XF 1.2 thousands of emails keep sending out of my forum

[xml]

Hi all,

I upgraded fron 1.1.1 to 1.2.5 last wednesday and every thing went ok and the forum is running without any issue. But suddenly yesterday thousands of spam emails going out of my dedicated server and when I check WHM in the Mail Queue Manager I see many emails waiting to to be sent as shown on the attached image.

I tried to track down the source of those emails as suggested on this website:
http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim

using the command:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

and the output is:

1 /root/rkhunter-1.4.2

  15 /root

  17

  174 /

  647 /usr/local/cpanel/whostmgr/docroot

  1482 /home/vbcom/public_html/community

  2119 /etc/csf

1482 email is being sent from my xenforo community and it wasnt me who is sending those emails. is there any new email features in xf1.2.5 that send auto emails? I am realy lost here

my forum is large
4 mil post
70,000+ members

 

[Paul B]

What is the content of the email?
That may help to determine the cause.

 

[xml]

here is the content of one of those emails:

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
washibgton28.sa@gmail.com
SMTP error from remote mail server after RCPT TO:<washibgton28.sa@gmail.com>:
host gmail-smtp-in.l.google.com [74.125.129.26]:
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 s1si4955692pav.74 - gsmtp
tobyleewilson@gmail.com
SMTP error from remote mail server after RCPT TO:<tobyleewilson@gmail.com>:
host gmail-smtp-in.l.google.com [74.125.129.26]:
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 s1si4955692pav.74 - gsmtp
shaheanflores2@gmail.com
SMTP error from remote mail server after RCPT TO:<shaheanflores2@gmail.com>:
host gmail-smtp-in.l.google.com [74.125.129.26]:
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 s1si4955692pav.74 - gsmtp
------ This is a copy of the message, including all the headers. ------
Return-path: <webmaster@domain.com>
Received: from [109.229.230.160] (port=2094 helo=indexsignal.com)
by indexsignal.softlayer.com with esmtpa (Exim 4.82)
(envelope-from <webmaster@domain.com>)
id 1WJgbN-0005iN-K1; Sat, 01 Mar 2014 12:53:07 +0300
Message-ID: <A0B55188.3E18EC21@domain.com>
Date: Sat, 01 Mar 2014 09:53:05 +0000
From: "webmaster@domain.com" <webmaster@domain.com>
MIME-Version: 1.0
To: <shaheanflores2@gmail.com>
Subject: New brideagency with real people
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-OutGoing-Spam-Status: No, score=0.1
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title></title> </head> <body> <p> <a href="https://dl.dropboxusercontent.com/u/272678569/kg8qX9F.html">En
joy a world of hot fantasies</a> </p>
<p>calumny, I never was touched, or even attacked by her baleful tooth:</p> <p>and though I wantonly exposed myself to the rage of both civil</p> <p>and religious factions, they seemed to be disarmed, in my behalf, of</p> <p>their wonted fury. My friends never had occasion to vindicate any one</p> <p>circumstance of my character and conduct: not but that the zealots, we</p> <p>may well suppose, would have been glad to invent and propagate any</p> <p>story to my disadvantage, but they could never find any which they</p> <p>thought would wear the face of probability. I cannot say there is</p> <p>no vanity in making this funeral oration of myself, but I hope</p> <p>it is not a misplaced one; and this is a matter of</p> </body> </html>

I replaced my website name with domain word

 

[Mike]

1400 emails for a forum that large isn't a lot -- I'm pretty sure we send more than that here (or at least a similar amount).

The email is definitely coming from within your server, but there isn't any indication that it came from within XenForo (XenForo emails would always be sent using UTF-8 for example), so if it's being sent from within the XF directory, there may well be another script there that has been dropped in the directory. What are the list of files in your community directory?

 

[xml]

Here is the list of files in forum directory

root@hostl [~]# ls -lahtr /home/vbcom/public_html/community
total 560K
-rw-r--r-- 1 vbcom vbcom 1.1K Feb 25 00:58 rgba.php
-rw-r--r-- 1 vbcom vbcom 1.4K Feb 25 00:58 payment_callback.php
drwxr-xr-x 4 vbcom vbcom 4.0K Feb 25 00:58 install_disable/
-rw-r--r-- 1 vbcom vbcom 1.1K Feb 25 00:58 htaccess.txt
-rw-r--r-- 1 vbcom vbcom 510 Feb 25 00:58 fb_channel.php
-rw-r--r-- 1 vbcom vbcom 1.2K Feb 25 00:58 deferred.php
-rw-r--r-- 1 vbcom vbcom 359 Feb 25 00:58 css.php
-rw-r--r-- 1 vbcom vbcom 1.8K Feb 25 00:58 admindav.php
-rw-r--r-- 1 vbcom vbcom 416 Feb 25 00:59 index.php
-rw-r--r-- 1 vbcom vbcom 415 Feb 25 00:59 admin.php
-rwxr-xr-x 1 vbcom vbcom 1.3K Feb 26 13:29 .htaccess*
drwxrwxrwx 4 vbcom vbcom 4.0K Feb 26 13:30 data/
drwxrwxrwx 6 vbcom vbcom 4.0K Feb 26 13:40 internal_data/
-rw-r--r-- 1 vbcom vbcom 21K Feb 26 13:45 title.jpg
-rw-r--r-- 1 vbcom vbcom 155K Feb 26 13:47 capital-option-gold-index-signal2.gif
-rw-r--r-- 1 vbcom vbcom 9.9K Feb 26 14:00 warning.png
-rw-r--r-- 1 vbcom vbcom 20K Feb 26 14:00 advertencia.png
-rw-r--r-- 1 vbcom vbcom 19K Feb 26 14:01 advertencia.jpg
drwxr-xr-x 9 vbcom vbcom 4.0K Feb 26 14:46 js/
drwxr-xr-x 4 vbcom vbcom 4.0K Feb 26 14:50 styles/
drwxr-xr-x 29 vbcom vbcom 4.0K Feb 26 15:56 ../
drwxr-xr-x 12 vbcom vbcom 4.0K Feb 26 16:10 library/
drwxr-xr-x 2 vbcom vbcom 4.0K Feb 26 16:37 images/
drwxr-xr-x 9 vbcom vbcom 4.0K Feb 26 20:54 ./
-rw-r--r-- 1 vbcom vbcom 249K Feb 26 20:54 QK_org.gif

 

[xml]

Finally I was able to recover from this issue after reading this post
http://forums.cpanel.net/f43/spammers-hijacking-email-accounts-392661.html

after changing the email account password the spam emails stopped