A user who never updated their Joomla 1.7 install was recently compromised and mysql basically shut down from the amount of spam trying to be sent from that domain. The server IP has been blacklisted. The page at http://www.abuseat.org/ after doing a lookup for the IP gives some indications. I stopped Postfix, installed Linux Malware Detect and found 2 files that were quarantined by LMD from the Joomla install. I then used postsuper -d ALL which deleted 9000+ messages, but mailq was already accumulating 100s of messages seconds later. Any other suggestion about how to find the malware? Is it in the database for the domain? Any way to block postfix for that domain so I can turn postfix back on?
Try to scan your server with ISPProtect as well, it finds malware that Maldetect can't find.

Code:
cd /tmp
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
./ispp_scan

Just enter "trial" when it asks for the license key. That's possible, but in most cases only the files are affected. That's not that easy, as the mails were probably sent through localhost and blocking localhost will block all sites on this server. Just keep an eye on the mail queue the next days.
Thanks for a fast reply. I installed and ran ISPProtect and it has found 32 hits for malware in the Joomla install. I am going through them now. I also saw in the email header of a queued email from the offending domain: X-PHP-Originating-Script: 5009:list.php
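As an added example (not from anyone in this thread): the X-PHP-Originating-Script header quoted above is added by PHP when mail.add_x_header is on, in the form "<uid>:<script>". The functions below tally that header across a directory of dumped queue messages so the script doing the sending stands out before the queue is flushed. The directory layout, the sample messages and the queue-dump one-liner in the comment are assumptions; the sample messages are constructed.

```shell
#!/bin/sh
# Added example: triage a Postfix queue by the X-PHP-Originating-Script header
# (format "<uid>:<script>", added by PHP's mail() when mail.add_x_header=On).

# Tally header values across a directory of dumped messages, most frequent first.
# In practice the directory is filled before running postsuper -d ALL, e.g.:
#   mailq | awk '/^[0-9A-Fa-f]+[*!]?[[:space:]]/ { sub(/[*!]$/, "", $1); print $1 }' \
#     | while read -r id; do postcat -q "$id" > "$dir/$id"; done
tally_originating_scripts() {
    grep -h -i '^X-PHP-Originating-Script:' "$1"/* 2>/dev/null \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | sort | uniq -c | sort -rn
}

# Print only the most frequent "<uid>:<script>" value (empty if none found).
top_originating_script() {
    tally_originating_scripts "$1" | awk 'NR == 1 { print $2 }'
}

# Map the uid part to an account name (the web site owner) via getent.
# Prints nothing if the uid does not exist on this host.
uid_to_user() {
    getent passwd "$1" 2>/dev/null | cut -d: -f1
}

# Constructed sample queue dump so the example runs offline (not real mail).
make_sample_queue() {
    dir=$(mktemp -d)
    printf 'Received: from localhost\nX-PHP-Originating-Script: 5009:list.php\nSubject: spam 1\n\nbody\n' > "$dir/A1"
    printf 'X-PHP-Originating-Script: 5009:list.php\nSubject: spam 2\n\nbody\n' > "$dir/A2"
    printf 'X-PHP-Originating-Script: 5011:contact.php\nSubject: legit form\n\nbody\n' > "$dir/A3"
    printf 'Subject: no php header\n\nbody\n' > "$dir/A4"
    echo "$dir"
}

# Usage: build the sample, show the tally, resolve the worst offender's uid.
sample=$(make_sample_queue)
tally_originating_scripts "$sample"
top=$(top_originating_script "$sample")
echo "top script: $top  owner: $(uid_to_user "${top%%:*}")"
```

Run against a real dump, the first line of the tally is the file to go looking for in the web root, and the uid tells you which site owner (and so which vhost) it lives under.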
In case a file with this name has not been found by the scan, try to find it by name, e.g.:

cd /var/www/yourdomain.tld/web
find . | grep list.php

and then check the files with that name for suspect code.
Again thanks for the quick help. It seems like I found the offending script... buried in plugins/editors/jckeditor/jckeditor/plugins/link/images/list.php It was installed or modified yesterday. Removing it and the mailq has remained empty. ISPProtect also picked up that file as suspect. Unfortunately LMD did not pick it up and quarantine it. As a side note, it looks like from the quarantined lists and from the ISPProtect scan on other domains that people are getting plenty of malware in templates and theme files (perhaps downloading free templates?). However, it is a bit scary if they are not all being picked up and quarantined. I think in this case it is a very outdated Joomla install. I just checked the user table for the domain in the database and see there are a bunch of fake admins in there with .ru email addresses. I removed them.
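As an added example (not from anyone in this thread): the three things that gave the file away above, a PHP file sitting in an images directory, a recent modification time, and a call to mail(), can be checked for across a whole web root without waiting for a scanner signature. The script below does each check as a separate function and then combines them into a rough score per recently modified PHP file. The directory names treated as "asset only" and the scoring weights are assumptions, and the sample web root is constructed.

```shell
#!/bin/sh
# Added example: triage a web root for dropped mailer scripts.
# Asset directory names and scoring weights below are assumptions.

# 1. PHP files under directories where only static assets belong.
php_in_asset_dirs() {
    find "$1" -type f -name '*.php' \
        \( -path '*/images/*' -o -path '*/img/*' -o -path '*/cache/*' -o -path '*/uploads/*' \)
}

# 2. PHP files modified within the last $2 days (the mailer above was dropped "yesterday").
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# 3. Score each recently modified PHP file: location plus mailing, obfuscation
#    and request-input indicators. Output is "score path", highest first.
triage_webroot() {
    root="$1"; days="$2"
    find "$root" -type f -name '*.php' -mtime "-$days" | while IFS= read -r f; do
        score=0
        case "$f" in
            */images/*|*/img/*|*/cache/*|*/uploads/*) score=$((score + 2)) ;;
        esac
        grep -qE 'mail\(' "$f" && score=$((score + 1))
        grep -qE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$f" && score=$((score + 1))
        grep -qE '\$_(POST|REQUEST|GET)\[' "$f" && score=$((score + 1))
        if [ "$score" -gt 0 ]; then printf '%d %s\n' "$score" "$f"; fi
    done | sort -rn
}

# Constructed sample web root so the example runs offline.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/plugins/editors/jckeditor/plugins/link/images" "$root/components/com_contact"
    # dropped mailer: PHP in an images directory, takes its recipient and body from POST
    printf '<?php mail($_POST["to"], "x", base64_decode($_POST["body"])); ?>\n' \
        > "$root/plugins/editors/jckeditor/plugins/link/images/list.php"
    # legitimate contact form: calls mail() but lives where code belongs, no obfuscation
    printf '<?php mail($to, $subject, $body); ?>\n' > "$root/components/com_contact/send.php"
    # old core file, untouched for years, so excluded by the mtime filter
    printf '<?php echo "index"; ?>\n' > "$root/index.php"
    touch -t 202001010000 "$root/index.php"
    echo "$root"
}

# Usage: score everything touched in the last 2 days; on a real host pass the
# vhost's web root (e.g. /var/www/yourdomain.tld/web) instead of the sample.
sample=$(make_sample_webroot)
triage_webroot "$sample" 2
```

A score alone is not proof; the contact form scores 1 here because it legitimately mails. The point is ordering: the file to read first is the one that is new, in the wrong place and reading its recipient from the request.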
We disabled all Joomla 1.x sites on our servers if the customer did not upgrade them. Too much trouble for little or no money. I'm wondering when to do that for all 2.x sites? There have not been any patches for that for a while.