Mail spam sending script injected

I apologize if this is already asked a million times.

One of the accounts on my server got hacked. An email spam-sending script was injected and is sending a ton of emails to random addresses.

I have cPanel/WHM on my server, WHM 11.38.0 (build 5). It is also CentOS 5.9 x86_64.

I usually don't use cPanel or WHM. I have had it on this server from the start, and later I was too busy to set up a non-WHM-based server.

What I did up until now:

  1. I blocked the problematic account from sending any emails at all from WHM
  2. I executed this command: exim -bp | grep \< | awk '{print $3}' | xargs exim -Mrm, since I had 70k emails in the mail queue
  3. I restarted the server

Currently I can't easily change the password for that email account.

Is there a way to see exactly what process, or much better what script, is sending those mails and where it is located?

Thank you in advance and if you need some additional info to help me just ask.

EDIT

I have looked in the crontab for that user and there was nothing suspicious in it.

EDIT 2

Here is a screenshot of the top command output in which I have pointed to my suspect: [image: ssh top email spam script]

Aside from the pointed-out process there are a lot of "mailnull" processes. What can I do about them?


Solution 1:

If you know the mail account the spam comes from, you will definitely have to change the password. How do you know the spam is sent via some script?

If it is sent via some vulnerable (PHP?) script, then to find out where it comes from you should create a sendmail wrapper, as scripts usually use the sendmail binary to send out mails.

Create a file /usr/sbin/sendmail-wrapper with this content:

#!/bin/sh
# Log when sendmail was called, by whom and from which directory, then pass
# the message on to the real binary with an extra header naming that directory.
# id -un is used rather than $USER, which is usually not set for web server
# processes.
TODAY=$(date -Iseconds)
echo "$TODAY sendmail-wrapper called by $(id -un) from $PWD" >>/tmp/mail.send
(echo "X-Additional-Header: $PWD"; cat) | /usr/sbin/sendmail-real "$@"

To get your wrapper active, move the real sendmail binary:

mv /usr/sbin/sendmail /usr/sbin/sendmail-real

and move the wrapper:

mv /usr/sbin/sendmail-wrapper /usr/sbin/sendmail

Every time sendmail is called, it will add an additional header to the mail and will log the path sendmail was called from to /tmp/mail.send. This way you should be able to find the problematic script.

Make sure to put the original sendmail binary back in place afterwards, to stop /tmp/mail.send from growing indefinitely.
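The wrapper procedure from this answer as reusable shell functions, added here as an example that is not part of the original answer. BINDIR and LOGFILE are parameters I introduced so the whole thing can be rehearsed in a scratch directory (with a fake sendmail that only saves what it receives) before it is done for real on /usr/sbin. Two details the steps above leave implicit are made explicit: the wrapper gets its execute bit set, and the log file is made world-writable so PHP running under any account can append to it.

```shell
#!/bin/sh
# Added example, not the original answer's code: the sendmail-wrapper
# procedure parameterised on BINDIR and LOGFILE (assumed names).

# install_sendmail_wrapper BINDIR LOGFILE
#   Renames BINDIR/sendmail to BINDIR/sendmail-real (only once) and installs
#   a wrapper in its place that appends "<time> sendmail-wrapper called by
#   <user> from <cwd>" to LOGFILE, prepends an X-Additional-Header line
#   naming the cwd, and runs the real binary with the original arguments.
install_sendmail_wrapper() {
    bindir=$1; logfile=$2
    if [ ! -e "$bindir/sendmail-real" ]; then
        mv "$bindir/sendmail" "$bindir/sendmail-real"
    fi
    # Unquoted EOF: $bindir/$logfile expand now, escaped \$ expand at call time.
    cat > "$bindir/sendmail" <<EOF
#!/bin/sh
# Logging wrapper: record who called sendmail and from which directory.
# id -un is used instead of \$USER, which web servers usually do not export.
echo "\$(date +%Y-%m-%dT%H:%M:%S%z) sendmail-wrapper called by \$(id -un) from \$PWD" >> "$logfile"
(echo "X-Additional-Header: \$PWD"; cat) | "$bindir/sendmail-real" "\$@"
EOF
    chmod 755 "$bindir/sendmail"           # mv alone would not make the wrapper executable
    : >> "$logfile"; chmod 666 "$logfile"  # every account's PHP must be able to append
}

# uninstall_sendmail_wrapper BINDIR: put the real binary back.
uninstall_sendmail_wrapper() {
    mv "$1/sendmail-real" "$1/sendmail"
}

# callers_by_dir LOGFILE
#   Invocations per calling directory, busiest first; the spam script's
#   directory should float to the top.
callers_by_dir() {
    awk '{ d = $0; sub(/.* from /, "", d); n[d]++ }
         END { for (d in n) printf "%d %s\n", n[d], d }' "$1" | sort -rn
}

# demo_in_sandbox
#   Rehearsal in a temporary directory with a fake sendmail that only saves
#   what it receives (constructed for the demonstration). Prints the path.
demo_in_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/bin" "$sb/home/victim/public_html/uploads"
    printf '#!/bin/sh\ncat > "%s/captured.eml"\n' "$sb" > "$sb/bin/sendmail"
    chmod 755 "$sb/bin/sendmail"
    install_sendmail_wrapper "$sb/bin" "$sb/mail.send"
    # one legitimate-looking call, then two from an uploads directory
    for dir in home/victim home/victim/public_html/uploads home/victim/public_html/uploads; do
        ( cd "$sb/$dir" && printf 'To: x@example.com\nSubject: test\n\nbody\n' \
            | "$sb/bin/sendmail" -t )
    done
    echo "$sb"
}

if [ "${1:-}" = "--demo" ]; then
    sb=$(demo_in_sandbox)
    callers_by_dir "$sb/mail.send"
    cat "$sb/captured.eml"
fi
```

On the real host the calls are install_sendmail_wrapper /usr/sbin /tmp/mail.send and, when done, uninstall_sendmail_wrapper /usr/sbin. On cPanel systems /usr/sbin/sendmail is normally a symlink to Exim; mv renames the symlink, and the wrapper still reaches the real binary through sendmail-real. Run the script with --demo to see the rehearsal output.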

Solution 2:

Maybe a PHP script is exploited. If you are running PHP 5.3.x or over, set:

mail.add_x_header=1
mail.log=/var/log/phpmail

in php.ini.
Also make sure that /var/log/phpmail is world-writable, so every PHP process can write to it.
Then restart Apache.

After this, check the headers of outgoing mails; they should contain the name of the PHP script (X-PHP-Originating-Script).
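Once mail.log and mail.add_x_header are on, the data PHP records can be turned into a culprit quickly. The following is an added example, not part of the original answer: the sample log lines and the message are constructed, and the line format assumed is the one PHP writes for mail.log, "[date] mail() on [/path/script.php:LINE]: To: addr -- Headers: ...", while the added header is assumed to be "X-PHP-Originating-Script: <uid>:<script basename>". Function names are mine.

```shell
#!/bin/sh
# Added example, not the original answer's code: rank the scripts that PHP's
# mail.log attributes mail() calls to, and read the uid/script pair PHP
# stamps into outgoing mail. Log and header formats are assumptions stated
# in the lead-in.

# phpmail_top_scripts LOGFILE
#   Count mail() calls per originating script path, busiest first.
phpmail_top_scripts() {
    sed -n 's/.*mail() on \[\([^]]*\):[0-9][0-9]*\]: .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# phpmail_culprit LOGFILE
#   Just the path of the busiest script.
phpmail_culprit() {
    phpmail_top_scripts "$1" | head -1 | awk '{print $2}'
}

# originating_script_uid MESSAGEFILE
#   Print "uid script" from the X-PHP-Originating-Script header of a saved
#   message (for instance one pulled out of the Exim queue). The uid tells
#   you which account's home directory to search for that script name.
originating_script_uid() {
    sed -n 's/^.*X-PHP-Originating-Script: \([0-9]*\):\(.*\)$/\1 \2/p' "$1"
}

# Constructed sample data so the functions can be exercised offline.
make_sample_phpmail_log() {
    out=$(mktemp)
    cat > "$out" <<'EOF'
[24-Jun-2013 10:11:12 UTC] mail() on [/home/victim/public_html/contact.php:41]: To: owner@example.com -- Headers: From: site@example.com
[24-Jun-2013 10:11:13 UTC] mail() on [/home/victim/public_html/uploads/ds73.php:7]: To: a1@example.net -- Headers: From: x@example.com
[24-Jun-2013 10:11:13 UTC] mail() on [/home/victim/public_html/uploads/ds73.php:7]: To: a2@example.net -- Headers: From: x@example.com
[24-Jun-2013 10:11:14 UTC] mail() on [/home/victim/public_html/uploads/ds73.php:7]: To: a3@example.net -- Headers: From: x@example.com
EOF
    echo "$out"
}

make_sample_message() {
    out=$(mktemp)
    cat > "$out" <<'EOF'
Received: from victim by host.example.com with local (Exim 4.80)
X-PHP-Originating-Script: 1003:ds73.php
From: x@example.com
To: a1@example.net
Subject: hello

body
EOF
    echo "$out"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_phpmail_log); msg=$(make_sample_message)
    phpmail_top_scripts "$log"
    originating_script_uid "$msg"
fi
```

On the live server you would call phpmail_top_scripts /var/log/phpmail; the header check only needs the script's basename, so pair it with the uid to know which account's public_html to search.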