How to find a malware script on a Plesk VPS

Why malicious scripts get generated

Malicious scripts get dropped when a directory, or the user that owns it, has full permissions. Full permission means "777" permission on that directory or "777" permission for that user.

How to disable a malicious script

Follow the steps below to disable a malicious script.

1. Run the following command.

[root@ghk ~]# postqueue -p | wc -l

At this step you get the number of spam mails in the queue.

[root@ghk ~]# postqueue -p | wc -l

266 -> number of spam mails in the queue

2. Run the following command.

[root@ghk ~]# postqueue -p

At this step you see the list of queued mails.

[root@ghk ~]# postqueue -p

286TE2D263E -> queue ID      836  Sat Apr

3. Run the following command, replacing Queue_id with an ID from step 2.

[root@ghk ~]# postcat -q Queue_id

[root@ghk ~]# postcat -q 286TE2D263E -> queue ID

This prints the full contents of that mail. Look for the line below among the headers.

X-PHP-Originating-Script: 10002:text.php -> name of the script

In the output above, "text.php" is the name of the script.

4. Run the following command.

[root@ghk ~]# postqueue -p

Here you get the list of domains. Select any one of them.

2861E2D2631 8136  Sat Apr 8 00:17:58 MAILER-DAEMON

(Host or domain name not found. Name service error for john@abc.com -> domain name

5. Run the command below.

[root@ghk ~]# cd /var/www/vhosts

6. Now run the following command.

[root@ghk ~]# cd john@abc.com

"john@abc.com" is the name of the domain taken from step 4.

7. Run the command below.

# find . -iname "text.php"

Here "text.php" is the name of the script found in step 3.

You get the list of spam mailer files, as below:

httpdocs/pictures_library/plesk/text.php

httpdocs/pictures_library/plesk/redax/prext/text.php

8. Run the following command.

[root@ghk ~]# cat httpdocs/pictures_library/plesk/text.php

After running the command above you can see the spam code.

9. Run the following command.

[root@ghk ~]# chmod 000 httpdocs/pictures_library/plesk/text.php

10. Run the following command to delete all deferred mails from the queue.

[root@ghk ~]# postsuper -d ALL deferred

11. Check the mail queue again using the following command.

[root@ghk ~]# postqueue -p | wc -l
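The queue-inspection procedure above, scripted end to end as an added example (this is not code from the original post). It counts queued messages by their queue-ID lines rather than with `postqueue -p | wc -l`, which also counts the header, reason and summary lines; pulls the X-PHP-Originating-Script header out of `postcat -q` output; finds every copy of that script under a vhost root; lists world-writable directories (the "777" condition from the introduction); and strips the script's permissions as in step 9. The Postfix output, the host name ghk.example, the domain abc.com and the vhost tree it builds under a temporary directory are all constructed samples; on a live server, feed it real `postqueue -p` / `postcat -q <id>` output and point it at /var/www/vhosts/<domain>.

```shell
#!/bin/sh
# Added example, not part of the original post: the queue-inspection steps
# scripted with POSIX tools. The Postfix output and the vhost tree below are
# constructed samples; on a real server use `postqueue -p`, `postcat -q <id>`
# and /var/www/vhosts/<domain> instead.

# Constructed `postqueue -p` output: two deferred messages, one a bounce.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
286TE2D263E      836 Sat Apr  8 00:17:58  john@abc.com
(Host or domain name not found. Name service error for name=nowhere.invalid type=MX: Host not found)
                                         someone@nowhere.invalid

2861E2D2631     8136 Sat Apr  8 00:17:58  MAILER-DAEMON
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         other@example.net

-- 9 Kbytes in 2 Requests.'

# Constructed `postcat -q 286TE2D263E` output, abridged to the relevant headers.
SAMPLE_POSTCAT='*** ENVELOPE RECORDS deferred/2/286TE2D263E ***
message_size:             836             198               1               0             836
message_arrival_time: Sat Apr  8 00:17:58 2017
sender: john@abc.com
*** MESSAGE CONTENTS deferred/2/286TE2D263E ***
Received: by ghk.example (Postfix, from userid 10002)
X-PHP-Originating-Script: 10002:text.php
To: someone@nowhere.invalid
Subject: constructed sample
*** HEADER EXTRACTED deferred/2/286TE2D263E ***
*** MESSAGE FILE END deferred/2/286TE2D263E ***'

# Count queued messages by their ID lines. `postqueue -p | wc -l` counts every
# line, including the header, reason lines, blank separators and the summary.
queue_message_count() {
    printf '%s\n' "$1" | grep -Ec '^[0-9A-Za-z]+[*!]? +[0-9]+ '
}

# List queue IDs, stripping the "*" (active) / "!" (hold) markers Postfix appends.
queue_ids() {
    printf '%s\n' "$1" | awk '/^[0-9A-Za-z]+[*!]? +[0-9]+ / { sub(/[*!]$/, "", $1); print $1 }'
}

# UID and script name from the X-PHP-Originating-Script header ("uid:file"),
# which PHP adds when mail.add_x_header is on. The UID is the vhost system user.
originating_uid() {
    printf '%s\n' "$1" | sed -n 's/^X-PHP-Originating-Script: *\([0-9][0-9]*\):.*$/\1/p' | head -n 1
}
originating_script() {
    printf '%s\n' "$1" | sed -n 's/^X-PHP-Originating-Script: *[0-9]*:\(.*\)$/\1/p' | head -n 1
}

# Step 7: every copy of the named script under a vhost root, sorted for stable output.
find_script_copies() {
    find "$1" -type f -iname "$2" | sort
}

# World-writable directories below the vhost root (the "777" case from the intro);
# these are the usual drop points for a mailer script.
world_writable_dirs() {
    find "$1" -type d -perm -002 | sort
}

# Step 9: clear every permission bit so the script can neither be read nor run,
# and return the permission string from ls so the change can be verified.
neutralize_script() {
    chmod 000 "$1"
    ls -ld "$1" | cut -c2-10
}

# Constructed vhost tree standing in for /var/www/vhosts/<domain>. The files are
# harmless placeholders, not real mailer scripts.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/abc.com/httpdocs/pictures_library/plesk/redax/prext"
    echo '<?php /* placeholder for the dropped script */' > "$root/abc.com/httpdocs/pictures_library/plesk/text.php"
    echo '<?php /* placeholder for the dropped script */' > "$root/abc.com/httpdocs/pictures_library/plesk/redax/prext/text.php"
    echo '<?php /* legitimate site file */' > "$root/abc.com/httpdocs/index.php"
    chmod -R 755 "$root/abc.com"
    chmod 777 "$root/abc.com/httpdocs/pictures_library"   # the misconfiguration
    echo "$root"
}

# Walk the whole procedure on the constructed data.
demo() {
    echo "queued messages: $(queue_message_count "$SAMPLE_QUEUE") (wc -l reports $(printf '%s\n' "$SAMPLE_QUEUE" | wc -l | tr -d ' '))"
    echo "queue IDs: $(queue_ids "$SAMPLE_QUEUE" | tr '\n' ' ')"
    script=$(originating_script "$SAMPLE_POSTCAT")
    echo "originating script: $script (uid $(originating_uid "$SAMPLE_POSTCAT"))"
    root=$(make_demo_tree)
    echo "world-writable dirs:"; world_writable_dirs "$root/abc.com"
    for f in $(find_script_copies "$root/abc.com" "$script"); do
        echo "neutralized $f -> $(neutralize_script "$f")"
    done
    rm -rf "$root"
}
demo
```

On a real box the four parsing functions take the output of `postqueue -p` and `postcat -q <id>` directly, for example `originating_script "$(postcat -q 286TE2D263E)"`, and `find_script_copies /var/www/vhosts/<domain> text.php` replaces steps 5 to 7. Checking `world_writable_dirs` after cleanup is what stops the same script from being dropped again.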


How to scan the whole server for malicious scripts with a single command

Use the following command to scan the server.

[root@ghk ~]# maldet -a path-of-domain

Example: maldet -a /var/www/vhost