Finding spam sending scripts in Plesk

I take great care in keeping client websites up to date with the latest security updates for their content management systems and plugins. I also take measures to ensure that sites hosted by me do not send email spam.

One of these measures is to implement “Outgoing Mail Control” within Plesk. This simply limits the number of emails that users can send via email accounts, their domains and subscriptions. This can be set server-wide but can also be overridden for individual domains.

However, I also try to ensure that sites use authenticated SMTP to send email rather than Sendmail, so that every outgoing message is tied to a mailbox login.

It was much to my surprise, therefore, that I started receiving notifications that one domain was trying to breach the outgoing mail sending limit by several hundred messages per hour.

I examined the domain and scanned it with a malware scanner, but everything looked normal. Of course a WordPress installation contains thousands of files, so it can be extremely difficult to spot suspicious-looking files.

As it happens, the domain didn’t need Sendmail enabled, so I disabled it, which immediately stopped the problem. However, I was concerned about the root cause of the issue and didn’t want to leave a malicious script on the site.

The warnings provided no clue as to who was sending the emails, where they were going or what the messages contained, so I had what appeared to be very little to go on.

It turns out it was quite easy to locate the offending script. By going to “Tools & Settings > Mail Server Settings > Mail Queue” I could see some of the offending messages still waiting to be sent.

Clicking on the message brought up the message headers which contained information similar to the following:

Received: by ******************* (Postfix, from userid 10043)
	id DEE07A026DD; Sat, 20 Jun 2015 20:07:09 +0000 (GMT)
Subject: 1 Pending Insta Affair Alert
X-PHP-Originating-Script: 10043:view41.php(1505) : eval()'d code
Date: Sat, 20 Jun 2015 21:07:09 +0100

The X-PHP-Originating-Script header identified the offending script as view41.php (the number before the colon is the Unix user ID the PHP process ran as, which matches the userid in the Received line). After locating this file I could see it contained malicious code and simply deleted it.
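The header PHP adds when its mail.add_x_header setting is on has a fixed shape, so the lookup above can be scripted instead of done by eye. The following is an added example, not part of the original post and not a Plesk or PHP tool: it parses the headers of a queued message (on a Postfix host they can be dumped with postcat -q QUEUE-ID), pulls out the user ID, script name and line number, and then walks a document root looking for files with that name owned by that user. Note that when the header ends in "eval()'d code", the line number is where the eval() call sits in the named file, not where mail() is called, and the script name is only a basename, which is why the filesystem search is needed. The sample headers are constructed (hostname replaced with a placeholder) and modelled on the ones shown above.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Shape of the header PHP writes when mail.add_x_header=On:
#   X-PHP-Originating-Script: <uid>:<script-basename>
#   X-PHP-Originating-Script: <uid>:<script-basename>(<line>) : eval()'d code
X_PHP_RE = re.compile(
    r"^X-PHP-Originating-Script:\s*(?P<uid>\d+):(?P<script>[^()\r\n]+?)"
    r"(?:\((?P<line>\d+)\)\s*:\s*(?P<context>.*?))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Postfix's own Received line records the local userid that submitted the message.
RECEIVED_UID_RE = re.compile(
    r"^Received: by .*?\(Postfix, from userid (?P<uid>\d+)\)", re.MULTILINE
)

# Constructed sample, modelled on the headers quoted in the post above.
SAMPLE_HEADERS = """\
Received: by mail.example.invalid (Postfix, from userid 10043)
    id DEE07A026DD; Sat, 20 Jun 2015 20:07:09 +0000 (GMT)
Subject: (constructed sample subject)
X-PHP-Originating-Script: 10043:view41.php(1505) : eval()'d code
Date: Sat, 20 Jun 2015 21:07:09 +0100
"""


@dataclass
class OriginatingScript:
    uid: int            # Unix uid the PHP process ran as
    script: str         # basename only; PHP does not record the full path
    line: Optional[int]  # line of the eval() call when evald is True
    evald: bool         # mail() was called from inside eval()'d code


def parse_originating_script(headers: str) -> Optional[OriginatingScript]:
    """Extract the X-PHP-Originating-Script header, or None if absent."""
    m = X_PHP_RE.search(headers)
    if not m:
        return None
    line = m.group("line")
    context = m.group("context") or ""
    return OriginatingScript(
        uid=int(m.group("uid")),
        script=m.group("script").strip(),
        line=int(line) if line else None,
        evald="eval()'d code" in context,
    )


def parse_received_uid(headers: str) -> Optional[int]:
    """Return the submitting userid recorded by Postfix, if present."""
    m = RECEIVED_UID_RE.search(headers)
    return int(m.group("uid")) if m else None


def find_candidates(root: str, basename: str, uid: Optional[int] = None) -> List[str]:
    """Walk `root` for files called `basename`, optionally owned by `uid`.

    Because the header only carries a basename, several files may match;
    the uid filter narrows the search to the subscription that sent the mail.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if basename in files:
            path = os.path.join(dirpath, basename)
            if uid is None or os.stat(path).st_uid == uid:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: postcat -q QUEUE-ID | python3 find_origin.py /var/www/vhosts
    # With no piped input the constructed sample headers are used.
    headers = SAMPLE_HEADERS if sys.stdin.isatty() else sys.stdin.read()
    origin = parse_originating_script(headers)
    if origin is None:
        sys.exit("no X-PHP-Originating-Script header; mail.add_x_header may be off")
    print(f"uid={origin.uid} script={origin.script} line={origin.line} evald={origin.evald}")
    if parse_received_uid(headers) not in (None, origin.uid):
        print("warning: Received userid differs from X-PHP uid")
    if len(sys.argv) > 1:
        for path in find_candidates(sys.argv[1], origin.script, origin.uid):
            print("candidate:", path)
```

The uid filter matters on a shared Plesk host: every subscription runs PHP as its own system user, so restricting the search to files owned by that uid points straight at the subscription the notifications were about.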

To be on the safe side I also changed the FTP and login passwords for the account.
