Hello!

Status:
Centos 5
Exim
Cpanel/WHM
PHP vulnerability

Somewhere in my php code a hacker has placed a preg_replace statement allowing him to receive all the emails being sent out from my website. The first time he put in the preg_replace statement I found it and removed it. I cannot find it now - I am running cpanel/WHM to manage the site. I know what the hackers email is - is there a way I can block exim from sending mail to that address? I'm in the process of getting the site rebuilt by a professional. Looking for a fix for the interim though.

- Stop your MTA until you figured out what to do.
- Those preg_replace statements were just a symptom. Running bad homebrewn scripts, outdated software, risky 3rd party plugins, leeched FTP credentials, other malicious activity in a shared host etc, etc may be a few of the causes. Encountering them pregs twice could point to negligence. So don't wait for your "professional", be pro-active, act responsibly and FIX THE PROBLEM.
- See if you can enable the mail header function in php.ini (PHP >= 5.3: mail.add_x_header = on, mail.log = /tmp/php_headers.log) so you can trace back the script with the "X-PHP-Originating-Script" header.
- Configure an email limit for all accounts.
- Have Mailscanner + SpamAssassin scan all outbound email (also see EximConfig).

Will do. Thanks.

Also, in WHM there is an option to add tracking headers.

The root of the problem is likely a vulnerable php script though.