Find source of abuse

datznoah (Verified User, joined Mar 14, 2021, 5 messages)
I am having an issue where there is abuse detected coming from our IP, more specifically someone is brute forcing mail servers from what I can tell.

I have upgraded our Imunify360 license and settings just thinking this was some malware on someone’s domain and thought that would be that, but unfortunately abuse reports are still coming in. I’m having a really hard time tracking down which account is doing this and going through every account has basically been ruled out for time’s sake.

Any suggestions for ways to figure out the cause? Anyone have a similar experience?
 
Starting with your mail logs is your first option, but I have found a copy & paste in my scrapbook, maybe it helps

There is an easy method to find spammer PHP scripts in your home path. DirectAdmin logs these spammer scripts which are using phpmailer or similar things. To find them:

Go to your home path
cd /home
Find your log files
find ./ -type f -size +1k -name "php-mail.log"
After this find operation, you can see your log files. It means users that have this log file could be the potential spammers.

Tail your log file.
tail -f /home/user/.php/php-mail.log


You can see spammer scripts!!
mail() on [/home/user/domains/domain.com.tr/public_html/modules/mod_users_latest/files.php(1947) : eval()'d code:775]: To: [email protected] -- Headers: Date: Sat, 28 Jan 2017 15:51:47 +0300 From: Flora <[email protected]> Message-ID: <[email protected]> X-Priority: 3 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_3f796c9fb6de893f060882897f360bea" Content-Transfer-Encoding: 8bit
Remove this piece of shit.
rm /home/user/domains/domain.com.tr/public_html/modules/mod_users_latest/files.php
You can easily get rid of these spammer scripts using this method. Don't forget to clear your mail queue after this operation.
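With many accounts, tailing each log by hand is slow. The sketch below is an added example, not part of the original posts: it counts mail() calls per sending script across php-mail.log files in the format quoted above and flags scripts that send from eval()'d code. The function names and sample log lines are constructed, and the timestamp-prefixed line variant is an assumption.

```shell
#!/bin/sh
# Added example: rank PHP scripts by number of mail() calls logged in
# php-mail.log files. Function names are hypothetical, not a DirectAdmin tool.

# Reads the log files given as arguments (or stdin when none are given) and
# prints "count<TAB>EVAL|-<TAB>script", busiest script first.
summarize_php_mail() {
    awk '
    {
        start = index($0, "mail() on [")
        if (start == 0) next                     # not a mail() log entry
        rest = substr($0, start + 11)            # text after the opening bracket
        stop = index(rest, "]: To:")
        if (stop == 0) next
        src = substr(rest, 1, stop - 1)          # "file.php:42" or "file.php(N) : eval()..."
        script = src
        sub(/\([0-9]+\) : eval\(\).*$/, "", script)   # strip eval suffix
        sub(/:[0-9]+$/, "", script)                   # strip plain line number
        count[script]++
        if (index(src, "eval()") > 0) evalflag[script] = 1
    }
    END {
        for (s in count)
            printf "%d\t%s\t%s\n", count[s], (s in evalflag) ? "EVAL" : "-", s
    }' "$@" | sort -rn
}

# Constructed sample entries (not real log data). The last line carries a
# leading timestamp, which is an assumed variant of the format.
sample_log() {
    cat <<'EOF'
mail() on [/home/alice/domains/example.com/public_html/modules/x/files.php(1947) : eval()'d code:775]: To: a@example.net -- Headers: X-Priority: 3
mail() on [/home/alice/domains/example.com/public_html/modules/x/files.php(1947) : eval()'d code:775]: To: b@example.net -- Headers: X-Priority: 3
mail() on [/home/alice/domains/example.com/public_html/modules/x/files.php(1947) : eval()'d code:775]: To: c@example.net -- Headers: X-Priority: 3
[28-Jan-2017 15:51:47 UTC] mail() on [/home/bob/domains/example.org/public_html/contact.php:42]: To: owner@example.org -- Headers: From: form@example.org
EOF
}

# Demo on the constructed sample; on a server you would instead run:
#   summarize_php_mail /home/*/.php/php-mail.log
sample_log | summarize_php_mail
```

A high count combined with the EVAL flag points at the kind of injected script shown in the log excerpt above, while a low-volume contact form usually shows a plain file:line source.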
 