I have a very interesting story about our web server. For a couple of days it had been sending a lot of spam e-mails, but we could not see any mail queue in the qmail SMTP server logs. Then our server's IP address was blocked and listed on a spam blacklist. We checked our websites with several malware scanners, such as Linux Malware Detect and the ClamAV virus scanner for Linux, but they found no malicious PHP or JavaScript files. And still our server kept sending spam.
This was a big challenge for me because I have limited experience with Linux systems, although I am very familiar with a command shell from the old DOS days.
Step by step I used these virus and malware scanners on the websites and on the server's local files to locate the malware:
Sucuri Security plugin for WordPress
Anti-Malware plugin from GOTMLS.net for WordPress
Linux Malware Detect (maldet) from R-fx Networks
ClamAV virus scanner for Linux
I scanned all files on the server with the ClamAV virus scanner.
I scanned all vhost folders with Linux Malware Detect.
I scanned all websites with the GOTMLS.net Anti-Malware plugin.
None of them reported an infected file.
So far, no resolution. That is the expected outcome, in hindsight: these scanners look for known-bad files in the web root, and the thing sending the spam was not a web file at all.
Today I found some very useful information on the internet, followed it, and THAT was it!
I found the malware, removed the file and the other pieces, and our server stopped sending spam e-mails.
This is what I did:
First I checked whether port 25 (SMTP) was being used intensively, with this command:
watch 'netstat -na | grep :25'
I saw a large number of SMTP connections, which meant the malware was active at that moment. Note that this grep matches both inbound and outbound mail: the spam shows up as many connections whose remote (foreign) address ends in :25, while legitimate inbound mail has :25 on the local address side.
Then I listed the cron jobs of every user on the system with this command (the 2>/dev/null hides the "no crontab for user" lines):
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l 2>/dev/null; done | more
And ta-da! One of my FTP users had a cron job with a strange command in it.
I edited that user's crontab with this command:
crontab -u username -e
I removed the cron job line, then deleted the file it pointed to in the temp folder, and after that I rebooted the server.
I checked the SMTP connections again and there were none.
If you want to learn how the attacker got into your website, look at the creation date of that file in the temp folder and at the modification time of the user's crontab file in the cron spool (e.g. with stat), then go through all the log files of your website and FTP server from that date. That should show you the security hole in your website so you can fix it. Two caveats: file timestamps can be altered by an attacker, so treat them as a lead rather than proof; and a cron job under an FTP account means something ran commands as that user, so change that account's password and check the other users' crontabs, /etc/crontab and /etc/cron.d as well before you consider the server clean.