Hacker spamming with exim

paisley (Verified User, joined Aug 17, 2013, 60 messages)
Hello,

I have a client on my server; he has one website with WordPress and also one e-mail account.
The problem is that I think he is hacked, and now the hacker keeps spamming.

I have been searching in the logs:
2014-01-15 23:38:07 1W2hgE-0006td-P1 ** ***@.com <*****@***.com> F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data
2014-01-15 23:38:17 1W2fJE-0005lF-Do Unfrozen by errmsg timer
2014-01-15 23:38:17 1W2fJE-0005lF-Do ** ***@*****.com F=<> R=virtual_aliases:
2014-01-15 23:38:17 1W2fJE-0005lF-Do newname@*****.com: error ignored
2014-01-15 23:38:17 1W2fJE-0005lF-Do Completed

I think he is creating his own e-mail address, but without it showing in DirectAdmin.
I have also updated my Exim to version 4.82.
I have also scanned all his files with ClamAV: no result.

And I installed /.php/mail.log, but it stays empty, so he is not sending via the website, I think (like mail()).
Can somebody help me out?

I also see this in the Exim panic log: "User 0 set for local_delivery transport is on the never_users list". What is it?
You must have an infected website, or they guessed someone's password.
 
mod_sec with a set of good rules.

Check the frequency of the spam. See if the spammer is using a shell. They don't need an account or even to log in nowadays to spam via ssh. Just shut down the service for a while to see if it magically stops.
 
Don't mess with mod_sec until you have enough experience with it. It can break more than it repairs if you don't know what you are doing.

User 0 set for local_delivery transport is on the never_users list what is it ?
User 0 is root. Root is on the never_users list of Exim. Mostly system messages could be sent from root. You can put an alias for root.
For example, edit your /etc/aliases and put this in:
root: [email protected]
and restart Exim. That email address must be an existing one. You will receive the messages which would be sent to root in that account.

It could also be that the computer of the user is infected with a trojan which stole the password. We had it a couple of times with some users last year.
Change the password of the email account used. If it starts again soon, then his PC might really be infected. Let him run things like Malwarebytes or AdwCleaner, or let him contact a forum or company with knowledge of that stuff.

Next to that, change some stuff in Exim so you will have a better idea where it's coming from; you can see that in mails which come back, or just look in some mails which are still hanging in the mail queue.
Edit your /etc/exim.conf, find log_selector and add these selectors to it if not present already (the setting then looks like this):
Code:
log_selector = \
  +connection_reject \
  +address_rewrite \
  +all_parents \
  +arguments
Restart Exim.

If not present, it would also be nice to have a firewall like CSF/LFD present.
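Two pieces of advice in this thread, checking how often the spam arrives and whether it comes through a shell or script, and turning on extra Exim logging so the origin becomes visible, both end in the same task: reading the mainlog and counting where the arrivals come from. The script below is an added example written for this thread, not code from any poster or from Exim. It assumes the default Exim mainlog layout: an arrival line carries "<=", the envelope sender, and key=value fields (A= the authenticated SMTP login, which points at a stolen mailbox password; U= the local submitting user, which points at a script such as PHP mail() running as the web server user; P= protocol; H= the connecting host with its [ip]), and a failed bounce carries "**" together with the empty sender F=<>, like the lines quoted in the first post. The SAMPLE_LOG lines are constructed for the example.

```python
"""Summarise Exim mainlog arrivals to see where a burst of mail originates.

Added example, not code from the thread. Assumes the default Exim mainlog
line formats described in the lead-in; SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter

# Constructed sample: four authenticated submissions from one account, one
# local submission by the web server user, one from another account, and
# two failed bounces (F=<>) in the shape seen in the original post.
SAMPLE_LOG = """\
2014-01-15 23:30:01 1W2fJE-0005lF-Do <= alice@example.net H=(lap) [203.0.113.7] P=esmtpa A=login:alice@example.net S=1201
2014-01-15 23:30:02 1W2fJE-0005lG-Aa <= alice@example.net H=(lap) [203.0.113.7] P=esmtpa A=login:alice@example.net S=1199
2014-01-15 23:30:03 1W2fJE-0005lH-Bb <= alice@example.net H=(lap) [203.0.113.7] P=esmtpa A=login:alice@example.net S=1205
2014-01-15 23:30:04 1W2fJE-0005lI-Cc <= alice@example.net H=(lap) [203.0.113.7] P=esmtpa A=login:alice@example.net S=1210
2014-01-15 23:31:10 1W2fJE-0005lJ-Dd <= www-data@host.example U=www-data P=local S=2048
2014-01-15 23:32:11 1W2fJE-0005lK-Ee <= bob@example.net H=(mail) [198.51.100.9] P=esmtpa A=login:bob@example.net S=900
2014-01-15 23:38:07 1W2hgE-0006td-P1 ** victim@example.org <victim@example.org> F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data
2014-01-15 23:38:17 1W2fJE-0005lF-Do ** newname@example.net F=<> R=virtual_aliases: error ignored
"""

# "<date> <time> <message-id> <= <sender> <fields...>"
ARRIVAL = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
# A=, U= and P= fields; the lookbehind stops "S=" or text inside H=(...) from matching.
FIELD = re.compile(r"(?<!\S)(?P<key>[AUP])=(?P<val>\S+)")
IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")
# A bounce (empty envelope sender F=<>) whose delivery itself failed ("**").
FAILED_BOUNCE = re.compile(r"^\S+ \S+ \S+ \*\* .* F=<>(?: |$)")


def summarize(log_text):
    """Count arrivals per authenticated login, local user, client IP and sender."""
    summary = {
        "arrivals": 0,
        "failed_bounces": 0,
        "by_auth": Counter(),        # A=login:user -> stolen mailbox password?
        "by_local_user": Counter(),  # U=user with P=local -> script on the box?
        "by_ip": Counter(),
        "by_sender": Counter(),
    }
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            summary["arrivals"] += 1
            summary["by_sender"][m.group("sender")] += 1
            fields = dict(FIELD.findall(m.group("rest")))
            if "A" in fields:
                summary["by_auth"][fields["A"]] += 1
            if "U" in fields:
                summary["by_local_user"][fields["U"]] += 1
            ip = IP.search(m.group("rest"))
            if ip:
                summary["by_ip"][ip.group("ip")] += 1
        elif FAILED_BOUNCE.search(line):
            # Piles of failed bounces are the backscatter of a spam run.
            summary["failed_bounces"] += 1
    return summary


def suspicious(summary, threshold=3):
    """Return (category, key, count) for every origin at or above the threshold."""
    hits = []
    for category in ("by_auth", "by_local_user", "by_ip", "by_sender"):
        for key, count in summary[category].most_common():
            if count >= threshold:
                hits.append((category, key, count))
    return hits


def report(summary, threshold=3):
    """Plain-text report of the counters and the origins worth a closer look."""
    lines = [f"arrivals={summary['arrivals']} failed_bounces={summary['failed_bounces']}"]
    for category, key, count in suspicious(summary, threshold):
        lines.append(f"{category}: {key} -> {count} messages (>= {threshold})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a real server you would read /var/log/exim/mainlog instead.
    print(report(summarize(SAMPLE_LOG)))
```

On the constructed sample the report singles out the login alice@example.net, its client IP and its sender address, which is the stolen-password case from the thread; a spike under by_local_user for the web server account would instead point at a script on the website, which the empty PHP mail log in the first post argues against. The threshold is a knob to set from the normal volume of the account, not a fixed rule.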
 