First time situation.

Bluejet

I received a message about a customer account mail relay and that there was a compromised WordPress script on their site. So I tried the following:

Suspending the email accounts, but it didn't work.
Blocking the IPs, but they seem to have changed faster than I could block them.

So, I finally suspended the customer's account and it seemed to work, although I am not sure that is what actually stopped it.

My questions are: Did I handle it correctly? Or is there a better way to fix it? Or is there a standard way to handle it?
 
If you put mail in the disabled_functions, then nobody can use PHP mail anymore.

Normally we also just suspend the user and have him change passwords and update scripts.

Also, it's a good idea to install Maldetect, because it can often find malicious scripts in websites, especially WordPress.
 
Also, in the DA email you can check the disk path from which the emails were sent and check this script.
And you can set a daily email limit of 1 email for this account, so you can unblock it and let the customer solve the problem.
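
The disk-path check mentioned in the last reply can also be done from the mail log. This is an added example, not part of the thread: it assumes an Exim-style main log in which locally submitted mail is recorded as `cwd=<directory> <n> args: ...`, and the function names and sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Rank the working directories that handed mail to the local MTA, so the
# sending script's location (and the owning account) can be identified.
# Assumption: Exim-style log lines "<date> <time> cwd=<dir> <n> args: <cmd>".

# Constructed sample log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
2022-05-25 10:00:01 cwd=/home/user1/domains/example.com/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-05-25 10:00:02 1nTabc-0001-AB <= user1@example.com U=user1 P=local S=1234
2022-05-25 10:00:03 cwd=/home/user1/domains/example.com/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-05-25 10:00:04 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1nTabc-0001-AB
2022-05-25 10:00:05 cwd=/home/user2/domains/example.org/public_html 3 args: /usr/sbin/sendmail -t -i
2022-05-25 10:00:06 cwd=/home/user1/domains/example.com/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF
}

# top_mail_dirs [logfile...]: read the log (or stdin) and print
# "count directory", busiest directory first. The MTA's own spool and "/"
# are skipped because those entries are queue runs, not website scripts.
top_mail_dirs() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^cwd=\//) {
          dir = substr($i, 5)            # strip the "cwd=" prefix
          if (dir != "/" && dir !~ /^\/var\/spool\//) count[dir]++
          break
        }
      }
    }
    END { for (d in count) printf "%d %s\n", count[d], d }
  ' "$@" | sort -k1,1nr -k2
}

# account_of <directory>: account name from a /home/<user>/... path
# (prints nothing for paths outside /home).
account_of() {
  printf '%s\n' "$1" | awk -F/ '$2 == "home" && $3 != "" { print $3 }'
}

# Demonstration on the constructed sample; on a server, pass the real log
# file to top_mail_dirs instead (its path depends on the installation).
sample_log | top_mail_dirs
```

A directory such as `wp-content/uploads` at the top of the list is a place to point Maldetect at first, and `account_of` gives the user to suspend or rate-limit.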
 