My server send spam

Discussion in 'General' started by toux, Dec 9, 2010.

  1. toux

    toux New Member

    My server is sending spam emails.
    I change the password, I see on ssh file explorer, and I can't see mailing script, I desactiavet the mail function on php.ini, but still sneding emails.

    And I have strange images on a directory.

    Is there a solution, without format and reinstall?

    Thank you
     
  2. till

    till Super Moderator

    First you should check the system with the rkhunter and chkrootkit programs.
     
  3. toux

    toux New Member

    Hello Till,

    Thank you very much, I just installed Rkhunter and I see a good number of warings here:

    Performing file properties checks

    In

    Checking for rootkits...

    Performing check of known rootkit files and directories

    All green [not found]
    Here the summary:
    System checks summary
    =====================

    File properties checks...
    Required commands check failed
    Files checked: 137
    Suspect files: 34

    Rootkit checks...
    Rootkits checked : 245
    Possible rootkits: 1
    Rootkit names : Xzibit Rootkit

    Applications checks...
    Applications checked: 4
    Suspect applications: 4

    The system checks took: 1 minute and 11 seconds

    I run chkrootkit-0.49 and not show nothing infected and all good.

    How can I fix this errors? and prevent the spam, and the strange images upload.

    Thank you

    Toux
     
    Last edited: Dec 9, 2010
  4. edge

    edge HowtoForge Supporter

    The best thing to do is take the server off-line, and do a reinstall!

    If your server has been compromised to/by a hacker, the hacker could have added many ways to access your server.

    So if you fix one problem, the other might still be there and beeing abused by the hacker(s)
     
  5. Olgierd

    Olgierd New Member

    you check what proccess i to active on your server and stop it, then chceck why. Spam can be send by cgi script for example.

    You download all log files on your desktop and analize it. Check who use shell, ftp last time and what was change. Check you upgrade.

    you disable fopen in php.ini for suphp, fast-cgi etc.

    If a hacker has no access to root, you have chance fix the server, other way is better reinstall all.
     

Share This Page