Looking for Suspicious Files Question

Arslan Asghar

Registered
Aug 6, 2019
3
0
1
Lahore Pakistan
cPanel Access Level
Root Administrator
I am currently learning to manage Linux-based hosting servers. However, my server was attacked by a shell attack and was compromised; now a lot of domains on my server are being used for phishing and other such malicious activities. Also, the email accounts on these domains are being used for spamming. I am now looking for suspicious files in the file directory of every domain. I have found that "dovecot.index" and other such files whose names start with dovecot have a weird and suspicious-looking script. Please help me with this and tell me whether dovecot is a virus or trojan or not. This is the script that I found when I edit the "dovecot.index" file. I have also attached a screenshot of this edit.

- Removed -
 


cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,762
535
263
Houston
cPanel Access Level
DataCenter Provider
For starters, dovecot index files are not suspicious files; they appear this way because dovecot uses binary index and log files to improve performance accessing mail. In order to view the contents of the files, you would need to use
Code:
doveadm [-Dv] dump [-t type] path
This is explained in dovecot's wiki here: Tools/Doveadm/Dump - Dovecot Wiki

But really you shouldn't need to make any changes to or use this as it's not necessarily used to troubleshoot any issues beyond something a dev might be doing to debug a coding issue with dovecot.

If you're concerned you have malicious content on the server, I'd suggest using a malware scanner such as ClamAV, Imunify360 or Linux Malware Detect. If you're unable to determine the source or if you don't feel comfortable with those tools, I'd suggest enlisting the assistance of a qualified system administrator. If you don't have one available, you might find one here: System Administration Services.


Thanks!
 

Arslan Asghar

Thank you very much, Lauren, for your response. It's just that my previous server was hacked and compromised and was being used for phishing and spamming, so my team migrated it to a secure server, but the issue still continues even on the new server. So, I just wanted to confirm which specific file in the file directory was being used for phishing and spamming so that I could manually remove it.
 

cPanelLauren

If it's an account-level compromise, migrating to a new server won't resolve the issue in most cases. If you have a specific problematic account, I'd start the search with the files in that account. Malware scanners should be able to get you pointed in the right direction, but if you're using a CMS, a really common method of compromise is to take advantage of vulnerable/outdated plugins/themes/components etc., and I would suggest evaluating any of those if present on the account. A qualified system administrator should also be able to tell you the origin of the attack from looking at the domain access logs and server activity.
 

Arslan Asghar

Thank you, Lauren, once again. The issue is that the hacker has copied malicious code on almost every domain on my server. And now both my IPs and some domains are blocked, and my team is facing a lot of issues at the moment. Lauren, is there any command that will run a scan over the file directories of all my domains through the ClamAV scanner? Please help me with this if you can.
 

cPanelLauren

You can use ClamAV to scan all users; the documentation here goes over how to configure it: Configure ClamAV Scanner - Version 82 Documentation - cPanel Documentation

If you prefer to use the command line interface to run ClamAV, the binaries reside in the /usr/local/cpanel/3rdparty/bin/ directory:

Code:
/usr/local/cpanel/3rdparty/bin/clamscan
/usr/local/cpanel/3rdparty/bin/clamdscan
/usr/local/cpanel/3rdparty/bin/freshclam
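
One way to run the command-line scan asked about above across every account, as an added example that is not part of the thread or of cPanel's documentation. It assumes homes under /home/<user> with a public_html web root; HOME_BASE, LOG_DIR and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: sweep every account's web root with cPanel's bundled ClamAV.
# Assumptions: homes live under /home/<user> with a public_html docroot;
# HOME_BASE, LOG_DIR and the function names are chosen for this example.
CLAMSCAN="${CLAMSCAN:-/usr/local/cpanel/3rdparty/bin/clamscan}"
FRESHCLAM="${FRESHCLAM:-/usr/local/cpanel/3rdparty/bin/freshclam}"
HOME_BASE="${HOME_BASE:-/home}"
LOG_DIR="${LOG_DIR:-/root/clamav-reports}"

# Scan one account. Returns clamscan's exit code
# (0 = clean, 1 = infected file found, 2 = scanner error) or 3 = no docroot.
scan_account() {
    docroot="$HOME_BASE/$1/public_html"
    [ -d "$docroot" ] || return 3
    # --infected logs only detections; nothing is deleted or moved.
    "$CLAMSCAN" --recursive --infected --no-summary \
        --log="$LOG_DIR/$1.log" "$docroot" >/dev/null 2>&1
}

# Scan all accounts and print one verdict line for each.
# Returns 1 if any account had a detection or a scanner error, else 0.
scan_all_accounts() {
    overall=0
    mkdir -p "$LOG_DIR" || return 2
    for home in "$HOME_BASE"/*/; do
        [ -d "$home" ] || continue
        user="$(basename "$home")"
        rc=0
        scan_account "$user" || rc=$?
        case "$rc" in
            0) echo "CLEAN    $user" ;;
            1) echo "INFECTED $user (see $LOG_DIR/$user.log)"; overall=1 ;;
            3) echo "SKIPPED  $user (no public_html)" ;;
            *) echo "ERROR    $user (clamscan exit $rc)"; overall=1 ;;
        esac
    done
    return "$overall"
}

# Pass --run to refresh signatures and start the sweep; without it the file
# only defines the functions, so it can be sourced.
if [ "${1:-}" = "--run" ]; then
    "$FRESHCLAM" --quiet
    scan_all_accounts
fi
```

The sweep only reports: each account's detections land in its own log under LOG_DIR, so the flagged files can be reviewed against the access logs before anything is removed.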