Found out origin of spam script
Hello everyone,
I have an issue/problem that may not be cPanel related, but I maybe there are cPanel on-board tools that will help me to solve the issue. In use is CENTOS 7.2 x86_64 and WHM 11.52.3 (build 1). Using CSF, Modsecurity (Comodo) and cPanel tools (cphulk, ...).
There is a script on a client's site, that is sending a huge amount of spam mails. Finding the script isn't the problem when using the command:
Further, I can find many connections to this script in the user's access log from differnt IPs. Therefore, blocking the IPs isn't possible. We delete the file(s), but it gets created again. My question is: How can I determine the origin of the files? Who/what creates it and how does it get on the server? Is it possible to get those information?
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | awk '{print $1}' | sort | uniq -c | sort -nFurther, I can find many connections to this script in the user's access log from differnt IPs. Therefore, blocking the IPs isn't possible. We delete the file(s), but it gets created again. My question is: How can I determine the origin of the files? Who/what creates it and how does it get on the server? Is it possible to get those information?
-
Hello :) Try searching within the account for files or directories with insecure permissions. Also, you may want to change the account password, and ensure you are following the advice at this document: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation Thank you. 0
Please sign in to leave a comment.
Comments
1 comment