User Account - File being created/sending spam via local mail server

We use WHM to manage a multitude of our websites. One of these sites appear to have a vulnerability somewhere that is allowing a file to either be uploaded or created in the accounts public_html folder, which is them attempting to send spam out.

As Im not a developer or have a huge knowledge of Linux, I am at a bit of a loss on how to track down what is allowing the uploading/creation of the file. I suspect once the file is there, the hacker/bot/whatever is simply opening the url for the file which then causes it to start sending spam using the local mail server.

As a workaround I thought I might have been able to change the public_html folder to read only, but that broke the website its running. I also thought I might be able to configure the mail server to dump the emails as its using the full domain as the sender address - whilst we send emails from this host, its from a different domain - but I do not know where to begin for that.

I realise this is unlikely to be WHMs fault, rather the poor coding of the website but I hope someone here can point me in the right direction to stop this.

 

Turns out its very similar to this Help my server is sending spam and my abuse department is mad at me! (A HOWTO) - Hosting Security and Technology Tutorials - Web Hosting Talk

Whilst I've not yet ascertained the exact method they are using to get the files onto the server, I've identified several other files and removed them. The vulnerability appears to be related to an old joomla install, but I'll keep digging.

 

Yes, I can see in the access logs the file being accessed. The only trouble is I have not seen the precursor URL that is creating the file in the first place - usually by the time Im alerted to the issue the logs are overwritten so I can only see entries of the url to the spam file being accessed and generating the emails. I'll start archiving the logs so I can track it down.

In the meantime I'm blocking IPs and investigating what I can do on the exim side.

Most of this is implemented, I have hourly rates/high failure rate/suEXEC configured. So it does restrict the amount and allows me to simply delete the queue when the vulnerability is used to spam.

 

Have performed numerous things since my last post.

I updated CSF and went through and applied its recommendations. I've also installed mod_security. I also collated a list of the IPs using the hack and blocked them (I realize that is only a stop gap measure). Its now been four days and have not had a re-occurrence.

FTP logging has been enabled for the get go, but that has shown nothing (its rarely used) so I know they are not using that as the vector.

I will trawl through messages and see if the account(s) have been compromised, we are overdue for password changes anyway.


Thank you quizknows, Michael and Peter, appreciate your responses.