
My organization's mail has been blocked by a malicious PHP script for several days. I learned that the spam messages are sent via the mail() function.

How can I find and delete this script on my server? I have tried searching for functions in PHP files through FileZilla and Total Commander, but this is ineffective.

~ Apache, PHP 7.2 (hosted by my service provider)

carn fex

Comments:

  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Gerald Schneider Dec 22 '20 at 09:18
  • The problem is unlikely to be in the server. It's probably a compromised Outlook client or webmail account. The details you offer are insufficient. What kind of server, what e-mail service, what context? – Overmind Dec 22 '20 at 09:30
  • @Overmind it's an Apache server with PHP 7.2 (hosting from service provider) – carn fex Dec 22 '20 at 09:44
  • Did you check the mail logs? – FelixJN Dec 22 '20 at 10:57
  • @Fiximan how can I do this? Unfortunately, the address the spam is sent from does not appear on the list of email accounts of my organization (it's like a fake account). – carn fex Dec 22 '20 at 11:54
  • There are files like `mail.log`, `mail.info` etc. in `/var/log`. Also `syslog` should show mailing events. The files are quite massive, so search them with `grep KEYWORD` for e.g. a target address to get info quicker. – FelixJN Dec 22 '20 at 12:04
  • The best course of action is to reinstall the server and restore from known good backups. Otherwise you will likely be left with malware, whatever you try to do. – Tero Kilkanen Dec 22 '20 at 19:29
  • If your server is not secure and you can send messages without being authenticated, reinstalling will not do anything. – Overmind Dec 23 '20 at 08:32

0 Answers