

WHM server and Prestashop outgoing spam




Posted by vaarsn, 06-30-2015, 04:45 AM
Hello, during the last 2 weeks I've been having a problem with outgoing spam. I'm getting tons of reports from CSF and from Exim, since a lot of messages are located in its queue. For example, today I found a script which sends the spam under /home/username/public_html/js/tiny_mce/plugins/lists/file.php. But when I delete it, within 12 hours it appears somewhere else under the account's folder. I tried everything: killed the spam files, changed the account's password, changed all child FTP passwords on accounts located under "~username", but no luck. I installed and configured mod_security, I installed the mod_ruid2 module as well, and switched from suphp to dso. I also performed a malware scan and removed the harmful script, but for some reason I'm still getting the same issue. I checked the cron jobs for that account again. I'm still sure that something is wrong with WHM, since I had similar issues on my other servers with WordPress. Could you please help me to determine what exactly causes the issue and destroy it completely? It looks like a WHM security breach, since nobody has touched the account in the last few months. I can't get any resolution from WHM support either.

Posted by my247webhosting, 06-30-2015, 02:50 PM
There should be some hidden script which is creating this file again to send spam. We would recommend you scan all files and folders right from the home directory to get to the root cause of this issue.

Posted by vx|brian, 06-30-2015, 03:05 PM
I think what you've just run into is a very common problem when an account gets compromised. The problem here is that even if you delete the file sending spam, the hacker has placed a backdoor file which allows him to upload it again (or he's exploiting the same vulnerability he used in the first place). This is why it's strongly recommended to reinstall your application from scratch or restore from backup (for your files at least), as it would be near impossible for you to traverse all folders and identify which files are supposed to be there and which aren't.

Posted by vaarsn, 07-01-2015, 04:27 AM
It's going to be a headache. It's impossible to restore the account from backup, since there are a lot of invoices and new records added to the site. Today I'm still getting the issue. This is what I found. Here is the part of the code of the harmful script: Also, every time it's dated Sep 2014; I'm not sure why, if it's created e.g. today. Is there any way to find the backdoor which creates these files?

Posted by CooliceHost, 07-01-2015, 05:55 AM
If the files are from the same date you can use find and grep for base64_decode, then verify them one by one.
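The find-and-grep approach suggested above, and the question later in the thread about how to locate unwanted shell scripts within an account, as an added example (not code from the original thread or from any of the posters). It combines two checks a practitioner would run on a compromised cPanel account: first, a timestamp check that catches exactly the "dated Sep 2014" trick the original poster noticed. A dropper can back-date a file's modification time with touch, but it cannot set the inode change time (ctime), so a PHP file whose ctime is recent while its mtime is years old was written or chmod'ed recently. Second, a signature grep for the usual obfuscation and eval primitives that WSO-style shells and one-line backdoors rely on. The directory layout, the sample benign and malicious files, and the 14-day window are all constructed for the demonstration; the malicious sample is a generic eval/base64 one-liner standing in for the real file.php, whose contents the thread does not show. GNU find/grep as shipped on a typical CentOS/cPanel host are assumed.

```shell
#!/bin/sh
# Added example: hunt for PHP web shells under an account's home directory.
# Assumes GNU find/grep/sed (CentOS/cPanel). Directory layout and sample files
# below are constructed for the demo; nothing here is copied from the thread.

# PHP files whose inode change time (ctime) is within the last N days but whose
# modification time (mtime) is NOT. touch can forge mtime; it cannot forge ctime,
# so this exposes back-dated droppers like the "Sep 2014" files in the thread.
recent_ctime_backdated() {
    dir=$1
    days=${2:-14}
    find "$dir" -type f -name '*.php' -ctime "-$days" ! -mtime "-$days" -print
}

# PHP files containing the obfuscation/eval primitives that web shells and
# one-line backdoors rely on. Every hit still needs manual review: legitimate
# code (e.g. some TinyMCE or PrestaShop modules) may use base64_decode.
shell_signatures() {
    dir=$1
    grep -rlE --include='*.php' \
        'base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|eval\(|assert\(|preg_replace\(.*/e|\$_(POST|GET|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        "$dir"
}

# Builds a constructed account tree in a temp dir, plants a back-dated
# backdoor in the path pattern from the thread, runs both checks, and prints
# one line per hit prefixed with the check that found it.
demo_scan() {
    tmp=$(mktemp -d)
    home="$tmp/home/username/public_html"
    mkdir -p "$home/js/tiny_mce/plugins/lists"

    # Benign file: recent mtime, no suspicious primitives.
    printf '<?php echo "hello"; ?>\n' > "$home/index.php"

    # Constructed stand-in for the dropper: eval/base64 backdoor with its
    # mtime back-dated to 1 Sep 2014 (ctime stays "now").
    bad="$home/js/tiny_mce/plugins/lists/file.php"
    printf '<?php eval(base64_decode($_POST["x"])); ?>\n' > "$bad"
    touch -t 201409010000 "$bad"

    recent_ctime_backdated "$home" 14 | sed 's/^/backdated: /'
    shell_signatures "$home"          | sed 's/^/signature: /'

    rm -rf "$tmp"
}

demo_scan
```

On a real server, run the two functions against /home/username (as root, so nothing is hidden by permissions) and review each hit rather than deleting blindly; the back-dated-file check is the more reliable of the two, because it does not depend on the attacker's choice of obfuscation. Since the shell keeps reappearing, the file that drops it is itself a hit in one of these lists, and that is the one to find before cleaning the spam script again.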

Posted by vaarsn, 07-01-2015, 11:12 AM
Thanks to all for the suggestions and the help given. I checked all files by date within the home folder and I found the wso.php file; I decoded it and, as I guessed, it was a web shell: http://www.stratigery.com/phparasites/wso.html Thread can be closed as resolved.

Posted by vaarsn, 07-03-2015, 02:39 AM
It looks like the problem wasn't resolved, so the shell script is still there. Guys, what are the best practices to determine unwanted shell scripts within the account? It's not possible to restore the account from the backup since it was replaced by a newer version.
