Here are some notes on how to troubleshoot a server that has been compromised by a PHP script.
Check the email queue
- Qmail -> qmHandle
- Postfix -> pmHandle / postqueue
# qmHandle -s
Total messages: 7357
Messages with local recipients: 0
Messages with remote recipients: 7357
Messages with bounces: 0
Messages in preprocess: 0
Get some email IDs:
# qmHandle -l | head
1348989 (16, 16/1348989)
Subject: failure notice
Date: 30 Jun 2015 07:42:59 +0100
Size: 5093 bytes
42240113 (15, 15/42240113)
Check for the X-PHP header in the mail message:
look for the UID and the script that sent the message.
# qmHandle -m1348989 | grep X-PHP
X-PHP-Originating-Script: 48:wp-content.php(1) : eval()'d code
Find the script and the UID:
# grep 48 /etc/passwd => UID 48 was Apache ==> this means the code was injected via Apache
=> permissions issue??
# locate wp-content.php
Move the file(s) away and chown 000
!! if the file name starts with -, you need to use chown -- 000 filename
Disable PHP execution following this how-to
Delete all the messages containing that header:
# qmHandle -h'X-PHP-Originating-Script: 48:wp-content.php'
Calling system script to terminate qmail...
Stopping : Looking for messages with headers matching X-PHP-Originating-Script: 48:wp-content.php
Message 1345933 slotted for deletion.
Message 42240608 slotted for deletion.
Message 1346796 slotted for deletion.
Message 42240391 slotted for deletion.
Message 42241954 slotted for deletion.
Deleted 113 messages from queue
Restarting qmail... Starting qmail: [ OK ]
For Postfix, check the queue:
postqueue -p
See the content of a message:
postcat -q <ID from postqueue output>
Check for the "X-PHP-Originating-Script" header, which generally gives you the name of the script that generated the email.
If the messages are being sent to a specific domain, you can block some domains in Postfix following this guide.
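The header hunt above (qmail or Postfix), scripted as an added example that is not part of the original notes: it assumes the queued messages have already been dumped to files with qmHandle -m<ID> or postcat -q <ID>, tallies the X-PHP-Originating-Script header per UID and script, resolves the UID against a passwd file, and lists the queue IDs that carry a given originating script. The queue files and the passwd file it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original notes). Works on a directory of queued
# messages already dumped to files, e.g. `qmHandle -m<ID> > queue/<ID>` or
# `postcat -q <ID> > queue/<ID>`. The message IDs and the passwd file built
# below are constructed sample data so the script runs offline.

# Constructed sample: three spam messages from the same PHP script, one from
# another script, one legitimate message, plus a two-line passwd file.
make_sample_queue() {
  base=$1
  mkdir -p "$base/queue"
  for id in 1348989 42240113 1346796; do
    printf '%s\n' 'Subject: failure notice' \
      "X-PHP-Originating-Script: 48:wp-content.php(1) : eval()'d code" \
      '' 'body' > "$base/queue/$id"
  done
  printf '%s\n' 'Subject: hello' 'X-PHP-Originating-Script: 33:contact-form.php' \
    '' 'body' > "$base/queue/55"
  printf '%s\n' 'Subject: legit' 'From: user@example.com' '' 'body' > "$base/queue/56"
  printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'apache:x:48:48:Apache:/var/www:/sbin/nologin' > "$base/passwd"
}

# Print "count uid script" per distinct originating script, most frequent first.
# Only the header block (everything before the first blank line) is inspected,
# so a header quoted inside a message body is not counted.
tally_php_origin() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    sed '/^$/q' "$f" \
      | grep -i '^X-PHP-Originating-Script:' \
      | sed 's/^[^:]*: *\([0-9]*\):\([^ (]*\).*/\1 \2/'
  done | sort | uniq -c | sort -rn
}

# Resolve a UID to a login name: what the notes do with `grep 48 /etc/passwd`,
# but matched on the UID field only, so 48 does not also hit uid 148 or gid 48.
uid_to_user() {
  awk -F: -v u="$1" '$3 == u { print $1; exit }' "${2:-/etc/passwd}"
}

# List queue IDs whose originating-script header starts with the given
# "uid:script" prefix: the candidates for `qmHandle -h` or `postsuper -d`.
ids_for_script() {
  grep -il "^X-PHP-Originating-Script: $2" "$1"/* | sed 's#.*/##' | sort
}
```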