  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384

How to Run CPanel? Scripts to Detect Spamming Scripts on Website

Someone has found a way to insert a spamming script (sends out emails) into one of my Joomla websites.  I'm not sure if they found access through one of the Joomla pages or by accessing the server files directly (sites are run on a VPS).

The server tech support folks suggest running some scripts to help determine the location of the spamming script.

This is not something I've done before and am unsure how to proceed.  I have a VPS account (under which I run several websites).  Only one appears to be affected.

The type of scripts being suggested are shown below.

Are these scripts from the affected domain's CPanel (if so, do I cut and paste them and where?) or from the Root WHM?

Thx
--------------------------
Sample Scripts:

To get a sorted list of email senders in the exim mail queue:

==========================================
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n
=================================================================

Scripts to find the script that originates spam mails:
==================================================================
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg
===================================================================

In order to find “nobody” spamming, issue the following command:
==================================================================
# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
===================================================================

Summary of mails in the mail queue:
======================================================
exim -bpr | exiqsumm -c | head
======================================================
Asked by: qeng
4 Solutions
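
An added illustration (not part of the original thread or the host's scripts): the same `cwd=` counting from the question, run over a few constructed `exim_mainlog` lines so the input format and the meaning of the output are visible. The account names, paths, timestamps and function names are made up for the example.

```shell
#!/bin/sh
# Constructed sample of exim_mainlog lines (not from a real server).
# Field 3 of a "cwd=" line is the directory mail was submitted from.
sample_log() {
cat <<'EOF'
2014-03-02 10:15:01 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2014-03-02 10:15:02 1WK4xy-0001Ab-2C <= siteone@vps.example.com U=siteone P=local S=812
2014-03-02 10:15:03 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2014-03-02 10:15:04 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-03-02 10:15:05 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2014-03-02 10:16:10 cwd=/home/sitetwo/public_html 3 args: /usr/sbin/sendmail -t -i
2014-03-02 10:16:11 cwd=/home/siteone/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Count mail submissions per working directory under /home.
# Reads the named log files, or stdin when no file is given.
# Output: "<count> <account> <directory>", busiest directory first.
cwd_counts() {
    awk '$3 ~ /^cwd=\/home\// {
             dir = substr($3, 5)        # strip the leading "cwd="
             split(dir, p, "/")         # p[3] is the account under /home
             n[dir]++
             acct[dir] = p[3]
         }
         END { for (d in n) print n[d], acct[d], d }' "$@" |
        sort -k1,1nr -k3,3
}

# Keep only directories with at least MIN submissions (reads stdin).
suspects() {
    cwd_counts | awk -v min="$1" '$1 >= min'
}

# Demo on the constructed sample; on a server, run as root:
#   cwd_counts /var/log/exim_mainlog
sample_log | suspects 3
```

The directory at the top of the list is where the sending script was running from, which is the place to look for the injected file; queue-runner lines such as `cwd=/var/spool/exim` are ignored because they do not point at a website directory.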
 
Gary Commented:
The scripts should be run from the root
Here's a more detailed version of what your host gave you
http://www.sudosu.in/2013/02/exim-useful-scripts-to-find-origin-of.html

Report back on the findings

Make sure Joomla and all extensions are up to date and not on the VEL

qeng (Author) Commented:
Thanks for the sudosu reference Gary.  It is indeed more detailed.

So I gather I run those scripts from the WHM then?  Any links (or examples) you can send me on how to do that?

Gary Commented:
If you have SSH access run them from there, else yes the WHM
 
qeng (Author) Commented:
All of my websites are run under a master VPS account (a reseller account I guess).  The WHM gives me access to all of the domains and root level functionality.  I have SSH access (though have never used it).

How do I run/execute the scripts?

Gary Commented:
Just enter them exactly as is (without the #)

qeng (Author) Commented:
Gary, thanks for staying with me on this.  Sorry for the newb questions but I have to work my way through this for the first time.

I don't know where (in WHM, or Cpanel) I 'enter' them.  Which function do I invoke which will let me enter those scripts?

ps  I've tried googling instructions on how to do this but most instructions skip this front end stuff, likely assuming readers have some familiarity with running scripts (the instructions tend to describe what the scripts do and various means of accessing the servers, not how to run the scripts).

Gary Commented:
I don't know WHM but apparently you cannot do root commands through it
Do you have SSH access? You should do.
If not then your host probably has a virtual terminal in your hosting control panel - the thing where you can stop and restart your server etc (well most do anyway)

There is a plugin for WHM that gives you a virtual terminal - I've no idea how well it works
http://www.configserver.com/cp/cse.html

qeng (Author) Commented:
Gary,

Thx for the suggestions.  What I was looking for were instructions akin to the following:


"You need to run the scripts from your VPS console after SSH'ing to your VPS server as root user. The root password of the VPS server is XXXXXXXXX . Please use the details below to SSH to your server on different operating systems:

==
1. To log into your VPS from a Mac:

-Open the Terminal application (Utilities).
-On the command line, enter the SSH command (without the $ sign) followed by your server's name and the user you will login as (in this case, root):

$ ssh root@12.34.5.678 -p12345

-When prompted, enter your server's root password.

2. To log into your VPS from a Windows machine:

(etc.)

3. To log into your VPS from a Linux distribution, such as Ubuntu:

(etc.)


To exit:

Simply type "exit" on the command line and hit Enter.
==

Now, you can execute the commands as given in the URLs (disregarding all before and including the # character). For example:

==

root@vps [~]# hostname

I was able to run the scripts I needed using those instructions.

qeng (Author) Commented:
Appreciated Gary staying connected.  I kept this open for a few days while I was attempting to resolve the underlying issue on the server.