Warning: 1000 emails have just been sent by admin

michcio29 (Verified User, joined Dec 2, 2017, 42 messages)
Hello,

Today I saw this in the DirectAdmin info, but I don't send any email :/ I changed passwords, updated the application, etc., and found an IP from China that modified the core.
Is this a bot? What more can I do? Thx for help.


The admin account has just finished sending 1000 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/admin.bytes file, it was found that the highest sender was [email protected], at 1105 emails.

The top authenticated user was admin, at 1105 emails.
This accounts for 110% of the emails. The higher the value, the more likely this is the source of the emails.
An authenticated username is the user and password value used at smtp time to authenticate with exim for delivery.


The most common path that the messages were sent from is /home/admin/domains/demo.xxxx/public_html/xxx, at 1000 emails (100%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

The top sending script was /home/admin/domains/demo.xxx/public_html/xxx/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php:689, at 992 emails, (99%).
Because the bulk of the emails have been sent by the script, please check it to confirm it has not been compromised.


This warning was generated because the 1000 email threshold was hit.
 
Versions?

OS?

ClamAV updated, and so much more with security flaws?

Did you ask your hoster for support?

Saved all log files externally already?

Oh yeah, to be sure, which admin? The DA admin?
 
Hello,

1. CentOS Linux release 7.4.1708 (Core)
2. 1.52.1 DA
3. Version 0.99.3
4. Yes, but very hard to help.
5. Yes
6. Yes, DA.
 
If it is an important production server, seek professional help!
(SMTALK or some others here can maybe help for a "normal" fee)
COUNTRY?

Spectre and Meltdown bug: updated CentOS kernel?

You can have a look in the mail logs to see to whom it was sent.
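The warning in the first post tallies messages per SMTP-authenticated user, and the reply above suggests reading the mail logs to see the recipients. As an added illustration (not code from the thread, DirectAdmin or Exim), here is a small Python tally over constructed Exim mainlog lines; it assumes the standard Exim log layout, where an `A=<authenticator>:<user>` field on a `<=` arrival line names the authenticated sender and `=>` lines record deliveries.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not taken from the thread).
# "<=" marks a message arrival, A=login:<user> the SMTP-authenticated
# user, and "=>" a delivery to one recipient.
SAMPLE_LOG = """\
2017-12-02 10:15:01 1eLfp8-0001aB-2F <= admin@demo.example H=localhost [127.0.0.1] P=esmtpa A=login:admin S=2210
2017-12-02 10:15:01 1eLfp8-0001aB-2F => nobody@nonexistent.example R=lookuphost T=remote_smtp
2017-12-02 10:15:02 1eLfp9-0001aC-3G <= admin@demo.example H=localhost [127.0.0.1] P=esmtpa A=login:admin S=2210
2017-12-02 10:15:02 1eLfp9-0001aC-3G => nobody@nonexistent.example R=lookuphost T=remote_smtp
2017-12-02 10:16:40 1eLfqk-0001aD-4H <= alice@demo.example H=localhost [127.0.0.1] P=esmtpa A=login:alice S=1800
2017-12-02 10:16:40 1eLfqk-0001aD-4H => bob@example.net R=lookuphost T=remote_smtp
2017-12-02 10:17:05 1eLfr3-0001aE-5J <= <> H=mx.example.org [203.0.113.9] P=esmtp S=900
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ \S+ => (?P<rcpt>\S+)")
AUTH = re.compile(r" A=[^:\s]+:(?P<user>\S+)")  # e.g. " A=login:admin"


def summarize(log_text):
    """Return (arrivals per authenticated user, deliveries per recipient)."""
    by_auth, recipients = Counter(), Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            a = AUTH.search(m.group("rest"))
            by_auth[a.group("user") if a else "(unauthenticated)"] += 1
            continue
        m = DELIVERY.match(line)
        if m:
            recipients[m.group("rcpt")] += 1
    return by_auth, recipients


def flag_senders(by_auth, threshold):
    """Users at or above threshold, mapped to (count, percent of all arrivals)."""
    total = sum(by_auth.values())
    return {u: (n, round(100 * n / total)) for u, n in by_auth.items() if n >= threshold}


if __name__ == "__main__":
    auth, rcpts = summarize(SAMPLE_LOG)
    # The thread's DirectAdmin alert fired at 1000; the sample uses 2 so it triggers.
    for user, (n, pct) in flag_senders(auth, 2).items():
        print(f"{user}: {n} messages ({pct}%)")
    for rcpt, n in rcpts.most_common(3):
        print(f"  -> {rcpt}: {n}")
```

Run it against a real mainlog by replacing `SAMPLE_LOG` with the file contents; a single authenticated user taking most arrivals, all going to one non-existent recipient, matches the pattern the thread describes.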
 
I mean the CMS core, not the CentOS core. Yes, I found it in the mail logs. This is China spam, but sent only to one email (which does not exist).
 
If it is the CMS, then also take a look at the PHPMailer versions used; there have been some security updates, and very old versions are on production systems.

For a problem with the CMS, I think it is not CentOS related?

Even so, it should not be DA related, while PHPMailer...
 