Investigating a cPanel server sending spam without any entry in the mail logs


This is a journal entry describing a recent investigation of spamming on a cPanel server.

Scenario: This particular server was getting listed in RBLs quite often. On investigation, I noticed that there were no entries in the Exim mail logs that could even suggest the server was sending out spam.

Without any evidence from the server logs, a server admin has to stop for a few moments and think about how exactly someone could send spam from the server and yet leave no trace of it in the mail logs. Clearly, the spammer was not using the local mail server.

The first step should be to check the running processes.

From the ‘ps’ man page:

This argument is very helpful for a server admin to check whether the running processes are genuine or fake. Using this argument, I have been able to identify fake Apache processes (which were in fact Perl scripts/bots) that might not catch the eye otherwise.

Coming back to this case, I was skeptical about some ssh processes that were running without any pseudo-terminal.

Checking the netstat output, I could see many of these ssh processes connecting to port 25 of remote servers. The spammer was connecting from the remote IP 80.237.210.29 to this server via ssh, and sending email via telnet (as evident below).

An sshd process has no reason to connect to port 25 of a remote server (unless, of course, it is trying to send mail, or spam!)
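The two checks described above (looking for processes whose displayed name does not match what they really are, and spotting ssh processes that talk to a remote port 25 or run without a controlling terminal) can be scripted so they are repeatable on the next box that lands in an RBL. The following Python is an added example, not code from this post; its netstat and ps samples are constructed in the style of `netstat -ntp` and `ps -eo pid,ppid,tty,comm,args` (80.237.210.29 is the address named in the post, the other addresses are RFC 5737 documentation ranges), and it assumes exim is the only legitimate SMTP client on a cPanel server.

```python
"""Triage helpers for a server that sends spam without using the local MTA.

Added example. NETSTAT_SAMPLE and PS_SAMPLE are constructed in the style of
`netstat -ntp` and `ps -eo pid,ppid,tty,comm,args`; they are not output
captured from the server described in the post.
"""
import os

NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:22           80.237.210.29:51234     ESTABLISHED 2311/sshd
tcp        0      0 192.0.2.10:43210        198.51.100.7:25         ESTABLISHED 2345/ssh
tcp        0      0 192.0.2.10:43211        203.0.113.9:25          ESTABLISHED 2346/ssh
tcp        0      0 192.0.2.10:43212        198.51.100.8:25         SYN_SENT    -
tcp        0      0 192.0.2.10:43500        198.51.100.20:25        ESTABLISHED 1500/exim
tcp        0      0 192.0.2.10:80           203.0.113.44:55000      ESTABLISHED 1200/httpd
"""

PS_SAMPLE = """\
  PID  PPID TT       COMMAND         COMMAND
    1     0 ?        init            /sbin/init
 1200     1 ?        httpd           /usr/sbin/httpd -k start
 1201     1 ?        perl            /usr/sbin/httpd -k start
 1500     1 ?        exim            /usr/sbin/exim -bd -q60m
 2311  1000 ?        sshd            sshd: root@pts/1
 2340  2311 pts/1    bash            -bash
 2345  2340 ?        ssh             ./ssh
 2346  2340 ?        ssh             ./ssh
"""

# Assumption: on a cPanel box only exim should open outbound SMTP connections.
ALLOWED_SMTP_CLIENTS = {"exim", "exim4"}


def parse_netstat(text):
    """Parse `netstat -ntp` style lines into dicts; skips headers and non-TCP rows."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] not in ("tcp", "tcp6"):
            continue
        foreign, state, pidprog = parts[4], parts[5], parts[6]
        pid, _, prog = pidprog.partition("/")          # "-" when the owner is not visible
        host, _, port = foreign.rpartition(":")          # rpartition also copes with IPv6
        conns.append({
            "pid": int(pid) if pid.isdigit() else None,
            "prog": prog,
            "local_port": int(parts[3].rpartition(":")[2]),
            "foreign_host": host,
            "foreign_port": int(port) if port.isdigit() else None,
            "state": state,
        })
    return conns


def parse_ps(text):
    """Parse `ps -eo pid,ppid,tty,comm,args` output into {pid: fields}."""
    procs = {}
    for line in text.splitlines()[1:]:                   # first line is the header
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, tty, comm, args = parts
        procs[int(pid)] = {"ppid": int(ppid), "tty": tty, "comm": comm, "args": args}
    return procs


def suspicious_smtp(conns, allowed=ALLOWED_SMTP_CLIENTS):
    """Connections to a remote port 25 not owned by the MTA. A row whose owner
    netstat could not show ("-") is kept, since hiding the owner is not a reason
    to drop the finding."""
    return [c for c in conns if c["foreign_port"] == 25 and c["prog"] not in allowed]


def inbound_ssh_sources(conns):
    """Remote addresses currently connected to the local sshd (port 22)."""
    return sorted({c["foreign_host"] for c in conns if c["local_port"] == 22})


def ssh_clients_without_tty(procs):
    """An interactive ssh client normally has a pty; one with TT '?' has detached
    itself from any terminal, which is what the post found suspicious."""
    return sorted(pid for pid, p in procs.items() if p["comm"] == "ssh" and p["tty"] == "?")


def name_mismatch(procs):
    """Processes whose comm (the real executable name, truncated to 15 chars)
    differs from the program name shown in args. A Perl bot that rewrites $0 to
    look like httpd shows comm 'perl' but args '/usr/sbin/httpd ...'."""
    hits = []
    for pid, p in procs.items():
        shown = os.path.basename(p["args"].split()[0]).rstrip(":").lstrip("-")
        if shown[:15] != p["comm"]:
            hits.append(pid)
    return sorted(hits)


def report(netstat_text, ps_text):
    """Join the netstat findings with the ps view so each hit carries its tty and args."""
    conns, procs = parse_netstat(netstat_text), parse_ps(ps_text)
    findings = []
    for c in suspicious_smtp(conns):
        p = procs.get(c["pid"], {})
        findings.append({"pid": c["pid"], "prog": c["prog"],
                         "remote": f"{c['foreign_host']}:{c['foreign_port']}",
                         "tty": p.get("tty", "?"), "args": p.get("args", "<not in ps output>")})
    return findings


if __name__ == "__main__":
    for f in report(NETSTAT_SAMPLE, PS_SAMPLE):
        print(f)
    print("inbound ssh from:", inbound_ssh_sources(parse_netstat(NETSTAT_SAMPLE)))
    print("ssh clients without tty:", ssh_clients_without_tty(parse_ps(PS_SAMPLE)))
    print("name mismatches:", name_mismatch(parse_ps(PS_SAMPLE)))
```

On a live system, feed it `netstat -ntp` and `ps -eo pid,ppid,tty,comm,args` run as root, otherwise the PID/Program column is blank for processes you do not own and every outbound port 25 row shows up as owner "-". The name-mismatch check is a heuristic (login shells carry a leading "-", sshd session processes end their first token with ":", both stripped here); treat a hit as something to look at with `ls -l /proc/<pid>/exe`, not as proof on its own.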

Let us see what these ssh processes are actually doing:

There you have it. Time to clean things up:

Block the remote IP (80.237.210.29), reset the root password and the sshd port, check the authorized_keys files for unknown keys, run a rootkit scan, and so on.