customer's site tries to spam

Discussion in 'HOWTO-Related Questions' started by ac15, Jul 15, 2016.

  1. ac15

    ac15 Member

    hi,
one of my customer's sites tries to send out lots of spam mails, fortunately they all get caught in the firewall. it's an up-to-date joomla site, the spam is sent from the mail address that was configured as joomla's $mailfrom-variable.
    i need to find out how and where these mails get sent from, i assume it's some unprotected or misconfigured php script.
    i was told the best way to find the source of the problem is to set "display_errors=on" in the site's custom php.ini settings. i did that, but i can't find where the server is writing these errors to. should be in the customer's log directory, right?
    did i miss anything? how can i find out how these spams are generated?
    please help!
    regards,
    ac15
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to scan the website folder or whole /var/www folder with the free ispprotect trial to find potential malware files: https://ispprotect.com/

Beside that, check the access.log for the website and grep for POST requests, most likely each sent spam mail is a POST request to a file which would normally not receive such requests or which normally does not exist in joomla at all.
     
    ac15 likes this.
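The access-log check from the reply above, written out as an added POSIX shell example (not code from the thread or from ISPConfig/ISPProtect). The log lines are constructed in Apache combined format for the demo; the IPs, paths and the list of "expected" Joomla POST targets are assumptions, and the real log path on the server is a placeholder.

```shell
#!/bin/sh
# Constructed sample of an Apache combined-format access log (not from the
# thread's server). Repeated POSTs to a PHP file under an upload directory are
# the kind of hit the reply above says to look for.
SAMPLE_LOG='203.0.113.10 - - [15/Jul/2016:10:01:02 +0200] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2016:10:01:05 +0200] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2016:10:02:11 +0200] "POST /images/stories/x.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2016:10:02:12 +0200] "POST /images/stories/x.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
192.0.2.33 - - [15/Jul/2016:10:03:40 +0200] "POST /templates/beez3/cache.php HTTP/1.1" 200 22 "-" "curl/7.47"
203.0.113.10 - - [15/Jul/2016:10:04:00 +0200] "GET /media/system/js/core.js HTTP/1.1" 200 7733 "-" "Mozilla/5.0"'

# Print every POSTed path as "<count> <path>", most frequent first.
# Reads log text on stdin. In combined format field 6 is the quoted method
# and field 7 the request path; the query string is stripped so repeated
# hits on the same file group together.
post_targets() {
    awk '$6 == "\"POST" { sub(/\?.*/, "", $7); print $7 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same, but drop the paths a stock Joomla install legitimately receives
# POSTs on (assumed here: front-end and administrator index.php). Whatever
# remains deserves a look: PHP files under images/, cache/, tmp/ or inside a
# template folder should normally never be POSTed to.
unexpected_post_targets() {
    post_targets | awk '$2 != "/index.php" && $2 != "/administrator/index.php"'
}

# Number of distinct client IPs that POSTed to the given path (stdin: log text).
# A single IP hammering one odd file is the typical spam-script signature.
posters_for_path() {
    awk -v p="$1" '$6 == "\"POST" { sub(/\?.*/, "", $7); if ($7 == p) print $1 }' \
        | sort -u | wc -l | tr -d ' '
}

# Demo on the constructed log. On a real server replace the sample with the
# site's own log, e.g.:  unexpected_post_targets < /path/to/site/access.log
printf '%s\n' "$SAMPLE_LOG" | unexpected_post_targets
```

On the sample this lists `/images/stories/x.php` (2 hits) and `/templates/beez3/cache.php` (1 hit) while the login POST to `/index.php` is filtered out; the next step would be to inspect those files and compare them against a clean Joomla tree of the same version.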
  3. ac15

    ac15 Member

    do you ever sleep, till? :)
    thanks for replying, i'm trying out ispprotect right now.
     
  4. ac15

    ac15 Member

    ok, i'm back, ispprotect found a few outdated cms installations, the joomla site in question is at version 3.5.1. latest is 3.6.0, but the site's webmaster tells me she usually waits for the .1 release before installing. plus there are even older joomla versions on other customer webs that don't spam. it also generated a file "found_malware_201607...txt" that contains a few lines, but nothing in the folder of the spamming site. (side question, are these malware files quarantined automatically?)

    so i checked the site's access.log and it didn't contain the word POST at all. how should i proceed? if i turn on display_errors in php.ini, where will the results be logged?

    thanks for the support!
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

No, ISPProtect doesn't quarantine by default to ensure that the site does not stop working when one of the scripts is an infected part of a required file. But you can let ispprotect quarantine the files even after the finished scan: https://ispprotect.com/2016/06/01/introducing-ispprotect-malware-quarantine/

I don't think that this option will help you here to find the script, as it just means that errors which are logged in the error.log of the website are now shown in the page itself.

    What you can do is that you check the spam emails in the mailqueue with the postcat command, it will show you the mail headers and newer php versions will add a header there which shows the name of the script that has sent the email.
     
    ac15 likes this.
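The header check from the reply above, as an added POSIX shell example (not code from the thread or from Postfix/PHP). The header in question is `X-PHP-Originating-Script`, which PHP's `mail()` adds when the ini setting `mail.add_x_header` is on; the related `mail.log` ini setting writes one line per `mail()` call naming the calling script and line. Both the postcat-style output and the mail.log lines below are constructed for the demo, and the uid, queue id, addresses and script paths in them are made up.

```shell
#!/bin/sh
# Constructed excerpt of what `postcat -q <queue-id>` prints for a queued
# message (envelope section trimmed). Not taken from the thread's server.
SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/3/3A1B2C3D4E ***
sender: info@example-customer.tld
*** MESSAGE CONTENTS deferred/3/3A1B2C3D4E ***
Received: by mail.example.tld (Postfix, from userid 5004)
 id 3A1B2C3D4E; Fri, 15 Jul 2016 10:02:12 +0200 (CEST)
To: victim@example.net
Subject: You have won
X-PHP-Originating-Script: 5004:x.php
From: info@example-customer.tld
Message-Id: <20160715080212.3A1B2C3D4E@mail.example.tld>

Click here to claim your prize.'

# Constructed lines in the format PHP writes when mail.log is set in php.ini
# (the web root path is a placeholder).
SAMPLE_MAIL_LOG='[15-Jul-2016 10:02:11 Europe/Berlin] mail() on [/var/www/clients/client1/web3/web/images/stories/x.php:7]: To: victim@example.net -- Headers: From: info@example-customer.tld
[15-Jul-2016 10:02:12 Europe/Berlin] mail() on [/var/www/clients/client1/web3/web/images/stories/x.php:7]: To: other@example.org -- Headers: From: info@example-customer.tld'

# Read postcat output (or any RFC 822 message) on stdin and print every
# X-PHP-Originating-Script value as "<count> <uid:script>", most frequent first.
# Header names are matched case-insensitively; the value is "uid:script".
originating_scripts() {
    awk 'tolower($1) == "x-php-originating-script:" { print $2 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Read PHP mail.log lines on stdin and print the full path of each calling
# script, one per call, with the ":line" suffix removed.
mail_log_scripts() {
    awk 'match($0, /mail\(\) on \[[^]]*\]/) {
             s = substr($0, RSTART + 11, RLENGTH - 12)   # text between the brackets
             sub(/:[0-9]+$/, "", s)                     # drop the line number
             print s
         }'
}

# Demo. On a real server, feed the output of `postcat -q <id>` for one of the
# queued spam messages (ids come from `mailq`), or the site's mail.log file.
printf '%s\n' "$SAMPLE_POSTCAT" | originating_scripts
printf '%s\n' "$SAMPLE_MAIL_LOG" | mail_log_scripts | sort | uniq -c
```

The uid in the header (5004 in the sample) is the system user the web server ran the script as, which on a multi-site host tells you which customer's web the script lives in; the mail.log line gives the full path directly, so enabling `mail.log` in the site's php.ini is the more useful of the two settings when the header only shows a basename like `x.php`.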
