12

My server is sending spam email and I am not able to find out which script is sending it.

The emails were all from nobody@myhost, so in cPanel I disabled the ability of nobody to send emails.

Now at least they are not going out, but I keep receiving them. This is the mail I get:

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
  [email protected]
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
------ This is a copy of the message, including all the headers. ------
Return-path: <[email protected]>
Received: from nobody by cpanel.myserver.com with local (Exim 4.80)
    (envelope-from <[email protected]>)
    id 1UBBap-0007EM-9r
    for [email protected]; Fri, 01 Mar 2013 08:34:47 +1030
To: [email protected]
Subject: Order Detail
From: "Manager Ethan Finch" <[email protected]>
X-Mailer: Fscfz(ver.2.75)
Reply-To: "Manager Ethan Finch" <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1362089087512FD47F4767C"
Message-Id: <[email protected]>
Date: Fri, 01 Mar 2013 08:34:47 +1030

------------1362089087512FD47F4767C
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

These are my Exim logs:

2013-03-01 14:36:00 no IP address found for host gw1.corpgw.com (during SMTP connection from [203.197.151.138]:54411)
2013-03-01 14:36:59 H=() [203.197.151.138]:54411 rejected MAIL [email protected]: HELO required before MAIL
2013-03-01 14:37:28 H=(helo) [203.197.151.138]:54411 rejected MAIL [email protected]: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2013-03-01 14:37:28 SMTP connection from (helo) [203.197.151.138]:54411 closed by DROP in ACL
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 1UBBap-0007EM-9r ** [email protected] R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:37:30 1UBHFp-0003A7-W3 <= <> R=1UBBap-0007EM-9r U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for [email protected]
2013-03-01 14:37:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHFp-0003A7-W3
2013-03-01 14:37:30 1UBBap-0007EM-9r Completed
2013-03-01 14:37:32 1UBHFp-0003A7-W3 aspmx.l.google.com [2607:f8b0:400e:c00::1b] Network is unreachable
2013-03-01 14:37:38 1UBHFp-0003A7-W3 => [email protected] <[email protected]> R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.26] X=TLSv1:RC4-SHA:128
2013-03-01 14:37:39 1UBHFp-0003A7-W3 Completed
2013-03-01 14:37:39 End queue run: pid=12155
2013-03-01 14:38:20 SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)
2013-03-01 14:38:21 SMTP connection from localhost [127.0.0.1]:36667 closed by QUIT
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= [email protected] U=root P=local S=1156 T="[cpanel.server.com] Root Login from IP 122.181.3.130" for [email protected]
2013-03-01 14:42:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHKv-0003BH-LD
2013-03-01 14:42:47 1UBHKv-0003BH-LD aspmx.l.google.com [2607:f8b0:400e:c00::1a] Network is unreachable
2013-03-01 14:42:51 1UBHKv-0003BH-LD => [email protected] R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.27] X=TLSv1:RC4-SHA:128
2013-03-01 14:42:51 1UBHKv-0003BH-LD Completed
2013-03-01 14:43:22 SMTP connection from [127.0.0.1]:37499 (TCP/IP connection count = 1)
2013-03-01 14:43:23 SMTP connection from localhost [127.0.0.1]:37499 closed by QUIT

Is there any way to find which script, or which user, is generating those?

  • Is this a web server? Are you hosting a PHP form on the machine that sends mail to you? Do you run a webmail interface on the machine? All these are just initial pointers on where to start searching for the culprit. Commented Mar 1, 2013 at 6:40
  • I have the web server with PHP. I don't have any contact form, but I have the user registration form which sends the email. But how can I track that? Commented Mar 1, 2013 at 6:57
  • First of all disable it. Then read about how to write secure PHP forms that mail stuff back to you. You should ask at PHP specific forums about that. Commented Mar 1, 2013 at 6:58
  • I don't think this is exactly a duplicate of the other questions. Often it is useful to know what scripts or services are sending out emails - even if your server hasn't been compromised. Commented Apr 25, 2015 at 16:52
  • Exim is mentioned in the question. There's a good guide here: crybit.com/check-spamming-on-server-having-exim Commented Jan 9, 2017 at 16:41

3 Answers

22

Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/) installation is quite easy :). Go to that link and download http://www.rfxn.com/downloads/maldetect-current.tar.gz. The link to this file is located at the very top of the web page. Then unpack this archive and go to the newly created directory by running cd in your terminal. In the directory run

sudo ./install.sh

which will install the scanner to your system. To perform the scanning itself you are to run

sudo /usr/local/sbin/maldet -a /

The -a option here means that you want to scan all the files. Use -r instead to scan only recent ones. / specifies the directory where the scan should be performed, so just change it to any directory you want.

Just that )

8

The emails were all from nobody@myhost

Find all processes that are running as nobody:

ps -U nobody 

SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)

Run netstat under watch to see which process is connecting to port 25:

watch 'netstat -na | grep :25' 

These steps can help you find out that the culprit is the... web server. Then you can run strace to see which script is called when an email is sent:

strace -f -e trace=open,stat -p 1234 -o wserver.strace 

(1234 is the parent PID of the web server process)

  • Will the connection even be open long enough to complete this? Commented Mar 1, 2013 at 8:15
  • Which connection do you mean? The PHP script? Commented Mar 1, 2013 at 8:21
  • Add p to show the process ID: watch 'netstat -nap | grep :25' Commented Apr 9, 2018 at 15:31
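The ps/netstat/strace approach above catches the sender only while it is active. The Exim log the asker posted offers a quieter route: on cPanel, Exim writes a cwd= line (the calling process's working directory and arguments) immediately before the "<=" arrival line of each locally injected message, so correlating the two attributes every message sent as nobody to the directory of the script that called sendmail. This is an added example, not code from any answer; the log lines, message IDs and addresses are constructed in the format shown in the question.

```python
import re
from collections import Counter

# Constructed sample in the format of the question's /var/log/exim_mainlog.
# cPanel's Exim logs the caller's working directory (cwd=) and arguments on
# the line just before the "<=" arrival line of the message it injected.
SAMPLE_LOG = """\
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= root@cpanel.example U=root P=local S=1156 T="[cpanel] Root Login" for admin@example.org
2013-03-01 14:50:01 cwd=/home/site/public_html/register 2 args: /usr/sbin/sendmail -t
2013-03-01 14:50:01 1UBHSP-0001AA-Xa <= nobody@cpanel.example U=nobody P=local S=7826 T="Order Detail" for victim1@example.net
2013-03-01 14:50:02 cwd=/home/site/public_html/register 2 args: /usr/sbin/sendmail -t
2013-03-01 14:50:02 1UBHSQ-0001AB-Yb <= nobody@cpanel.example U=nobody P=local S=7826 T="Order Detail" for victim2@example.net
2013-03-01 14:50:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHSQ-0001AB-Yb
2013-03-01 14:50:04 1UBHSQ-0001AB-Yb => victim2@example.net R=lookuphost T=remote_smtp H=mx.example.net
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
ARRIVAL_RE = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) U=(?P<user>\S+) P=local"
    r'(?: S=\d+)?(?: T="(?P<subject>[^"]*)")?')

def attribute_local_mail(log_text):
    """Return (message_id, user, cwd, subject) per locally injected message.
    Assumes the cwd= line immediately precedes its "<=" line. Queue runs
    (exim -q / exim -M...) move mail rather than inject it, so their cwd
    (/var/spool/exim) is never attributed to a sending script."""
    results, pending_cwd = [], None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            flags = m.group("args").split()[1:]
            queue_op = any(f.startswith("-M") or f == "-q" for f in flags)
            pending_cwd = None if queue_op else m.group("cwd")
            continue
        m = ARRIVAL_RE.match(line)
        if m and pending_cwd is not None:
            results.append((m.group("id"), m.group("user"), pending_cwd,
                            m.group("subject") or ""))
            pending_cwd = None
    return results

def suspicious_dirs(records, user="nobody"):
    """Count injection directories for one user; check the top entry first."""
    return Counter(cwd for _, u, cwd, _ in records if u == user)

if __name__ == "__main__":
    recs = attribute_local_mail(SAMPLE_LOG)
    print(suspicious_dirs(recs).most_common())   # [('/home/site/public_html/register', 2)]
```

Run it against the real file (e.g. read /var/log/exim_mainlog instead of SAMPLE_LOG) and the top directory is where the web application's sending code lives; mail routed through cPanel's queue shows up under /var/spool/exim only as delivery, never as injection.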

4

Run a malware scanner, such as maldet, or AVG, or both, on your user's data. Most malicious scripts are picked up by such tools.

  • How can I install that, and then how do I run it? Commented Mar 1, 2013 at 5:52
  • You click the link and follow the directions. Commented Mar 1, 2013 at 6:10
  • There is nothing written over there which says how to install and use it. Commented Mar 1, 2013 at 6:14
  • You may wish to have a professional server administrator perform the installation for you, if you are unable to do it yourself. Commented Mar 1, 2013 at 6:24
