I have a cPanel machine hosted for my customers. One customer is being missused, sending spam via a PHP Script. If I look in to my EXIM Mail queue there is a lot of Spam getting sent.
How can I locate the Script sending those mails?
If I go into detail with one mail, the X-PHP-SCRIPT is only “domain.tld/”
Here an Example:
Date:
Tue, 12 Apr 2016 07:00:12 +0000
From:
Stacey Ruiz <stacey_ruiz@domain.tld>
To:
frogleg3354@yahoo.com
Subject:
F$ck me deeply in my m0uth
Content-Transfer-Encoding:
8bit
Content-Type:
multipart/alternative;
boundary="b1_6b6f51ba2d97b6f13cdd28de69a7fce8"
Message-ID:
<6b6f51ba2d97b6f13cdd28de69a7fce8@domain.tld>
MIME-Version:
1.0
Received:
from ctm by cpanel-1.myserver.tld with local (Exim 4.86_1)
(envelope-from <stacey_ruiz@domain.tld>)
id 1apsJ2-0000aK-Fz
for frogleg3354@yahoo.com; Tue, 12 Apr 2016 09:00:12 +0200
X-Mailer:
PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
X-PHP-Script:
domain.tld/ for 127.0.0.1
X-Priority:
3I obviosly replaced the domain of the customer with “domain.tld”.
I changed already all the Passwords for all E-Mail Addresses, User Accounts, deleted all FTP Accounts, made a Virus Check. The customer is using the newest Update of WordPress (Update 1 week ago). I changed the password there as well. The wordpress page was even ok! No extra user in the Database, that was not supposed to be there… How is it then possible, that a script is getting up to the server? And how can I locate it?
I tried to access the Admin Area and was missspelling the “wp-admin”… I found this:
Can anyone help me?
Cheers!
Niklas
