The Community Forums

Interact with an entire community of cPanel & WHM users!

Found out origin of spam script

Discussion in 'Security' started by danieldj, Feb 22, 2016.

  1. danieldj

    danieldj Registered

    Joined:
    Feb 22, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Austria
    cPanel Access Level:
    Root Administrator
    Hello everyone,

    I have an issue/problem that may not be cPanel related, but maybe there are cPanel on-board tools that will help me to solve the issue. In use is CENTOS 7.2 x86_64 and WHM 11.52.3 (build 1). Using CSF, Modsecurity (Comodo) and cPanel tools (cphulk, ...).

    There is a script on a client's site, that is sending a huge amount of spam mails. Finding the script isn't the problem when using the command:

    Code:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    Further, I can find many connections to this script in the user's access log from different IPs. Therefore, blocking the IPs isn't possible. We delete the file(s), but it gets created again.

    My question is: How can I determine the origin of the files? Who/what creates it and how does it get on the server? Is it possible to get that information?
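The following script is an added example, not code from the thread or from cPanel. It does the same thing as the exim_mainlog pipeline in the post (tally the working directory of every local mail submission, skipping Exim's own spool) and then goes one step further toward the "who is calling it" question by listing the client IPs in the account's Apache access log that request paths under the suspect directory. It assumes Exim logs the submitting process's cwd and arguments (which the pipeline in the post already relies on), that the account's document root is known, and it runs against constructed sample log lines embedded in the script; on a real server you would feed it `/var/log/exim_mainlog` and the account's `access-log` instead.

```shell
#!/bin/sh
# Added example (not from the forum thread): tally exim_mainlog "cwd=" entries
# like the post's pipeline, then correlate the top directory with the
# account's web access log. All log lines below are constructed samples.

# Constructed exim_mainlog lines in the shape produced when Exim logs the
# caller's cwd and arguments (log_selector includes +arguments).
EXIM_SAMPLE='2016-02-22 10:15:01 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2016-02-22 10:15:02 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2016-02-22 10:15:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aXyZ-0001ab-CD
2016-02-22 10:15:04 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2016-02-22 10:15:05 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i'

# Constructed Apache combined-format access log lines for the user1 account.
ACCESS_SAMPLE='203.0.113.10 - - [22/Feb/2016:10:15:01 +0100] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2016:10:15:02 +0100] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Feb/2016:10:15:03 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Feb/2016:10:15:05 +0100] "POST /wp-content/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"'

# Same idea as the pipeline in the first post: count submissions per working
# directory, ignoring Exim's own spool. Reads exim_mainlog text on stdin and
# prints "<count> <cwd>" sorted ascending by count.
tally_cwd() {
    grep 'cwd=' | grep -v '/var/spool' \
        | sed -n 's/.*cwd=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -n \
        | awk '{print $1, $2}'
}

# Directory with the most submissions: the prime suspect.
top_cwd() {
    tally_cwd | tail -n 1 | awk '{print $2}'
}

# List distinct client IPs that requested anything under the suspect
# directory, with request counts, most active first.
# Usage: requests_into_dir <docroot> <cwd> < access_log
requests_into_dir() {
    docroot=$1
    cwd=$2
    # Turn the filesystem path into the URL prefix, e.g. /wp-content/uploads
    urlprefix=${cwd#"$docroot"}
    # $7 is the request path in the combined log format
    awk -v p="$urlprefix" '$7 ~ ("^" p "/") {print $1}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

main() {
    echo "Submissions per working directory:"
    printf '%s\n' "$EXIM_SAMPLE" | tally_cwd
    suspect=$(printf '%s\n' "$EXIM_SAMPLE" | top_cwd)
    echo "Suspect directory: $suspect"
    echo "Client IPs requesting paths under it:"
    printf '%s\n' "$ACCESS_SAMPLE" | requests_into_dir /home/user1/public_html "$suspect"
}

main
```

On a live server, replace the two sample variables with `tally_cwd < /var/log/exim_mainlog` and `requests_into_dir /home/USER/public_html "$suspect" < /home/USER/access-logs/DOMAIN` (the cPanel per-domain log location). The IP list tells you how widely the script is being driven; the request timestamps and user agents in the same lines, together with the file's creation time, are what to compare against the access log when looking for the upload or write request that created it.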
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator