Identifying the file sending out spam email
I'm trying to identify the cause of spam emails being sent out from one of my client's WordPress websites. While I can identify the folder, I can't identify the file.
I've added the following to the log_selector of my Exim settings: +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_recipients +received_sender +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
And then run: grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Thanks to this I know which folders are sending out the spam. One of them was a deactivated Yoast plugin, which I have updated, and that has solved one issue. However, a custom plugin for the website is also identified as sending out spam, a few hundred thousand a day.
I tried running grep "file-name.php" /home/account-name/access-logs/domain.co.uk | awk '{print $1}' | sort -n | uniq -c | sort -n on each of the files in the directory, but only one returned results, and this only showed a handful of single accesses by differing IPs, nothing like the expected 74,000 that the exim_mainlog displayed.
The plugin should be using Mandrill to send email and was written by a third party before we took it over, so debugging the scripts would take an extremely long time, and it is currently getting the server blacklisted on multiple blacklists.
For now I'm going to swap the site to its own IP address so I can at least clear out the other sites on the shared IP, but I really do need to find the file in question causing the issue.
The server in question is CentOS 5.x, I think, running WHM and cPanel.
2 Comments
I eventually found the hack by running a malicious code scanner from github.com/mikestowe/Malicious-Code-Scanner to detect the main causes of the hack. This detected 90% of all the files that had been modified to allow a POST request to send a string that the hacked file would then run as PHP.
Then I ran cat example.co.uk | cut -d'"' -f2 | awk '{print $1 " " $2}' | cut -d? -f1 | sort | uniq -c | sort -n on my raw access logs to find which files had POST requests sent heavily to them, to track down the files that were not detected correctly.
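Putting the two log sources together, as an added example that is not part of either comment or the poster's setup: the exim_mainlog cwd= aggregation from the question and the POST-per-script count from this comment, correlated in Python over constructed sample lines. The document root path, log lines and client IPs are all assumed.

```python
import re
from collections import Counter

# Constructed sample lines, not taken from the poster's server. exim_mainlog carries
# cwd= because +arguments is in log_selector; the access log is Apache combined format.
EXIM_LOG = """\
2014-05-01 10:00:01 cwd=/home/account/public_html/wp-content/plugins/custom-plugin 3 args: /usr/sbin/sendmail -t -i
2014-05-01 10:00:02 cwd=/home/account/public_html/wp-content/plugins/custom-plugin 3 args: /usr/sbin/sendmail -t -i
2014-05-01 10:00:03 cwd=/home/account/public_html 3 args: /usr/sbin/sendmail -t -i
2014-05-01 10:00:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WfXyz-0001aa-AB
"""
ACCESS_LOG = """\
203.0.113.5 - - [01/May/2014:10:00:01 +0000] "POST /wp-content/plugins/custom-plugin/lib/helper.php HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.9 - - [01/May/2014:10:00:02 +0000] "POST /wp-content/plugins/custom-plugin/lib/helper.php?x=1 HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [01/May/2014:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [01/May/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
CWD_RE = re.compile(r"cwd=(\S+)")
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def sending_dirs(exim_log):
    """Mail submissions per working directory; Exim's own queue runs (/var/spool) are skipped."""
    counts = Counter()
    for line in exim_log.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith("/var/spool"):
            counts[m.group(1)] += 1
    return counts

def post_targets(access_log):
    """POST count and distinct client IPs per script path, query string stripped."""
    hits, ips = Counter(), {}
    for line in access_log.splitlines():
        m = REQ_RE.match(line)
        if not m or m.group(2) != "POST":
            continue
        path = m.group(3).split("?", 1)[0]
        hits[path] += 1
        ips.setdefault(path, set()).add(m.group(1))
    return hits, ips

def suspect_scripts(exim_log, access_log, docroot="/home/account/public_html"):
    """POSTed scripts whose directory (or a parent) Exim saw submitting mail: (path, posts, ips, mails)."""
    dirs = sending_dirs(exim_log)
    hits, ips = post_targets(access_log)
    out = []
    for path, n in hits.most_common():
        script_dir = (docroot + path).rsplit("/", 1)[0]
        match = [d for d in dirs if script_dir == d or script_dir.startswith(d + "/")]
        if match:  # attribute the mail count of the most specific sending directory
            out.append((path, n, len(ips[path]), dirs[max(match, key=len)]))
    return out
```

On a real server the two inputs are /var/log/exim_mainlog and the account's access log; the script that both ranks highest is the one to pull apart first.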
In PHP, the mail() function is used to send email.
In Linux, you can navigate to the root folder where WordPress is installed (probably the document root) and type:
grep 'mail(' *.php
Then it will search all PHP files in the folder for any matches of mail(, and the filename listed on the far left is the file the match is found in. You may have to change to other folders if the mail function is not found.