Can't find script sending spam
Hello
I have a customer who's sending spam via some specific script; my problem is I can't find it.
I have suspended the account to stop the activity, but when it's active it starts to spawn processes which I can't trace or kill because the process manager says they no longer exist.
I have run maldet and clamav on the account and changed the account's password, but it still happens as soon as I unsuspend the account.
I do have CSF installed and it sends me a report with this:
[removed]
I am also attaching a screenshot of the process manager swarming with those ghost processes.
I have dealt with these before, but usually CSF sends me the location of the script or clamav finds the problem.
Can anyone help me on how to uncover this? I was thinking of posting this on the CSF forum as well, but wanted to try my luck here first. Regards.
-
Hello,
Try running the following command to see if it provides more information about the directory the email is coming from:

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Thank you.
-
With that I found out that it is the public_html folder; I will have to check all the files there. Thanks, it helped me to narrow the search.
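Added example, not part of the original thread: the same cwd tally as the command in the reply, extended to also show when each directory was first and last seen handing mail to exim, which helps match the activity against file modification times and web access logs. The sample log lines and the helper names `sample_log` and `cwd_summary` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in exim_mainlog layout (assumption: not data from the thread).
sample_log() {
cat <<'EOF'
2024-05-01 10:00:01 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rAbCd-0000Ef-Gh
2024-05-01 10:00:04 1rAbCd-0000Ef-Gh Completed
2024-05-01 10:00:05 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:02:00 cwd=/home/exampleuser/public_html/blog 3 args: /usr/sbin/sendmail -t -i
EOF
}

# cwd_summary (hypothetical helper): reads exim_mainlog lines from files or stdin.
# Output, tab-separated, busiest first: count, first seen, last seen, directory.
cwd_summary() {
  awk '
    {
      i = index($0, "cwd=")
      if (i == 0) next                          # not a cwd line
      rest = substr($0, i + 4)
      sp = index(rest, " ")
      dir = (sp > 0) ? substr(rest, 1, sp - 1) : rest
      if (index(dir, "/var/spool") == 1) next   # exim queue handling, not a script
      ts = $1 " " $2                            # date and time fields of the log line
      count[dir]++
      if (!(dir in first)) first[dir] = ts
      last[dir] = ts
    }
    END {
      for (d in count)
        printf "%d\t%s\t%s\t%s\n", count[d], first[d], last[d], d
    }
  ' "$@" | sort -rn
}

# Runs on the constructed sample so the block works offline.
sample_log | cwd_summary
```

On a live server, pass the log path instead: `cwd_summary /var/log/exim_mainlog`.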