Full Version: A BIG spam problem
The Planet Forums > Control Panels > cPanel/WHM
duran2003
Hi Guys,

I have a BIG problem - a SPAMMER is using one of my servers to send thousands of emails. I really don't know how. I have tried everything, all solutions, and I simply cannot identify how this SPAMMER is sending those emails. The SPAMMER continues to use this server.

Please, I really need help.

This is a mail header (sent to me by my DC - ThePlanet):

Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma05.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA058-8ae4647a2e785; Sun, 13 May 2007 19:44:42 -0400
Received: from ypwhw (240.55.175.245)
by ssl.lx8server.com; Sun, 13 May 2007 20:44:32 -0300
Date: Sun, 13 May 2007 20:44:32 -0300
From: <amyr@compuvision.net>
X-Mailer: The Bat! (v2.01)
Reply-To: <20maxcandy@hotmail.com>
X-Priority: 3 (Normal)
Message-ID: <39425751.20060609052006@compuvision.net>
To: redacted@aol.com
Subject: =?iso-8859-5?B?ZnJlZSB2YWNhbmN5?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------3F5DDCD38AAF7"
X-AOL-IP: 209.62.14.18


Other:

Return-Path: <noreply@site.careerbuilder.com>
Received: from rly-ma07.mail.aol.com (rly-ma07.mail.aol.com [172.20.116.51]) by air-ma06.mail.aol.com (v115.11) with ESMTP id MAILINMA061-8be4648c5301bb; on, 14 May 2007 16:23:36 -0400
Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma07.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA078-8be4648c5301bb; Mon, 14 May 2007 16:23:12 -0400
Received: from askepy (237.83.205.19)
by ssl.lx8server.com; Mon, 14 May 2007 17:23:05 -0300
Date: Mon, 14 May 2007 17:23:05 -0300
From: <noreply@site.careerbuilder.com>
X-Mailer: The Bat! (v2.01)
Reply-To: <noreply@site.careerbuilder.com>
X-Priority: 3 (Normal)
Message-ID: <16100012.20060911152825@site.careerbuilder.com>
To: redacted@aol.com
Subject: =?iso-8859-5?B?Q2FyZWVyQnVpbGRlci5jb20g?=
=?iso-8859-5?B?Sm9iIE1hdGNoZXM6IEVuam95?=
=?iso-8859-5?B?IHdvcmtpbmcgaW4gYSBjaGFs?=
=?iso-8859-5?B?bGVuZ2luZyBhbmQgcmV3YXJk?=
=?iso-8859-5?B?aW5nIGVudmlyb25tZW50Lg==?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------F3712F2DB5"
X-AOL-IP: 209.62.14.18


Other:

Return-Path: <no_reply@paypal.com>
Received: from rly-ma04.mail.aol.com (rly-ma04.mail.aol.com [172.20.116.48]) by air-ma10.mail.aol.com (v115.11) with ESMTP id MAILINMA102-8a1464a9134297; Wed, 16 May 2007 01:06:13 -0400
Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma04.mail.aol.com (v115.11) with ESMTP id MAILRELAYINMA043-8a1464a9134297; Wed, 16 May 2007 01:05:56 -0400
Received: from wkqsiq (159.213.21.132)
by ssl.lx8server.com; Wed, 16 May 2007 02:05:44 -0300
Message-ID: <007f01c4a93f$ab84947d$473ffb22@wkqsiq>
Reply-To: <no_reply@paypal.com>
From: <no_reply@paypal.com>
To: redacted@aol.com
Subject: =?iso-8859-5?B?UGF5UGFsIEZyYXVkIE1lZGlh?=
=?iso-8859-5?B?dGlvbiBSZXF1ZXN0KEFsZXJ0?=
=?iso-8859-5?B?SUQgQ09ERTo=?=
Date: Wed, 16 May 2007 02:05:44 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0072_01C4FB22.473F947D"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-AOL-IP: 209.62.14.18


This server has:

WHM 10.8.0 cPanel 10.9.0-S9966
RedHat Enterprise 4 i686 - WHM X v3.1.0


PHPsuexec, nobody doesn't send emails, I have ACL and RBL rules, ConfigServer Firewall, etc. At this moment I cannot send emails to AOL and HOTMAIL (I am blocked). Root access is fine I believe (I executed chkrootkit and rkhunter, no problems found).

I need help - Thanks for all!!!
solokron
There are others that can be more informational about this but I'll offer what I can.

There are many methods used to help enhance tracking down the spammer and many ways of tracking him/her down in Exim. In cases where the spammer is bypassing Exim you will need to use other methods.


Tweak settings, enable

Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)

Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

Set a limit to the maximum a domain can send per hour.

Uncheck use formmail clone.


Exim Configuration Editor, Advanced Editor

Add this somewhere in the first box of your Exim config. This will enhance your mail logs:
log_selector = +arguments +subject

Check accounts

Often it is a new account on the system or an account running a popular but outdated version of a script, phpbb for example.



Ok now the fun part, tracking.
If you have the above options enabled it will help in tracking down the spammer.

Check your mail queue. If it is packed with messages with long distribution lists check for domain information in headers.

Check Service Status, CPU/Memory/MySQL Usage in WHM. Often you can find the compromised or placed script loading down the server right there.


If you can get a bounceback email, all the better to track down with. You have the header information there, so you can start grepping your logs for some of those email addresses.

Commands:
grep 'sentemail@domain.com' /var/log/exim_mainlog

If you can pull a message id from this:
grep 'E1D3lpG-0004Tv' /var/log/exim_mainlog >look_at_this_file

Another option is to actively tail the exim_mainlog

tail -f /var/log/exim_mainlog

Chirpy's ConfigServer Security & Firewall has some great spam tracking tools in it as well. It appears you are using it so you should enable those features.


You can also run top from an SSH session to monitor active scripts.

If it is a relay, track down the IP via:
cat /etc/relayhostsusers >> ippopusers.txt


That's all I can think about at the moment.
solokron
I would start with the newest, as you are more likely to find that.

grep '007f01c4a93f$ab84947d$47' /var/log/exim_mainlog >trackmessageid.txt

grep 'UGFsIEZyYXVkIE1lZGlh' /var/log/exim_mainlog >tracksubject.txt

Adding all the above features listed previously will definitely provide more information to help you track the spammer better.
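The grep approach in the two replies above, as an added example that is not from the thread, from cPanel or from ConfigServer: it reads the Received hop that ssl.lx8server.com itself stamped (in all three posted headers that hop shows the mail arriving from an outside address), then pulls the matching Exim "<=" arrival records by client IP and tallies submissions per client IP and authenticated user, which is what separates a relay through an authenticated or pop-before-SMTP account from a script running locally on the box. The exim_mainlog lines, the account joe@example-customer.com and the IP 203.0.113.5 are constructed placeholders; the header lines are copied from the first message in the thread.

```python
import re
from collections import Counter

# Constructed samples: hop lines from the thread's first header, plus exim_mainlog
# arrival/delivery lines with a placeholder account and a documentation-range MX IP.
SAMPLE_HEADERS = (
    "Received: from ssl.lx8server.com (ssl.lx8server.com [209.62.14.18]) by rly-ma05.mail.aol.com; Sun, 13 May 2007 19:44:42 -0400\n"
    "Received: from ypwhw (240.55.175.245)\n"
    "\tby ssl.lx8server.com; Sun, 13 May 2007 20:44:32 -0300\n"
    "Message-ID: <39425751.20060609052006@compuvision.net>\n"
)
SAMPLE_LOG = [
    '2007-05-13 20:44:32 1HnRzA-0001x1-2h <= amyr@compuvision.net H=(ypwhw) [240.55.175.245] P=esmtpa'
    ' A=login:joe@example-customer.com S=2345 id=39425751.20060609052006@compuvision.net T="free vacancy"',
    '2007-05-13 20:44:33 1HnRzA-0001x1-2h => redacted@aol.com R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.5]',
    '2007-05-14 17:23:05 1HnmAr-0003Qx-Lk <= noreply@site.careerbuilder.com H=(askepy) [237.83.205.19] P=esmtpa'
    ' A=login:joe@example-customer.com S=3012 id=16100012.20060911152825@site.careerbuilder.com T="CareerBuilder.com Job Matches"',
    '2007-05-14 18:00:00 1HnmlP-0003Rz-0b <= joe@example-customer.com U=joe P=local S=812 T="Weekly newsletter"',
]
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
AUTH = re.compile(r" A=\S+?:(\S+)")   # Exim logs SMTP AUTH as A=<authenticator>:<user>

def unfold(raw):
    """Join RFC 2822 continuation lines so every header is a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def first_hop_ip(raw, our_host="ssl.lx8server.com"):
    """IP in the Received line our own server stamped: whoever handed the mail to the relay."""
    for line in unfold(raw).splitlines():
        if line.startswith("Received:") and " by " + our_host in line:
            m = re.search(r"\((?:[^()]*\[)?(" + IPV4 + r")\]?\)", line)
            if m:
                return m.group(1)
    return None

def arrivals_from(log_lines, ip):
    """Exim '<=' arrival records from one client IP as (exim id, auth user, Message-ID)."""
    out = []
    for line in log_lines:
        if " <= " in line and "[" + ip + "]" in line:
            auth, msgid = AUTH.search(line), re.search(r" id=(\S+)", line)
            out.append((line.split()[2], auth and auth.group(1), msgid and msgid.group(1)))
    return out

def submissions_by_source(log_lines):
    """Count arrivals per (client IP or 'local', authenticated user or 'none')."""
    counts = Counter()
    for line in log_lines:
        if " <= " in line:
            ip, auth = re.search(r"\[(" + IPV4 + r")\]", line), AUTH.search(line)
            counts[(ip.group(1) if ip else "local", auth.group(1) if auth else "none")] += 1
    return counts
```

A single account showing up behind many unrelated client IPs in the tally is the pattern to look for; the exim id returned by arrivals_from is what to feed back into the grep from the reply above.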
solokron
Ahh and if you get really desperate there is always:
http://www.configserver.com/cp/exploit.html

He is in the UK so sometimes you may have to deal with the time difference of availability.