Outbound emailing - exim processes??

Artashes

Administrator
Staff member
One of my sites was suspended yesterday for what the technical department called "spam", or "outbound emailing". Obviously, it came as a shock since I am the only one with access and I know that I do not spam, nor do I really send that many emails to even qualify for mass mailing. Anyways, further investigation today and I finally got an explanation back. Well, sort of half of an explanation. They said "Your mailing caused the server to crash again by exim processes. You need to check your site for this issue".

Now, to speed up the process of recovery since this is all the information I got to this point, can someone explain to me where to look for these "exim processes", and better yet, how do I stop whatever is being sent (mailing-wise) from taking place?

Appreciate any info.

Best,
 
lowesthost, thanks for your reply. I do seem to have access to the server, not sure if it is root though.

They did in fact tell me today "It seems it is coming from one of your php pages that is being exploited to generate the emails", which frustrated me even further because the site in question is static (HTML pages). We had some additional parts of the site dynamically built (scripts like forum and lyrics engine), but they were deleted a long time ago.

Any other ideas?
 
Art, if you have root access and can log on with an SSH client, try the following commands.

find / -name "[Ff]orm[mM]ai*"
This command will look through your server to see if any form mail is being used. Form mail is easy to exploit. (copy and paste the whole command including quotations)

You can also check for CGI mailing programs using the following command:
find / -name "[Cc]giemai*"

If you are not using any form mail but some show up you can use the following command to disable form mail inserting the path that shows up in your search:

chmod a-rwx /path/to/filename
 
Mike, by "form mail" you mean simple web-based mailing forms that are used, for example, to send site feedback, submit a ticket or contact site webmasters?

If yes, then how is it possible to abuse those systems since they only work toward incoming mail traffic, not outgoing? It's quite impossible to email from some server (POP account) without knowing the account password? Or are passwords a thing of the past? :)
 
Unless the form is configured to send mail only to accounts on the server, they can be breached fairly easily, Art.
That's not to say that all forms are vulnerable, but it would be worth checking into.
 
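An added example, not posted by anyone in this thread, that turns Mike's two `find` patterns and his point about recipients into a small sh script: it lists form-mail and cgiemail scripts under a web root, flags PHP ones whose `mail()` recipient comes straight from the request (the configuration Mike warns about), and wraps the `chmod a-rwx` step. The `mail\(\$_POST` grep is a heuristic I am assuming here; the page only says such forms are "easy to exploit".

```shell
#!/bin/sh
# Added example (not from the thread). Requires POSIX sh, find, grep, chmod.
# Usage: . ./mailform_check.sh; scan /var/www   (defaults to / like the thread)

# List candidate form-mail / cgiemail scripts under $1, using the thread's
# two filename patterns; errors for unreadable dirs are silenced.
find_mail_forms() {
    root="${1:-/}"
    find "$root" -type f \( -name "[Ff]orm[mM]ai*" -o -name "[Cc]giemai*" \) \
        2>/dev/null
}

# Heuristic (assumption): a PHP script whose mail() recipient is taken from
# request input, e.g. mail($_POST['recipient'], ...), can be pointed at any
# address, which is the "not only to accounts on the server" case above.
# Prints the names of the given files that match.
flag_user_recipient() {
    grep -lE 'mail\([[:space:]]*\$_(POST|GET|REQUEST)' "$@" 2>/dev/null
}

# Disable a script the way the thread suggests: strip all permissions.
disable_script() {
    chmod a-rwx "$1"
}

# Report every candidate, marking the ones that fail the recipient check.
scan() {
    root="${1:-/}"
    find_mail_forms "$root" | while IFS= read -r f; do
        if flag_user_recipient "$f" >/dev/null; then
            echo "RISK: $f (mail() recipient taken from request input)"
        else
            echo "FOUND: $f (review manually)"
        fi
    done
}
```

Run `scan` first and only call `disable_script` on paths you have confirmed are not legitimately in use, since a site's real contact form will show up as FOUND too.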