What is sending spam on my server !

LJSHost

Well-known member
Joined
Jul 5, 2016
Messages
1,031
Best answers
0
Ratings
202
Points
63
#1
I was just creating some new content for the LJSHost knowledge base and thought this article would be a nice tutorial for all you WHM VPS owners with spam problems :)

Finding out what script is spamming on a WHM server


Spam or unsolicited email is a huge problem for anyone with a server, it is estimated that around 90% of all email worldwide is junk mail. Spammers can have a negative impact on your server in many ways included consuming all server resources resulting in poor performance and getting your IP address blacklisted preventing you from sending mail to some providers from your server.

Spammers send junk mail in a couple of different ways sometimes from an external mail client but more often from a script uploaded to your server. Compromised CMS platforms such as WordPress are often the cause of spam due to being hijacked by a hacker who is using your contact form to send thousands of messages.

So now you know the problem let's talk about what you can do about it and shut it down.

All mail servers have an MTA (Mail Transport Agent) that receives mail from mail clients, web applications and other servers which have mail for users on your server. WHM uses the Exim transport agent which this guide will be focusing on but these forensic techniques can be adjusted for other mail transport agents.

Locating the script that is spamming


Code:
 grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
This command will scan the exim_mainlog file which is where Exim logs all mail activity. It might look complex but it's just a few simple Linux command piped together.

How the command works

Code:
grep cwd /var/log/exim_mainlog
- Show all row with ‘cwd' (current working directory) in the log

Code:
grep -v /var/spool
- Use the grep with the -v to show an invert match, so to exlcude /var/spool which are normal Exim delivers not from a script.

Code:
 awk -F"cwd=" '{print $2}' | awk '{print $1}'
- format the output so we only see the data we need.

Code:
sort | uniq -c | sort -n
- Sort the script paths by name, count them and format the output numerically from lowest to highest.


Code:
      12 /home/account1/public_html/folder1
      43 /home/account2
      1652 /home/account3/public_html/scripts
      32 /home/account12/data/
      16 /home/account5/public_html
      19 /home/account 9/public_html
       7 /home/account21/public_html/content/scripts
      14 /home/account43/public_html/wp-content/themes/twentythirteen
      58 /home/account 45/public_html/tmp/
      20 /home/account31/public_html/wp-includes/js/imgareaselect
     346 /etc/csf
     794 /usr/local/cpanel/whostmgr/docroot
     1209 /
     187175 /root
This is a typical output from the command. All user data is contained within the /home/ directory which are the results you want to focus on /etc/csf /root for example are system generated emails which are only internal sending firewall reports, cron job notifications etc.

As you can see from the output 1652 /home/account3/public_html/scripts is the most likely suspect and shows 1652 mails sent from a script in the scripts folder.

Lets take a look in the scripts directory to see what we find.

Code:
ls -lahtr  /home/account3/public_html/scripts

Code:
 -rw-r--r-- 1 account3 account3 5.6K Apr 14 23:27 spam_script.php
Here we find the script spam_script.php which is the php program sending the spam. In a real world situation the file will be called something innocent such as wp-plug-contact.php to make it look like a genuine file.

A quick view of this file will show mail() functions etc to send the spam.

All you need to do the stop the spam is delete the file. :)
 

DTS-NET

Well-known member
Joined
Feb 6, 2017
Messages
87
Best answers
0
Ratings
6 1
Points
8
#2
That is awesome a lot of time files rebuild form types of malware and viruses
does this stop them from rebuilding
Have used other programs that have help us and our clients
This one will be very useful as well awesome job
 

LJSHost

Well-known member
Joined
Jul 5, 2016
Messages
1,031
Best answers
0
Ratings
202
Points
63
#6
LJSHost
No this will not stop the attacker uploading the script again if that is what you mean ?

Our policy on this is to suspend the account and get the customer to clean everything out and we change all the account password's, we also advise customers to run malware/virus scans of any PC's they are using to connect to the server.

