
How To Find Spammers In A cPanel Server?

cPanel is the most widely used web hosting control panel in the hosting industry, and one of the most common problems we see on cPanel servers is spamming. Spam can originate from a mail server in several ways. It is the single most common abuse issue in web hosting, and it gets the server's IP addresses blacklisted on the various RBLs.
Spamming means sending many copies of the same message in an attempt to force it on recipients who did not ask for it.

In most cases, the attackers exploit vulnerabilities in the code of our websites: WordPress, Joomla, and their plugins and themes.

Different types of spamming

1. Account compromised.

2. Spamming through scripts.

Account Compromised

In some cases, the spammer gains access to a mail account by guessing the credentials or by some other means. Resetting the password to a strong one and educating the customer to avoid common passwords are two ways to prevent this kind of spamming. Clearing the mail queue after a reboot and restarting exim to disconnect all current connections to the server also help to secure it.

Spamming through scripts

Spamming scripts mainly affect accounts that run a CMS (content management system) such as WordPress or Joomla. The attacker typically exploits a vulnerability in the application to upload or abuse a mailing script.

Steps to find out the spamming script

We can analyze the exim logs to find the spammer on the server, because every email sent from the server is logged.

The following steps show how to find the spam source on your server and how to deal with it.

Step 1. Log in to the server as root via SSH.

Step 2. Run the following command to pull the most used mailing script locations out of the exim mainlog (on cPanel it is /var/log/exim_mainlog):

# grep "cwd=" /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

What each part of the pipeline does:

grep -v /var/spool is an inverted match, so it drops every line whose working directory starts with /var/spool. Those are normal exim deliveries, not mail sent from a script.

# awk -F"cwd=" '{print $2}' | awk '{print $1}'

The first awk uses cwd= as the field separator and prints the second field (everything after cwd=); the second awk prints only the first whitespace-separated column of that, so we get back just the script path.

# sort | uniq -c | sort -n

Sort the script paths by name, count each unique path, and sort the counts numerically from lowest to highest.

The search result will be something like this.

18 /home/userna/public_html/about-us
28 /home/userna/public_html
1006 /home/userna/public_html/data

The results show that /home/userna/public_html/data has more deliveries than the other directories.

Please run the following command to find out what scripts are located in that directory.

ls -lahtr /home/userna/public_html/data

The result will look like this:

drwxr-xr-x 17 userna userna 4.0K Jan 20 10:25 ../
-rw-r--r--  1 userna userna 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x  2 userna userna 4.0K Jan 20 11:27 ./

We can see that there is a script called mailer.php under the account "userna".

Since mailer.php is the script handing mail to exim, we can now look at the Apache access log to see which IP addresses are requesting it, using the following command:

grep "mailer.php" /home/userna/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
7860 123.123.123.123

We can see that the IP address 123.123.123.123 was abusing our mailer script. If we find any IP address sending a high volume of email through a script, we need to block that IP on the server firewall so that it cannot connect to the server again.

This can be accomplished with the following command:

ip route add blackhole 123.123.123.123    (no third-party firewall: null-route the address)

csf -d 123.123.123.123    (if you have CSF)
apf -d 123.123.123.123    (if you have APF)
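The two log-analysis pipelines from Steps 2 and 4, wrapped in shell functions and run against constructed sample log lines so you can try them offline. This is an added example, not part of the original post; the log excerpts, the user name "userna", the paths and the IP addresses are all made up.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the exim mainlog and
# Apache access-log pipelines on constructed sample data embedded below.

# Constructed excerpt in exim_mainlog format. On a real cPanel server you
# would feed /var/log/exim_mainlog (assumed standard path) instead.
EXIM_SAMPLE='2019-05-13 10:25:01 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2019-05-13 10:26:02 cwd=/home/userna/public_html/data 4 args: /usr/sbin/sendmail -t -i
2019-05-13 10:26:03 cwd=/home/userna/public_html/data 4 args: /usr/sbin/sendmail -t -i
2019-05-13 10:26:04 cwd=/home/userna/public_html 4 args: /usr/sbin/sendmail -t -i
2019-05-13 10:26:05 cwd=/home/userna/public_html/data 4 args: /usr/sbin/sendmail -t -i'

# Constructed Apache access-log lines (combined log format).
ACCESS_SAMPLE='123.123.123.123 - - [13/May/2019:10:26:02 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.64"
123.123.123.123 - - [13/May/2019:10:26:03 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.64"
123.123.123.124 - - [13/May/2019:10:26:04 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [13/May/2019:10:26:05 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/7.64"'

# Step 2: count the working directory of each script-originated delivery,
# skipping normal exim deliveries under /var/spool. Output: "<count> <dir>",
# ascending, so the worst offender is the last line.
count_script_dirs() {
    grep 'cwd=' | grep -v /var/spool |
        awk -F'cwd=' '{print $2}' | awk '{print $1}' |
        sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Step 4: count client IPs that requested the script named in $1.
count_script_ips() {
    grep "$1" | awk '{print $1}' | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Convenience wrappers that return just the top directory / top IP.
top_script_dir() { printf '%s\n' "$EXIM_SAMPLE" | count_script_dirs | tail -n 1 | awk '{print $2}'; }
top_script_ip()  { printf '%s\n' "$ACCESS_SAMPLE" | count_script_ips "$1" | tail -n 1 | awk '{print $2}'; }

# Stand-alone run: print both count tables.
printf '%s\n' "$EXIM_SAMPLE" | count_script_dirs
printf '%s\n' "$ACCESS_SAMPLE" | count_script_ips mailer.php
```

On a real server, replace the two sample variables with the actual log files and pipe them into the same functions; the blocking commands above are then applied to the IP that `top_script_ip` reports.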

Hopefully, you have learned how to use the exim mail log to see which scripts on your server are generating the most email activity, how to check whether that activity is malicious, and how to stop it.
