31 December 2015

How To Find The Source Of Spam Email Malware In Server


Mass-mailing (spam) malware is very common on cPanel/WHM based web servers. A compromised account sends mail in huge volumes, the server's IP ends up on blocklists, and legitimate mail from the server stops being delivered. The question is: how do we find the source of the spam on our web server?

Luckily, Linux ships with many useful and powerful tools. With grep, awk, sort and uniq over the Exim main log we can trace the spam back to the account and the directory it is sent from. Here are the steps :

1. Find out which accounts are sending mass mail. cPanel's Exim logs every local sendmail call together with the working directory of the calling process (cwd=/home/<user>/...), so counting those lines per user ranks the accounts. Command :
grep 'cwd=/home' /var/log/exim_mainlog  | awk -F/ '{print $3}' | sort | uniq -c | sort -n -k 1

We will get one line per account with the number of sendmail calls over the period covered by the current log, sorted ascending, so the heaviest sender is at the bottom. A normal account sends a handful of messages; a compromised one stands out with a count far above the rest.

2. Seek the source directory for a suspect account. Filter the log by the account's home directory and by date (every Exim log line starts with the date). Anchoring the pattern on cwd=/home/user/ avoids matching the user name where it also appears in addresses on the "<=" message lines. Command :

grep 'cwd=/home/user/' /var/log/exim_mainlog | grep '^date'

Example :

grep 'cwd=/home/forumriau/' /var/log/exim_mainlog | grep '^2015-12-31'

The cwd= field of each matching line is the working directory of the process that called sendmail. For PHP run through Apache that is the directory of the executing script, so the output points at the location of the malware, in this case :
/home/forumriau/public_html/wp-admin/network

Note that wp-admin/network is a normal directory of a WordPress install, so the spam script has been dropped among legitimate files; look for recently modified or oddly named PHP files in that directory to identify the script itself.

3. Neutralise the source by stripping all permissions from the directory and making it immutable, so the script can no longer run and the attacker cannot rewrite it. Both commands need root; use the path found in step 2. Command :
chmod -Rf 0000 /home/forumriau/public_html/wp-admin/network
chattr -R +i /home/forumriau/public_html/wp-admin/network

This stops the sending but does not clean the account: the immutable flag has to be removed again (chattr -i) before the files can be deleted or restored, a 0000 directory inside wp-admin breaks parts of the site until it is restored, and the way the attacker got in (an outdated WordPress core, plugin or theme, or a stolen password) still has to be fixed, or the spam script simply comes back.

4. Repeat steps 2 and 3 for every account that stood out in step 1.
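The whole detection procedure (steps 1 and 2) as shell functions, added here as a worked example; it is not code from the original post. It runs over a constructed exim_mainlog excerpt so it can be tried offline; on a real server pass /var/log/exim_mainlog instead. It goes slightly beyond the post's commands: the account name is taken from the cwd= token itself, which also copes with a bare cwd=/home/<user> working directory, and the per-user search is anchored so that "forumriau" does not match "forumriau2" or an address on a "<=" line. All user names, paths, message IDs and timestamps below are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps steps 1 and 2 of the
# procedure as shell functions and runs them over a constructed excerpt of
# cPanel's Exim main log. Every name, path and timestamp here is invented.

LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$LOG"' EXIT

# Constructed log excerpt. cPanel's Exim writes a "cwd=<dir> N args: ..." line
# for every local sendmail(8) call; the "<=" line after it is the message
# itself and must NOT be counted, which is why the bare user name is never
# grepped for.
cat > "$LOG" <<'EOF'
2015-12-30 23:59:00 cwd=/home/forumriau/public_html/wp-admin/network 3 args: /usr/sbin/sendmail -t -i
2015-12-31 10:12:01 cwd=/home/forumriau/public_html/wp-admin/network 3 args: /usr/sbin/sendmail -t -i
2015-12-31 10:12:01 1aDxyz-0001Ab-Cd <= forumriau@example.com U=forumriau P=local S=1234
2015-12-31 10:12:02 cwd=/home/forumriau/public_html/wp-admin/network 3 args: /usr/sbin/sendmail -t -i
2015-12-31 10:12:03 cwd=/home/forumriau/public_html/wp-admin/network 3 args: /usr/sbin/sendmail -t -i
2015-12-31 10:15:00 cwd=/home/goodsite/public_html 3 args: /usr/sbin/sendmail -t -i
2015-12-31 10:30:00 cwd=/home/forumriau2 3 args: /usr/sbin/sendmail -t -i
2015-12-31 11:00:00 cwd=/home/othersite/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2015-12-31 11:00:01 cwd=/home/othersite/public_html/contact 3 args: /usr/sbin/sendmail -t -i
EOF

# Step 1: sendmail calls per cPanel account, lightest first, heaviest last.
# The account is the path element right after /home/ in the cwd= token.
# Splitting that token (instead of the whole line with awk -F/) also handles
# a bare cwd=/home/<user> working directory.
senders_by_user() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^cwd=\/home\//) { split($i, p, "/"); print p[3] } }' "$1" \
    | sort | uniq -c | sort -n -k 1
}

# The single heaviest sender: the last line of the list above.
top_sender() {
    senders_by_user "$1" | tail -n 1 | awk '{ print $2 }'
}

# Step 2: for one account on one day (YYYY-MM-DD), the working directories
# mail was sent from, most frequent last. The pattern is anchored on
# /home/<user> followed by "/" or end of token, so a prefix of another
# user name is not matched. cPanel user names are alphanumeric, so the
# name needs no regex escaping.
paths_for_user() {
    awk -v user="$2" -v day="$3" '
        $1 == day {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("^cwd=/home/" user "(/|$)")) { sub(/^cwd=/, "", $i); print $i }
        }' "$1" \
    | sort | uniq -c | sort -n -k 1
}

# Demo run over the constructed log.
echo "== sendmail calls per account =="
senders_by_user "$LOG"
u=$(top_sender "$LOG")
echo "== directories used by $u on 2015-12-31 =="
paths_for_user "$LOG" "$u" 2015-12-31
```

The last line printed by paths_for_user is the directory to take to step 3; on a real server, run the functions against /var/log/exim_mainlog as root, and remember that the count covers whatever period the current (rotated) log spans, not exactly one day, unless the date filter of paths_for_user is used.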
