2003-09-15 11:29:14 19ywDx-0006zy-CL <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=7877 id=Pine.SGI.4.44.0309151108350.19117519-100000@itchy.southern.net
    2003-09-15 11:50:37 19ywYe-0008Rn-9s <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=10090 id=Pine.SGI.4.44.0309151149540.19117519-100000@itchy.southern.net
    2003-09-15 16:04:02 19z0Vu-0001sF-OC H=(listserv1.economy.com) [205.247.35.65] U=hidden-user F=<listserv@dismal.com> rejected after DATA: syntax error in 'Reply-To:' header when scanning for sender: malformed address: <listserv@economy.com> may not follow listserv@economy.com in "listserv@economy.com <listserv@economy.com>"
    2003-09-15 16:30:16 19z0vI-0003QR-B7 <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=1863 id=Pine.SGI.4.44.0309151628541.18773790-100000@itchy.southern.net
    2003-09-15 16:32:34 19z0xW-0003Za-2V <= scotd@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=2376 id=Pine.SGI.4.44.0309151631300.18277281-100000@itchy.southern.net
    2003-09-15 16:43:20 19z17w-0004Em-Ew <= scotd@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3095 id=Pine.SGI.4.44.0309151641450.18277281-100000@itchy.southern.net
    2003-09-16 15:50:20 19zMmC-0002kX-9Q <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=4227 id=Pine.SGI.4.44.0309161543130.19062074-100000@itchy.southern.net
    2003-09-16 15:51:24 19zMnA-0002o3-Rk <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3538 id=Pine.SGI.4.44.0309161550460.19062074-100000@itchy.southern.net
    2003-09-16 16:03:31 19zMyx-0004Yw-AS H=(listserv1.economy.com) [205.247.35.65] U=hidden-user F=<listserv@dismal.com> rejected after DATA: syntax error in 'Reply-To:' header when scanning for sender: malformed address: <listserv@economy.com> may not follow listserv@economy.com in "listserv@economy.com <listserv@economy.com>"
    2003-09-16 17:30:05 19zOKg-0001zd-AJ <= shtfnwm6@yahoo.com H=(nezu.kiban.co.jp) [210.230.183.225] U=hidden-user P=smtp S=6633 id=e6$$-m01sr4s5g20$51w5-21@1iok5gm24d6d

  11. munk

    munk Member

    Try:

    grep hidden-user /etc -ri

  12. rpmws

    rpmws Well-Known Member

    I get a few "too many sym links" and:

    /etc/httpd/domlogs/ftp.a -domain-on-my-box.com-ftp_log:Sat Sep 6 21:06:14 2003 194 mailhub.infinityward.com 32274243 /home/same-domain-user/public_html/visitor/music/ref.zip b _ i r real-user ftp 1 hidden-user c

    Could it be that it's a client that is authenticated for SMTP but has a box that is using "hidden-user" for the username?

  13. munk

    munk Member

    Well, the U= part indicates the login name of the process that called exim to submit a message, so there is a user on your system called 'hidden-user', I imagine. It's not to do with authentication - you would see 'P=asmtp' if the user had authenticated.

    Can't you see the user in the 'List Accounts' page in WHM?

    Given the results of the second search it looks like the user is active in whatever domain resides under /home/same-domain-user.

  14. rpmws

    rpmws Well-Known Member

    No, no, see, that's just it. These users aren't listed in my WHM and they don't have a place in /home either. It's a closed box that no new accounts are on. No resellers either.

    Also, when I get this list in the "list relayers" table, all the other senders have an email@domainname beside them. Beside the few users that look weird to me there is no email@anydomain.com, and when I click on the username the next page says "Invalid user".

    I've been searching through this damn box for 10 hours and I can't figure out what is going on yet. How can I see a complete list of all local linux users with any privileges at all?

  15. munk

    munk Member

    Open the /etc/passwd file to view the local users on the server. Obviously be careful not to make any changes - if you want to edit the password list by hand then use 'vipw' which allows you to make changes to the system password dbs.

    Did you try grepping the /etc directory for the usernames of those dodgy users? It could be that there's an alias or somesuch for Exim in there somewhere.

  16. rpmws

    rpmws Well-Known Member

    Yes I did, see a few steps above where I quoted when you first told me to search for that funny user. I only found "hidden-user" once. I also need to let you know that this username is actually "hidden-user"; it's not what I am typing to hide a real user. It's actually showing up as "hidden-user".

  17. rpmws

    rpmws Well-Known Member

    I just checked all the users and none of them look like they don't belong. None of them match the weird ones in the relayed list. I just want to be sure I haven't been hacked. I searched google.com for the user {Ice^Stylez] and found a RedHat thread that talked about some hacking. Wanted to see if maybe some spambot was hitting me as well as others.

    The other weird users I can't find anything on google about. I just emailed the guy at southern.com and found out that he has been a sys-admin for 20 years and wouldn't be any hacker. He uses pine for his email, but it's on his boxes, and he does email with a client I host. I am wondering: if you send an email using pine from one box to another, does that U for user get stamped in exim_mainlog?

  18. munk

    munk Member

    Yes, if user 'john' sent a mail using an MUA like pine/mutt or w/e from the local server then U=john would be added in the logfile.

  19. rpmws

    rpmws Well-Known Member

    It looks like "hidden-user" is using pine. Now this is an email coming in, right?

    2003-09-16 15:51:24 19zMnA-0002o3-Rk <= shannin@southern.com H=(wolfman.southern.net) [195.219.38.1] U=hidden-user P=esmtp S=3538 id=Pine.SGI.4.44.0309161550460.19062074-100000@itchy.southern.net

  20. cPanelNick

    cPanelNick Administrator
    Staff Member

    This is actually a bug. It's logging the ident instead of converting the IP to the username.

    This is fixed in edge 66 and later.

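An added example (not from the thread, cPanel or Exim) that works through what the last replies describe: on a line with H= the connection is remote SMTP and the U= token is only the client's ident reply, so a relayer report keyed on U= shows names that match no local account, while attributing by the connecting IP (or SMTP AUTH) does not. The A=authenticator:id token format, the sample log lines and the IP-to-account map are assumptions constructed for the example.

```python
import re
# An exim_mainlog arrival line: "<ts> <msgid> <= <sender> key=value ...".
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(?:^| )(H|U|P|S|A|id)=(\S+)")   # tokens we care about
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")     # "[a.b.c.d]" after H=

def parse_arrival(line):
    """Fields of one '<=' line as a dict; None for reject/delivery lines."""
    m = ARRIVAL_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "msgid": m["msgid"], "sender": m["sender"]}
    rec.update(dict(FIELD_RE.findall(m["rest"])))
    ip = IP_RE.search(m["rest"])
    rec["ip"] = ip.group(1) if ip else None
    return rec

def attribute_relayer(rec, ip_to_user):
    """(account, basis) for one parsed line. With H= present, U= is only the remote
    client's ident reply and never names an account; no H=, A= or the IP map does."""
    if "H" not in rec:                       # submitted on the box itself (pine, mutt)
        return rec.get("U"), "local-submission"
    if "A" in rec:                           # A=<authenticator>:<id> (assumed format)
        return rec["A"].split(":", 1)[-1], "smtp-auth"
    if rec["ip"] in ip_to_user:              # what the fixed WHM tool does: IP -> account
        return ip_to_user[rec["ip"]], "ip-mapped"
    return None, "untrusted-ident:" + rec.get("U", "?")

def relayer_report(log_lines, ip_to_user):
    """Messages per attributed account; ident-only names collapse under None."""
    counts = {}
    for line in log_lines:
        rec = parse_arrival(line)
        if rec is not None:
            account, _ = attribute_relayer(rec, ip_to_user)
            counts[account] = counts.get(account, 0) + 1
    return counts

# Constructed sample in the thread's log format (documentation hosts/IPs only).
SAMPLE_LOG = """\
2003-09-15 10:09:03 19yuyN-0000ns-AM <= someone@example.net H=(mail.example.net) [192.0.2.10] U=hidden-user P=esmtp S=1928 id=Pine.SGI.4.44.1@example.net
2003-09-15 16:06:04 19z0Xs-0001zb-5Z <= spam@example.org H=(bogus) [198.51.100.7] U=Ice^Stylez P=smtp S=1403 id=abc@example.org
2003-09-16 08:00:00 19zAAA-0000aa-AA <= alice@example.com H=(laptop) [203.0.113.5] A=plain:alice P=esmtpa S=900 id=1@example.com
2003-09-16 09:00:00 19zBBB-0000bb-BB <= bob@example.com U=bob P=local S=450 id=2@example.com
2003-09-15 16:04:02 19z0Vu-0001sF-OC H=(list.example.org) [192.0.2.77] U=hidden-user rejected after DATA: syntax error in 'Reply-To:' header
""".splitlines()
SAMPLE_IP_MAP = {"192.0.2.10": "clientacct"}   # constructed: IP of a hosted client's box
```

Run `relayer_report(SAMPLE_LOG, SAMPLE_IP_MAP)` to see the ident-only names ("hidden-user", "Ice^Stylez") disappear from the account column, which is the behaviour the edge 66 fix restores.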