How to find malicious PHP script that sends emails from my domain?

Asked Dec 22 '20 at 09:16

Active Dec 22 '20 at 09:44

Viewed 137 times

My organization mail has been blocked by a malicious PHP script for several days. I learned that spam messages are sent via the mail() function.

How can I find and delete this script on my server? I have tried searching for functions in PHP files through FileZilla and Total Commander, but this is ineffective.

~ Apache, PHP 7.2 (hosted from my service provider)

edited Dec 22 '20 at 09:44

asked Dec 22 '20 at 09:16

carn fex

2

Does this answer your question? How do I deal with a compromised server? – Gerald Schneider Dec 22 '20 at 09:18
1

The problem its unlikely to be in the server. It's probably a compromised outlook client or webmail account. The details you offer are insufficient. What kind of server, what e-mail service, what context ? – Overmind Dec 22 '20 at 09:30
@Overmind its Apache server with PHP 7.2 (hosting from service provider) – carn fex Dec 22 '20 at 09:44
Did you check the maillogs? – FelixJN Dec 22 '20 at 10:57
@Fiximan how can I do this? unfortunately, the address from spam is sent does not appear on the list of email accounts of my organization.(it's like fake account) – carn fex Dec 22 '20 at 11:54
There are files like mail.log, mail.info etc in /var/log. Also syslog should show mailing events. The files are quite massive, so search them with grep KEYWORD <file> for e.g. a target address to get info quicker. – FelixJN Dec 22 '20 at 12:04
The best course of action is to reinstall the server and restore from known good backups. Otherwise you will be likely left with malware, whatever you try to do. – Tero Kilkanen Dec 22 '20 at 19:29
If your server is not secure and you can send messages without being authenticated reinstalling will not do anything. – Overmind Dec 23 '20 at 08:32

How to find malicious PHP script that sends emails from my domain?

0 Answers0