With a customers WordPress site for example we advise to delete everything excluding the database and then help the customer re install fresh and provide the database connection details to them. Spam activity is stopped 95% of the time after these actions are taken. I have seen user cron jobs downloading the script again using wget and creating a 5 min cron to execute it.

Those pesky hackers :bash:
 

Dr. McKay

Well-known member
Joined
Nov 26, 2016
Messages
343
Best answers
0
Ratings
22
Points
18
#3
It would be great if i can use these ways on a Linux server without WHM/cPanel, for instance, on a LEMP stack, Plesk, Directadmin or other hosting control panels?
I have several VPS using WHM/cPanel and I will check them with your codes and see how it works.

Thanks for sharing useful tips!
 

LJSHost

Well-known member
Joined
Jul 5, 2016
Messages
1,031
Best answers
0
Ratings
202
Points
63
#7
LJSHost
Yes you can use this method with other MTA's/Setups you just need to modify the mail log location in the script and perhaps change the output formatting to reflect the style of the log file.
 

webhostuk

Well-known member
Joined
Jan 25, 2017
Messages
95
Best answers
0
Ratings
4
Points
8
#4
You have really provider a good information for many of the users who got unmanaged servers or VPS. Spamming is a major concern and to understand what exactly is causing the problem can only stop the issue from occurring again and again on the server.
 

HostXNow

Well-known member
Joined
Nov 26, 2014
Messages
373
Best answers
0
Ratings
25 1
Points
28
#5
I've been using the same methods for many years and they sure do help a lot! Very nice detailed guide you did on it, though. Good job!

PS I would also suggest monitoring all your server IPs on blacklists using HetrixTools, too.
 

energizedit

Well-known member
Joined
Dec 13, 2016
Messages
259
Best answers
0
Ratings
14
Points
18
#8
Thanks for this info, I'm always trying to look back through forums/emails etc. to find these commands again, when there is a mail issue on one of my servers. Great info for anyone running their own server.
 

Mujkanovic

Well-known member
Joined
Apr 24, 2016
Messages
209
Best answers
1
Ratings
4
Points
18
#10
I am wondering how the OP determined an email is spam mail or not.

Which command do this job?

Or do I need to do as following step you guided above?
 

LJSHost

Well-known member
Joined
Jul 5, 2016
Messages
1,031
Best answers
0
Ratings
202
Points
63
#11
You need to view the email to decided if it is spam however most of the time the Subjects will all be the same.

Identifying out going SPAM needs to be done before the steps in this guide which is done by viewing the logs either with WHM or the eximstats tools. The guide I posted as aimed towards drilling down to the root cause and stopping it once you have identified a mailbox is spamming. Most spam is automated on the server with PHP these days, Spammers don't send remotely via SMTP as they used it but it still happens.
 
Joined
Jan 27, 2017
Messages
47
Best answers
0
Points
0
#13
Thanks LJSHOst for this detailed writing. I have searched over here & there to sort out a system to detect spamming script but couldn't find out. Thanks a lot. I used LMD & ClamAV to find them out previously.
 
Joined
Jun 26, 2017
Messages
20
Best answers
0
Points
0
#15
Thank you for this post. I am learning a lot by just reading these posts. I also have bookmarked this for future reference.
Thank you guys!

Cheers!
 
Joined
Mar 6, 2016
Messages
52
Best answers
0
Ratings
5
Points
8
#16
Aewsome sharing but I think its limited to WHM.
I had a dedicated server multiple times suspended due to some of the client abusing it. The only way I knew it was getting the server suspended and they telling me the ip of the client. Can anybody guide me for how to avoid spamming on my dedicated box with multiple clients using VPS.
 

vpsrus

Well-known member
Joined
Jan 17, 2017
Messages
92
Best answers
0
Ratings
14
Points
0
#19
vpsrus
If your Virtualization is OpenVZ you can run nodewatch and also you can configure it to suspend the abuse VPS only before be suspended from your provider, on KVM it is a little more complicated but you can use Pinguzo and can find the abuse VPS and suspend it manually.
 

