Creation of spam scripts

MikeVrind (Verified User, joined Oct 12, 2008, 47 messages, location: Netherlands)
One of my users is having some trouble with a spam script on his website.
After deleting the file, another file got uploaded a couple of days later. It obviously makes little sense to look for suspicious files every time and then remove them.

But how can I find out how a file is created? The owner of the files is 'apache'.
So I can rule out that the FTP information for this user is being abused...

Each file gets uploaded in a directory that is chmodded to '0777' so the user himself can upload images and other files via an editor.
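A quick audit for the two facts in this post (a 0777 upload directory and files owned by the web server account), as an added example that is not code from the thread or from DirectAdmin: the script walks a document root, lists every directory with the world-write bit set, and lists script-like files owned by a given uid (the uid of 'apache' on a real box; the demo tree and the uid it checks against are constructed here so it runs anywhere). Paths and file names in the demo tree are assumptions.

```python
"""Audit a docroot for world-writable directories and web-server-owned scripts.
Added example, not from the thread. The demo tree is constructed in a temp dir."""
import os
import pwd
import stat
import tempfile


def world_writable_dirs(root):
    """Directories below root whose mode has the 'other write' bit (e.g. 0777)."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            st = os.lstat(p)
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(p, root))
    return sorted(found)


def files_owned_by(root, uid=None, suffixes=(".php", ".phtml", ".pl", ".cgi")):
    """Script-like regular files below root owned by uid. In an image upload
    directory a .php owned by the web server account is what to look at first.
    uid defaults to the current user so the demo works without an 'apache' account."""
    if uid is None:
        uid = os.getuid()
    found = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            p = os.path.join(dirpath, f)
            st = os.lstat(p)
            if (stat.S_ISREG(st.st_mode) and st.st_uid == uid
                    and f.lower().endswith(suffixes)):
                found.append(os.path.relpath(p, root))
    return sorted(found)


def build_demo_tree():
    """Constructed docroot: images/upload is chmod 0777 and holds a stray x.php
    next to a legitimate image; index.php and css/ are normal."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "images", "upload"))
    os.chmod(os.path.join(root, "images", "upload"), 0o777)
    os.makedirs(os.path.join(root, "css"))
    for rel in ("index.php", "images/upload/logo.png",
                "images/upload/x.php", "css/site.css"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed placeholder\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("world-writable dirs:", world_writable_dirs(root))
    # On a real server: uid of the web server account, e.g. 'apache' (assumed name).
    try:
        web_uid = pwd.getpwnam("apache").pw_uid
    except KeyError:
        web_uid = os.getuid()  # demo fallback: check files owned by ourselves
    print("scripts owned by uid %d:" % web_uid, files_owned_by(root, web_uid))
```

Run it against /home/USER/domains/DOMAIN/public_html (placeholder path) instead of the demo tree; any hit from the second list inside a directory from the first list is the combination the original post describes.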
 
Use mod_ruid2. And tell your user to update his CMS (I suppose he does use one of those).

Search this forum for mod_ruid2; this will prevent folders (and files, of course) from needing (and having) 777 permissions, and all uploaded files will be under owner "user" (the user owner of the website).

Regards
 
each file gets uploaded in a directory that is chmodded to '0777' so the user himself can upload images and other files via an editor.

I'd guess all files are uploaded either via FTP (check the FTP logs) or by Apache.
If by Apache, then the POST method was used to upload the file (in most cases that's true).

I presume the file is uploaded into a directory within public_html, so grep all records which contain POST in the Apache logs and manually read them line by line in order to find anything unusual. Note you should read the Apache logs for the day during which the file was uploaded (check the created date). Also you can grep all records from Apache which include requests for that file. If somebody has uploaded a malicious file, he would try to access it via HTTP/HTTPS, so find his IP(s). Then grep all records for that IP(s) from the logs and study them carefully.

That can help you to find the point of entry, or a bugged script. Also you might have other malicious scripts; most of them can be found with maldet (http://www.directadmin.com/forum/showthread.php?t=42393&p=216079#post216079)

If you run this

Code:
maldet -a /home/?/domains/?/public_html

you might be surprised how many malicious scripts you've got there.

Note, I'm available for this kind of job, as well as other posters here, including Andrea.
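The log triage described in this reply, as an added example that is not code from the thread or from DirectAdmin: a Python script that parses Apache combined-format access log lines, lists the POSTs on the day the file appeared, collects the IPs that later requested the planted file, pulls every record for those IPs, and for each of them reports the POST targets it hit before first touching the file (the likely point of entry). The embedded log lines, IPs, paths and the log format are all constructed or assumed.

```python
"""Apache access-log triage for a planted script. Added example, not from the thread."""
import re

# Constructed sample of Apache "combined" format lines; every IP and path is
# made up. 198.51.100.23 POSTs to an editor upload endpoint, then requests the
# planted /images/upload/x.php; 192.0.2.77 later POSTs to it; 203.0.113.5 is
# an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2008:09:12:01 +0200] "GET /index.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Oct/2008:09:13:40 +0200] "GET /editor/upload.php HTTP/1.1" 200 1202 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Oct/2008:09:13:58 +0200] "POST /editor/upload.php HTTP/1.1" 200 87 "-" "Mozilla/4.0"
203.0.113.5 - - [14/Oct/2008:09:14:10 +0200] "POST /contact.php HTTP/1.1" 302 0 "http://example.test/contact.php" "Mozilla/5.0"
198.51.100.23 - - [14/Oct/2008:09:14:22 +0200] "GET /images/upload/x.php HTTP/1.1" 200 15 "-" "Mozilla/4.0"
192.0.2.77 - - [14/Oct/2008:11:02:05 +0200] "POST /images/upload/x.php HTTP/1.1" 200 2201 "-" "curl/7.19"
203.0.113.5 - - [15/Oct/2008:08:00:00 +0200] "GET /index.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
"""

# Combined format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Parse log text into dicts, keeping log order; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["day"] = e["ts"].split(":", 1)[0]      # e.g. '14/Oct/2008'
        e["file"] = e["path"].split("?", 1)[0]   # path without the query string
        entries.append(e)
    return entries


def posts_on_day(entries, day):
    """Step 1: every POST on the day the file's creation date points at."""
    return [e for e in entries if e["method"] == "POST" and e["day"] == day]


def _hits(e, planted):
    return e["file"] == planted or e["file"].endswith("/" + planted)


def ips_requesting(entries, planted):
    """Step 2: whoever planted the file comes back for it over HTTP/HTTPS."""
    return sorted({e["ip"] for e in entries if _hits(e, planted)})


def records_for_ips(entries, ips):
    """Step 3: the full history of those IPs, to be read line by line."""
    wanted = set(ips)
    return [e for e in entries if e["ip"] in wanted]


def entry_candidates(entries, suspects, planted):
    """For each suspect, the POST targets it hit before first touching the planted
    file: the most likely point of entry (an upload handler or a bugged script)."""
    out = {}
    for ip in suspects:
        own = [e for e in entries if e["ip"] == ip]
        first = next((i for i, e in enumerate(own) if _hits(e, planted)), len(own))
        out[ip] = [e["file"] for e in own[:first] if e["method"] == "POST"]
    return out


def triage(text, day, planted):
    entries = parse_log(text)
    suspects = ips_requesting(entries, planted)
    return {
        "posts_that_day": posts_on_day(entries, day),
        "suspect_ips": suspects,
        "suspect_activity": records_for_ips(entries, suspects),
        "entry_candidates": entry_candidates(entries, suspects, planted),
    }


if __name__ == "__main__":
    # On a real server replace SAMPLE_LOG with the domain's access log contents
    # (placeholder path): open("/path/to/domain-access.log").read()
    report = triage(SAMPLE_LOG, "14/Oct/2008", "x.php")
    for key in ("posts_that_day", "suspect_activity"):
        print(key)
        for e in report[key]:
            print("  ", e["ip"], e["ts"], e["method"], e["path"], e["status"])
    print("suspect IPs:", report["suspect_ips"])
    print("entry candidates:", report["entry_candidates"])
```

The query string is stripped before matching so that requests like `x.php?foo=bar` still count as hits on the planted file; the day filter uses the log's own `dd/Mon/yyyy` prefix, so pass the date in that form.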
 
Right you are, but still there is a possibility that a PHP shell was uploaded by FTP, and other files created with this PHP shell will be owned by Apache on such a server (which has no mod_ruid2 installed and is not running suPHP).
 