Hello
thank you all.
Unluckly cPanel enviroment allows the usage of /usr/sbin/sendmail as alternative to
SMTP auth , so the hacker is free to use sendmail to send out spam.
And sendmail is not a symlink (is a binary) and if I replace it with a bash script , cPanel will fix it with the daily update so it's not a solution.
So , there is no way to configure exim.conf to block outgoing email sent from
cwd=/home/nordic/public_html
?
In this case if the customer is not online to fix his CMS , I need to change permissions in
/home/nordic/public_html to stop the outgoing activity . This is not a good solution because in this was his site will be off line.
For this reason I'm searching a way to block only the email sent from cwd=/home/nordic/public_html
Thank you
Graziano
> On Sat, Aug 03, 2019 at 09:25:29AM +0200, DL via Exim-users wrote:
>> Sometimes one of these accounts using a CMS get hacked, and the hacker is able to send out spam email using a CMS php vulnerability.
>> When it happens I see hundred of rows like this below in EXIM log:
>>
>> 2019-07-29 06:40:30 cwd=/home/nordic/public_html 4 args: /usr/sbin/sendmail -t -i -p125
>>
>> My question is, may I configure temporarily exim.conf to block any email sent from:
>>
>> /home/nordic/public_html
> As /usr/sbin/sendmail is usually symlink to Exim, you can substitute it
> with wrapper script, i.e. something like:
>
> ------------------------------------------------------------------------
> #!/bin/sh
> case "`pwd`" in /home/nordic/public_html )
> cat - > /dev/null ; exit ;;
> esac
> exec /usr/sbin/exim "$@"
> ------------------------------------------------------------------------
>
> Put any desired logic here. But note that this approach does not protect
> against direct invocation of Exim, forcing SMTP+AUTH might be better.