• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

How to locate a php script spammer on server with Plesk 11.5, CentOS, Postfix

hardbrasil

Regular Pleskian
Hi fellas, i would like to share how i find spammer on server,

Spammer that introduce a php script sometimes can get us a big headach to find them on all websites,

first of all,

1) Install a mailgraph on your server to monitor you postfix
http://mailgraph.schweikert.ch/
2) By this graphic you can have a visual about yout MTA health, is possible to see the amount of emails send and the grafic that represents a normal
behavior and an unsual situation. Comparing those you can see very fast is something wrong is happen.
3) Configure an queue allert on your MTA to send you an email if queue rise up 1000 emails (depends of volume that your server send emails you can put this alert more up or more down)

Now when your server start to send spam you can try all those procedures:

1) Go to "Tool and settings" > "Server-wide mail settings" > "Mail queue"
You gone see the domain that is used to send the spam msg

2) log to your ssh account an run this # last -n 100
to show you the latest 100 FTP access on server. My server has few domains 130, so is easy to see and help to discovery if the hacker use the FTP account to send files
i all of my cases he use a exploit on CMS, was never by FTP password.
So you can cross information if there is a FTP user access on the same domain that is sending spam

3) You can access the spammer domain ftp files and look for date modifications in files an folders.
Look into all folders that have chmod 777 and modified date on period of the spammer start,
will be easy to find those files and folders, generally they put on root httpdoc folder but sometimes they insert into a any folder.

3.1) Sometimes the hacker change the date i dont know how, but difficult even more to find those files.
In this case you can access through Plesk panel the domain account in question and access "Manage Log Files" than look for "access_log.processed"
than you gone find all files submitted by POST command and where they are!

4) To check if all files was killed, go to Mail Queue on admin Plesk, and press "refresh" on queue line, if the number drops and there is no Bounce new message,
mean that you remove the spammer

5) Now you need to fix the exploit, Change FTP and Database password, put 444 for configuration.php and look on Log file what is the folder that was exploited, there is a clue to start the investigation.

6) Note the IP and create a IP blacklist on Plesk Firewall, add it!

7) you can run this command on shell to locate those php scripts

scan report was created by running following command on a shell prompt.

maldet -a /var/www/vhosts/?/httpdocs/

Above command will scan httpdocs directory for all domains on the server. Scanning might take few hours depending on the data size that needs to be scan.
Once the scanning is completed, you will get a report id.

For example, when I executed the scan report id was 041535-0206.21942 and to view complete scan report you will need to execute following command:

maldet --report 041535-0206.21942

8) You have the suggestion of atomicturtle above that is very helpfull too
 
Last edited:
Back
Top