We have a shared hosting cgi-server with apache2+php fcgi and dma as MTA (it forwards messages to a mail relay) - it's Debian Wheezy - on it and with the ability for clients to run perl/cgi scripts. There's one client with 70+ sites, and he had been spamming from his ftp-account like crazy. Thing is, he doesn't know where the spam script originates from and neither do we.
The process(es) sending out spam is a perl script hidden as crond - when you check /proc/$PID/cwd it's always /tmp and the file that started the process is already deleted. strace on the process doesn't help - all you see is system calls to make another mail message and headers etc. Searching through the access logs of his few most visited sites for repetitive/suspicious GET/POST requests gets us nowhere.
Should I say regular grep on .php/.cgi/*.pl for base64, eval, fopen, gzinflate and their combinations gives zero result.
The question is - are there any more effective methods/software to find the spam script(s) or to watch which script ran what? Thanks.
I think the mal-script here is not in the usual .pl/.cgi/.fcgi/.fpl extension form, but is still executing on system level as a CGI script. You need to check Apache Handlers/Apache MIME types to see what other extensions are being run as CGI scripts. Once you narrow that down, a simple grep should work.
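The handler check described in this answer, as an added shell example that is not part of the original thread: it lists every extension that AddHandler maps to cgi-script (in the given config files and in any .htaccess under the document root, which can add handlers when AllowOverride FileInfo is on), then greps only files with those extensions for the markers named in the question. The config fragment and document root below are constructed; on Debian the real configs live under /etc/apache2.

```shell
#!/bin/sh
# Added example (not from the thread): find which extensions Apache runs as
# CGI scripts, then grep only those files for the markers from the question.

# Constructed sample Apache config fragment; on Debian the real ones live
# under /etc/apache2 (apache2.conf, sites-enabled/*, mods-enabled/*).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AddHandler cgi-script .cgi .pl
EOF

# Constructed sample document root: a .htaccess (honoured when AllowOverride
# FileInfo is on) maps an image extension to the CGI handler.
DOCROOT=$(mktemp -d)
mkdir -p "$DOCROOT/site"
printf 'AddHandler cgi-script .jpeg\n' >"$DOCROOT/site/.htaccess"
printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n' >"$DOCROOT/site/hello.pl"
printf 'eval(base64_decode("..."));\n' >"$DOCROOT/site/photo.jpeg"
printf 'eval(x);\n' >"$DOCROOT/site/app.js"   # not a CGI extension, so ignored

# cgi_extensions CONF...: print, one per line, every extension that any of
# the given config files hands to the cgi-script handler.
cgi_extensions() {
    grep -hiE '^[[:space:]]*AddHandler[[:space:]]+cgi-script[[:space:]]' "$@" 2>/dev/null \
      | sed -E 's/^[[:space:]]*AddHandler[[:space:]]+cgi-script[[:space:]]+//' \
      | tr -s '[:blank:]' '\n' | sed '/^$/d' | sort -u
}

# suspicious_cgi_files DOCROOT CONF...: list files under DOCROOT whose
# extension is run as CGI (per CONF... plus every .htaccess under DOCROOT)
# and whose contents contain one of the markers the question greps for.
suspicious_cgi_files() {
    docroot=$1; shift
    htaccess=$(find "$docroot" -type f -name .htaccess)
    cgi_extensions "$@" $htaccess | while read -r ext; do
        find "$docroot" -type f -name "*$ext"
    done | sort -u | xargs -r grep -lE 'base64|eval|fopen|gzinflate' 2>/dev/null | sort
}

suspicious_cgi_files "$DOCROOT" "$SAMPLE_CONF"
```

Point it at the real config directory and the client's document roots; a file whose extension is hidden under an unexpected handler shows up even though a grep over *.pl/*.cgi alone misses it.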