I'm new to Linux, and it appears that my server was blacklisted in the CBL. It looks like one of my WordPress installations was compromised, and some malware was installed.
I ran ClamAV, and it found these malicious files in the outdated WordPress installation.
I have removed the entire installation from the server, and when I run ClamAV again it does not find anything suspicious or infected on the system.
Also, I have added the following to my php.ini file to find spam sending PHP scripts on my server:
mail.add_x_header = On
mail.log = /var/log/phpmail.log
I am still seeing spam entries in my mail.log file, but nothing at all is showing in /var/log/phpmail.log. This file is completely empty.
Here are some examples of the entries I'm seeing in mail.log:
Mar 28 19:31:23 localhost sm-mta[23577]: t2Q7MUvi008463: to=<>, delay=2+12:08:53, xdelay=00:00:01, mailer=esmtp, pri=16680851, relay=mx2.free.fr. [212.27.42.58], dsn=4.0.0, stat=Deferred: 451 too many errors from your ip (xxx.xxx.xxx.xxx), please visit
Mar 28 19:31:26 localhost sm-mta[25413]: t2R8l6nK026010: to=<>, delay=1+10:44:20, xdelay=00:02:06, mailer=esmtp, pri=10740867, relay=verison.net. [72.52.10.14], dsn=4.0.0, stat=Deferred: Connection timed out with verison.net.
Mar 28 19:31:30 localhost sm-mta[7658]: t2Q71Y5L002621: to=<>, delay=2+12:29:56, xdelay=00:03:09, mailer=esmtp, pri=16140966, relay=gmail.co. [74.125.228.214], dsn=4.0.0, stat=Deferred: Connection timed out with gmail.co.
Mar 28 19:31:31 localhost sm-mta[17713]: t2RFxunZ004247: to=<>, delay=1+03:31:35, xdelay=00:08:25, mailer=esmtp, pri=7680920, relay=yahoo.co. [98.137.236.150], dsn=4.0.0, stat=Deferred: Connection timed out with yahoo.co.
I can't seem to figure out what could be causing the spam entries in the mail log.
Any ideas as to what else I can do?
EDIT: I have also confirmed that I am not running an open relay in sendmail.
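As an added example (not part of the question or the answer), a small parser for the sm-mta lines quoted above: it reads the delay= field, which is how long the message has sat in the queue, so Deferred entries more than a day old are retries of mail accepted before the cleanup and explain why mail.log keeps filling while phpmail.log stays empty. The function names and the one-day threshold are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the sm-mta format quoted in the question (hosts/IPs as on the page).
SAMPLE_LOG = """\
Mar 28 19:31:23 localhost sm-mta[23577]: t2Q7MUvi008463: to=<>, delay=2+12:08:53, xdelay=00:00:01, mailer=esmtp, pri=16680851, relay=mx2.free.fr. [212.27.42.58], dsn=4.0.0, stat=Deferred: 451 too many errors from your ip (xxx.xxx.xxx.xxx), please visit
Mar 28 19:31:26 localhost sm-mta[25413]: t2R8l6nK026010: to=<>, delay=1+10:44:20, xdelay=00:02:06, mailer=esmtp, pri=10740867, relay=verison.net. [72.52.10.14], dsn=4.0.0, stat=Deferred: Connection timed out with verison.net.
Mar 28 19:31:30 localhost sm-mta[7658]: t2Q71Y5L002621: to=<>, delay=2+12:29:56, xdelay=00:03:09, mailer=esmtp, pri=16140966, relay=gmail.co. [74.125.228.214], dsn=4.0.0, stat=Deferred: Connection timed out with gmail.co.
Mar 28 19:31:31 localhost sm-mta[17713]: t2RFxunZ004247: to=<>, delay=1+03:31:35, xdelay=00:08:25, mailer=esmtp, pri=7680920, relay=yahoo.co. [98.137.236.150], dsn=4.0.0, stat=Deferred: Connection timed out with yahoo.co.
"""

# One delivery-attempt line: queue id, recipient, queue delay, relay host/IP, DSN code, status.
LINE_RE = re.compile(
    r"sm-mta\[\d+\]: (?P<qid>\w+): to=<(?P<to>[^>]*)>, delay=(?P<delay>[\d+:]+), "
    r"xdelay=[\d:]+, mailer=\w+, pri=\d+, relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], "
    r"dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$"
)

def parse_delay(delay):
    """Convert sendmail's delay field (D+HH:MM:SS or HH:MM:SS) to seconds in queue."""
    days = 0
    if "+" in delay:
        d, delay = delay.split("+", 1)
        days = int(d)
    h, m, s = (int(x) for x in delay.split(":"))
    return days * 86400 + h * 3600 + m * 60 + s

def parse_log(text):
    """Return one dict per matching delivery-attempt line, with age_s = seconds queued."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["age_s"] = parse_delay(rec["delay"])
            records.append(rec)
    return records

def stale_queue_report(text, min_age_s=86400):
    """Summarise Deferred attempts for mail queued at least min_age_s ago (default: 1 day).
    These are retries of messages accepted before the cleanup, so they keep appearing in
    mail.log without any new PHP mail() call, and hence nothing in phpmail.log."""
    stale = [r for r in parse_log(text)
             if r["stat"].startswith("Deferred") and r["age_s"] >= min_age_s]
    return {
        "stale_deferred": len(stale),
        "queue_ids": sorted(r["qid"] for r in stale),
        "by_relay": dict(Counter(r["relay"].rstrip(".") for r in stale)),
    }
```

Run it against the real /var/log/mail.log contents; the queue_ids it reports can be inspected or removed with sendmail's own queue tools so the retries stop.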
1 Answer
Most likely the malware ClamAV found is covering its tracks in some way.
You can see it's sending spam and you've isolated it to at least a WordPress exploit, so disable the WordPress installation(s) in question by renaming the docroot directory. Then re-install WP manually to the latest version.
It's always best to run a rootkit check after that too, if you can.