trying to locate process on server which is sending spam email

Question

I have a CentOS server running Exim, with a standard LAMP stack installed. The problem is that there is a process that is sending out unsolicited emails, AND I do not know how to locate the process. Here is what I have done:

1. I have done a tail /var/log/exim_mainlog to see what is going on. This is some of the output:

   2016-02-14 01:42:00 SMTP connection from (jabosupply.dcr103.com) [255.255.255.255]:33165 closed by QUIT
   2016-02-14 01:42:00 1aUlhH-0006fx-UO => cpm147 <lstockings@site1.com> R=localuser T=local_delivery
   2016-02-14 01:42:00 1aUlhH-0006fx-UO Completed
   2016-02-14 01:42:03 1aUlhL-0006gS-RD <= AmeliaCruz@site2.com H=(site2.com) [255.255.255.255]:54467 P=esmtp S=25154 id=456dfg4.G880UOMSX255.255.255.255@lisalou.vegan$
   2016-02-14 01:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhL-0006gS-RD
   2016-02-14 01:42:04 1aUlhL-0006gS-RD => cpm147 <duke@site1.com> R=localuser T=local_delivery
   2016-02-14 01:42:04 1aUlhL-0006gS-RD Completed
   2016-02-14 01:42:04 SMTP connection from (site2.com) [255.255.255.255]:54467 closed by QUIT
   2016-02-14 01:42:05 SMTP connection from [255.255.255.255]:40445 (TCP/IP connection count = 5)
   2016-02-14 01:42:05 no host name found for IP address 255.255.255.255
   2016-02-14 01:42:11 SMTP connection from [255.255.255.255]:58622 (TCP/IP connection count = 6)
   2016-02-14 01:42:12 1aUlhU-0006hP-C9 <= GregoryLittle@site3.com H=(site3.com) [255.255.255.255]:48668 P=esmtp S=37419 id=DV59FTL1CMF.gfjh3ufdg45q1111.6603.WE@chimail1.m$
   2016-02-14 01:42:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhU-0006hP-C9
   2016-02-14 01:42:12 SMTP connection from (site3.com) [255.255.255.255]:48668 closed by QUIT
   2016-02-14 01:42:12 1aUlhU-0006hP-C9 => cpm147 <duke@site1.com> R=localuser T=local_delivery
   2016-02-14 01:42:12 1aUlhU-0006hP-C9 Completed
   2016-02-14 01:42:17 SMTP connection from [255.255.255.255]:40445 lost
   2016-02-14 01:42:17 1aUSE4-0000ZZ-Tp == erika.guerra@fresno.heald.edu R=dkim_lookuphost defer (-1): host lookup did not complete
   2016-02-14 01:42:17 1aUj64-0004bS-6P Message is frozen
   2016-02-14 01:42:17 1aULQ4-0002bv-Bs Unfrozen by errmsg timer
   2016-02-14 01:42:18 1aULQ4-0002bv-Bs ** alisa_mckinney@site4 R=dkim_lookuphost T=dkim_remote_smtp H=smtp.secureserver.net [255.255.255.255]: SMTP error from remote mail server $
   2016-02-14 01:42:18 1aULQ4-0002bv-Bs alisa_mckinney@site4: error ignored
   2016-02-14 01:42:18 1aULQ4-0002bv-Bs Completed
   

2. Tried turning off mail for the server via WHM - this is successful, but not a permanent solution!

3. Done a top to see the exim processes. There are anywhere from 0 to 1 to about 7 of them, with user of either root or mailnull. So the hosted user account is not identified.

I am thinking there must be a PERL script or PHP script somewhere that is running this. I need to identify it. Can anyone help me locate the physical source of the script that is running.

P.S. My server is not high-use and none of the websites have mailing scripts. I'm thinking this must have been injected so I am also changing passwords. But my priority is to locate this.

Answer 1

If my memory serves me right, cpanel users must perform auth in order to send mails. So you should see 'auth_id' field in email headers. I have written small script which is inspecting exim's outgoing queue, find ids which own more than 50 mails in queue and deletes them. Hope, it will be useful for you.

#!/usr/bin/perl
#Script for deleting spam mails
use strict;
use warnings;
use Net::OpenSSH;
my $host = $ARGV[0];
my $ssh2 = Net::OpenSSH->new($host,user=>'root',timeout=>600);
my @authids =  $ssh2->capture("exiqgrep -i |xargs -I \~ /usr/sbin/exim -Mvh \~ |awk -F'[@ ]' '/auth_id/{print \$NF}' |sort |uniq -c |sort -nrk1");
foreach (@authids) {
  my @string = split();
  if($string[0] > 50) {
    my $header = "count - $string[0] , offender - $string[1]\n";
    my $summary = $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mvh \$i |awk '/(Subject: |To:|From:)/{print}';fi;done");
    print "$summary\n";
    print "count - $string[0] , offender - $string[1]\n";
    print "Delete [y/n]";
    my $line = <STDIN>;
    chomp($line);
      if($line eq "y") {
      print "Prepairing to delete\n";
      $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mrm \$i;fi;done") or die "remote command failed: " . $ssh2->error;
      print "Deleted\n";
      }

  } else {
  last;
}

}