Twice now, I’ve had user accounts hacked, with PHP files installed that allow the hacker to send email out through our server. The first one was rather easy to detect and remove, but this second attack proved much more difficult. Here’s how I finally succeeded.
First, as all of my web servers relay mail out through a mail server, I put a block on the compromised web server’s IP address at the mail server, so the mail server would reject the spam and not send it on out. That stops the spam from leaving, but it also prevents legitimate mail from going out from that server until the block is lifted.
Second, I used:
sudo postsuper -d ALL
to wipe out all of the queued mail. I followed that up with:
sudo postqueue -p
to retrieve the mail headers and, more importantly, the Queue IDs. For any of the queued messages that are obviously junk:
sudo postcat -q ZZZ
where ZZZ is the Queue ID. The result of that command is a dump of the message, including the full headers. In there is the originating source of the message. In my case it was:
A search through my web logs turned up one place where this URL had been hit heavily (a CMS Made Simple site hosted here) but examining the file didn’t immediately show me anything from which I could draw a conclusion.
But… scanning that directory turned up some other files, including a nice little page the hackers used to send mail:
Further searching turned up another bit of trouble:
The customer (’s developer) has been informed and the files removed.
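The triage steps above (list the queue, pick out the junk, read the headers, then go hunting in the web logs) are easy to script so the next incident goes faster. The following is an added example, not part of the original post; every input is a constructed sample in the style of `postqueue -p`, `postcat -q` and an Apache combined access log. It assumes PHP on the web host had `mail.add_x_header = On`, which makes PHP stamp each message with an `X-PHP-Originating-Script: <uid>:<script>` header; the original post does not say which header gave away the source, so treat that part as an assumption. Paths, addresses and IPs are invented.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output (not from the original post).
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E*    4521 Mon Jan  1 10:00:00  www-data@webhost.example
                                         victim1@example.net
2B3C4D5E6F*    4518 Mon Jan  1 10:00:01  www-data@webhost.example
                                         victim2@example.net
3C4D5E6F70     1203 Mon Jan  1 09:50:00  alice@customer.example
                                         bob@example.org

-- 10 Kbytes in 3 Requests.'

# Constructed sample of `postcat -q <id>` output. The X-PHP-Originating-Script
# header is what PHP adds when mail.add_x_header is enabled (assumed here).
SAMPLE_MESSAGE='*** ENVELOPE RECORDS deferred/1/1A2B3C4D5E ***
message_size:            4521             272               1               0            4521
sender: www-data@webhost.example
*** MESSAGE CONTENTS deferred/1/1A2B3C4D5E ***
Received: by webhost.example (Postfix, from userid 33)
        id 1A2B3C4D5E; Mon,  1 Jan 2024 10:00:00 +0000 (UTC)
To: victim1@example.net
Subject: Urgent account notice
X-PHP-Originating-Script: 1001:mailer.php
Content-Type: text/plain

Please verify your account.'

# Constructed Apache combined-format access log lines.
SAMPLE_ACCESS_LOG='203.0.113.9 - - [01/Jan/2024:10:00:00 +0000] "POST /cms/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "POST /cms/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /cms/uploads/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Count queued messages per envelope sender, busiest first. A web-server
# account dominating the queue is the symptom the post describes.
# Live use: sender_counts "$(postqueue -p)"
sender_counts() {
    printf '%s\n' "$1" | awk '
        # Queue-ID lines start with a hex id, optionally followed by * or !
        /^[0-9A-F]+[*!]? / { print $NF }
    ' | sort | uniq -c | sort -rn
}

# List the Queue IDs for one sender, with the * / ! status flag stripped so
# they can be fed straight to `postcat -q` or `postsuper -d`.
# Live use: queue_ids_for_sender "$(postqueue -p)" www-data@webhost.example
queue_ids_for_sender() {
    printf '%s\n' "$1" | awk -v s="$2" '
        /^[0-9A-F]+[*!]? / && $NF == s { id = $1; sub(/[*!]$/, "", id); print id }
    '
}

# Pull the script name out of the X-PHP-Originating-Script header of a
# `postcat -q` dump (format is "<uid>:<script>"). Prints nothing if absent.
# Live use: originating_script "$(postcat -q 1A2B3C4D5E)"
originating_script() {
    printf '%s\n' "$1" | awk -F': ' '
        /^X-PHP-Originating-Script:/ { sub(/^[0-9]+:/, "", $2); print $2; exit }
    '
}

# Count hits on one request path per client IP, busiest first, to find who
# has been hammering the mailer script.
# Live use: hits_by_client "$(cat /var/log/apache2/access.log)" /cms/uploads/mailer.php
hits_by_client() {
    printf '%s\n' "$1" | awk -v p="$2" '$7 == p { print $1 }' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed samples.
echo "Queued messages per sender:"; sender_counts "$SAMPLE_QUEUE"
echo "Queue IDs from www-data:";     queue_ids_for_sender "$SAMPLE_QUEUE" www-data@webhost.example
echo "Originating script:";          originating_script "$SAMPLE_MESSAGE"
echo "Hits on the mailer script:";   hits_by_client "$SAMPLE_ACCESS_LOG" /cms/uploads/mailer.php
```

Feeding the Queue IDs from `queue_ids_for_sender` to `postsuper -d` one at a time is gentler than `postsuper -d ALL`, since it leaves the legitimate queued mail (the `alice@customer.example` message in the sample) untouched while the block at the relay is in place.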