SPAM problems on my Gigas server

From GIGAS DOCS
Jump to: navigation, search

Here you can see some premises so you can solve the problem that you may have in your server regarding spam and related.

A) If in the warning in the ticket you have received there is the text "X-PHP-Originating-Script:" te most probable is that a website of the affected machine is compromised so you have to locate the script that is sending spam and remove it from the exact path. Afterwards, you must continue by updating CMS, CMS plugins or fixing the website code.

In this example case what appears after colon is the name of the script that is sending (spam) mail:

X-PHP-Originating-Script: 33:brwy.php

So:

  1. Lets search "brwy.php" in the machine filesystem:
    root@hostname:~# find / -name *brwy.php*
    /var/www/dominio/wp-content/uploads/brwy.php
  2. Once the file has been located, lets create the path “/root/INFECTED_FILES/”:
    root@hostname:~# mkdir /root/INFECTED_FILES/
  3. Lets move the detected file to that path:
    root@hostname:~# mv /var/www/dominio/wp-content/uploads/brwy.php /root/INFECTED_FILES/
  4. Lets proceed to empty mail queue and check if mail queue continues growing. If not, from this point you are no longer sending spam. The task of emptying the mail queue can be carried out in different ways depending on your MTA (mail service). The most common are postfix, qmail and exim. There is plenty of information on this subject on the Internet.
  5. As we noted before, you must update your CMS (WordPress, Joomla!, Drupal, etc) and its plugins or fix the bugs in its code so this problem will not happen again.

B) To the contrary, if the message contains a warning with something similar to "X-Mailer: Microsoft Office Outlook", the password may be two weak and might have been "guessed" or the computer that connects to this mail account may have some sort of virus or malware.

If this is the case, you must change the password of the mail account of the warning and check the computer that uses this mail account for viruses and malware.

If you have doubts or need further information remember we are available 24x7, 365 days chat, phone and ticket.