For spam, it's normally from a PHP script, so you can use this one-liner below in SSH. It will show you which directories are being used to send out email; you can easily tell which ones are malicious as they will be in the hundreds, thousands and even hundreds of thousands in extreme cases. Just go to that directory and you will find the PHP script. If there are many PHP scripts, you can easily tell which one it is by grepping the access logs to see which PHP script is being spam posted; I'll post that grep below:
Code:
# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print $1}'
# grep POST /home/$user/access-logs/*
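As an added example (not part of the original post), here is the same cwd count wrapped in a small POSIX sh script, run against a constructed sample log; it assumes exim_mainlog lines are shaped as date, time, cwd=DIR, then the sendmail arguments, and the directory names are made up:

```shell
#!/bin/sh
# Added example, not from the original post. Counts the sending directory
# (the cwd= field exim records when a local script calls sendmail), drops
# the system paths, and lists the top N so a hijacked account stands out.
# Assumes exim_mainlog lines shaped like:
#   2024-01-01 00:00:01 cwd=/home/USER/public_html 3 args: /usr/sbin/sendmail -t -i

# top_cwd LOGFILE [N]  ->  "COUNT cwd=DIR" lines, highest count first
top_cwd() {
    awk '$3 ~ /^cwd=/ {print $3}' "$1" \
        | sort | uniq -c | sed 's/^ *//' | sort -nr \
        | grep -Ev ' cwd=(/$|/etc/csf|/var/spool/exim)' \
        | head -n "${2:-15}"
}

# log_window LOGFILE  ->  first and last date in the log, i.e. the period the counts cover
log_window() {
    printf '%s .. %s\n' "$(head -1 "$1" | awk '{print $1}')" \
                        "$(tail -1 "$1" | awk '{print $1}')"
}

# Constructed sample log: one compromised uploads directory sending in bulk,
# one normal site sending a little, plus the system entries that get filtered.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
{
    printf '2024-01-01 00:00:01 cwd=/ 2 args: /usr/sbin/exim -q\n'
    for n in 1 2 3 4 5; do
        printf '2024-01-01 00:00:0%s cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i\n' "$n"
    done
    printf '2024-01-01 00:01:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i\n'
    printf '2024-01-01 00:02:00 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc abc123-000000-00\n'
    printf '2024-01-02 00:00:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i\n'
} > "$SAMPLE_LOG"

echo "Window: $(log_window "$SAMPLE_LOG")"
top_cwd "$SAMPLE_LOG" 15
```

Point it at the real /var/log/exim_mainlog and the top line is the directory to go look in.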
To stay on top of spam though, I personally use CSF. More specifically I rely on:
LF_SCRIPT_ALERT = "1"
LF_SCRIPT_LIMIT = "25"
This will alert you anytime a 'cwd' shows up in the mail logs (which is that directory); if CSF sees it 25 times in an hour, it will alert you. To help a bit more, I also use:
LF_SCRIPT_ACTION
You can create a bash script that is triggered anytime LF_SCRIPT_LIMIT is met. I have a bash script that emails me useful information; I'll be happy to share:
pastebin.com/N9jGE3Z1
I place that script in ~ and chmod it executable
Code:
# chmod +x ~/csf.lf_script_perm_action
I would advise reading over the documentation for CSF so you have a better understanding, but that is the gist of it; for script alerts specifically, CSF goes way beyond that.
CSF will also alert you if the mail queue reaches a certain limit. Example:
LF_QUEUE_ALERT = "2000"
As for malware, you can use ClamAV; it's pretty good, although do not rely on it 100% as it still doesn't pick up everything. Especially if you're talking about a hacked WP site, don't ever just delete the malicious files and think the problem is resolved, because it won't be. I wrote an article here that helps reinstall WP without losing any data:
bigscoots.com/portal/knowledgebase/article/17/how-to-clean-reinstall--a-wordpress-site-after-being-hacked/
I can also provide you with some commands that I use to help find those malicious scripts as they are fairly common and use the same methods:
Code:
# find "$(pwd)" -type f -iname '*.php' -exec echo {} \; -exec head -1 {} \; | grep -B1 'GLOBALS\|preg_replace\|array_diff_ukey\|gzuncompress\|gzinflate\|post_var'
With that command you would go into the infected cPanel account's public_html and it will list all the files that contain more than likely malicious code on the first line.
The most common files you will find, for me anyways, are found using this:
Code:
for i in USER; do find /home/$i/public_html/ -type f -iname '*.php' -print0 | xargs -0 grep -l 'sF=\|qV=' >> infected ; done
Just replace USER with the cPanel user; you can also do more than one, like:
Code:
for i in USER USER2 USER3; do find /home/$i/public_html/ -type f -iname '*.php' -print0 | xargs -0 grep -l 'sF=\|qV=' >> infected ; done
Wherever you run that command, it will create a file called infected with the exact path to the infected files.
Umm, so ClamAV, you can install from SSH using:
Code:
/scripts/update_local_rpm_versions --edit target_settings.clamav installed
/scripts/check_cpanel_rpms --fix --targets=clamav
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
freshclam
but you can also install it from WHM using "manage plugins".
If you want to scan manually using it, you can do:
Code:
clamscan -ri /home/USER/public_html/
There are lots more config options you can use, but too much to go into; just google it, but cPanel has a good write-up here as well:
Configure ClamAV Scanner - Documentation - cPanel Documentation
Check out the "ClamAV Scanner cron job" at the bottom of the page.
I hope this helps!