Help Please: My server is sending out spam emails




Posted by GeorgRauh, 08-23-2012, 02:17 PM
I have a VPS on CentOS running cPanel/WHM... recently it started to send out spam emails. I already have the csf firewall installed, ClamAV, SpamAssassin; yesterday I set the hourly max email to 500, disabled "nobody" for sending emails and implemented some other stuff I read online, but it keeps filling up the queue. I am running Apache with DSO by the way. Any help appreciated! (Switching to Apache with the suPHP handler would be a major issue, by the way; this should only be the last resort if nothing else helps.)

Posted by kevincheri, 08-23-2012, 03:02 PM
The best try would be to enable extended logging in exim and check through the logs. You don't really need to switch to suPHP because of this; many hosts still run shared hosting with PHP as DSO.

Posted by brianoz, 08-23-2012, 05:04 PM
Switch anyway (or to something similar); running all PHP instances as the same user is inherently and dangerously insecure. How would your users feel if they knew that every other user on the server could read their files? (at least in principle, I know open_basedir etc makes it harder) I understand there's a trade-off for performance; it's just the way it is. While you're at it read up on the Apache symlink issue.

Posted by GeorgRauh, 08-23-2012, 06:28 PM
It's not only a performance issue; I also have lots of caching going on which only works with DSO, PLUS I would likely have to correct permissions for MANY websites on my server. It wouldn't be a big deal if I only hosted one or two sites.

Posted by SPINIKR-RO, 08-23-2012, 06:45 PM
You can run a few commands which would bulk update the permissions for files and folders. Yes, you still may have a few problems but still worth it.

Posted by GeorgRauh, 08-23-2012, 08:18 PM
It looks like there is a (local) connection using mailnull (exim) via SMTP, and the host involved is one certain host on my server. Is there a way to completely disable sending mails for that certain domain? I am really not so proficient... but as it looks this is a remote connection via SMTP, so I don't need to bother looking for suspicious PHP scripts?

Posted by spykee, 08-23-2012, 10:59 PM
Look at the mail logs, see which user was authenticated at that time. Then look at the access-logs for that user, grep for POST.
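The procedure spykee describes (find which account was authenticated in the exim log at the time the spam was queued, then look at that site's access log for POST requests), worked through as an added example that is not part of this thread. It is Python rather than the shell one-liners an admin would type, so that the parsing can be checked; the exim mainlog and Apache combined-format lines are constructed samples embedded in the script, and the assumption that both logs share the server's clock is noted in the code.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample exim mainlog lines (not from the thread). A "<=" line
# records a message entering the queue: A=method:user is the SMTP AUTH login,
# U=user is the local account for locally submitted mail, P= is the protocol.
EXIM_MAINLOG = """\
2012-08-23 13:58:14 1T4aaa-0001aa-Aa <= bounce@lottery.example H=localhost (spamhost.example) [127.0.0.1] P=esmtpa A=dovecot_login:info@victimsite.example S=2310 id=a1@victimsite.example
2012-08-23 13:58:15 1T4aaa-0001ab-Ab <= bounce@lottery.example H=localhost (spamhost.example) [127.0.0.1] P=esmtpa A=dovecot_login:info@victimsite.example S=2310 id=a2@victimsite.example
2012-08-23 13:58:16 1T4aaa-0001ac-Ac <= bounce@lottery.example H=localhost (spamhost.example) [127.0.0.1] P=esmtpa A=dovecot_login:info@victimsite.example S=2310 id=a3@victimsite.example
2012-08-23 14:02:01 1T4aaa-0001ad-Ad <= alice@goodsite.example U=alice P=local S=812
2012-08-23 14:05:40 1T4aaa-0001ae-Ae <= www@victimsite.example U=nobody P=local S=2300 T="You won"
"""

# Constructed Apache combined-format lines for the suspect site's access log
# (on cPanel these live under /usr/local/apache/domlogs/<domain>).
ACCESS_LOG = """\
203.0.113.7 - - [23/Aug/2012:13:58:10 +0000] "POST /wp-content/uploads/2012/08/cache.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Aug/2012:13:58:11 +0000] "POST /wp-content/uploads/2012/08/cache.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Aug/2012:13:59:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Aug/2012:14:05:39 +0000] "POST /wp-content/uploads/2012/08/cache.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Aug/2012:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= (?P<sender>\S+) (?P<rest>.*)$')
FIELD_RE = re.compile(r'(?:^| )(?P<key>[UAPH])=(?P<val>\S+)')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def exim_arrivals(log_text):
    """Return one dict per message accepted into the queue ("<=" lines)."""
    out = []
    for line in log_text.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group('rest')))
        auth = fields.get('A', '')
        # SMTP AUTH users are logged as A=method:user; local submissions as U=user
        account = auth.split(':', 1)[1] if ':' in auth else fields.get('U', '?')
        out.append({'ts': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
                    'sender': m.group('sender'), 'account': account,
                    'proto': fields.get('P', '?')})
    return out


def top_senders(log_text):
    """Queued messages per authenticated/local account, busiest first."""
    return Counter(a['account'] for a in exim_arrivals(log_text)).most_common()


def post_requests(access_text):
    """POST count per (client IP, path); a hot path that is not a login or
    contact form is the first thing to inspect on disk."""
    counts = Counter()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group('method') == 'POST':
            counts[(m.group('ip'), m.group('path'))] += 1
    return counts.most_common()


def posts_preceding_mail(account, exim_text, access_text, window=60):
    """POSTs that were followed within `window` seconds by a message queued
    for `account`: the script being hit is the likely mailer."""
    mail_times = [a['ts'] for a in exim_arrivals(exim_text) if a['account'] == account]
    hits = Counter()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group('method') != 'POST':
            continue
        # Assumption: the access log and the mainlog use the same server clock,
        # so the timezone suffix in the access log is ignored.
        post_ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S')
        if any(post_ts <= t <= post_ts + timedelta(seconds=window) for t in mail_times):
            hits[(m.group('ip'), m.group('path'))] += 1
    return hits.most_common()


if __name__ == '__main__':
    busiest, count = top_senders(EXIM_MAINLOG)[0]
    print('busiest account:', busiest, count)
    print('POST hot spots:', post_requests(ACCESS_LOG))
    print('POSTs right before that account sent mail:',
          posts_preceding_mail(busiest, EXIM_MAINLOG, ACCESS_LOG))
```

On the constructed data the busiest account is the SMTP AUTH login info@victimsite.example, and the POSTs that land within a minute before its messages all hit one PHP file under the uploads directory, which is exactly the pattern spykee's grep is meant to surface. Run the same three functions over the real mainlog and the domain's domlog; a leaked mailbox password shows up as an A= login from unexpected client IPs with no matching POSTs, while an injected mailer script shows up as U=nobody (or the site user under suPHP) with POSTs lined up just before each queued message.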

Posted by Larry, 08-23-2012, 11:15 PM
This doesn't help resolve the issue, but is something you should consider. Once a server is sending out spam, the first thing you should do is disable all email capabilities. Shut down all mail servers (POP3 and IMAP), and shut down exim. Until you figure out how to resolve this issue, you should protect your IP's reputation, as keeping it enabled until you resolve this could lead to worse damage than disabling it now and troubleshooting. Your host could even disable your server for such a situation, so play it safe. Check all your logs afterwards. (Send all your clients notice that the server email features will be unavailable for a while.) Although if you have clients that depend on email for mission-critical projects, then I suppose this isn't an option. This is if your clients can do without email for up to 2-3 days until you figure this out. Some hosts charge for IP blacklist removal, which is why I brought this up.

Posted by cuantica, 08-23-2012, 11:15 PM
This script should be helpful if you decide to switch to suPHP; it fixes permissions and comments out php_value in .htaccess files. You should let your users know about the permissions change and modify them on those folders that require write permissions.

    #!/bin/bash
    # suPHP permissions fixes
    for user in $(ls /var/cpanel/users); do
        for site in $(ls "/var/cpanel/userdata/$user" | grep -v ".cache" | grep -v "main"); do
            # the userdata file holds a line like "documentroot: /home/user/public_html"
            docroot=$(grep "documentroot" "/var/cpanel/userdata/$user/$site")
            docrootfixed=$(echo "$docroot" | cut -d: -f2 | sed 's/^ *//')
            echo "working in docroot: $docrootfixed ..."
            # most here is ssullivan's work rephrased as a single bash script. thx scott!
            # clear php tweaks out of any .htaccess
            echo "  commenting out php tweaks from .htaccess if present..."
            find "$docrootfixed" -name .htaccess -exec sed -i 's/php_flag/#php_flag/g' {} \;
            find "$docrootfixed" -name .htaccess -exec sed -i 's/php_value/#php_value/g' {} \;
            find "$docrootfixed" -name .htaccess -exec sed -i 's/php_admin_flag/#php_admin_flag/g' {} \;
            find "$docrootfixed" -name .htaccess -exec sed -i 's/php_admin_value/#php_admin_value/g' {} \;
            # change ownership of all files and dirs to user:user
            # (chown the docroot itself so dotfiles such as .htaccess are included)
            echo "  recursively changing ownership of docroot files and folders to $user:$user..."
            chown -R "$user:$user" "$docrootfixed"
            # directories to 755 permissions
            echo "  recursively changing permissions of docroot folders to 755..."
            find "$docrootfixed" -type d -exec chmod 755 {} \;
            # change php documents to 644 permissions
            # (find -exec rather than a for loop, so file names with spaces work)
            echo "  recursively changing permissions of docroot PHP files to 644..."
            find "$docrootfixed" -type f -name '*.php' -exec chmod 644 {} \;
            echo "fixed! moving on..."
        done
    done
    echo "This is all set."

Posted by racknap1, 08-24-2012, 12:42 PM
Hi, I think your server has been compromised; you need to check your SYN_RECV status through netstat. Run this command to find out how many active SYN_REC connections are occurring on the server:

    netstat -n -p | grep SYN_REC | wc -l

The number should be pretty low, preferably less than 5. During DoS attack incidents or mail bombs, the number can jump pretty high. Find those IPs which you see making many concurrent connections and block them in your /etc/hosts.deny file, or block them with csf if you have it installed on the server:

    # csf -d xx.xx.xx.xx
    # csf -r

Posted by GeorgRauh, 08-24-2012, 01:27 PM
znetindia, right now it's 0 or 1 if I run this command. Will monitor this tho. I haven't accumulated any more mails in the last days tho. I set the offending host to only allow 1 mail/hour as well.
