virus is sending spam from my VPS

Status
Not open for further replies.
12 comments
Check your email logs. If someone is sending spam, the log might look like this:

Code:
lowest numbered MX record points to local host
2015-07-01 17:45:56 1ZAKCy-0000FV-9B Frozen
2015-07-01 17:45:56 1Z9agZ-0002T7-Ic Unfrozen by errmsg timer
2015-07-01 17:45:56 1Z9agZ-0002T7-Ic == emma_pearson@example.com routing defer (-51): retry time not reached
2015-07-01 17:45:56 1Z9cXy-000BTT-3V Message is frozen
2015-07-01 17:45:56 1Z9q09-0006fa-NN Message is frozen
2015-07-01 17:45:56 1ZA4em-0004wO-Ub Message is frozen
2015-07-01 17:45:56 1Z9eYc-0009vp-83 Message is frozen

Then check a message by its ID, for example:

Code:
exim -Mvh 1ZAYWc-000BFL-JS

It might have something like:

Code:
180P Received: from admin by example.com with local (Exim 4.72)
        (envelope-from <brenda_logan@example.com>)
        id 1ZAYUI-000Ayr-7S
        for dmazaster@example.com; Thu, 02 Jul 2015 09:00:46 +0200
022T To: dmazaster@example.com
035  Subject: 1 HotDown4Tonight Message
065  X-PHP-Originating-Script: 502:system93.php(1487) : eval()'d code
037  Date: Thu, 2 Jul 2015 07:00:46 +0000
046F From: Brenda Logan <brenda_logan@imgrill.com>
059I Message-ID: <abc2fae24dd2622a98f42271ee11734c@example.com>
014  X-Priority: 3
068  X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
018  MIME-Version: 1.0
085  Content-Type: multipart/alternative;
        boundary="b1_abc2fae24dd2622a98f42271ee11734c"
032  Content-Transfer-Encoding: 8bit

In the above case the file is system93.php. Use:

Code:
find /home -type f -name "system93.php"

After deleting the file, type:

Code:
exim -bp | grep "<" | awk '{print $3}' | xargs exim -Mrm

to remove the mail queue.
 
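As an added example, not code from the post above and not part of Exim or PHP: a small shell script that automates the triage just described. It pulls the message IDs out of `exim -bp` output, pulls the `X-PHP-Originating-Script` header out of `exim -Mvh` output (PHP adds that header to every mail() call when `mail.add_x_header=On` is set in php.ini, recording the uid and script that sent the message), and counts queued messages per script so the busiest one stands out. The queue listing and header dump in the script are constructed samples modelled on the lines quoted in the post, with a third, legitimate-looking message added; on a live box you would feed in the real commands' output as the comment shows. The `/home` search path is an assumption about the web-root layout.

```shell
#!/bin/sh
# Added example: triage a spam-filled Exim queue by originating PHP script.
# Not code from the original post. Both samples below are constructed to
# look like `exim -bp` and `exim -Mvh <id>` output on a compromised host.

# Constructed `exim -bp` output: the summary line of each message carries
# the envelope sender in <...>; a frozen message is flagged "*** frozen ***".
SAMPLE_QUEUE=' 25m  1.2K 1ZAYWc-000BFL-JS <brenda_logan@example.com> *** frozen ***
          dmazaster@example.com

  3h   987 1ZAYUI-000Ayr-7S <brenda_logan@example.com>
          dmazaster@example.com
'

# Constructed `exim -Mvh` output for three queued messages. The leading
# number is the header length; an optional letter after it is an Exim flag.
SAMPLE_HEADERS="180P Received: from admin by example.com with local (Exim 4.72)
        (envelope-from <brenda_logan@example.com>)
        id 1ZAYUI-000Ayr-7S
065  X-PHP-Originating-Script: 502:system93.php(1487) : eval()'d code
068  X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
180P Received: from admin by example.com with local (Exim 4.72)
        id 1ZAYWc-000BFL-JS
065  X-PHP-Originating-Script: 502:system93.php(1487) : eval()'d code
180P Received: from www-data by example.com with local (Exim 4.72)
        id 1ZAYXq-000BGa-2A
065  X-PHP-Originating-Script: 33:contact.php(12)
"

# Message IDs from `exim -bp` output: the third field of every summary line
# (the summary line is the one containing the <sender> address).
queue_ids() {
    awk '/</ { print $3 }'
}

# uid and script name from each X-PHP-Originating-Script header, with a
# count of how many queued messages each script injected, busiest first.
# Output lines look like: "      2 502 system93.php".
originating_scripts() {
    sed -n 's/^[0-9][0-9]*[A-Z]* *X-PHP-Originating-Script: *//p' \
        | awk -F '[(:]' '{ print $1, $2 }' \
        | sort | uniq -c | sort -rn
}

# Just the name of the script responsible for most of the queue.
top_script() {
    originating_scripts | head -n 1 | awk '{ print $3 }'
}

# Demo on the constructed samples. On a live box replace the samples with:
#   exim -bp | queue_ids
#   exim -bp | queue_ids | while read -r id; do exim -Mvh "$id"; done | originating_scripts
echo "Queued message IDs:"
printf '%s' "$SAMPLE_QUEUE" | queue_ids
echo "Queued messages per originating script (count uid script):"
printf '%s' "$SAMPLE_HEADERS" | originating_scripts
# /home is an assumed web-root location; adjust to your layout.
echo "Next step: find /home -type f -name \"$(printf '%s' "$SAMPLE_HEADERS" | top_script)\""
```

The uid in the header (502 here) is as useful as the script name: it is the account the web server ran the script as, so every other writable file owned by that uid is a candidate for the same infection.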
Let's see. These are the last errors from mail.err.1. mail.err is empty.

Code:
Aug 29 22:47:49 vps1 sendmail[28010]: r7TKln1n028010: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 29 22:47:49 vps1 sendmail[28010]: r7TKln1n028010: SYSERR(root): putbody: write error: No space left on device
Aug 29 22:47:49 vps1 sendmail[28010]: r7TKln1n028010: SYSERR(root): Error writing control file qfr7TKln1n028010: No space left on device
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 227 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOM031263: low on space (SMTP-DAEMON needs 0 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): returntosender: cannot select queue for root
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwON031263: low on space (SMTP-DAEMON needs 0 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): returntosender: cannot select queue for postmaster
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): putbody: write error: No space left on device
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): putbody: write error: No space left on device
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): Error writing control file qfr7UMlwOL031263: No space left on device
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: low on space (SMTP-DAEMON needs 227 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6Q001888: low on space (SMTP-DAEMON needs 0 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: SYSERR(root): returntosender: cannot select queue for root
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6R001888: low on space (SMTP-DAEMON needs 0 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: SYSERR(root): returntosender: cannot select queue for postmaster
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: SYSERR(root): putbody: write error: No space left on device
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: SYSERR(root): putbody: write error: No space left on device
Aug 31 02:47:58 vps1 sendmail[1888]: r7V0lw6P001888: SYSERR(root): Error writing control file qfr7V0lw6P001888: No space left on device
 
Code:
You have new mail in /var/mail/root

That's what it says.

I have found this in /var/mail/root:

Code:
Failed FTP Logins:  (103.43.94.30): root - 14 Time(s)
  (103.43.94.30): admin - 14 Time(s)
  (103.43.94.30): anonymous - 1 Time(s)
  (103.43.94.30): test - 15 Time(s)
  (103.43.94.30): ftp - 16 Time(s)
  (103.43.94.30): administrator - 15 Time(s)
 
That's the report for the previous day's activity.
The only mails I see in mail.log are actually root to root. I don't see anything to other email addresses. I think my server is not sending email; it's just that the spammer is using my domain as a "from" or something. Could that be possible? My host told me yesterday that it appears I have "Virus: cysc.spamvertized has infected your system and is sending out spam without you knowing about it".
But I really can't find any trace of outgoing emails.


Added after 9 hours 3 minutes:

I simply cannot find anything. I've told my host and blocked outbound port 25.
He says the issue is resolved.
 
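An added example, not part of the post above: shell functions that read the two pieces of evidence quoted in it, the sendmail errors from mail.err and the logwatch "Failed FTP Logins" section from /var/mail/root, and reduce them to what a responder needs: which spool directory sendmail reports as out of space and how many writes failed because of it, and how many failed FTP logins each source address made. The sample lines are copied from the post; the tally functions are an added illustration. What the sendmail lines say is that the filesystem holding /var/spool/mqueue-client has no free space ("max avail: 0"), so sendmail cannot even write the bounce it is trying to generate; on the live box the first check is `df` on that path and what is filling it.

```shell
#!/bin/sh
# Added example, not part of the original thread: summarise the evidence the
# poster quoted (sendmail mail.err lines and a logwatch FTP section).

# Sample mail.err lines copied from the thread: sendmail reports the queue
# directory as full while trying to write a bounce.
MAIL_ERR='Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 227 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): returntosender: cannot select queue for root
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): putbody: write error: No space left on device
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: low on space (SMTP-DAEMON needs 389 bytes + 100 blocks in /var/spool/mqueue-client), max avail: 0
Aug 31 00:47:58 vps1 sendmail[31263]: r7UMlwOL031263: SYSERR(root): Error writing control file qfr7UMlwOL031263: No space left on device'

# Sample logwatch "Failed FTP Logins" section copied from the thread.
FTP_REPORT='Failed FTP Logins:  (103.43.94.30): root - 14 Time(s)
  (103.43.94.30): admin - 14 Time(s)
  (103.43.94.30): anonymous - 1 Time(s)
  (103.43.94.30): test - 15 Time(s)
  (103.43.94.30): ftp - 16 Time(s)
  (103.43.94.30): administrator - 15 Time(s)'

# Spool directories sendmail reports as out of space, with how many times
# each was reported ("count directory", most frequent first).
full_spools() {
    sed -n 's/.*low on space .* in \([^)]*\)).*/\1/p' | sort | uniq -c | sort -rn
}

# Number of writes that failed because the disk was full.
enospc_count() {
    grep -c 'No space left on device' || true
}

# Failed FTP logins summed per source address ("total address"), worst first.
ftp_failures_by_ip() {
    sed -n 's/.*(\([0-9.][0-9.]*\)): *[^ ][^ ]* - \([0-9][0-9]*\) Time(s).*/\1 \2/p' \
        | awk '{ n[$1] += $2 } END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}

# Demo on the samples. On a live box use the real files, e.g.
#   full_spools < /var/log/mail.err
#   ftp_failures_by_ip < /var/mail/root
echo "Spool directories reported full (count directory):"
printf '%s\n' "$MAIL_ERR" | full_spools
echo "Writes failed with 'No space left on device': $(printf '%s\n' "$MAIL_ERR" | enospc_count)"
echo "Failed FTP logins by source address (total address):"
printf '%s\n' "$FTP_REPORT" | ftp_failures_by_ip
```

The FTP tally is a separate finding from the mail problem: 75 failed logins from one address against generic account names is a password-guessing run, which is worth a firewall rule or fail2ban regardless of whether it succeeded.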
Did you scan your server with any antivirus? Also, make sure your server is not an open relay. If it's configured as an open relay, anyone can send mail through your server.
 
Use Maldet as your Linux server malware tool; it can find the infected files on the Linux file system.

1. How can I install Maldet on the server?

Step I: SSH to your server.
Step II: Download the tar file and install it.

# wget link-to-maldetect-latest
# tar -xzvf maldetect-current.tar.gz
# cd maldetect-*
# sh install.sh

2. Do a maldet scan:

# maldet -a /path/to/scan OR maldet --scan-all /path/to/scan

3. View the scan report:

# maldet -e SCANID
# maldet --report SCANID

4. Quarantine all malware results from a previous scan:

# maldet -q SCANID
# maldet --quarantine SCANID

NOTE: Don't forget to take a complete backup before running the quarantine command.

Hope that helps!
 