Thread: Finding spam sending PHP scripts on my server

  1. #1
    Join Date
    Feb 2014
    Beans
    2

    Finding spam sending PHP scripts on my server

    Hello,

    Someone hacked one of my websites and is sending spam, and I can't find the file that is sending this spam.

    The file is named: LICENSE.php

    But there are a lot of files with that name, so I tried to filter with something like this:
    Code:
    find . -name "LICENSE.php" -exec grep -Hn "mail(" {} \;
    but got no result; it seems like the file is encrypted.

    There is some information in the mail queue:

    Received: by neoglob.lpm-dz.net (Postfix, from userid 33)
    id ED89F2E287C3; Thu, 13 Feb 2014 23:38:13 +0000 (UTC)
    To: <snip>
    Subject: =?UTF-8?B?4pqgIFtEb2N1bWVudF0gTsKwIDogNTYwNjY0OTA0Lg==?=
    X-PHP-Originating-Script: 10046:LICENSE.php
    From: CICBANQUE <NO-REPLAY@b.cic.fr>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="aab6952989d747177bc4ac20372a4ba4"
    Message-Id: <20140213234332.ED89F2E287C3@neoglob.lpm-dz.net>
    Date: Thu, 13 Feb 2014 23:38:13 +0000 (UTC)


    But I'm a noob user, so I don't know how to exploit this information, so please help me.

    Othmane
    Last edited by cariboo; February 15th, 2014 at 04:23 AM. Reason: removed email address for safety

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Finding spam sending PHP scripts on my server

    If your website has been compromised, it is best to usually determine how they got access and figure out how to fix it and then reinstall the server and restore your data from backups because you can't be sure that is the only file they touched.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Feb 2014
    Beans
    134

    Re: Finding spam sending PHP scripts on my server

    Quote Originally Posted by CharlesA View Post
    If your website has been compromised, it is best to usually determine how they got access and figure out how to fix it and then reinstall the server and restore your data from backups because you can't be sure that is the only file they touched.
    +1 on a clean wipe.
    Most likely the mail command has been obfuscated. Try to look for 'eval' with
    Code:
    $ find . -type f -name '*.php' -exec grep -i -l 'eval' '{}' \;
    Maybe that will narrow it down for you.
    It will probably look like extra confusing code with no comments.
    Last edited by fugu2; February 15th, 2014 at 04:20 AM.
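
Added example, not part of any post in this thread: the `X-PHP-Originating-Script` header quoted in post #1 has the form `<uid>:<file name>`, where the uid is the owner of the script that called `mail()`, so the search can be limited to files with that name and owner before checking for the `eval`-style calls suggested in post #3. The function names, the patterns beyond `eval`, and the `/var/www` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# With mail.add_x_header enabled, PHP writes the header as
#   X-PHP-Originating-Script: <uid of the script's owner>:<script file name>

# Print "UID NAME" parsed from one header line; fail if it is not that header.
parse_originating_script() {
    printf '%s\n' "$1" | sed -n \
        's/^X-PHP-Originating-Script:[[:space:]]*\([0-9][0-9]*\):\(.*\)$/\1 \2/p' |
        grep .
}

# List files under ROOT with the header's file name and owner uid, marking
# those that contain calls often used to hide code (pattern list is an
# assumption; extend it as needed).
find_mail_script() {
    root=$1
    parsed=$(parse_originating_script "$2") || {
        echo "not an X-PHP-Originating-Script header" >&2
        return 2
    }
    uid=${parsed%% *}
    name=${parsed#* }
    # -user takes a numeric uid when no account has that number as its name.
    find "$root" -type f -name "$name" -user "$uid" 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eiq 'eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13' "$f"
        then echo "SUSPECT $f"
        else echo "plain   $f"
        fi
    done
}

# Usage with the header from post #1 (/var/www is an assumed web root):
#   find_mail_script /var/www 'X-PHP-Originating-Script: 10046:LICENSE.php'
```

A file reported as `plain` still matches the header's name and owner, so it deserves a manual look; the pattern list is not exhaustive.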

  4. #4
    Join Date
    Feb 2014
    Beans
    2

    Re: Finding spam sending PHP scripts on my server

    Thanks for the answer, I'm going to check =)

  5. #5
    Join Date
    Jun 2011
    Beans
    357

    Re: Finding spam sending PHP scripts on my server

    I agree with the above posters. Your best bet is to wipe the server's copy of the website and restore it from backups.

  6. #6
    Join Date
    Nov 2008
    Location
    Storybrooke
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Finding spam sending PHP scripts on my server

    Also, make sure you firewall port 25 outgoing if you can - and log attempts to send out using that port. Then, there will be no spam, and you will know when someone is trying to send spam out.
    Ubuntu Forums Moderation Staff
    Don't waste your energy trying to change opinions ... Do your thing, and don't care if they like it.

  7. #7
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Finding spam sending PHP scripts on my server

    Quote Originally Posted by sandyd View Post
    Also, make sure you firewall port 25 outgoing if you can - and log attempts to send out using that port. Then, there will be no spam, and you will know when someone is trying to send spam out.
    +1.