LJSHost

Well-known member
Joined
Jul 5, 2016
Messages
1,031
Best answers
0
Ratings
202
Points
63
#17
It all depends on what MTA those servers are using. The method I detailed can be used with any MTA you just need to change the spool and log file location relevant to the MTA configuration.
 

24x7serverman

Well-known member
Joined
Jul 25, 2017
Messages
652
Best answers
1
Ratings
67 6
Points
28
#18
I would like to add some more commands addition to your commands -

1. Once you will check the mail count of all accounts on server in ascending order using below command

exim -bpc; grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
After that you can check the logs of particular email address which has highest email count in email queue using below command -

grep email address /var/log/exim_mainlog
2. When you will check the email logs for the email address that time you can find the email subject too which will specify whether the email account is sending spam emails from it or not.

3. Addition to above command, you can use below commands too -

Checking the header of the mail -
exim -Mvh message id
Checking the body of mail - exim -
Mvb message id
4. You can check the number of emails in exim mail queue using below command -
exim -bpr | grep "<" | wc -l

When you are sure with the script or email account that it is sending the spam emails then you can take below recommended actions -

If the spamming using script is there then use below guidelines-
1. Disable the script from the server that is change it's permission to 000 with ownership as root.
2. Rename that script.

So spammer no longer use that script.

If the spamming using email account is there then then use below guidelines-
1. Reset the email account's password as soon as possible. The password should be combination of small and capital letters, numbers, special characters so it will become strong password and email account can't be hacked easily.
2. Reset the control panel's password from where you are accessing the emails.
3. If there is still spamming then it's recommended to remove the email account from server.
 

Vastor122

New member
Joined
Sep 6, 2017
Messages
5
Best answers
0
Points
0
#20
Thank you for this one! it sure is hard to always monitor all of your server Ips, but what else can you do? I've bookmarked this one also.
 
Joined
Nov 14, 2017
Messages
22
Best answers
0
Points
0
#21
Improve your firewall settings i have problems with that it can fill up your mailbox fast and can affect your acct. That can be blacklisted many programmers used php to send spams.
 

z-BO

New member
Joined
Nov 18, 2017
Messages
9
Best answers
0
Points
0
#22
Nice feed man, good way of pointing out the linking ways of spams, but I think improving security is the best defense.
 
Joined
Oct 24, 2017
Messages
6
Best answers
0
Ratings
1
Points
0
#23
Nobody likes receiving junks or spams in his/her server. Spam are just too annoying and they create some funny impressions on the receiver. Some spam messages are often found to be of help and some are sometimes useful. Some of these spam are also dangerous to the server and may affect the smooth running of the server. Some may even cause server breakdown thereby making it difficult for the administrator to have rightful and complete access on the server.
Truly, spam are unsolicited messages sent to the server. There are many ways by which spam can be sent to one's server. The most common reason among these is unprotected server which tends to attract malicious mails and are vulnerable to virus attack. Servers need to be strongly protected to filter unsolicited messages. I mentioned earlier that some of this junks are sometimes useful. The reason is that there are some mails that if one opens, they will be of good help to someone. Above all, server protection is the way out of receiving unsolicited messages which are otherwise known as junks or spam messages.
 

SenseiSteve

Web Hosting Sensei
Corporate Member
Joined
Nov 11, 2015
Messages
227
Best answers
0
Ratings
57 4
Points
28
#24
SenseiSteve
Good spam??? I think not. Maybe you're thinking of the spam where I'm told I just received $167,000,005.00 from an inheritance in Nigeria?
 
Older Threads
Latest Threads
  • Deleted
  • Deleted by Localnode
  • Reason: Wrong section
Replies
0
Views
4
  • Deleted
  • Deleted by fwh
Replies
0
Views
1
Recommended Threads
Replies
8
Views
2,292
Replies
4
Views
1,586
Replies
2
Views
151
Replies
8
Views
980

Latest Hosting OffersNew Reviews

Sponsors

Latest Blog ArticlesMost Viewed Threads

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top