Hi,
We faced a severe spamming issue on a cPanel server. On checking the email queue I found more than 100,000 (1 lakh) messages, and the headers showed that almost all of them were spam. Below are the steps I took to fix the spamming issue on the server.
The Exim commands to inspect the email queue are
exim -bpc
exim -bp | exiqsumm
The first prints the number of messages in the queue; the second summarises the queue by destination domain. The Message IDs themselves are listed by exim -bp. Once you have a Message ID you can view the headers of that message with
exim -Mvh <message-id>
This lists the headers, including the one that names the PHP script that sent the mail, if any:
X-PHP-Script
You can also view the body of the message in Exim to confirm that it really is spam:
exim -Mvb <message-id>
Usually exim -Mvh will reveal the PHP script. Sometimes, however, the script does not appear in the headers: the attackers may have modified their code so that the X-PHP-Script header is not added.
In that case the command below extracts from the Exim main log the working directory (cwd=) in which each local sendmail/exim invocation ran, which is where the script lives:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
You can also find the common subject of the spam by counting duplicate subject lines in the Exim log (the T="..." field on the "<=" lines is present only when Exim's log_selector includes +subject, which cPanel's default exim.conf enables, as it does +arguments for the cwd= lines):
awk -F"T=\"" '/<=/ {print $2}' /var/log/exim_mainlog | cut -d\" -f1 | sort | uniq -c | sort -n
The cwd command lists each directory from which Exim was invoked together with a count, sorted so that the busiest directory appears last, so you can see at a glance where the mail is coming from. cd into that directory and inspect the PHP files there, or scan the directory with an antivirus such as ClamAV:
clamscan -i -r Directory-Name
This lists the files ClamAV flags as malicious. Delete those files first (keeping a copy elsewhere if you want to examine them later).
After you have found and removed the files that caused the spamming, run a full scan of the server with ClamAV to find any other suspicious files residing on it:
clamscan -i -r /
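The two log one-liners above, wrapped as functions and run offline against a constructed exim_mainlog sample. This is an added example and not code from the original post; the sample log lines mimic cPanel's format (the cwd= and T="..." fields come from Exim's +arguments and +subject log selectors), and every path, address and message ID in it is made up:

```shell
#!/bin/sh
# Added example, not from the original post: the cwd= and subject one-liners
# as functions, exercised against a constructed exim_mainlog sample.
# Paths, addresses and message IDs below are invented for the demonstration.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
2024-05-01 10:00:01 cwd=/home/victim/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:01 1s2abc-0001aa-Bc <= victim@example.com U=victim P=local S=1200 T="Cheap meds here" for a@example.net
2024-05-01 10:00:02 cwd=/home/victim/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 1s2abc-0001ab-Bd <= victim@example.com U=victim P=local S=1200 T="Cheap meds here" for b@example.net
2024-05-01 10:00:03 cwd=/home/victim/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 1s2abc-0001ac-Be <= victim@example.com U=victim P=local S=1200 T="Cheap meds here" for c@example.net
2024-05-01 10:05:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:05:00 1s2abd-0001ad-Bf <= alice@example.com U=alice P=local S=800 T="Your order receipt" for d@example.net
2024-05-01 10:06:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1s2abc-0001aa-Bc
2024-05-01 10:07:00 1s2abe-0001ae-Bg <= bob@example.com H=mail.example.org [192.0.2.10] P=esmtps S=500 T="Meeting notes" for e@example.net
EOF

# Directories from which sendmail/exim was invoked locally, busiest last.
# Exim's own spool directory is excluded because queue runs also log a cwd=.
top_cwd() {
    grep cwd "$1" | grep -v /var/spool | awk -F'cwd=' '{print $2}' \
        | awk '{print $1}' | sort | uniq -c | sort -n
}

# Subjects of accepted messages ('<=' lines), most repeated last.
top_subjects() {
    awk -F'T="' '/<=/ {print $2}' "$1" | cut -d'"' -f1 | sort | uniq -c | sort -n
}

# The single busiest sending directory: the one to cd into and scan first.
busiest_cwd() {
    top_cwd "$1" | tail -n 1 | awk '{print $2}'
}

# How many times the most common subject was accepted.
busiest_subject_count() {
    top_subjects "$1" | tail -n 1 | awk '{print $1}'
}

echo "== sending directories =="; top_cwd "$LOG"
echo "== subjects =="; top_subjects "$LOG"
echo "== scan this first: $(busiest_cwd "$LOG") =="
```

On a real server replace the constructed sample with /var/log/exim_mainlog; note that mail received over SMTP (the H=... line in the sample) logs no cwd=, so the cwd counts cover only mail injected locally by scripts, which is exactly the case this procedure hunts.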
Below are the steps that make the system more resistant to spamming:
1) Install an antivirus such as ClamAV, scan the whole server, and automate the scan to run daily or weekly from crontab.
2) Install the CSF firewall and enable lfd (its login failure daemon).
3) Install chkrootkit or rkhunter and automate their scans with cron jobs.
4) Disable shell access for users on the cPanel server unless it is required.
5) Disable anonymous FTP uploads on the cPanel server.
6) Harden PHP: enable open_basedir so scripts cannot read files outside their own account, add shell-spawning functions such as exec, shell_exec, system, passthru, popen and proc_open to disable_functions, and make sure register_globals is Off (it was removed entirely in PHP 5.4).
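A small audit of the PHP settings named in step 6, as an added example that is not part of the original post. It parses a php.ini text for register_globals, open_basedir and disable_functions and reports which of them are still in the weak state; the two ini files it checks are constructed here for the demonstration, and the list of functions it expects in disable_functions is this example's own choice, not a cPanel default:

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini for the three
# settings in the hardening list. The ini contents below are constructed.

# Print the effective value of a directive (last definition wins; lines
# starting with ';' are comments). Empty output means the directive is unset.
ini_get() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*;/ { next }
        { k=$1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k) }
        k == key { v=$0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); val=v }
        END { print val }' "$1"
}

# Return 0 if the ini is hardened, 1 otherwise, printing one line per finding.
php_ini_audit() {
    ini="$1"; bad=0
    rg=$(ini_get "$ini" register_globals | tr 'A-Z' 'a-z')
    case "$rg" in
        on|1|true|yes) echo "WEAK: register_globals=$rg (must be Off)"; bad=1 ;;
    esac
    ob=$(ini_get "$ini" open_basedir)
    [ -n "$ob" ] || { echo "WEAK: open_basedir not set"; bad=1; }
    df=$(ini_get "$ini" disable_functions | tr -d ' ')
    # Functions that give a dropped web shell a real shell; assumed list.
    for fn in exec shell_exec system passthru popen proc_open; do
        case ",$df," in
            *",$fn,"*) ;;
            *) echo "WEAK: $fn not in disable_functions"; bad=1 ;;
        esac
    done
    return $bad
}

WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT
cat >"$WEAK_INI" <<'EOF'
; constructed: a permissive php.ini
register_globals = On
disable_functions =
EOF
cat >"$HARD_INI" <<'EOF'
; constructed: the hardened counterpart
register_globals = Off
open_basedir = /home/:/tmp/:/usr/local/lib/php/
disable_functions = exec, shell_exec, system, passthru, popen, proc_open
EOF

echo "== weak =="; php_ini_audit "$WEAK_INI" || true
echo "== hardened =="; php_ini_audit "$HARD_INI" && echo "OK"
```

On a cPanel server point the audit at the output of `php --ini` (or the per-account php.ini when PHP runs under suPHP/FPM), since a hardened global php.ini can be overridden by a local one that the attacker dropped alongside the mailer script.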
Regards
Syamkumar.M
Great Post, I love to read articles that are informative and actually have good content. Thank you for sharing your experiences and I look forward to reading more.