User's site is constantly getting phpmailer uploaded, despite changing passwords.

edjones

CHMOD'd everything 755, even the ones that are normally 777 (Drupal site, sites/default/files is usually 777). We changed passwords, and no matter what, within days, the phpmailer script is back up, pumping out emails under addresses that don't exist. Any way to prevent this?
 
The main thing is to check the software (Drupal) first: is it up to date?
Chmod 777 should only be needed when you have mod_php. In that case, are the script files owned by apache or by the DA user?
Look at the date/time of the script - check FTP logs for the script name and check logins to FTP around the same time.
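
The correlation suggested above (the script's timestamp against FTP log entries), as an added example that is not part of the thread. It assumes the FTP server writes the standard xferlog format; the log lines, paths, user name and addresses are constructed samples, and `parse_xferlog_line` and `uploads_near` are hypothetical helper names.

```python
from datetime import datetime, timedelta

# Constructed sample lines in xferlog format (assumed log format; not from the thread).
SAMPLE_XFERLOG = """\
Mon Mar 04 02:11:37 2013 1 203.0.113.45 48211 /home/user1/domains/example.com/public_html/sites/default/files/phpmailer.php b _ i r user1 ftp 0 * c
Mon Mar 04 09:30:02 2013 2 198.51.100.7 1024 /home/user1/domains/example.com/public_html/index.php b _ o r user1 ftp 0 * c
Sun Mar 03 18:00:00 2013 1 198.51.100.7 900 /home/user1/domains/example.com/public_html/phpmailer.php b _ i r user1 ftp 0 * c
"""

def parse_xferlog_line(line):
    """Return a dict for one xferlog entry, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    # Filenames may contain spaces; the last 9 fields are fixed, so slice from both ends.
    return {
        "time": when,
        "ip": parts[6],
        "path": " ".join(parts[8:-9]),
        "direction": parts[-7],   # i = upload, o = download, d = delete
        "user": parts[-5],
        "status": parts[-1],      # c = complete, i = incomplete
    }

def uploads_near(log_text, script_name, file_mtime, window_hours=1):
    """Completed FTP uploads of script_name within window_hours of the file's mtime."""
    window = timedelta(hours=window_hours)
    hits = []
    for line in log_text.splitlines():
        entry = parse_xferlog_line(line)
        if not entry or entry["direction"] != "i" or entry["status"] != "c":
            continue
        if entry["path"].rsplit("/", 1)[-1] != script_name:
            continue
        if abs(entry["time"] - file_mtime) <= window:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    # In practice file_mtime comes from os.stat(path).st_mtime on the dropped script.
    mtime = datetime(2013, 3, 4, 2, 11, 40)
    for e in uploads_near(SAMPLE_XFERLOG, "phpmailer.php", mtime):
        print(e["time"], e["user"], e["ip"], e["path"])
```

If no upload matches the script's timestamp, the file did not arrive over FTP, which points at the web application rather than the FTP password. The timestamps in xferlog are local time, so compare them against the file's mtime in the same timezone.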
 
If all is lost and you can't find the cause immediately, block mail() access......

FWIW, these days, with suphp/mod_ruid2, you shouldn't need to use 777 on a server...... Maybe install mod_security2 and maldet.....
 
Hello,

With custombuild 2 you can install php+suhosin+uploader-checker+clamav; this set should give an additional layer of protection against malware uploaded through web forms. Of course you won't get 100% protection, but it is still worth trying. Of course users' homedirs should be clean and free of backdoors and php shells.
 