Show spam script on Linux webserver

Sometimes a website on a shared server is compromised by an attacker. Most of the time the compromised site is then used to send spam to the rest of the world. It can be hard to find the specific script that is responsible for the spam. Here I describe a method you can use to find and eliminate the script.

First stop postfix to stop the mail flood:

# service postfix stop

Now get the mail queue and write down the message ID (highlighted in yellow in the screenshot):

# mailq

[screenshot: mailq output, message ID highlighted]

Get the message header:

# postcat -vq A9CC9182699 |more

[screenshot: postcat message header, originating script highlighted]

Now look at the yellow text above: you have found the culprit. Next, find the file location (quote the pattern so the shell does not expand it in the current directory):

# find /var/www/web/ -name '*addwp.php*'

Eliminate the process and patch the website.

Delete the queue (USE THIS WITH CAUTION!!!!):

# postsuper -d ALL

And start postfix again:

# service postfix start
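The header step above done as a small script, added here as an example and not part of the original post. It assumes PHP was run with mail.add_x_header on, so each message carries an X-PHP-Originating-Script header naming the sending script; the postcat output below is constructed, not a real queue entry.

```shell
#!/bin/sh
# Added example: pull the originating PHP script out of a `postcat -vq <ID>`
# header dump and build the quoted `find` command for it.
# Assumption: PHP's mail.add_x_header is on, so the message has a
# "X-PHP-Originating-Script: <uid>:<script>" header.

# Constructed sample of a postcat header dump (not a real queue entry).
SAMPLE_HEADERS='*** ENVELOPE RECORDS deferred/A/A9CC9182699 ***
sender: www-data@example.invalid
*** MESSAGE CONTENTS deferred/A/A9CC9182699 ***
Received: by mail.example.invalid (Postfix, from userid 33)
        id A9CC9182699; Mon, 28 Apr 2014 10:11:12 +0200 (CEST)
To: victim@example.invalid
Subject: cheap pills
X-PHP-Originating-Script: 33:addwp.php
Message-Id: <20140428081112.A9CC9182699@mail.example.invalid>
From: www-data@example.invalid

body here'

# Print the script named in X-PHP-Originating-Script (stdin = postcat output).
# The value is "<uid>:<script>"; drop the uid prefix and any CR.
# Prints nothing when the header is absent.
originating_script() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*[0-9]*:\(.*\)$/\1/p' | tr -d '\r' | head -n 1
}

# Print the uid that handed the mail to Postfix ("from userid N" in the first
# Received line); confirms the mail came from the web server account.
submitting_uid() {
    sed -n 's/^Received: .*(Postfix, from userid \([0-9]*\)).*$/\1/p' | head -n 1
}

# Build the find command, quoting the pattern so the shell does not expand
# the glob in the current directory. $1 = web root, $2 = script name.
find_command() {
    printf "find %s -name '*%s*'\n" "$1" "$2"
}

script=$(printf '%s\n' "$SAMPLE_HEADERS" | originating_script)
uid=$(printf '%s\n' "$SAMPLE_HEADERS" | submitting_uid)
echo "originating script: $script (submitted by uid $uid)"
find_command /var/www/web/ "$script"
```

On a live system replace SAMPLE_HEADERS with the real dump, for example `postcat -vq A9CC9182699 | originating_script`.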

To find and kill a spamming Perl script try this:

Find the process, resolve its executable and kill it (replace <PID> with the PID shown by lsof):

lsof -i :25
readlink -f /proc/<PID>/exe
kill <PID>

Check and delete the (sendmail) queue (replace <queue file> with one of the files listed):

cd /var/spool/mqueue/
ls
nano <queue file>
rm -f *

It can be very difficult to find a specific Perl spam script because its path is not always visible. To find the script, run locate and isolate or rename the files it turns up (quote the pattern so the shell does not expand it):

locate '*.pl' | grep /var/www/

For more commands see my blog article: https://blog.wapnet.nl/2014/04/linux-find-out-what-a-process-is-doing/

I found another nice tool to find suspicious scripts: http://cbl.abuseat.org/findbot.pl

Author: Thomas Faddegon

Do you like my posts and want to do something back? You can buy me a beer :)