We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Evo 1.0.14 sending spam email (solved)

    • 19403
    • 15 Posts
    migiel Reply #11, 9 years, 6 months ago
    Hi Gallenkamp, i'm not sure if i can do that.
    My host gives only limited access to C-panel. I will ask if they can install it for me.
    Thanks!
      • 19403
      • 15 Posts
      migiel Reply #12, 9 years, 6 months ago
      Hi pmfx, yes i did install it via the Modx extra's page, i never looked at the release date.
      Maybe better look for an other solution.


      Still no undelivered spam mail received though, so i'm pretty sure that, in my case, it was TinyMCE that was sending the spam.
      My site i actually very basic, so if i find the time i will port it to Revo.
      • gallenkamp Reply #13, 9 years, 6 months ago
        @Migiel

        How big is your site in total? If you can download the whole ftp and zip it into a dropbox or just your webspace, I can download it at my server and scan it there. Then I can zip it and let you download it. you clean your webspace and upload the cleaned files from me.
        If you answer within one hour or so, we can do it now. It's 10pm here, but I will be up for another two or three hours.
          • 28173
          • 409 Posts
          Spheerys Reply #14, 9 years, 5 months ago
          Quote from: paulp at Oct 14, 2014, 10:23 AM
          If you have SSH access to a server it's pretty easy to see if any accounts are sending out large amounts of email ( through exim ), to do this log into the server via SSH and run the command:


          grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n


          The above will list the accounts that have been sending out emails like below:


          434 /home/site1/public_html/blog
1012 /home/site2/public_html/blog
2129 /home/site3
16808 /home/site4/public_html/assets/docs


          From this we can see that site4 has sent 16808 which will be the culperate, so we need to find out where the email is being sent from, to get this run the following command:

          ls -lahtr /home/site4/public_html/assets/docs


          This will list the docs like below, in the list we will notice that one file is owned by nobody, this is probably the script that is sending out so thats a starting point.

          -rwxrwxrwx  1 burysted burysted  16K Mar  1  2010 license.txt*
-rwxrwxrwx  1 burysted burysted   70 Mar  1  2010 index.html*
-rw-r--r--  1 nobody   nobody    32K Oct 20  2010 db.php


          This is the easiest way I have found for finding compromised accounts, however you can guarentee that there are other files within the account so you'll need to find and remove all of them

          Very nice tip, but if somebody have the same for the file /var/log/mail.log (postfix/dovecot), I'm interested smiley
            • 19403
            • 15 Posts
            migiel Reply #15, 9 years, 4 months ago
            @gallenkamp, Thanks... but i had to change the whole site to Revo, i had that coming anyway.
            @Spheerys, thanks for you info!