How to find which script on my server is sending spam emails?

user75380 asked:

My server is sending the spam email and I am not able to find out which script is sending them.

The emails were all from nobody@myhost so disabled from the cpanel that nobody should not be allowed to send emails

Now at least they are not going out, I keep receiving them. This is mail I get:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  eckert@clearfieldjeffersonredcross.org
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@cpanel.myserver.com>
Received: from nobody by cpanel.myserver.com with local (Exim 4.80)
        (envelope-from <nobody@cpanel.myserver.com>)
        id 1UBBap-0007EM-9r
        for eckert@clearfieldjeffersonredcross.org; Fri, 01 Mar 2013 08:34:47 +1030
To: eckert@clearfieldjeffersonredcross.org
Subject: Order Detail
From: "Manager Ethan Finch" <support@raleight.us>
X-Mailer: Fscfz(ver.2.75)
Reply-To: "Manager Ethan Finch" <support@raleight.us>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1362089087512FD47F4767C"
Message-Id: <E1UBBap-0007EM-9r@cpanel.server.com>
Date: Fri, 01 Mar 2013 08:34:47 +1030

------------1362089087512FD47F4767C
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

This is my logs for exim logs:

2013-03-01 14:36:00 no IP address found for host gw1.corpgw.com (during SMTP connection from [203.197.151.138]:54411)
2013-03-01 14:36:59 H=() [203.197.151.138]:54411 rejected MAIL gpgjouczsr@gmail.com: HELO required before MAIL
2013-03-01 14:37:28 H=(helo) [203.197.151.138]:54411 rejected MAIL admin@gmail.com: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2013-03-01 14:37:28 SMTP connection from (helo) [203.197.151.138]:54411 closed by DROP in ACL
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 1UBBap-0007EM-9r ** eckert@clearfieldjeffersonredcross.org R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:37:30 1UBHFp-0003A7-W3 <= <> R=1UBBap-0007EM-9r U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for nobody@cpanel.server.com
2013-03-01 14:37:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHFp-0003A7-W3
2013-03-01 14:37:30 1UBBap-0007EM-9r Completed
2013-03-01 14:37:32 1UBHFp-0003A7-W3 aspmx.l.google.com [2607:f8b0:400e:c00::1b] Network is unreachable
2013-03-01 14:37:38 1UBHFp-0003A7-W3 => johnmyk@server.com <nobody@cpanel.server.com> R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.26] X=TLSv1:RC4-SHA:128
2013-03-01 14:37:39 1UBHFp-0003A7-W3 Completed
2013-03-01 14:37:39 End queue run: pid=12155
2013-03-01 14:38:20 SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)
2013-03-01 14:38:21 SMTP connection from localhost [127.0.0.1]:36667 closed by QUIT
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= root@cpanel.server.com U=root P=local S=1156 T="[cpanel.server.com] Root Login from IP 122.181.3.130" for johnmyk@server.com
2013-03-01 14:42:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHKv-0003BH-LD
2013-03-01 14:42:47 1UBHKv-0003BH-LD aspmx.l.google.com [2607:f8b0:400e:c00::1a] Network is unreachable
2013-03-01 14:42:51 1UBHKv-0003BH-LD => johnmyk@server.com R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.27] X=TLSv1:RC4-SHA:128
2013-03-01 14:42:51 1UBHKv-0003BH-LD Completed
2013-03-01 14:43:22 SMTP connection from [127.0.0.1]:37499 (TCP/IP connection count = 1)
2013-03-01 14:43:23 SMTP connection from localhost [127.0.0.1]:37499 closed by QUIT

Is there any way to find which script, or which user, is generating those?

My answer:


Run a malware scanner, such as maldet, or AVG, or both, on your user’s data. Most malicious scripts are picked up by such tools.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.