Found out origin of spam script

danieldj

Registered
Feb 22, 2016
1
0
1
Austria
cPanel Access Level
Root Administrator
Hello everyone,

I have an issue/problem that may not be cPanel related, but maybe there are cPanel on-board tools that will help me to solve the issue. In use is CentOS 7.2 x86_64 and WHM 11.52.3 (build 1). Using CSF, ModSecurity (Comodo) and cPanel tools (cPHulk, ...).

There is a script on a client's site that is sending a huge amount of spam mail. Finding the script isn't the problem when using the command:

Code:
# working directories exim recorded for locally submitted mail, counted, least to most frequent
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Further, I can find many connections to this script in the user's access log from different IPs. Therefore, blocking the IPs isn't possible. We delete the file(s), but it gets created again.

My question is: How can I determine the origin of the files? Who/what creates it and how does it get on the server? Is it possible to get that information?
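One way to answer the "who/what creates it" question from the logs already on the server is to correlate the dropped file's timestamp with the account's access log: the requests in the minute or two before the file appeared point at the endpoint (often a POST to a plugin or upload handler) that wrote it, and the requests hitting the script afterwards show which IPs use it. The script below is an added example for this thread, not code from the post or from cPanel; the log lines, IPs, script name and timestamp in it are constructed for illustration, and on a real server you would feed it the account's access log and the file's mtime from disk.

```python
"""Correlate a dropped spam script's file timestamp with the site's access log.

Added example for the question above. All sample data (log lines, IPs, paths,
timestamp) is constructed; replace it with the account's real access log and
the file's mtime on a live server.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format access log (not real traffic).
ACCESS_LOG = """\
203.0.113.5 - - [22/Feb/2016:10:14:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2016:10:14:09 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2016:10:14:11 +0100] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.9"
198.51.100.7 - - [22/Feb/2016:10:15:30 +0100] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.8 - - [22/Feb/2016:10:15:31 +0100] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Feb/2016:10:20:00 +0100] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Constructed name of the spam script (relative to the document root) and the
# constructed time it appeared on disk; see file_mtime() for the real thing.
SCRIPT_URI = "/wp-content/uploads/cache.php"
FILE_MTIME = datetime(2016, 2, 22, 10, 14, 12, tzinfo=timezone(timedelta(hours=1)))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]  # drop any query string
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def file_mtime(path):
    """Modification time of a file on disk as an aware datetime (for live use)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def find_callers(entries, script_uri):
    """Distinct client IPs that requested the spam script."""
    return sorted({e["ip"] for e in entries if e["path"] == script_uri})


def find_dropper_candidates(entries, mtime, script_uri, window_seconds=120):
    """Requests in the window just before the file appeared, excluding hits on the
    script itself. POSTs are ranked first (uploads and vulnerable plugin endpoints
    are usually POST), then the request closest to the file's mtime."""
    start = mtime - timedelta(seconds=window_seconds)
    cands = [e for e in entries
             if start <= e["time"] <= mtime and e["path"] != script_uri]
    cands.sort(key=lambda e: (e["method"] != "POST", -e["time"].timestamp()))
    return cands


def main():
    entries = parse_access_log(ACCESS_LOG)
    print("IPs using the script:", find_callers(entries, SCRIPT_URI))
    print("Requests just before the file appeared (most likely dropper first):")
    for e in find_dropper_candidates(entries, FILE_MTIME, SCRIPT_URI):
        print(f"  {e['time']:%H:%M:%S} {e['ip']:15} {e['method']:4} {e['path']}  ua={e['ua']}")


if __name__ == "__main__":
    main()
```

In the constructed data the top candidate is the POST to the plugin's upload handler two seconds before the file's mtime, from a client using a scripted user agent, which is exactly the kind of lead to examine next (the plugin's version, and the raw request in the log). Treat the window as a starting point rather than proof: a file's mtime can be reset by whoever wrote it, and when a deleted file keeps coming back, the writer may be a cron entry or another already-planted file in the same account rather than a fresh request, so the same correlation is worth running against the file that reappears and against the account's cron and recently modified files.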
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463