Spam & Viruses

Learner (Verified User; joined Jul 13, 2023; 38 messages)
Hi,

I installed ClamAV and SpamAssassin (hope I wrote that correctly; English is not my main language).

I am trying to run it, but I have something like a Trojan horse on the server: the main website of my business keeps sending spam mails, and on some websites my virus scanner gives a Trojan warning.

Could someone guide me through how to stop and prevent this? I'm not sure I did everything correctly; I don't think so, because the problem keeps popping up.

Thank you so much in advance for the help.
 
Trojan Horse on the server and my main website of my business is keep sending spam mails and some websites my virus scanner gives a warning of Trojan.

SpamAssassin is not going to help; BlockCracking maybe. Maldet, ClamAV or Rootkit Hunter can help, but there is no guarantee.
First check your logs to see who the abuser is; mostly it's a script on the website, or the email credentials have been leaked.

 
I would for sure install ClamAV and install Maldetect like @Active8 said.
Mostly they can detect and remove most of the culprits.

However, often it can come back due to the use of a leaked script. Maldetect can point to which script or theme it is, and then you can update or remove it.
It's no guarantee indeed, but often this will fix things, combined with your own insight in removing the malicious scripts and leaked themes and/or scripts.
 
I still have the Trojan horse on one of my websites, plus it keeps sending spam; now with Gmail some mails experience a bounce.

Kind of a n00b here, that is why name = learner hehe

I know some basic Linux and the logic of a VPS, but not well enough to protect myself against this and solve the issues mentioned above.
 
Have you installed Maldetect like @Active8 advised? If yes, then run it and look at the logs.
Normally, if configured correctly, it will remove the malware; however, the cause of the malware can still be there. That can be a malicious script, or a leaked script or theme in WordPress, for example.
I would just suspend that one website until the issue is resolved, to begin with.
 
Yes I did; now I am scanning with the command

Code:
maldet -a /

Taking forever.
 
Logically. Why not only scan the home directories, or even that one website if it's only that website?
Because it's seldom that a piece of malware gets to the OS.

maldet -a /home/user/
or for all home directories
maldet -a /home/

Speed also depends on your resources, like CPU and RAM.
 
Dumb, that indeed went faster!

But I think the resources are good:

4 x 2.2 GHz CPU
5,120 MB RAM
200 GB SSD
200 GB Backup space
10 TB Traffic

Result of the scan

Code:
[root@mijnvps home]# maldet -a /home/xxx
Linux Malware Detect v1.6.5
            (C) 2002-2023, R-fx Networks <[email protected]>
            (C) 2023, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(29814): {scan} signatures loaded: 17637 (14801 MD5 | 2053 HEX | 783 YARA | 0 USER)
maldet(29814): {scan} building file list for /home/xxx, this might take awhile...
maldet(29814): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(29814): {scan} file list completed in 0s, found 24750 files...
maldet(29814): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(29814): {scan} scan of /home/xxx (24750 files) in progress...
maldet(29814): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for details!
maldet(29814): {scan} clamscan returned a fatal error in scan results, check /usr/local/maldetect/logs/clamscan_log for details; quarantine has been disabled!

maldet(29814): {scan} scan completed on /home/xxx: files 24750, malware hits 0, cleaned hits 0, time 129s
maldet(29814): {scan} scan report saved, to view run: maldet --report 240207-1714.29814
[root@xxx home]#
 
Yep, seems good; however, I can't see whether there is a malware hit, because that went off the screenshot.
scan completed on /home/xxx: files 24750, malware hit
What did it say after "malware hit"? Was it 0?

However, there is a fatal error:
clamscan returned an error, check /usr/local/maldetect/log
So I would at least have a look at what this fatal error is or what it says, to be sure it's nothing in the infected website that caused it.

Also, for outgoing mail you normally have a mail queue present, and often returned or refused mails as well. Check those mails in the mail queue manager, because normally it will state somewhere which account and which script was sending the mails.
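The two pieces of advice above (check the logs to find the abuser; check the queued or bounced mails for the account and script that sent them) can be scripted. The following is an added example and not code from anyone in this thread or from the maldet project: it reads raw queued messages from a directory and tallies them by origin header. It assumes PHP was run with mail.add_x_header=On (which makes PHP add an X-PHP-Originating-Script header naming the uid and script) and that the MTA or control panel adds an X-Authenticated-Sender header for SMTP-authenticated mail; the sample messages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): attribute queued or bounced mail to the
# script or authenticated account that generated it, using headers the MTA
# and PHP add. Assumptions: php.ini has mail.add_x_header=On (PHP then adds
# "X-PHP-Originating-Script: <uid>:<script>"), and authenticated SMTP mail
# carries an "X-Authenticated-Sender:" header. Adjust the header names if
# your MTA or panel uses different ones.

# Print one origin per message file in the given directory:
#   script:<uid>:<path>  for PHP-originated mail
#   auth:<account>       for SMTP-authenticated mail
#   unknown              when neither header is present
# Usage: mail_origins <dir-with-raw-messages>
mail_origins() {
    dir=$1
    for msg in "$dir"/*; do
        [ -f "$msg" ] || continue
        # Only the header block matters: sed stops at the first blank line.
        sed '/^$/q' "$msg" | awk -F': ' '
            tolower($1) == "x-php-originating-script" { print "script:" $2; found = 1; exit }
            tolower($1) == "x-authenticated-sender"   { print "auth:" $2;   found = 1; exit }
            END { if (!found) print "unknown" }'
    done
}

# Tally origins, most frequent first; the top line is the first suspect to
# inspect (the script to clean, or the account whose password to rotate).
# Usage: mail_origin_counts <dir-with-raw-messages>
mail_origin_counts() {
    mail_origins "$1" | sort | uniq -c | sort -rn
}

# Build a constructed sample queue (three messages) in a temp dir and print
# its path, so the functions above can be exercised without a real MTA.
make_sample_queue() {
    dir=$(mktemp -d)
    cat > "$dir/msg1" <<'EOF'
From: noreply@example.com
To: victim1@example.net
X-PHP-Originating-Script: 1001:public_html/contact-form.php
Subject: constructed sample 1

body
EOF
    cat > "$dir/msg2" <<'EOF'
From: noreply@example.com
To: victim2@example.net
X-PHP-Originating-Script: 1001:public_html/contact-form.php
Subject: constructed sample 2

body
EOF
    cat > "$dir/msg3" <<'EOF'
From: info@example.com
To: customer@example.net
X-Authenticated-Sender: info@example.com
Subject: constructed sample 3

body
EOF
    printf '%s\n' "$dir"
}

# Stand-alone usage: ./mail_origins.sh /path/to/queue-dir
if [ -n "${1:-}" ]; then
    mail_origin_counts "$1"
fi
```

On a real server the directory would be wherever your MTA keeps queued messages (or a folder of bounce messages saved from the queue manager); the tally tells you whether the spam comes from a web script (fix or remove it) or from a mailbox login (change that password and look for the leak).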
 
I reinstalled ClamAV and then did the scan again; now it says:
Code:
maldet(3722): {scan} scan completed on /home/XXX: files 24765, malware hits 0, cleaned hits 0, time 305s

And the fatal error is gone. But still, when the site is opened on a desktop, my virus scanner goes BEEPING like crazy:

1707326840122.png
 
Seems it's not your website that is infected but the CDN you're using.
The fatal error should still be present in the logfile, in fact.

I hope it's not your PC that is infected.
Try a run with AdwCleaner from Malwarebytes.com, which is trustworthy. You do -not- need to remove pre-installed stuff, only found problems.

However, when I put cdn-hncip.nitrocdn.com in my browser it redirects to nitropack.io, and I don't have malware notices yet.

Maybe you can give me your website via PM, then I can have a look.
 
It's possible that some JS of his site is infected and that Nitro CDN serves it to you when you visit his site.
 
Possible yes. Which is why I asked for the website name to have a look, and because I asked for the statement of the clamd error in the log.
 
Possible yes. Which is why I asked for the website name to have a look, and because I asked for the statement of the clamd error in the log.
I have sent the website in private, and after reinstalling the error went away; it was this before that:

Code:
ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: Connection refused
ERROR: Could not connect to clamd on 127.0.0.1: Connection refused

Also tried without the CDN, and also tried with emptying the cache. Still the same problem happening.
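The two "Could not connect to clamd" errors quoted above matter more than they look: maldet falls back to reporting "quarantine has been disabled", so a scan that shows 0 hits may simply have had no working engine. A cheap way to catch that before a long scan is a pre-flight check of the clamd socket. This is an added example, not code from the thread or from maldet/ClamAV; it assumes a clamd.conf with a LocalSocket directive (the /run/clamd.scan/clamd.sock path is the one from the error above, and the clamd@scan unit name is an assumption for RHEL-style layouts).

```shell
#!/bin/sh
# Added example (not from the thread): verify that clamd is listening on its
# unix socket before starting "maldet -a", so a dead daemon is caught up front
# instead of surfacing as "Connection refused" in clamscan_log mid-scan.
# Assumptions: clamd.conf uses "LocalSocket <path>"; the default config path
# and the clamd@scan unit name below follow a RHEL-style layout.

# Print the LocalSocket path from a clamd.conf, skipping commented lines.
# Usage: clamd_socket_from_conf /etc/clamd.d/scan.conf
clamd_socket_from_conf() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Return 0 if the path exists and is a unix socket, 1 otherwise.
clamd_socket_ready() {
    [ -S "$1" ]
}

# Return 0 when clamd looks reachable, 1 otherwise (with a reason on stderr),
# so a wrapper script can refuse to run maldet against a missing engine.
# Usage: clamd_preflight [clamd.conf]
clamd_preflight() {
    conf=${1:-/etc/clamd.d/scan.conf}   # assumed default path
    sock=$(clamd_socket_from_conf "$conf")
    if [ -z "$sock" ]; then
        echo "no LocalSocket in $conf; clamd may be TCP-only or unconfigured" >&2
        return 1
    fi
    if clamd_socket_ready "$sock"; then
        echo "clamd socket present: $sock"
        return 0
    fi
    # Hint uses the RHEL-style unit name; adjust for your distribution.
    echo "clamd socket missing: $sock (is clamd running? try: systemctl status clamd@scan)" >&2
    return 1
}

# Stand-alone usage: ./clamd_preflight.sh /etc/clamd.d/scan.conf && maldet -a /home/
if [ -n "${1:-}" ]; then
    clamd_preflight "$1"
fi
```

Run it with the same config file maldet's clamd is pointed at; if it fails, fix clamd first (and re-read clamscan_log after the next scan), because a scan result produced without a working engine proves nothing about the site.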
 