12

My server is sending the spam email and I am not able to find out which script is sending them.

The emails were all from nobody@myhost, so I disabled in cPanel the ability of the user nobody to send emails.

Now at least they are not going out, but I keep receiving them. This is the mail I get:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  eckert@clearfieldjeffersonredcross.org
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@cpanel.myserver.com>
Received: from nobody by cpanel.myserver.com with local (Exim 4.80)
        (envelope-from <nobody@cpanel.myserver.com>)
        id 1UBBap-0007EM-9r
        for eckert@clearfieldjeffersonredcross.org; Fri, 01 Mar 2013 08:34:47 +1030
To: eckert@clearfieldjeffersonredcross.org
Subject: Order Detail
From: "Manager Ethan Finch" <support@raleight.us>
X-Mailer: Fscfz(ver.2.75)
Reply-To: "Manager Ethan Finch" <support@raleight.us>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1362089087512FD47F4767C"
Message-Id: <E1UBBap-0007EM-9r@cpanel.server.com>
Date: Fri, 01 Mar 2013 08:34:47 +1030

------------1362089087512FD47F4767C
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

These are my Exim logs:

2013-03-01 14:36:00 no IP address found for host gw1.corpgw.com (during SMTP connection from [203.197.151.138]:54411)
2013-03-01 14:36:59 H=() [203.197.151.138]:54411 rejected MAIL gpgjouczsr@gmail.com: HELO required before MAIL
2013-03-01 14:37:28 H=(helo) [203.197.151.138]:54411 rejected MAIL admin@gmail.com: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2013-03-01 14:37:28 SMTP connection from (helo) [203.197.151.138]:54411 closed by DROP in ACL
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 1UBBap-0007EM-9r ** eckert@clearfieldjeffersonredcross.org R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:37:30 1UBHFp-0003A7-W3 <= <> R=1UBBap-0007EM-9r U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for nobody@cpanel.server.com
2013-03-01 14:37:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHFp-0003A7-W3
2013-03-01 14:37:30 1UBBap-0007EM-9r Completed
2013-03-01 14:37:32 1UBHFp-0003A7-W3 aspmx.l.google.com [2607:f8b0:400e:c00::1b] Network is unreachable
2013-03-01 14:37:38 1UBHFp-0003A7-W3 => johnmyk@server.com <nobody@cpanel.server.com> R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.26] X=TLSv1:RC4-SHA:128
2013-03-01 14:37:39 1UBHFp-0003A7-W3 Completed
2013-03-01 14:37:39 End queue run: pid=12155
2013-03-01 14:38:20 SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)
2013-03-01 14:38:21 SMTP connection from localhost [127.0.0.1]:36667 closed by QUIT
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= root@cpanel.server.com U=root P=local S=1156 T="[cpanel.server.com] Root Login from IP 122.181.3.130" for johnmyk@server.com
2013-03-01 14:42:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHKv-0003BH-LD
2013-03-01 14:42:47 1UBHKv-0003BH-LD aspmx.l.google.com [2607:f8b0:400e:c00::1a] Network is unreachable
2013-03-01 14:42:51 1UBHKv-0003BH-LD => johnmyk@server.com R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.27] X=TLSv1:RC4-SHA:128
2013-03-01 14:42:51 1UBHKv-0003BH-LD Completed
2013-03-01 14:43:22 SMTP connection from [127.0.0.1]:37499 (TCP/IP connection count = 1)
2013-03-01 14:43:23 SMTP connection from localhost [127.0.0.1]:37499 closed by QUIT

Is there any way to find which script, or which user, is generating those?

adamo
user75380
    I don't think this is exactly a duplicate of the other questions. Often it is useful to know what scripts or services are sending out emails - even if your server hasn't been compromised. – Eric Kigathi Apr 25 '15 at 16:52
  • Is this a web server? Are you hosting a PHP form on the machine that sends mail to you? Do you run a webmail interface on the machine? All these are just initial pointers on where to start searching for the culprit. – adamo Mar 01 '13 at 06:40
  • I have the web server with php. i don't have any contact form but i have the user registration form which send the email. but how can i track that – user75380 Mar 01 '13 at 06:57
  • First of all disable it. Then read about how to write secure PHP forms that mail stuff back to you. You should ask at PHP specific forums about that. – adamo Mar 01 '13 at 06:58
  • Exim is mentioned in the question. There's a good guide here: https://crybit.com/check-spamming-on-server-having-exim/ – user56reinstatemonica8 Jan 09 '17 at 16:41
  • I don't think this is a duplicate of the other proposed questions since this one asks specifically for a way to know which script is sending spam. No malware scanners will find those scripts as they aren't malware, simply forms without captchas or "vulnerabilities" of this kind. IMO, the best way is logging the mail() function: http://stackoverflow.com/a/34166818/1703516 – campsjos Feb 20 '17 at 12:02

3 Answers

22

Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/) installation is quite easy :). Go via this link, download http://www.rfxn.com/downloads/maldetect-current.tar.gz. The link to this file is located at the very top of the web-page. Then unzip this archive, go to newly created directory by running cd in your terminal. In the directory run

sudo ./install.sh

which will install the scanner to your system. To perform the scanning itself you are to run

sudo /usr/local/sbin/maldet -a /

The -a option here means that you want to scan all the files. Use -r instead to scan only recent ones. / specifies the directory where the scan should be performed, so just change it to any directory you want.

Just that )

Meriadoc Brandybuck
8

The emails were all from nobody@myhost

Find all processes that are running as nobody:

ps -U nobody

SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)

Run netstat under watch to see which process is connecting to port 25:

watch 'netstat -na | grep :25'

These steps can help you find out the culprit is the... web server. Then you can run a strace to see which script is called when an email is sent:

strace -f -e trace=open,stat -p 1234 -o wserver.strace

(1234 is the parent PID of the web server process)

quanta
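A log-based way to narrow down the same culprit, added here as an example that is not part of quanta's answer or of the question: on a cPanel host Exim records a cwd= value for every local sendmail/exim invocation (the question's own log shows cwd=/var/spool/exim for the queue runner and cwd=/ for the root login notice), so a web script calling mail() shows up as the directory it lives in. The script below ranks those directories, ignoring Exim's own working directories. The sample log lines, the /home/example paths and the file location are constructed for the example; point rank_exim_cwd at /var/log/exim_mainlog to run it on a real server.

```shell
#!/bin/sh
# Added example: rank the working directories (cwd=) that Exim logged for
# locally submitted messages. Directories owned by Exim itself
# (/var/spool/exim for queue runs, / for daemons started from cron or init)
# are dropped so that web-script directories rise to the top.
# Usage: rank_exim_cwd /var/log/exim_mainlog

rank_exim_cwd() {
    # pull the cwd= value out of each line, drop Exim's own directories,
    # then count occurrences and sort most frequent first
    sed -n 's/.*cwd=\([^ ]*\).*/\1/p' "$1" \
        | grep -v -e '^/var/spool/exim$' -e '^/$' \
        | sort | uniq -c | sort -rn
}

# Print only the single most frequent sending directory (empty if none).
top_exim_cwd() {
    rank_exim_cwd "$1" | head -n 1 | awk '{print $2}'
}

# Constructed sample log. The first three lines copy the format of the
# question's exim_mainlog; the /home/example lines are made up to stand in
# for a registration form that a spammer is abusing.
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:50:01 cwd=/home/example/public_html/register 4 args: /usr/sbin/sendmail -t -i
2013-03-01 14:50:02 cwd=/home/example/public_html/register 4 args: /usr/sbin/sendmail -t -i
2013-03-01 14:50:03 cwd=/home/example/public_html/register 4 args: /usr/sbin/sendmail -t -i
2013-03-01 14:51:10 cwd=/home/example/public_html/contact 4 args: /usr/sbin/sendmail -t -i
EOF

# With a log path as argument, rank that file; otherwise rank the sample.
if [ $# -gt 0 ]; then
    rank_exim_cwd "$1"
else
    rank_exim_cwd "$SAMPLE_LOG"
fi
```

On the sample this prints the register directory with a count of 3 and the contact directory with a count of 1. Once a directory stands out, the ps and strace steps from the answer above can be aimed at the web server process serving it, and the scripts in that directory can be checked for a form that sends mail without any rate limit or captcha.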
4

Run a malware scanner, such as maldet, or AVG, or both, on your user's data. Most malicious scripts are picked up by such tools.

Michael Hampton