Mail spam sending script injected
I apologize if this has already been asked a million times.
One of the accounts on my server got hacked. An email spam sending script was injected and is sending a ton of emails to some random addresses.
I have cPanel/WHM on my server, WHM 11.38.0 (build 5). Also it is CentOS 5.9 x86_64.
I usually don't use cPanel or WHM. I have had it on this server from the start, and later I was too busy to set up a non-WHM-based server.
What I did up until now:
- I blocked the problematic account from sending emails at all from WHM
- I executed this command
exim -bp | grep \< | awk '{print $3}' | xargs exim -Mrm
since I had 70k emails in the mail queue
- I restarted the server
Currently I can't easily change the password for that email account.
Is there a way to see exactly what process, or much better what script, is sending those mails and where it is located?
Thank you in advance, and if you need some additional info to help me, just ask.
EDIT
I have looked in the crontab for that user and there was nothing suspicious in it.
EDIT 2
Here is a screenshot of the top command executed, and I pointed to my suspect:
Aside from the process I pointed to, there are a lot of "mailnull" processes. What can I do about it?
Solution 1:
If you know the mail account the spam comes from, you will definitely have to change the password. How do you know the spam is sent via some script?
If it is sent via some vulnerable (PHP?) script, to find out where it comes from you should create a sendmail wrapper, as scripts usually use the sendmail binary to send out mails.
Create a file /usr/sbin/sendmail-wrapper with this content:
#!/bin/sh
# Log every invocation (timestamp, calling user, working directory) for later review.
TODAY=`date -Iseconds`
echo "$TODAY sendmail-wrapper called ${USER:-$(id -un)} from $PWD" >>/tmp/mail.send
# Prepend a header naming the caller's directory, then pass the message and all
# original arguments through to the real sendmail binary.
(echo "X-Additional-Header: $(dirname "$PWD")"; cat) | /usr/sbin/sendmail-real "$@"
To get your wrapper active, move the real sendmail binary:
mv /usr/sbin/sendmail /usr/sbin/sendmail-real
and move the wrapper:
mv /usr/sbin/sendmail-wrapper /usr/sbin/sendmail
chmod 755 /usr/sbin/sendmail
Every time sendmail is called, it will add an additional header to the mail and will log the path sendmail was called from to /tmp/mail.send. This way, you should be able to find the problematic script.
Make sure to put the original sendmail binary back in place afterwards to stop /tmp/mail.send from growing indefinitely.
Solution 2:
Maybe a PHP script is exploited. If you are running PHP 5.3.x or over, set:
mail.add_x_header=1
mail.log=/var/log/phpmail
in php.ini.
Also make sure that /var/log/phpmail is world writable, so every PHP process can write to it.
Then restart Apache.
After this, check the headers of outgoing mails; they should contain the name of the PHP script (X-PHP-Originating-Script).
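Once either log exists, the remaining work is tallying it to see which directory or script is doing the sending. The following Python script is an added example, not part of either answer: it parses the /tmp/mail.send lines written by the wrapper in Solution 1 and the /var/log/phpmail lines produced by the mail.log setting in Solution 2, and ranks scripts by how many distinct recipients they mailed (a contact form mails one owner; an injected spammer mails thousands). The sample log lines are constructed, and the PHP mail.log line format is assumed from the 5.3-era "[date] mail() on [script:line]: To: addr -- Headers: ..." layout, so adjust the patterns if yours differ.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /tmp/mail.send as written by the wrapper in Solution 1
# (assumed format: "<date> sendmail-wrapper called <user> from <cwd>").
WRAPPER_LOG = """\
2013-06-12T10:22:31+0000 sendmail-wrapper called nobody from /home/acct/public_html/wp-content/uploads
2013-06-12T10:22:32+0000 sendmail-wrapper called nobody from /home/acct/public_html/wp-content/uploads
2013-06-12T10:30:00+0000 sendmail-wrapper called acct from /home/acct/public_html
"""

# Constructed sample of /var/log/phpmail (assumed PHP 5.3 mail.log line format:
# "[date] mail() on [script:line]: To: addr -- Headers: ...").
PHP_MAIL_LOG = """\
[12-Jun-2013 10:22:31 UTC] mail() on [/home/acct/public_html/wp-content/uploads/x.php:14]: To: a@example.net -- Headers: From: shop@example.org
[12-Jun-2013 10:22:32 UTC] mail() on [/home/acct/public_html/wp-content/uploads/x.php:14]: To: b@example.com -- Headers: From: shop@example.org
[12-Jun-2013 10:30:00 UTC] mail() on [/home/acct/public_html/contact.php:88]: To: owner@example.org -- Headers: From: site@example.org
"""

WRAPPER_RE = re.compile(r"^(\S+) sendmail-wrapper called (\S+) from (.+)$")
PHP_RE = re.compile(r"^\[[^\]]+\] mail\(\) on \[([^:\]]+):(\d+)\]: To: (\S+)")

def count_wrapper_dirs(text):
    """Number of sendmail invocations per calling directory (wrapper log)."""
    counts = Counter()
    for line in text.splitlines():
        m = WRAPPER_RE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts

def php_script_stats(text):
    """Per PHP script: (mail() calls, distinct recipients) from the PHP mail log."""
    calls, rcpts = Counter(), defaultdict(set)
    for line in text.splitlines():
        m = PHP_RE.match(line)
        if m:
            calls[m.group(1)] += 1
            rcpts[m.group(1)].add(m.group(3))
    return {script: (calls[script], len(rcpts[script])) for script in calls}

def top_suspects(stats, n=5):
    """Scripts ranked by distinct recipients first, then by call volume."""
    return sorted(stats.items(), key=lambda kv: (kv[1][1], kv[1][0]), reverse=True)[:n]

if __name__ == "__main__":
    print(count_wrapper_dirs(WRAPPER_LOG).most_common(3))
    print(top_suspects(php_script_stats(PHP_MAIL_LOG)))
```

On a real server, replace the two embedded samples with the contents of /tmp/mail.send and /var/log/phpmail; a directory such as an uploads folder with many sendmail calls, or a script mailing many distinct addresses, is the one to inspect first.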