Primary Hostname Sending spam

Operating System & Version
CentOS 7.9
cPanel & WHM Version
102.0.8
Jul 7, 2006
Hi,

Recently deployed a cPanel server. We noticed a great deal of spam coming from the server hostname.
Server hostname : ns1.wizkidhosting.com

A snippet of exim_mainlog

2022-04-25 08:22:24 1nimUi-0000ST-0I <= [email protected] H=(ns1.domain.com) [127.0.0.1]:57276 P=esmtp S=24112 id=[email protected] T="You appeared in 4 searches this week" for [email protected]
2022-04-25 08:22:24 SMTP connection from (ns1.domain.com) [127.0.0.1]:57276 closed by QUIT
2022-04-25 08:22:24 1nimUi-0000SU-1m <= [email protected] H=(ns1.domain.com) [127.0.0.1]:57278 P=esmtp S=23834 id=[email protected] T="You appeared in 5 searches this week" for [email protected]


Any insights much appreciated.
 
Hi @quietFinn,

Yep, but I can say that these accounts are non-existent and keep changing all the time; in fact ns1.wizkidhosting.com is the primary domain and does not have a default mailbox.
 

quietFinn

Well-Known Member
Feb 4, 2006
Finland
cPanel Access Level
Root Administrator
There is no such thing as a "primary domain"; in the exim log you can see the usernames the mails are sent from (i.e. from USERNAME@HOSTNAME).
If those users are not cPanel users I'd think that your server is compromised.
Check what users you have in /home directory.
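One way to automate quietFinn's check, as an added example that is not code from the thread: parse the Exim "<=" arrival lines, keep the ones injected from 127.0.0.1 as USER@hostname, and report every USER that is not a cPanel account. The sample log lines and the account names are constructed placeholders; on the server itself load_home_users() reads the account names from /home as suggested above.

```python
import os
import re
from typing import Dict, List, Set

# Constructed sample modelled on the exim_mainlog snippet in the thread (placeholder
# addresses, not real ones): two localhost injections from random usernames, one from a
# real account, one remote delivery, and a QUIT line that is not an arrival record.
SAMPLE_LOG = """\
2022-04-25 08:22:24 1nimUi-0000ST-0I <= xk3f9@ns1.example.com H=(ns1.example.com) [127.0.0.1]:57276 P=esmtp S=24112 T="You appeared in 4 searches this week" for a@example.net
2022-04-25 08:22:24 SMTP connection from (ns1.example.com) [127.0.0.1]:57276 closed by QUIT
2022-04-25 08:22:24 1nimUi-0000SU-1m <= qq7z2@ns1.example.com H=(ns1.example.com) [127.0.0.1]:57278 P=esmtp S=23834 T="You appeared in 5 searches this week" for b@example.net
2022-04-25 08:30:01 1nimUj-0000SV-2a <= bob@ns1.example.com H=(ns1.example.com) [127.0.0.1]:57300 P=esmtp S=1200 T="weekly report" for boss@example.net
2022-04-25 08:31:00 1nimUk-0000SW-3b <= alice@example.org H=(mail.example.org) [203.0.113.5]:2525 P=esmtps S=900 T="hello" for bob@ns1.example.com
"""

# Exim "<=" arrival line: timestamp, message id, envelope sender, HELO name, source IP.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"
)

def parse_arrivals(log_text: str) -> List[Dict[str, str]]:
    """One dict per '<=' line; QUIT, delivery and other line types are skipped."""
    return [m.groupdict() for m in map(ARRIVAL_RE.match, log_text.splitlines()) if m]

def suspicious_local_senders(log_text: str, hostname: str, known_users: Set[str]) -> List[str]:
    """Senders injected via 127.0.0.1 as USER@hostname where USER is not a real account.
    Remote submissions are ignored: the symptom in the thread is local injection."""
    flagged = []
    for row in parse_arrivals(log_text):
        local, _, domain = row["sender"].partition("@")
        if row["ip"] == "127.0.0.1" and domain.lower() == hostname.lower() \
                and local not in known_users:
            flagged.append(row["sender"])
    return flagged

def load_home_users(home: str = "/home") -> Set[str]:
    """On the server: account names are the directory names under /home (quietFinn's check)."""
    return {d for d in os.listdir(home) if os.path.isdir(os.path.join(home, d))}

if __name__ == "__main__":
    accounts = {"bob", "alice"}  # constructed; on a real box use load_home_users()
    for s in suspicious_local_senders(SAMPLE_LOG, "ns1.example.com", accounts):
        print("sender not backed by a cPanel account:", s)
```

Anything flagged points at whatever is talking to the local MTA on 127.0.0.1 (typically a script under a web account), which is where to look next rather than at the mailboxes themselves.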
 

Spirogg

Well-Known Member
Feb 21, 2018
chicago
cPanel Access Level
Root Administrator
@philwebservices

When I tried to access your site I got this in my browser:

Website blocked due to a Trojan
Your Malwarebytes Premium blocked this website because it may contain a Trojan.

We strongly recommend you do not continue.

@quietFinn seems to be correct; you are compromised, unfortunately.
 