admin account used for spam

Bramus (Verified User; joined Jun 19, 2008; 20 messages; location: The Netherlands)
Seems like one of my servers has been compromised and from the "admin" user a lot of emails were sent / are still being sent.

I checked with Malware Detect and there were some strange php scripts; I removed all of these scripts.
I changed the admin password to a new password.
I changed all the e-mail account passwords to a new password.

But still there are a lot of mails going out of the system (yes, I cleaned the queue). But when I look in /var/spool/exim/ there are a lot of mails being sent from @domain.com of the server with different names.

The headers tell me it is the user "admin", sending from Exim directly. I added IPs to the CSF Deny that had open connections and were not familiar, but it seems like mail is still going out.

Does anyone have an idea / can help me find the cause / script that is sending the mails?
 
I'm not clear on whether the email is being sent through a connection to the server port or through the sendmail interface. You can block 127.0.0.1 from being able to send through a port connection. You can also block the sendmail interface. However, either will result in problems with other server email, so be careful what you decide to do.

Jeff
 
Some files come to mind which you can check and which haven't been mentioned in this thread:

/var/log/exim/mainlog
/home/admin/.php/php-mail.log
/home/admin/.php/php-mail.log.1 through 4
 
You can also check some mail in the mailqueue with the mailqueue editor, see if the mail is authenticated mail.
If it is, also check the computer that admin is using with anti malware tools and change passwords again afterwards.
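Jeff's question (port connection vs. sendmail interface) and the suggestion to look at /var/log/exim/mainlog can both be answered from the same log: each Exim "<=" arrival line records whether a message came in through an authenticated SMTP session (A=login:user, with the client IP in brackets) or through the local sendmail/pipe path (U=user P=local), which is what PHP's mail() uses. The script below is an added example, not code from this thread or from DirectAdmin; it assumes Exim's standard mainlog field names and runs over a constructed sample of log lines embedded inline, counting submissions per path and identity so the dominant source stands out.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not taken from the thread). They use
# Exim's standard "<=" arrival-line fields: A= is the SMTP authenticator and
# login name, U= the local Unix user, P=local marks a sendmail/pipe submission
# and H=(...) [ip] is the connecting host for SMTP submissions.
SAMPLE_MAINLOG = """\
2024-05-01 10:00:01 1sAAAA-0001aa-Xy <= admin@domain.example U=admin P=local S=2048 id=a1@domain.example
2024-05-01 10:00:02 1sAAAA-0001ab-Xy <= admin@domain.example U=admin P=local S=2050 id=a2@domain.example
2024-05-01 10:00:05 1sAAAA-0001ac-Xy <= user@domain.example H=(mail.example) [203.0.113.10] P=esmtpa A=login:user S=1500 id=b1@domain.example
2024-05-01 10:00:07 1sAAAA-0001ad-Xy => bob@other.example R=lookuphost T=remote_smtp H=mx.other.example [198.51.100.5]
2024-05-01 10:00:09 1sAAAA-0001ae-Xy <= admin@domain.example H=(pc) [192.0.2.7] P=esmtpa A=login:admin S=900 id=c1@domain.example
"""

# Only "<=" lines describe a message entering the queue; "=>" lines are deliveries.
ARRIVAL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def classify_arrival(line):
    """Return (kind, who, ip) for an Exim "<=" arrival line, or None for other lines.

    kind is "local" for sendmail/pipe submissions (the PHP mail() path),
    "smtp-auth" for SMTP submissions with a successful authentication,
    and "smtp-unauth" for SMTP submissions without authentication.
    """
    m = ARRIVAL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    # Tokens of the form key=value; bracketed IPs and hostnames carry no "=" and are skipped.
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    ip_match = IP_RE.search(rest)
    ip = ip_match.group(1) if ip_match else None
    if "A" in fields:
        return ("smtp-auth", fields["A"], ip)
    if fields.get("P") == "local":
        return ("local", fields.get("U", "?"), ip)
    return ("smtp-unauth", m.group("sender"), ip)


def summarize_origins(log_text):
    """Count arrivals per (kind, who) so the dominant submission path stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        origin = classify_arrival(line)
        if origin:
            counts[(origin[0], origin[1])] += 1
    return counts


if __name__ == "__main__":
    for (kind, who), n in summarize_origins(SAMPLE_MAINLOG).most_common():
        print(f"{n:5d}  {kind:10s} {who}")
```

On a real server, replace SAMPLE_MAINLOG with the contents of /var/log/exim/mainlog (the rotated copies too). A large "local admin" count points at a script on disk using the sendmail path, so the DirectAdmin php-mail.log files listed above are the next place to look; a large "smtp-auth login:admin" count from an unfamiliar IP means the admin credentials themselves are being used, which is the case where checking the admin's own computer and rotating passwords again matters.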
 