How to Run CPanel? Scripts to Detect Spamming Scripts on Website

Someone has found a way to insert a spamming script (sends out emails) into one of my Joomla websites.  I'm not sure if they found access through one of the Joomla pages or by accessing the server files directly (sites are run on a VPS).

The server tech support folks suggest running some scripts to help determine the location of the spamming script.

This is not something I've done before and am unsure how to proceed.  I have a VPS account (under which I run several websites).  Only one appears to be affected.

The type of scripts being suggested are shown below.

Are these scripts from the affected domain's CPanel (if so, do I cut and paste them and where?) or from the Root WHM?

Thx
--------------------------
Sample Scripts:

To get a sorted list of email senders in the exim mail queue:

==========================================
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
=================================================================

Scripts to check which script originates the spam mails:
==================================================================
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
===================================================================

In order to find “nobody” spamming, issue the following command:
==================================================================
# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
===================================================================

Summary of mails in the mail queue:
======================================================
exim -bpr | exiqsumm -c | head
======================================================
qengAsked:
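Worked example, added here and not part of the thread or of the host's instructions: the same grep/awk/sort pipelines from the sample scripts above, wrapped as shell functions and run against constructed sample data (a few cPanel-style exim_mainlog lines and a few lines of `exim -bpr` output, both made up for this example) so the shape of the output is clear before the commands are repeated as root against the real files. The assumption is that the real log has the same layout the host's pipelines rely on: a `cwd=/home/<account>/...` field in third position on lines written when a script calls sendmail.

```shell
#!/bin/sh
# Added example, not the host's or the thread's own code: the exim
# pipelines from the question as functions, fed constructed sample data.

# Constructed sample of cPanel-style exim_mainlog lines. When exim logs
# command-line arguments, each sendmail invocation records the calling
# process's working directory as cwd=...; that directory is where the
# spamming script was executed from. Assumption: the real log uses this
# layout (the question's pipelines depend on the same field positions).
SAMPLE_MAINLOG='2013-02-10 12:00:01 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2013-02-10 12:00:02 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2013-02-10 12:00:03 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2013-02-10 12:00:04 cwd=/home/sitetwo/public_html 3 args: /usr/sbin/sendmail -t -i
2013-02-10 12:00:05 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1U4abc-0001Ab-Cd
2013-02-10 12:00:06 1U4abc-0001Ab-Cd <= nobody@vps.example U=nobody P=local S=1024'

# Constructed sample of `exim -bpr` output: one header line per queued
# message (age, size, message id, <envelope sender>) followed by an
# indented recipient line.
SAMPLE_QUEUE=' 25m  1.5K 1U4abc-0001Ab-Cd <nobody@vps.example>
          victim1@example.com
 20m  1.5K 1U4abd-0001Ac-Ef <nobody@vps.example>
          victim2@example.net
  5m  2.0K 1U4abe-0001Ad-Gh <admin@sitetwo.example>
          customer@example.org'

# Messages injected per working directory under /home, least frequent
# first. Lines without cwd=/home (exim's own deliveries, MTA traffic)
# are dropped by the grep, so only user-space scripts remain.
cwd_report() {
    grep 'cwd=/home' | awk '{print $3}' | sort | uniq -c | sort -n
}

# The same data collapsed to one line per cPanel account: field 3 of
# cwd=/home/<account>/... split on "/" is the account name.
account_report() {
    grep 'cwd=/home' | awk '{print $3}' | cut -d / -f 3 | sort | uniq -c | sort -n
}

# Envelope senders currently in the queue, from `exim -bpr` output on
# stdin. Only header lines contain "<"; field 4 is the bracketed sender.
queue_sender_report() {
    grep '<' | awk '{print $4}' | cut -d '<' -f 2 | cut -d '>' -f 1 | sort | uniq -c | sort -n
}

# The single most frequent entry of a report, as "count value".
top_entry() {
    tail -n 1 | awk '{print $1, $2}'
}

echo '== directories injecting mail (sample data) =='
printf '%s\n' "$SAMPLE_MAINLOG" | cwd_report
echo '== per account =='
printf '%s\n' "$SAMPLE_MAINLOG" | account_report
echo '== queued senders =='
printf '%s\n' "$SAMPLE_QUEUE" | queue_sender_report
# On the real server, logged in over SSH as root, the same functions read
# the live data instead of the samples:
#   cwd_report < /var/log/exim_mainlog
#   exim -bpr | queue_sender_report
```

The directory with the highest count in the first report is the place to look for the injected script; the per-account report tells you which cPanel account (and so which site) it lives under, and the queue report shows which sender address the spam is going out as (on a compromised PHP site this is typically the web server user, hence the "nobody" check in the host's list).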

GaryCommented:
The scripts should be run from the root
Here's a more detailed version of what your host gave you
http://www.sudosu.in/2013/02/exim-useful-scripts-to-find-origin-of.html

Report back on the findings

Make sure Joomla and all extensions are up to date and not on the VEL
qengAuthor Commented:
Thanks for the sudosu reference Gary.  It is indeed more detailed.

So I gather I run those scripts from the WHM then?  Any links (or examples) you can send me on how to do that?
GaryCommented:
If you have SSH access run them from there, else yes the WHM
qengAuthor Commented:
All of my websites are run under a master VPS account (a reseller account I guess).  The WHM gives me access to all of the domains and root level functionality.  I have SSH access (though have never used it).

How do I run/execute the scripts?
GaryCommented:
Just enter them exactly as is (without the #)
qengAuthor Commented:
Gary, thanks for staying with me on this.  Sorry for the newb questions but I have to work my way through this for the first time.

I don't know where (in WHM, or Cpanel) I 'enter' them.  Which function do I invoke which will let me enter those scripts?

ps  I've tried googling instructions on how to do this but most instructions skip this front end stuff, likely assuming readers have some familiarity with running scripts (the instructions tend to describe what the scripts do and various means of accessing the servers, not how to run the scripts).
GaryCommented:
I don't know WHM but apparently you cannot do root commands through it
Do you have SSH access? You should do.
If not then your host probably has a virtual terminal in your hosting control panel - the thing where you can stop and restart your server etc (well most do anyway)

There is a plugin for WHM that gives you a virtual terminal - I've no idea how well it works
http://www.configserver.com/cp/cse.html
qengAuthor Commented:
Gary,

Thx for the suggestions.  What I was looking for were instructions akin to the following:


"You need to run the scripts from your VPS console after SSH'ing to your VPS server as root user. The root password of the VPS server is XXXXXXXXX . Please use the details below to SSH to your server on different operating systems:

==
1. To log into your VPS from a Mac:

-Open the Terminal application (Utilities).
-On the command line, enter the SSH command(without the $ sign) followed by your server's name and the user you will login as (in this case, root):

$ ssh root@12.34.5.678 -p12345

-When prompted, enter your server's root password.

2. To log into your VPS from a Windows machine:

(etc.)

3. To log into your VPS from a Linux distribution, such as Ubuntu:

(etc.)


To exit:

Simply type "exit" on the command line and hit Enter.
==

Now, you can execute the commands as given in the URLs (disregarding all before and including the # character). For example:

==

root@vps [~]# hostname

I was able to run the scripts I needed using those instructions.
qengAuthor Commented:
Appreciated Gary staying connected.  I kept this open for a few days while I was attempting to resolve the underlying issue on the server.