1000 emails have just been sent by username

tebdilikiyafet (Verified User, joined Apr 2, 2013, 33 messages)
Code:
The myusername account has just finished sending 1000 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/myusername.bytes file, it was found that the highest sender was [email protected], at 1001 emails.

The most common path that the messages were sent from is /, at 881 emails (88%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

This warning was generated because the 1000 email threshold was hit.

Have I been hacked? How can I find the reason for this?
 
Look for emails sent by the username for which you got the message; check for their subject lines. You've probably got some exploited software set up in your domain.

Jeff
 

This is an example from my log:

Code:
2013-04-04 04:28:59 1UNYz5-0008Lx-UQ <= [email protected] U=apache P=local S=6356 T="=?UTF-8?B?xLBsYcOnIFBlZGlhIHwgRWN6YWPEsWxhciBpbGUgxLBsYcOnIEJpbGdpc2ksIA==?=  =?UTF-8?B?xLBsYcOnIFlh" from <[email protected]> for [email protected]

2013-04-04 04:29:01 1UNYz5-0008Lx-UQ SMTP error from remote mail server after RCPT TO:<[email protected]>: host gmail-smtp-in.l.google.com [173.194.69.27]: 450-4.2.1 The user you are trying to contact is receiving mail too quickly.\n450-4.2.1 Please resend your message at a later time. If the user is able to\n450-4.2.1 receive mail at that time, your message will be delivered. For more\n450-4.2.1 information, please visit\n450 4.2.1 http://support.google.com/mail/bin/answer.py?answer=6592 gc8si3815177bkc.122 - gsmtp
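Jeff's advice is to look at what the user sent and check the subject lines, and the mainlog excerpt shows the fields Exim writes on a "<=" arrival line: U= is the Unix user that submitted the message, P= the submission protocol, S= the size, T= the subject (only logged when +subject is in log_selector, as in the exim.conf fragment later in this thread). The script below is an added example, not code from the thread, DirectAdmin or Exim: it parses lines in that format, decodes the RFC 2047 encoded-word subjects, counts messages per user, protocol, sender and subject, tallies remote 4xx deferrals like the Gmail 450 above, and uses P=local versus P=esmtpa to separate the two cases discussed further down (a script on the server vs. an SMTP-authenticated client). The sample log lines, message ids, addresses and hosts are constructed; run it on a real file with `python3 exim_top_senders.py /var/log/exim/mainlog`.

```python
import re
import sys
from collections import Counter
from email.header import decode_header, make_header

# Constructed sample in Exim mainlog format (addresses, ids and hosts are made up).
# The three P=local lines imitate a PHP script posting via the sendmail interface;
# the last line is an authenticated SMTP submission (P=esmtpa).
SAMPLE_LOG = """\
2013-04-04 04:28:59 1UNYz5-0008Lx-UQ <= www@example.com U=apache P=local S=6356 T="=?UTF-8?B?Q2hlYXAgcGlsbHM=?=" from <www@example.com> for one@example.net
2013-04-04 04:29:01 1UNYz5-0008Lx-UQ SMTP error from remote mail server after RCPT TO:<one@example.net>: host mx.example.net [192.0.2.10]: 450-4.2.1 The user you are trying to contact is receiving mail too quickly.
2013-04-04 04:29:03 1UNYz6-0008M0-AB <= www@example.com U=apache P=local S=6401 T="=?UTF-8?B?Q2hlYXAgcGlsbHM=?=" from <www@example.com> for two@example.net
2013-04-04 04:29:05 1UNYz7-0008M1-CD <= www@example.com U=apache P=local S=6390 T="=?UTF-8?B?Q2hlYXAgcGlsbHM=?=" from <www@example.com> for three@example.net
2013-04-04 04:30:10 1UNYz8-0008M2-EF <= owner@example.com U=myusername P=esmtpa A=login:owner@example.com S=1200 T="Invoice March" from <owner@example.com> for client@example.org
"""

# "<=" marks a message arriving at Exim; single-letter key=value fields follow the sender.
ARRIVAL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
# A quoted value (T="...") may contain spaces and escaped quotes; others run to whitespace.
FIELD_RE = re.compile(r'\b(?P<key>[A-Z])=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
# Temporary (4xx) rejection by a remote host, like the Gmail 450 in the thread.
DEFER_RE = re.compile(
    r'^\S+ \S+ (?P<id>\S+) SMTP error from remote mail server .*: (?P<code>4\d\d)[- ]')


def parse_arrival(line):
    """Return a dict for an Exim '<=' line, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "id": m.group("id"), "sender": m.group("sender")}
    for f in FIELD_RE.finditer(m.group("rest")):
        rec[f.group("key")] = f.group("val").strip('"')
    # T= is present only with +subject in log_selector; decode RFC 2047 encoded words.
    rec["subject"] = str(make_header(decode_header(rec.get("T", ""))))
    return rec


def summarize(log_text):
    """Count arrivals per Unix user (U=), protocol (P=), sender and subject,
    plus remote 4xx deferrals per SMTP code."""
    out = {k: Counter() for k in ("by_user", "by_proto", "by_sender", "by_subject", "deferred")}
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec:
            out["by_user"][rec.get("U", "?")] += 1
            out["by_proto"][rec.get("P", "?")] += 1
            out["by_sender"][rec["sender"]] += 1
            out["by_subject"][rec["subject"]] += 1
            continue
        d = DEFER_RE.match(line)
        if d:
            out["deferred"][d.group("code")] += 1
    return out


def classify(summary):
    """Map the dominant submission protocol to the two cases in the thread:
    P=local is a local process (e.g. a PHP script calling sendmail);
    P=esmtpa/esmtpsa is an SMTP-authenticated client such as the user's PC."""
    if not summary["by_proto"]:
        return "no arrivals found"
    proto, _ = summary["by_proto"].most_common(1)[0]
    if proto == "local":
        return "local script on the server: inspect the user's web files"
    if proto in ("esmtpa", "esmtpsa"):
        return "authenticated SMTP client: inspect the user's PC for malware"
    return "other protocol: " + proto


def report(summary, top=5):
    """Render the counters as a short text report (highest counts first)."""
    lines = [f"verdict: {classify(summary)}"]
    for key in ("by_user", "by_proto", "by_sender", "by_subject", "deferred"):
        for name, n in summary[key].most_common(top):
            lines.append(f"{key:10} {n:6}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 exim_top_senders.py [/var/log/exim/mainlog]; no argument uses the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(report(summarize(text)))
```

Reading the counters the way the thread does: one repeated subject from a web-server user with P=local points at a script in that user's web files, while P=esmtpa under the user's own login points at the client that holds the password.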
 
You have to monitor the maillog from now on, until you find which script is used to send.
 
How can I find the script?
If the mail was sent authenticated, it will probably be a trojan on the user's PC at home; let him scan with Malwarebytes.

If it was a script, install the Maldet malware scanner on your server; a great howto can be found here:
http://forum.directadmin.com/showthread.php?t=45851
Scan all users' home directories with it; the command is included in the thread.

You can also check your users' public_html files to see if there is something strange in a PHP filename.
You can also check your users' public_html for base64 encrypted files:
Code:
find . -type f -exec grep -l 'base64_decode' {} \;
from within the user's public_html directory. But take care: not all PHP files with base64 in them are bad files.

Another possibility is to add some log options to Exim, so that when a spam mail returns as undeliverable you can check the headers to see which script the mail is coming from.
In /etc/exim.conf go to log_selector, and change what you have there to this:
Code:
log_selector = \
  +address_rewrite \
  +all_parents \
  +connection_reject \
  +arguments \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery
and restart Exim.

And monitor from now on, as Massive says. The mail logs you want to check are /var/log/exim/rejectlog and mainlog.

Good luck!
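The find/grep one-liner above lists every file that mentions base64_decode, and as the post says, many of those are legitimate. The scanner below is an added example, not code from the thread or from Maldet: it extends the one-liner by scoring each PHP file on several indicators seen together (base64_decode, eval(), eval() applied to decoded data, mail(), very long base64 literals, variable function calls such as $f($x)) so that an ordinary base64 use ranks low and a decode-and-eval mailer ranks high. The two PHP snippets, the indicator weights, the minimum score and the file names are constructed for the demo, and the "suspect" snippet is inert (its base64 payload decodes to "AAA"). Point it at a real tree with `python3 scan_b64.py /path/to/public_html`; with no argument it scans the constructed demo tree.

```python
import os
import re
import tempfile

# Indicators scored together. A lone base64_decode (e.g. decoding an inline image) is weak
# evidence; eval() of decoded data is strong. The weights are an assumption for this example.
INDICATORS = {
    "base64_decode":    (1, re.compile(r'\bbase64_decode\s*\(', re.I)),
    "eval":             (2, re.compile(r'\beval\s*\(', re.I)),
    "eval_of_decoded":  (4, re.compile(r'\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(', re.I)),
    "mail_call":        (1, re.compile(r'\bmail\s*\(', re.I)),
    "long_b64_literal": (2, re.compile(r'[\'"][A-Za-z0-9+/]{200,}={0,2}[\'"]')),
    "dynamic_call":     (2, re.compile(r'\$\w+\s*\(\s*\$\w+')),
}
PHP_EXT = (".php", ".phtml", ".php5", ".phps")


def score_php(text):
    """Return (score, [indicator names]) for one file's contents."""
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][0] for h in hits), hits


def scan_tree(root, min_score=3):
    """Walk a public_html tree; return [(score, path, hits)] for PHP files scoring
    at least min_score, highest score first. Unreadable files are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            score, hits = score_php(text)
            if score >= min_score:
                findings.append((score, path, hits))
    return sorted(findings, key=lambda f: -f[0])


# Constructed PHP snippets for the demo (not real malware; 'QUFB' decodes to 'AAA').
BENIGN_PHP = (
    "<?php\n// legitimate use: serve an inline image stored as base64\n"
    "$img = base64_decode($logo_b64);\nheader('Content-Type: image/png');\necho $img;\n"
)
SUSPECT_PHP = (
    "<?php\neval(base64_decode('QUFB'));\nmail($to, $subject, $body, $headers);\n"
)


def demo():
    """Write the two constructed files into a temporary tree, scan it, and return
    findings with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "logo.php"), "w") as fh:
            fh.write(BENIGN_PHP)
        with open(os.path.join(root, "wp-content", "uploads", "cache.php"), "w") as fh:
            fh.write(SUSPECT_PHP)
        return [(score, os.path.relpath(path, root), hits)
                for score, path, hits in scan_tree(root)]


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for score, path, hits in results:
        print(f"{score:3}  {path}  {','.join(hits)}")
```

Treat the output as a ranked list of files to read by hand, not as a verdict; a signature-based scanner such as the Maldet the post recommends is the better tool for known malware, and this scoring only helps decide where to look first.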
 