
which process or script is sending spam?

Discussion in 'E-mail Discussion' started by arjanvr, Dec 12, 2014.

  1. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    If there is a lot of spam coming from an account, maldet says there is no malware, and the owner does not know either, is it possible to trace which process or script is sending it?
     
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member; cPanel Access Level: Root Administrator)
  3. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    I meant outgoing spam. How can I trace what is causing it as I cannot find anything in that topic.

    Thanks
     
  4. Infopro (cPanel Sr. Product Evangelist, Staff Member; cPanel Access Level: Root Administrator)
    Where are you seeing the spam?
     
  5. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    In the mail queue manager, where it is in the queue due to send restrictions I enforce on accounts. Otherwise it would have sent 10000's already, but there is no malware detected.
     
  6. Infopro (cPanel Sr. Product Evangelist, Staff Member; cPanel Access Level: Root Administrator)
    Click the icon there to, View Message. You might find some details there of some use.
     
  7. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    They are all Facebook spam mail but I don't know what is sending.
    Code:
    Mail Control Data:
    nederlandsewyand 615 616
    <nederlandsewyand@vps1.domain.nl>
    1418368873 0
    -ident nederlandsewyand
    -received_protocol local
    -body_linecount 150
    -max_received_linelength 146
    -auth_id nederlandsewyand
    -auth_sender nederlandsewyand@vps1.domain.nl
    -allow_unqualified_recipient
    -allow_unqualified_sender 
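
The block quoted above is the start of the Exim spool -H file for that queued message, and it already answers the "how did this get in" question: `-received_protocol local` with `-ident nederlandsewyand` means the message was handed to Exim by a local process running as that account (the sendmail/exim binary called from a script), not over an SMTP login. A queued message from a stolen mailbox password would instead show an authenticated SMTP protocol such as `esmtpa`. The following parser, written for this thread as an added example (it is not code from the post, from cPanel or from Exim), reads the control data exactly as cPanel displays it above and classifies the origin; the input is a copy of the posted block, and the `esmtpa` variant in the usage note is constructed.

```python
from datetime import datetime, timezone

# Copy of the "Mail Control Data" block posted above (cPanel's view of the
# spool -H file, which omits the message-id line a raw -H file starts with).
SAMPLE_CONTROL_DATA = """\
nederlandsewyand 615 616
<nederlandsewyand@vps1.domain.nl>
1418368873 0
-ident nederlandsewyand
-received_protocol local
-body_linecount 150
-max_received_linelength 146
-auth_id nederlandsewyand
-auth_sender nederlandsewyand@vps1.domain.nl
-allow_unqualified_recipient
-allow_unqualified_sender
"""


def parse_control_data(text):
    """Parse the control data: 'user uid gid', '<sender>', 'received_time
    warning_count', then one '-option [value]' line per option. Valueless
    options (the -allow_* flags) are recorded as True."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    user, uid, gid = lines[0].split()
    sender = lines[1].strip("<>")
    received, warnings = lines[2].split()
    options = {}
    for line in lines[3:]:
        if not line.startswith("-"):
            break  # a full -H file continues with recipients and headers
        key, _, value = line[1:].partition(" ")
        options[key] = value if value else True
    return {
        "user": user, "uid": int(uid), "gid": int(gid), "sender": sender,
        "received": int(received), "warnings": int(warnings),
        "options": options,
    }


def classify_origin(info):
    """Return (kind, explanation) from the received protocol.
    'local'     : injected via the local sendmail/exim interface by the
                  Unix account in -ident; look for a script under that account.
    'smtp-auth' : accepted over SMTP after authentication (protocol ends in
                  'a', e.g. esmtpa/esmtpsa); the mailbox password is the lead.
    'smtp'      : any other SMTP reception."""
    opts = info["options"]
    proto = opts.get("received_protocol", "")
    if proto == "local":
        who = opts.get("ident", info["user"])
        return ("local", f"handed to Exim by a local process running as {who} "
                         f"(uid {info['uid']}); audit scripts and cron jobs "
                         f"under that account")
    if proto.startswith(("smtp", "esmtp")) and proto.endswith("a"):
        return ("smtp-auth", f"authenticated SMTP session as "
                             f"{opts.get('auth_id', '?')}; treat that "
                             f"mailbox password as compromised")
    return ("smtp", f"received over SMTP ({proto or 'unknown'}) "
                    f"without authentication")


if __name__ == "__main__":
    info = parse_control_data(SAMPLE_CONTROL_DATA)
    when = datetime.fromtimestamp(info["received"], timezone.utc)
    print(f"sender {info['sender']} queued at {when:%Y-%m-%d %H:%M:%S} UTC")
    kind, why = classify_origin(info)
    print(f"origin: {kind}: {why}")
```

Run it as-is and the posted message classifies as `local`; swapping `-received_protocol local` for `-received_protocol esmtpa` in the input (a constructed variant) flips it to `smtp-auth`, which is the case where maldet would correctly find nothing because no script on the server is involved.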
     
  8. Infopro (cPanel Sr. Product Evangelist, Staff Member; cPanel Access Level: Root Administrator)
    Not sure what you mean by facebook spam.
     
  9. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    Fake mails as if sent from facebook security team asking people to login.

    My question is if I can find out which script or process is sending them.
     
  10. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
  11. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    So when I use this command
    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr 
    it shows me

    Code:
    login as: root
    root@195.242.xx.xxx's password:
    Last login: Fri Dec 12 05:00:09 2014 from 86.93.xxx.xxx
    root@vps1 [~]# awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    
    32860 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links
    
    does that mean something in that directory is spamming?
     
  12. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Yes, you should review that directory and look for scripts that can send out email. It's possible that the script has been exploited and you may need to investigate that further.

    Thank you.
     
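The awk one-liner works because cPanel's Exim logs the working directory and arguments of every process that calls the sendmail binary (the `cwd=... N args: ...` lines), so a web shell that calls PHP `mail()` from a deep directory leaves that directory in `/var/log/exim_mainlog` for every message. Two things the one-liner does not do: it counts Exim's own queue-runner and delivery invocations (`cwd=/var/spool/exim`) alongside real submissions, and it does not tie the directory to the `<=` reception line, where `U=` is the account the submitting process ran as and `P=local` marks local injection. The script below, an added example written for this thread and not code from cPanel or from any poster, does both over a constructed log sample modelled on that file; the account names, message IDs, addresses and subjects in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample in the shape of /var/log/exim_mainlog on a cPanel box:
# a 'cwd=' line for each sendmail call, followed by Exim's '<=' reception
# line. Names, IDs and addresses are invented for the example.
SAMPLE_MAINLOG = """\
2014-12-12 04:58:01 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
2014-12-12 04:58:01 1Xz0A1-0003Fn-2k <= username@vps1.domain.nl U=username P=local S=4513 T="Facebook Security Team" for victim1@example.net
2014-12-12 04:58:02 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
2014-12-12 04:58:02 1Xz0A2-0003Fq-0j <= username@vps1.domain.nl U=username P=local S=4513 T="Facebook Security Team" for victim2@example.org
2014-12-12 05:00:09 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1Xz0A1-0003Fn-2k
2014-12-12 05:03:11 cwd=/home/otheruser 3 args: /usr/sbin/sendmail -t -i
2014-12-12 05:03:11 1Xz0B7-0003Gz-1x <= otheruser@vps1.domain.nl U=otheruser P=local S=812 T="Contact form" for owner@example.com
2014-12-12 05:05:42 1Xz0C0-0003Hc-4a <= someone@example.com H=(client) [203.0.113.7] P=esmtpa A=dovecot_login:someone@example.com S=2201 T="hello" for friend@example.com
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<args>.*)$")
RECV_RE = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"\b(?P<key>[UPA])=(?P<val>\S+)")  # U=user P=protocol A=auth


def count_cwd(log_text, sendmail_only=True):
    """The thread's awk pipeline: count the working directory of each
    process that handed mail to Exim. With sendmail_only, invocations that
    are not sendmail-style submissions (Exim's own '-Mc' deliveries from
    /var/spool/exim, queue runs) are dropped; that filter is a heuristic."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue
        argv = m.group("args").split()
        if sendmail_only and not (argv[0].endswith("sendmail") or "-t" in argv):
            continue
        counts[m.group("cwd")] += 1
    return counts


def local_submissions(log_text):
    """Per-account count of messages accepted with P=local, i.e. injected
    through the local sendmail interface. U= is the Unix user the caller
    ran as; authenticated SMTP receptions (P=esmtpa, A=...) are excluded."""
    per_user = Counter()
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        if fields.get("P") == "local":
            per_user[fields.get("U", "?")] += 1
    return per_user


def suspect_directories(log_text, min_hits=2):
    """Join both views: directories under /home/<account> that submitted at
    least min_hits messages, each tagged with the account name taken from the
    path and that account's P=local total. Most active directory first."""
    users = local_submissions(log_text)
    result = []
    for cwd, hits in count_cwd(log_text).most_common():
        parts = cwd.split("/")
        if len(parts) > 2 and parts[1] == "home" and hits >= min_hits:
            account = parts[2]
            result.append((cwd, hits, account, users.get(account, 0)))
    return result


if __name__ == "__main__":
    for cwd, hits, account, total in suspect_directories(SAMPLE_MAINLOG):
        print(f"{hits:6d}  {cwd}")
        print(f"        account {account}: {total} local submissions in the log")
```

On a live server, feed it the real file (`python3 thisscript.py` after replacing `SAMPLE_MAINLOG` with `open("/var/log/exim_mainlog").read()`, or iterate the file line by line for a large log). The directory that tops the list is where to run maldet or a manual review, exactly as cPanelMichael advises; the `P=local` join confirms the mail is script-injected rather than sent through a stolen mailbox login, which would show `P=esmtpa` and no `cwd=` line at all.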
  13. arjanvr (Well-Known Member; cPanel Access Level: Root Administrator)
    Well, now maldet confirms it as well.

    Code:
    Dec 12 05:00:27 vps1 maldet(5152): {scan} file list completed, found 13840 files...
    Dec 12 05:46:17 vps1 maldet(5152): {hexstring} malware hit {HEX}php.base64.v23au.183 on /home/username/public_html/administrator/templates/hathor/html/com_redirect/links/xml.php
    Dec 12 05:48:58 vps1 maldet(5152): {md5hash} malware hit {MD5}php.cmdshell.unclassed.5408 on /home/username/public_html/modules/mod_araticlhess/mod_araticlhess.php
    Dec 12 05:52:45 vps1 maldet(5152): {hexstring} malware hit {HEX}php.base64.v23au.183 on /home/username/public_html/media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/.test.php
    Dec 12 05:59:36 vps1 maldet(5152): {scan} scan completed on /home/username/public_html/: files 13840, malware hits 3, cleaned hits 0
    
    It's good to have learned this command
    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr 
    Thank you all for the assistance.
     
    #13 arjanvr, Dec 12, 2014
    Last edited: Dec 12, 2014