How To: Find and clear injected spam scripts in SME hosting


I will be using SME07 as an example.
[cc]
exim -bpc    # show the mail queue count
exim -bp     # list all messages currently in the queue
[/cc]
Run the following command to list every working directory from which scripts have been sending out email (the per-directory counts come from the cwd= field that exim records in its main log):
[cc]
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
[/cc]
You will get something like this:
[cc]
102 /home/newlifefl/public_html
117 /home/onecochra/public_html
159 /home/tropics8/tidopenanghostel.com
175 /home/astervox
211 /home/europahil/public_html
215 /home/goldentropics/kakitrip.com/wp-includes/theme-compat
224 /home/goldentropics/kakitrip.com/wp-content/themes/twentyfifteen/js
232 /home/shoponlin/public_html/wp-admin
241 /home/playbo5826/public_html
342 /home/mauinsons/fashionstars.com.my
1040 /home/heavensource
1991 /home/sjriac1322/myskygift.com
2117 /etc/csf
2694 /
5027 /home/goldentropics/kakitrip.com/wp-content/plugins/newsletter/subscription
6394 /root
7798 /home/goldentropics/kakitrip.com/wp-content/plugins/contact-form-7-dynamic-text-extension
12001 /home/goldentropics/kakitrip.com/wp-content/plugins/contact-form-7/includes
14893 /home/rakyatholdingsco/public_html/wp-content/uploads/2017/03
14924 /home/rakyatholdingsco/public_html/_notes
[/cc]
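As an added example (not part of the original post), the same aggregation in Python over a constructed exim_mainlog excerpt: it drops /var/spool entries just as the pipeline above does, rolls each directory up to its hosting account, and flags working directories under web-writable paths such as plugin, theme and upload folders. The sample log lines and the WEB_WRITABLE markers are constructed for illustration, not taken from a real server.

```python
import re
from collections import Counter

# Constructed sample of exim_mainlog lines (not from a real server); the layout
# mirrors what exim logs when the sender's working directory is recorded.
SAMPLE_LOG = """\
2017-03-20 10:01:02 cwd=/home/goldentropics/kakitrip.com/wp-content/plugins/contact-form-7/includes 3 args: /usr/sbin/sendmail -t -i
2017-03-20 10:01:03 1cpQ1K-0003Xv-9a <= goldentropics@sme07 U=goldentropics P=local S=1423
2017-03-20 10:01:05 cwd=/home/goldentropics/kakitrip.com/wp-content/plugins/contact-form-7/includes 3 args: /usr/sbin/sendmail -t -i
2017-03-20 10:01:09 cwd=/var/spool/exim 2 args: /usr/sbin/exim -Mc 1cpQ1K-0003Xv-9a
2017-03-20 10:02:11 cwd=/home/rakyatholdingsco/public_html/wp-content/uploads/2017/03 3 args: /usr/sbin/sendmail -t -i
2017-03-20 10:02:40 cwd=/root 3 args: /usr/sbin/sendmail -t root
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
# Path fragments where the web application, not an administrator, is usually the
# writer; mail submitted from these directories deserves a closer look.
WEB_WRITABLE = ("wp-content/uploads", "wp-content/plugins", "wp-content/themes",
                "wp-includes", "_notes")

def count_by_cwd(log_text, exclude_prefix="/var/spool"):
    """Count mail submissions per working directory (the grep|awk|sort|uniq step)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith(exclude_prefix):
            counts[m.group(1)] += 1
    return counts

def account_of(path):
    """Map a cwd to its hosting account (/home/<user>), or '-' for system paths."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "home" else "-"

def triage(log_text, min_count=1):
    """Return (count, account, cwd, flagged) rows, busiest directory first."""
    rows = []
    for cwd, n in count_by_cwd(log_text).items():
        if n >= min_count:
            flagged = any(marker in cwd for marker in WEB_WRITABLE)
            rows.append((n, account_of(cwd), cwd, flagged))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows

if __name__ == "__main__":
    for n, acct, cwd, flagged in triage(SAMPLE_LOG):
        print(f"{n:6d} {acct:<18} {'!' if flagged else ' '} {cwd}")
```

Point the function at the real log with `triage(open("/var/log/exim_mainlog").read(), min_count=100)` to see only the busy directories.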
Now, let’s say there are a lot of sent emails in the mail queue from “kakitrip.com” which look like spam. You would then need to go into each of the kakitrip.com directories listed above.
[cc]
[root@sme07 js]# cd /home/goldentropics/kakitrip.com/wp-includes/theme-compat
[root@sme07 theme-compat]# ll
total 36
-rw-r--r-- 1 goldentropics goldentropics  222 Jun 10 2016 wiefniowe.php
-rw-r--r-- 1 goldentropics goldentropics 2112 Jul  6 2016 comments.php
-rw-r--r-- 1 goldentropics goldentropics  970 Mar 28 2016 embed-404.php
-rw-r--r-- 1 goldentropics goldentropics 3198 Jul  6 2016 embed-content.php
-rw-r--r-- 1 goldentropics goldentropics  479 Mar 28 2016 embed.php
-rw-r--r-- 1 goldentropics goldentropics  438 May 25 2016 footer-embed.php
-rw-r--r-- 1 goldentropics goldentropics 1059 Jul  6 2016 footer.php
-rw-r--r-- 1 goldentropics goldentropics  704 May 25 2016 header-embed.php
-rw-r--r-- 1 goldentropics goldentropics 1893 Jul  6 2016 header.php
-rw-r--r-- 1 goldentropics goldentropics 4060 Jul  6 2016 sidebar.php
[/cc]
Notice the oddly named PHP file ‘wiefniowe.php’, which does not belong to the stock theme-compat directory.
If you open this file in vi, you will see that it is in fact an injected script.
Next, do one of the following to stop the spam:
[cc]
chmod 000 wiefniowe.php    # make the file unreadable and unexecutable (keeps a copy for analysis)
rm -f wiefniowe.php        # delete the file permanently
[/cc]
Once that’s done, you need to make sure all of the account’s folders and files have the right permissions, to make future injections harder.
[cc]
cd /home/goldentropics
find . -type f -exec chmod 644 {} \;    # set all file permissions to 644 recursively
find . -type d -exec chmod 755 {} \;    # set all directory permissions to 755 recursively
[/cc]
If all the folders already have the right permissions, you will most likely need to update or patch the respective plugins, extensions, etc. through which the injection occurred, otherwise the script will simply be dropped again.