Determine if Email account or server hacked

[Bestrafung]

This morning there were a lot of SPAM email messages sent through our server from one of our clients' legitimate email accounts. I'm trying to determine whether it was their email account or the server itself that was hacked. If I go to Mail Delivery Reports > View Relayers I get about 34 pages of details for this account. One of the examples is provided below. It appears that the server is being used as a SMTP relay. As best I understand it this means the email account itself is compromised correct? Or could it be something else? I'm already changing the password while I continue to look into this.

Event: success success
User: xxxxxxx
Domain: xxxxx.com
Sender: [email protected]
Sent Time: May 22, 2014 11:07:11 AM
Sender Host: 03b553ef.pediting.me
Sender IP: 198.98.122.186
Authentication: forwarder
Spam Score:
Recipient: [email protected]
Delivered To: [email protected]
Delivery User: -remote-
Delivery Domain:
Router: lookuphost
Transport: remote_smtp
Out Time: May 22, 2014 11:07:11 AM
ID: 1WnUb5-00008h-Et
Delivery Host: mx2.hotmail.com
Delivery IP: 65.55.92.136
Size: 5.59 KB
Result: Message accepted

 

[cPanelMichael]

Hello

Search for the email address in /var/log/exim_mainlog using the "exigrep" utility to get a better idea of how the messages were sent out. EX:

exigrep [email protected] /var/log/exim_mainlog

Also, if any of the messages are still in the queue, view the headers with a command such as:

exim -Mvh messageID

Thank you.

 

[Bestrafung]

Hello

Search for the email address in /var/log/exim_mainlog using the "exigrep" utility to get a better idea of how the messages were sent out. EX:

exigrep [email protected] /var/log/exim_mainlog

Also, if any of the messages are still in the queue, view the headers with a command such as:

exim -Mvh messageID

Thank you.

Thanks for the response. I changed the password for that account but after 20 minutes or so the spammers were at it again. I'm running a ClamAV scan on the user's home directory now. The client has already run full AV and malware scans on all workstations used to access this account. I'm still not sure what is going on. I'll include a sample output from "exigrep [email protected] /var/log/exim_mainlog" as soon as scan finishes and the load returns to acceptable levels.

 

[coroy]

Me also encountered this kind of problem. Is there any command determine what file is executing or sending an email?

Thank you.

 

[triantech]

Hello,

- To list the folders from which mails can be generated ( will include valid scripts too )

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

- To list which mail account is reporting highest activity :

# exim -bpr | grep "<*@*>" | awk '{print $4}'|grep -v "<>" | sort | uniq -c | sort -n