On March 26, 2019 we launched new MODX Forums. Please join us at the new MODX Community Forums.
Subscribe: RSS
  • Hi Gallenkamp, i'm not sure if i can do that.
    My host gives only limited access to C-panel. I will ask if they can install it for me.
    • Hi pmfx, yes i did install it via the Modx extra's page, i never looked at the release date.
      Maybe better look for an other solution.

      Still no undelivered spam mail received though, so i'm pretty sure that, in my case, it was TinyMCE that was sending the spam.
      My site i actually very basic, so if i find the time i will port it to Revo.
      • @Migiel

        How big is your site in total? If you can download the whole ftp and zip it into a dropbox or just your webspace, I can download it at my server and scan it there. Then I can zip it and let you download it. you clean your webspace and upload the cleaned files from me.
        If you answer within one hour or so, we can do it now. It's 10pm here, but I will be up for another two or three hours.
        • Quote from: paulp at Oct 14, 2014, 10:23 AM
          If you have SSH access to a server it's pretty easy to see if any accounts are sending out large amounts of email ( through exim ), to do this log into the server via SSH and run the command:

          grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

          The above will list the accounts that have been sending out emails like below:

          434 /home/site1/public_html/blog
          1012 /home/site2/public_html/blog
          2129 /home/site3
          16808 /home/site4/public_html/assets/docs

          From this we can see that site4 has sent 16808 which will be the culperate, so we need to find out where the email is being sent from, to get this run the following command:

          ls -lahtr /home/site4/public_html/assets/docs

          This will list the docs like below, in the list we will notice that one file is owned by nobody, this is probably the script that is sending out so thats a starting point.

          -rwxrwxrwx  1 burysted burysted  16K Mar  1  2010 license.txt*
          -rwxrwxrwx  1 burysted burysted   70 Mar  1  2010 index.html*
          -rw-r--r--  1 nobody   nobody    32K Oct 20  2010 db.php

          This is the easiest way I have found for finding compromised accounts, however you can guarentee that there are other files within the account so you'll need to find and remove all of them

          Very nice tip, but if somebody have the same for the file /var/log/mail.log (postfix/dovecot), I'm interested smiley
          • @gallenkamp, Thanks... but i had to change the whole site to Revo, i had that coming anyway.
            @Spheerys, thanks for you info!