The Community Forums

Interact with an entire community of cPanel & WHM users!

which process or script is sending spam?

Discussion in 'E-mail Discussions' started by arjanvr, Dec 12, 2014.

  1. arjanvr

    arjanvr Well-Known Member

    Joined:
    Dec 13, 2013
    Messages:
    58
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    If there is a lot of spam coming from an account, maldet says there is no malware, and the owner does not know either, is it possible to trace which process or script is sending it?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,447
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. arjanvr

    arjanvr Well-Known Member

    I meant outgoing spam. How can I trace what is causing it as I cannot find anything in that topic.

    Thanks
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Where are you seeing the spam?
     
  5. arjanvr

    arjanvr Well-Known Member

    In the Mail Queue Manager, where it is queued due to the send restrictions I enforce on accounts. Otherwise it would have sent 10,000s already, but there is no malware detected.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Click the icon there to View Message. You might find some details there of some use.
     
  7. arjanvr

    arjanvr Well-Known Member

    They are all Facebook spam mail but I don't know what is sending.
    Code:
    Mail Control Data:
    nederlandsewyand 615 616
    <nederlandsewyand@vps1.domain.nl>
    1418368873 0
    -ident nederlandsewyand
    -received_protocol local
    -body_linecount 150
    -max_received_linelength 146
    -auth_id nederlandsewyand
    -auth_sender nederlandsewyand@vps1.domain.nl
    -allow_unqualified_recipient
    -allow_unqualified_sender 
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Not sure what you mean by facebook spam.
     
  9. arjanvr

    arjanvr Well-Known Member

    Fake mails as if sent from facebook security team asking people to login.

    My question is whether I can find out which script or process is sending them.
     
  10. arjanvr

    arjanvr Well-Known Member

    So when I use this command
    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr 
    it shows me

    Code:
    login as: root
    root@195.242.xx.xxx's password:
    Last login: Fri Dec 12 05:00:09 2014 from 86.93.xxx.xxx
    root@vps1 [~]# awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
    
    32860 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links
    
    does that mean something in that directory is spamming?
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Yes, you should review that directory and look for scripts that can send out email. It's possible that the script has been exploited and you may need to investigate that further.

    Thank you.
     
  12. arjanvr

    arjanvr Well-Known Member

    Well, now maldet confirms it also:

    Code:
    Dec 12 05:00:27 vps1 maldet(5152): {scan} file list completed, found 13840 files...
    Dec 12 05:46:17 vps1 maldet(5152): {hexstring} malware hit {HEX}php.base64.v23au.183 on /home/username/public_html/administrator/templates/hathor/html/com_redirect/links/xml.php
    Dec 12 05:48:58 vps1 maldet(5152): {md5hash} malware hit {MD5}php.cmdshell.unclassed.5408 on /home/username/public_html/modules/mod_araticlhess/mod_araticlhess.php
    Dec 12 05:52:45 vps1 maldet(5152): {hexstring} malware hit {HEX}php.base64.v23au.183 on /home/username/public_html/media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/.test.php
    Dec 12 05:59:36 vps1 maldet(5152): {scan} scan completed on /home/username/public_html/: files 13840, malware hits 3, cleaned hits 0
    
    It's good to have learned this command
    Code:
    awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr 
    Thank you all for assistance
     
    #13 arjanvr, Dec 12, 2014
    Last edited: Dec 12, 2014
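Added example, not code from the thread or from cPanel's own tooling: a POSIX shell script that reproduces the cwd= ranking the awk one-liner above performs, and additionally ranks Exim's "<=" acceptance lines by submitting identity, so that spam injected over authenticated SMTP (logged as A=..., with no cwd= line at all) is not missed by a directory-only search. The log lines are constructed sample data in Exim mainlog layout; the user names, directories and the temporary file are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original thread. Ranks the cwd= directories
# Exim logged for locally submitted mail (what the awk one-liner in the thread
# does) and also tallies "<=" acceptance lines by submitter, so mail injected
# over authenticated SMTP (A=...) shows up alongside script-driven local mail.
# The log lines below are constructed sample data; user names, directories and
# the temporary file path are hypothetical.
set -eu

SAMPLE_LOG="$(mktemp)"

# Constructed sample log. With Exim's +arguments log selector on, every local
# sendmail invocation produces a "cwd=... args:" line (field 3 starts with cwd=)
# followed by the "<=" line for the message it injected. The last line is an
# SMTP-authenticated submission, which carries A= and no cwd= line.
cat > "$SAMPLE_LOG" <<'EOF'
2014-12-12 04:58:01 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
2014-12-12 04:58:01 1XzA01-0000a1-Aa <= nederlandsewyand@vps1.domain.nl U=nederlandsewyand P=local S=5123 T="Facebook Security Alert" for victim1@example.net
2014-12-12 04:58:02 cwd=/home/username/public_html/administrator/templates/hathor/html/com_redirect/links 3 args: /usr/sbin/sendmail -t -i
2014-12-12 04:58:02 1XzA02-0000a2-Bb <= nederlandsewyand@vps1.domain.nl U=nederlandsewyand P=local S=5123 T="Facebook Security Alert" for victim2@example.net
2014-12-12 05:01:10 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2014-12-12 05:01:10 1XzA03-0000a3-Cc <= shop@otherdomain.example U=otheruser P=local S=2048 T="Your order" for customer@example.org
2014-12-12 05:03:44 1XzA04-0000a4-Dd <= alice@otherdomain.example H=(laptop) [198.51.100.7] P=esmtpsa A=dovecot_login:alice@otherdomain.example S=900 T="Re: lunch" for bob@example.org
EOF

# Rank the working directories of local sendmail calls, busiest first.
# Output lines look like "2 cwd=/home/username/public_html/...".
top_cwd() {
    awk '$3 ~ /^cwd=/ { print $3 }' "$1" | sort | uniq -c | sed 's/^ *//' | sort -nr
}

# Rank accepted messages by who submitted them: A=<authenticator:login> for
# SMTP-authenticated mail, otherwise U=<unix user> for local (P=local) mail.
submitters() {
    awk '$4 == "<=" {
        who = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^A=/) { who = $i } else if ($i ~ /^U=/ && who == "") { who = $i }
        }
        if (who != "") { print who }
    }' "$1" | sort | uniq -c | sed 's/^ *//' | sort -nr
}

echo "== local submissions by working directory =="
top_cwd "$SAMPLE_LOG"
echo "== accepted messages by submitter =="
submitters "$SAMPLE_LOG"
```

On a real server point both functions at /var/log/exim_mainlog. Two caveats: the cwd= lines only exist when Exim logs command-line arguments (the output pasted earlier in the thread shows that is the case on that server), and a busy directory tells you where the sendmail call was made from, not which file made it; the follow-up is to list the files in that directory and scan it, which is what turned up xml.php here. A sender with a high A= count and no matching cwd= line points at a stolen mailbox password rather than a script, and the fix is a password reset, not a malware scan.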