I recently had a complaint of 'abuse', with my mail server sending out spam. First, one of my users complained that email was bouncing back, then Linode notified me that I'd been flagged for abuse. I also found that Spamcop had blacklisted my server. In the abuse report from Linode, this line stood out:

X-PHP-Originating-Script: 33:.page93.php(241) : eval()'d code

I didn't catch on right away, but that's a warning that a PHP file (.page93.php) is sending out the email. This clicked with me when I Googled around and stumbled into this post (http://goo.gl/9l7wmk). To confirm, I followed these steps:
- Running 'mailq' at the command line told me there were 3,700+ emails in the queue. That alone should have been a sign.
- Copied the message ID of one of them and ran 'postcat -vq [messageId] | less' so I could look for that 'X-PHP-Originating-Script' line. It was there, and when I repeated this test for a few more, I found it was there every time.
- I ran 'find / -name ".page93.php"', and that turned up exactly one entry, in a ckeditor uploads folder.
- Googling around showed that I must have missed a ckeditor vulnerability warning along the way - this isn't an uncommon problem, apparently.
- To increase safety, I made some permissions adjustments in Apache, too, as described here: http://stackoverflow.com/questions/9133024/www-data-permissions
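The three checks above (list the queue, read each message's headers, locate the script on disk) can be chained so that every queued message is triaged at once instead of a handful by hand. The script below is an added example written for this page, not something from the original post or from Postfix. It assumes Postfix's 'mailq' and 'postcat -q' commands, that the site lives under /var/www (pass another root if not), and that uid 33 is www-data, as it is on Debian and Ubuntu; the 'mailq' and 'postcat' output it parses offline is constructed sample text, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): triage a Postfix queue for mail
# injected by PHP's mail(), using the same checks as the steps above.
# Assumptions: Postfix mailq/postcat; the sample outputs below are constructed;
# uid 33 in the header is www-data on Debian/Ubuntu (check with `getent passwd 33`).

# Constructed sample of `mailq` output (two queued messages).
SAMPLE_MAILQ=$(cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E*    1234 Mon Mar  3 10:12:01  www-data@mail.example.org
                                         victim@example.com

2F3E4D5C6B     1210 Mon Mar  3 10:12:03  www-data@mail.example.org
                                         another@example.net

-- 2 Kbytes in 2 Requests.
EOF
)

# Constructed sample of `postcat -q <queue-id>` output for the first message.
SAMPLE_POSTCAT=$(cat <<'EOF'
*** ENVELOPE RECORDS active/1A2B3C4D5E ***
sender: www-data@mail.example.org
*** MESSAGE CONTENTS active/1A2B3C4D5E ***
Received: by mail.example.org (Postfix, from userid 33)
To: victim@example.com
Subject: Special offer
X-PHP-Originating-Script: 33:.page93.php(241) : eval()'d code
X-Mailer: PHP/5.3.10

(body omitted)
*** HEADER EXTRACTED active/1A2B3C4D5E ***
*** MESSAGE FILE END active/1A2B3C4D5E ***
EOF
)

# queue_ids: read `mailq` output on stdin, print one queue ID per line.
# IDs are hex, optionally suffixed with * (active) or ! (held); strip the suffix.
queue_ids() {
    awk '/^[0-9A-F]+[*!]?[[:space:]]/ { id = $1; sub(/[*!]$/, "", id); print id }'
}

# php_origin_fields: read a postcat dump on stdin and print "uid script line"
# from the first X-PHP-Originating-Script header (format "uid:script(line) ...").
# Prints nothing when the message was not sent through PHP's mail().
php_origin_fields() {
    sed -n 's/^X-PHP-Originating-Script:[[:space:]]*\([0-9]*\):\([^(]*\)(\([0-9]*\)).*$/\1 \2 \3/p' | head -n 1
}

# scan_queue: live driver, run as root on the mail host (not executed here).
# Prints a count per originating script, most frequent first, so one rogue
# file such as .page93.php stands out immediately.
scan_queue() {
    mailq | queue_ids | while read -r id; do
        fields=$(postcat -q "$id" 2>/dev/null | php_origin_fields)
        if [ -n "$fields" ]; then
            printf '%s %s\n' "$id" "$fields"
        fi
    done | awk '{ n[$3]++ } END { for (s in n) printf "%6d %s\n", n[s], s }' | sort -rn
}

# locate_script NAME [ROOT]: find every copy of the named script under the web
# root, and separately any .php file sitting in an upload directory, which is
# where a file dropped through an editor upload handler ends up.
# Searching /var/www by default is an assumption; pass the real site root.
locate_script() {
    find "${2:-/var/www}" -name "$1" 2>/dev/null
    find "${2:-/var/www}" -path '*upload*' -name '*.php' 2>/dev/null
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids
printf '%s\n' "$SAMPLE_POSTCAT" | php_origin_fields   # 33 .page93.php 241
```

On a live host, 'scan_queue' replaces the repeated 'postcat -vq ... | less' reading with one tally, and 'locate_script .page93.php' is the corrected form of the find step; the second find inside it is the broader check worth running afterwards, since an upload directory should never contain executable PHP at all.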