Detecting PHP email spam scripts on your server

In this article I describe how to identify PHP scripts that are being used for email spamming through a Postfix mail server on a Debian-based system.

Last week I noticed an abnormally high workload on my server, which caused the FastCGI PHP instances to stop working properly. Browsers were noticeably receiving HTTP 500 error pages.

When I started investigating the problem, I found that there was no rootkit installed on my server, but the mail server load was distinctly above average.

So I listed all emails that were currently in the mail queue:

There were a lot of spam mails in the queue (requests: 211122) that had not been delivered yet. Based on the feedback contained in some of those mails, I learned that my server had been blacklisted for mail spamming. You can check whether your server is blacklisted at mxtoolbox.com.

In my case, a lot of the mails were sent from three different domains that I am hosting.

To get more information about those mails, you can display them by their queue ID with postcat, as shown below:

Taking a closer look at line 14, where the header "X-PHP-Originating-Script" is shown, you get the information where this mail originated from.

In that case, a script named stats.php, belonging to the user with ID 10001, was used for sending this mail. You might have to check several of your mails to find all spam-sending scripts on your server. If this information is not shown, check another article about the necessary changes to your PHP configuration.

First we check which username is hidden behind that user ID.

In that case, a user called "USERNAME" owns the spam-sending script. In the next step we check whether there is a script called stats.php that belongs to that user.

This works for me because I name the virtual host web directories after the username. Otherwise, you can try to find the script in another way:
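The steps above (list the queue, dump each message with postcat, read the X-PHP-Originating-Script header, resolve the uid to a username, locate the script) can be chained together. The following shell script is an added example and not code from the original article; the helper names, the /var/www web root and the sample postcat output at the bottom are my own constructed assumptions. It also prints the queue IDs per originating script, which gives a more selective alternative to the "delete everything" hint at the end of the article.

```shell
#!/bin/sh
# Added example (not from the original article): triage a Postfix queue for
# mail sent by PHP scripts. Parsing is kept in functions that read stdin, so
# it can be exercised on the constructed sample at the bottom; dump_queue,
# owner_of_uid and find_script talk to the live system.

# Dump every queued message. Sender lines in "postqueue -p" start with the
# queue ID, optionally suffixed by * (active) or ! (held).
dump_queue() {
    postqueue -p \
      | awk 'NF >= 5 && length($1) >= 8 && $1 ~ /^[0-9A-Za-z]+[*!]?$/ {
                 sub(/[*!]$/, "", $1); print $1 }' \
      | while read -r id; do postcat -q "$id"; done
}

# Read postcat output (one or more messages) from stdin and print
# "<queue-id> <uid>:<script>" for every message carrying the header.
# PHP only adds X-PHP-Originating-Script when mail.add_x_header=On in php.ini.
php_origins() {
    awk '
        /^\*\*\* ENVELOPE RECORDS / { n = split($4, p, "/"); id = p[n] }
        /^X-PHP-Originating-Script:/ && !seen[id]++ { print id, $2 }
    '
}

# Count queued messages per originating uid:script, most frequent first.
count_origins() {
    php_origins | awk '{ c[$2]++ } END { for (k in c) print c[k], k }' \
      | sort -k1,1nr -k2,2
}

# Queue IDs of all messages from one uid:script. Feeding them to
# "postsuper -d -" (reads IDs from stdin) removes only that script's mail
# instead of wiping the whole queue with "postsuper -d ALL".
queue_ids_for() {
    php_origins | awk -v want="$1" '$2 == want { print $1 }'
}

# uid -> username, and script name + owner -> path under the web root
# (assumed /var/www; pass a third argument to override).
owner_of_uid() { getent passwd "$1" | cut -d: -f1; }
find_script()  { find "${3:-/var/www}" -type f -name "$1" -user "$2" 2>/dev/null; }

# Constructed sample in the shape "postcat -q" prints, trimmed to the lines
# the parser needs: two messages from 10001:stats.php, one from
# 10003:contact.php and one ordinary mail without the header.
sample_postcat() {
    cat <<'EOF'
*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
Received: by mail.example.invalid (Postfix, from userid 33)
To: target1@example.invalid
X-PHP-Originating-Script: 10001:stats.php
*** MESSAGE FILE END deferred/A/A1B2C3D4E5 ***
*** ENVELOPE RECORDS deferred/B/B6C7D8E9F0 ***
*** MESSAGE CONTENTS deferred/B/B6C7D8E9F0 ***
To: target2@example.invalid
X-PHP-Originating-Script: 10001:stats.php
*** MESSAGE FILE END deferred/B/B6C7D8E9F0 ***
*** ENVELOPE RECORDS deferred/C/C1D2E3F4A5 ***
*** MESSAGE CONTENTS deferred/C/C1D2E3F4A5 ***
To: target3@example.invalid
X-PHP-Originating-Script: 10003:contact.php
*** MESSAGE FILE END deferred/C/C1D2E3F4A5 ***
*** ENVELOPE RECORDS deferred/D/D4E5F6A7B8 ***
*** MESSAGE CONTENTS deferred/D/D4E5F6A7B8 ***
From: admin@example.invalid
To: someone@example.invalid
Subject: Weekly report
*** MESSAGE FILE END deferred/D/D4E5F6A7B8 ***
EOF
}

# Offline demonstration on the constructed sample; on a real server replace
# sample_postcat with dump_queue.
sample_postcat | count_origins
sample_postcat | queue_ids_for 10001:stats.php
```

On a live server the pipeline is `dump_queue | count_origins` to see which uid:script pairs dominate the queue, then `owner_of_uid 10001` and `find_script stats.php USERNAME` to locate the file. Run `dump_queue` once into a file and feed that file to the parsing functions rather than dumping a queue of two hundred thousand messages repeatedly.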

You should now take a look at all of these scripts and check whether they contain suspicious code.

If a script consists of nothing but a preg_replace statement, it is very likely malicious.
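To find such files across a web root without opening each one by hand, here is an added shell scanner (not code from the original article). It flags a PHP file when preg_replace is called with a pattern literal carrying the /e modifier, or when the file is only a few lines long and still calls preg_replace. The web root, the file names and the sample tree it builds are constructed assumptions; it goes slightly beyond the text by also recognising /e behind other common delimiters such as # or ~.

```shell
#!/bin/sh
# Added example (not from the original article): flag PHP files that look
# like the preg_replace one-liners described in the text. Every hit must
# still be read by hand before anything is moved or deleted.

# Heuristic 1: preg_replace( "<delim>...<delim>e" with the /e modifier,
# possibly combined with other modifiers, single or double quoted.
E_MODIFIER="preg_replace[[:space:]]*\\([[:space:]]*[\"'][^\"']*[/#~|!][A-Za-z]*e[A-Za-z]*[\"']"

has_e_modifier() { grep -qE "$E_MODIFIER" "$1"; }

# Heuristic 2: at most three non-blank lines and one of them calls preg_replace.
is_tiny_preg_replace() {
    [ "$(grep -c '[^[:space:]]' "$1")" -le 3 ] && grep -q 'preg_replace' "$1"
}

# Walk a web root and print "<path><TAB><reason>" for each suspicious file.
suspicious_php_files() {
    find "$1" -type f -name '*.php' 2>/dev/null | sort | while read -r f; do
        if has_e_modifier "$f"; then
            printf '%s\tpreg_replace-with-/e\n' "$f"
        elif is_tiny_preg_replace "$f"; then
            printf '%s\ttiny-preg_replace-file\n' "$f"
        fi
    done
}

# Constructed sample tree: one injected-looking one-liner (no request input
# wired up), one legitimate multi-line use of preg_replace, one plain file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/USERNAME/htdocs/inc"
    printf '%s\n' '<?php preg_replace("/.*/e", $repl, ""); ?>' > "$d/USERNAME/htdocs/stats.php"
    cat > "$d/USERNAME/htdocs/inc/slug.php" <<'EOF'
<?php
function slugify($s) {
    $s = strtolower(trim($s));
    return preg_replace('/[^a-z0-9]+/', '-', $s);
}
EOF
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/USERNAME/htdocs/index.php"
    echo "$d"
}

# Offline demonstration; on a real server call suspicious_php_files /var/www.
d=$(make_sample_tree)
suspicious_php_files "$d"
rm -rf "$d"
```

Only stats.php is reported; slug.php uses preg_replace legitimately and is neither tiny nor using /e. The /e modifier evaluated the replacement string as PHP code in PHP 5 and was removed in PHP 7, so a hit on a PHP 5 host deserves immediate attention.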

You can move the scripts to another directory that is not reachable through your web server, or simply delete them.

Just a final hint:

If you really have a lot of mails in your queue, you can delete all mails in the Postfix mail queue with the following statement. But keep in mind that this will also delete the legitimate ones!


3 Comments

  1. Marcel, 14 January 2015 at 18:28

    I just had the same problem on my server. I was able to repair it with this tutorial and another one I found on the web. I had more than 10.000 mails in the postfix queue.

    So thanks for the help!

    • Sven Seiler, 16 January 2015 at 19:34

      You are welcome. Good to know I was able to help others with this issue, as well!
      Have a nice weekend
      Sven

  2. Juan Clearst, 1 February 2015 at 00:25

    While trying to solve this stupid issue I found your website. Thanks it worked for me.