

LOCALRELAY Alert for username




Posted by killerlipz, 02-28-2014, 04:44 PM
How do I solve this ongoing alert? "lfd on servername.com : script alert for /home/username/public/folder" and "LOCALRELAY Alert for username". It seems that it is sending out spam.

Posted by HostingBig, 02-28-2014, 04:51 PM
Suspend username. Problem solved.

Posted by killerlipz, 02-28-2014, 04:54 PM
We cannot suspend the user, as they are one of our top clients. Is there any way to configure it not to allow local relay?

Posted by HostingBig, 02-28-2014, 04:56 PM
If they are your top client and they are sending out spam, your provider will suspend you.

Posted by forumtalk, 02-28-2014, 05:00 PM
Then it is most likely a compromised account.

Posted by HostingBig, 02-28-2014, 05:02 PM
If it is a compromise, you need to find out what in /home/username/public/folder is relaying the spam and correct it.

Posted by killerlipz, 02-28-2014, 05:14 PM
Just did that, the alert was pointing to the twentytwelve theme of wordpress on that username.

Posted by Eased, 02-28-2014, 05:22 PM
Just because you're getting this alert does not mean that it is spam or a compromise. It just means that the script is not set to use an SMTP host and is using the local relay or PHP mail() to send email. Review the email, as it should contain a list of the first 10 emails including the title of each email. If it looks like spam, then it's probably spam. Otherwise it can be legitimate.

Posted by killerlipz, 03-01-2014, 04:08 AM
The emails I saw were not legitimate emails... all spam.

Posted by fabin, 03-01-2014, 06:45 AM
I guess the WordPress theme is compromised. If they are not using that theme, it's safe to remove that folder.

Posted by Kailash12, 03-03-2014, 03:10 AM
If your client is using outdated WordPress, you should inform him to upgrade it immediately. Also, you can install Maldet and ClamAV on your server and then scan the entire account.

Posted by nixrookie, 03-03-2014, 04:17 AM
Hi, If you feel that the client is very important one for you, please go ahead and review his account yourselves. Do the needful upgrades and other installations.

Posted by gtcs, 03-21-2014, 06:51 PM
I'm having pretty much the exact same problem. The emails being sent are definitely spam and they are not being sent by the user. How do I determine which script is being used to send this spam? I looked at the scripts that were noted as possible sources in the notification email that lfd sends out, but none have been edited recently. Thank you.

Posted by fabin, 03-22-2014, 01:09 AM
You can scan the document root with antivirus like clamav. If you can intercept a spam mail, try analyzing its header to find the script name.

Posted by gtcs, 03-22-2014, 02:04 AM
Thanks. A scan with clamav came up clean. How would I intercept one of the spam emails?

Posted by LDHosting, 03-22-2014, 05:18 AM
Check your mail queue. It is likely that you have a number of the emails there.

Posted by nwesource, 04-04-2016, 07:20 PM
I appreciate everybody's feedback and this thread is first on Google - but there is no solution presented here. We have a self-hosted WHM on Digital Ocean, and one cPanel Account is getting the LOCALRELAY Alert, the spammers queue up their emails every few days. Every time the culprit seems to be an ini.php file in a different folder, so they seem to have access in order to re-create this file. We are resetting all passwords, cPanel/Username and Database to see if this solves the problem. I may not remember to update this thread in a few days, so if you want to know if this worked please reply. Thanks!

Posted by super-tech, 04-05-2016, 01:20 AM
As a system admin I follow the criteria below to check a hack / spamming issue. If you wish, you can follow this to detect the culprit.

1. Find the script that is sending spam emails. You can get it from the Exim mainlog, or use the command
   grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
   This command will show the complete file path.
2. Use the stat command to understand the modification date and time of the hacked file.
3. Download the Apache access_log, /var/log/messages and the cPanel access log for the relevant date.
4. Use the grep command to search in these log files. The Apache log will help you if the hacked file was uploaded through a PHP POST request, the messages log will help you if the file was uploaded through FTP, and the cPanel log will help you if it was uploaded through File Manager.
5. If you have found all the hacked files, nullify their permissions with chmod 000, or delete them to avoid further abuse.
6. Use some string present in the hacked file to search for all hacked files in the document root:
   grep -ir "search_string" /path/to/folder
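Steps 1 and 4 of the procedure above, as an added example that is not from the thread or from any poster: a script that ranks the cwd= directories recorded in exim_mainlog (the same logic as the grep/awk/sort pipeline, skipping /var/spool), then cross-references the top directory against an Apache access log to find POST requests hitting scripts under it. The log lines, paths, IP addresses and the document root are constructed sample data; the column layout follows Exim's mainlog (with argument logging enabled) and Apache's combined log format, and real logs may differ.

```python
import re
from collections import Counter

# Constructed sample log lines (not real data). Exim writes "cwd=" lines
# for locally submitted mail when argument logging is on; /var/spool
# entries come from the queue runner and are noise for this purpose.
EXIM_MAINLOG = """\
2016-04-04 19:20:01 cwd=/home/username/public_html/wp-content/themes/twentytwelve 3 args: /usr/sbin/sendmail -t -i
2016-04-04 19:20:02 cwd=/home/username/public_html/wp-content/themes/twentytwelve 3 args: /usr/sbin/sendmail -t -i
2016-04-04 19:20:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1anXyz-0001ab-Cd
2016-04-04 19:21:10 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2016-04-04 19:21:11 1anXyz-0001ab-Cd <= user@example.com H=localhost [127.0.0.1] P=esmtp S=1234
"""

# Constructed Apache combined-format lines for the same account.
ACCESS_LOG = """\
203.0.113.5 - - [04/Apr/2016:19:19:58 +0000] "POST /wp-content/themes/twentytwelve/ini.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2016:19:20:01 +0000] "POST /wp-content/themes/twentytwelve/ini.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Apr/2016:19:20:30 +0000] "GET /index.php HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Apr/2016:19:20:31 +0000] "GET /wp-content/themes/twentytwelve/style.css HTTP/1.1" 200 4201 "-" "Mozilla/5.0"
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+)")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def spam_cwd_counts(exim_log: str):
    """Same result as: grep cwd | grep -v /var/spool | ... | uniq -c | sort -n
    Returns (cwd, count) pairs, least frequent first, so the directory the
    spam script runs from ends up as the last entry."""
    counts = Counter()
    for line in exim_log.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue
        cwd = m.group(1)
        if cwd.startswith("/var/spool"):  # queue runner / internal deliveries
            continue
        counts[cwd] += 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def posts_under(access_log: str, docroot: str, cwd: str):
    """Count POST requests to scripts under the suspect directory.
    cwd is the absolute path from the Exim log; docroot is the account's
    document root, so the URL prefix is cwd relative to docroot."""
    prefix = cwd[len(docroot):] if cwd.startswith(docroot) else cwd
    hits = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        path = path.split("?", 1)[0]  # drop the query string
        if method == "POST" and path.startswith(prefix + "/"):
            hits[(ip, path)] += 1
    return hits


if __name__ == "__main__":
    docroot = "/home/username/public_html"  # assumed document root
    ranked = spam_cwd_counts(EXIM_MAINLOG)
    for cwd, n in ranked:
        print(f"{n:6d} {cwd}")
    suspect = ranked[-1][0]
    for (ip, path), n in posts_under(ACCESS_LOG, docroot, suspect).items():
        print(f"{n} POST(s) from {ip} to {path}")
```

Once a script path and source IP fall out of this, the stat step gives the file's mtime, and the same access log grepped for that IP around that time usually shows the upload request that created the file.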

Posted by nwesource, 04-05-2016, 02:24 AM
I haven't seen any activity since we changed the passwords, so I am hopeful that worked. I have asked my Site Admins to follow your instructions, so we'll see if they can. If they can't and then experience another Local Relay warning, we may need someone to get in there and clean it up... so you may hear from me if that is the case. Thanks again.

Posted by FaithHost, 04-05-2016, 03:07 AM
Hello, activate the script alert in CSF. You will get a script alert email telling you which script is sending spam email. Or use this command to find out the folder where the spam script resides:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Look at all files inside the folder and remove any suspicious script found. Especially open all big files in a code editor and inspect all the code. Hope that will solve the issue, but it may occur again, so it is better to remove the compromised account and set it up again.

Posted by Srv24x7, 04-05-2016, 11:00 AM
Hi, here is the thing. If this is your top client, you have to take care of all the things at your end, but again, if any legitimate file has been replaced with malicious code, the scanner will remove or maybe quarantine this file, the site may go down again and your top client will complain again. It is better that you get their account scanned and analyzed, send them a report of it and have them take the decision on this; after all it is their content and you cannot just do anything to it without their prior confirmation or acknowledgement.

Posted by super-tech, 04-06-2016, 12:57 AM
Hi nwesource, I am glad to see that the password change helped you to resolve the issue. Thank you.

Posted by wonker, 04-06-2016, 02:14 AM
I've never seen a WordPress hack without any hidden files being added. We always remove all files from web access, then rebuild the WordPress without restoring any PHP files that haven't been manually verified. More than likely it will start again in a week or two if you don't do this.

Posted by brianoz, 04-07-2016, 04:38 AM
Some things for you to work through:

- Make a backup of the website in broken form so you can undo any heinous damage you do when disinfecting.
- Try installing and running the WordPress plugin called "Wordfence". Use it to run a scan of the entire site. It will also repair many of the hacked files for you.
- Obviously, update themes and plugins etc. to the latest version. Remove unused themes and plugins apart from the latest official WordPress theme, e.g. "2016".
- Run a recursive grep for "eval" and see what you find. It will bring up false alerts, but it's likely to bring up hacked files as well.
- Install ConfigServer's CSF and configure it to notice and limit outgoing spam.
- Purchase ConfigServer's CXS virus scanner for the server and use it to scan the site, then work through the hits.
- Configure the server to look for outgoing spam in the WHM options.
- Limit the number of outgoing emails per hour while you work on this (also in the WHM options; a reasonable default limit is a lifesaver).
- Once finished, install UpdraftPlus or something similar so you have good backups.

One very common (non-website-infection) way that spam is sent is by using a user's SMTP login to access the server from multiple locations. CSF/LFD can be set up to detect this: edit /etc/csf/csf.conf to turn on distributed SMTP attack checking. You'll need to set at least these config variables (vary values as appropriate): Once that's done, restart CSF with the "csf -r" command, followed by "service lfd restart", and check /var/log/lfd.log for lines warning you of the attacks. The simplest way of stopping the attacks is to change the POP account password in cPanel, which will then result in the bad guys getting banned in the firewall. If this yields results, contact the user and get them to virus check their PC (i.e. any with those credentials saved), as it is almost certainly infected.
Don't send them a new password until it is disinfected (you could also 'break' it by sending a password of abc123def as abc 123 xdef (remove x and spaces)). Interestingly, and paradoxically, we used to have 1-2 distributed SMTP attacks per week until we developed a script to deal with them automatically, and then they actually went away. Wondering whether someone noticed or they just got less fashionable!! My comment about your specific situation is this: you'd suffer a lot less grief if you hire an admin to do the appropriate parts of this for you, and to educate you a little. Server admin isn't a short learning curve and there's no shame in borrowing knowledge from experts; we've all done it, some of us many times. Last edited by brianoz; 04-07-2016 at 04:47 AM. Reason: clarification
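The "recursive grep for eval" step above, and FaithHost's advice earlier in the thread to open the big files, as an added example that is not from the thread or from any poster: a scanner that walks a document root, flags PHP files containing the usual eval/obfuscation calls, and notes any file with an extremely long line (minified or encoded payloads are typically one huge line). The word-boundary regexes avoid the false alert brianoz mentions for words like "evaluate" in comments. The sample tree it builds is constructed and hypothetical (the ini.php body is a one-line stand-in, not real malware), and the file-extension list and 1000-character line threshold are assumptions to tune for your server.

```python
import os
import re
import tempfile
import time

# Assumed heuristics: the eval family plus common decode/inflate helpers
# used to hide payloads. \b keeps "evaluate" from matching "eval".
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgz(inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    # preg_replace('/.../e', ...) executes the replacement as PHP code
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*(['\"])(.).*\2[a-zA-Z]*e[a-zA-Z]*\1"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".php5")  # assumed list
LONG_LINE = 1000  # assumed threshold in characters


def scan_php_file(path: str):
    """Return (labels hit, longest line length) for one file."""
    hits = []
    max_line = 0
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            max_line = max(max_line, len(line))
            for label, rx in SUSPICIOUS.items():
                if label not in hits and rx.search(line):
                    hits.append(label)
    if max_line > LONG_LINE:
        hits.append("long line")
    return hits, max_line


def scan_php_tree(root: str):
    """Walk root, scan PHP files, return findings sorted by relative path.
    mtime is included so hits can be matched against the access logs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            hits, max_line = scan_php_file(full)
            if hits:
                findings.append({
                    "path": os.path.relpath(full, root).replace(os.sep, "/"),
                    "hits": hits,
                    "max_line": max_line,
                    "mtime": os.path.getmtime(full),
                })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree():
    """Constructed sample document root in a temp dir (hypothetical files)."""
    root = tempfile.mkdtemp(prefix="docroot_")
    samples = {
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
        # clean file whose comment contains "evaluate": must not be flagged
        "wp-includes/functions.php":
            "<?php\n// evaluate the options array\nfunction f($a) { return $a; }\n",
        # stand-in for the dropped mailer script: decode-and-eval of POST data
        "wp-content/themes/twentytwelve/ini.php":
            "<?php @eval(base64_decode($_POST['x']));\n",
        # non-PHP file containing the word eval: not scanned at all
        "wp-content/uploads/readme.txt": "eval( this is not php )\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for f in scan_php_tree(root):
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(f["mtime"]))
        print(f"{f['path']}: {', '.join(f['hits'])} (longest line {f['max_line']}, mtime {when})")
```

Treat the output as a worklist, not a verdict: legitimate plugins do call base64_decode, so open each hit in an editor before chmod 000 or deletion, and keep the broken-state backup brianoz recommends so a wrong call can be undone.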


