Hi,

This is a common issue with popular web applications like WordPress and
OpenCart, exploiting vulnerabilities in either plugins or themes. These
spamming scripts mainly abuse the PHP mail function. So, the first step
is to disable PHP mail and use SMTP for all mails. Once mail is
disabled, all requests to the mail function can be logged as an error.

Do a fresh installation of OpenCart and once the malicious script is
injected again through any vulnerability, the requests to the mail function
will be in the error log. Look for access and error logs for the nearby
date/hours to figure out how exactly the file was injected. Once you get
an idea of how it is happening, install intrusion detection software
like fail2ban to block any malicious requests.


On Wednesday 17 February 2016 10:24 AM, JeevZ wrote:
> Hello,
>
> This is an off-topic, help-seeking message.
>
> We have done a project on OpenCart which is residing in our VPS.
> Somehow, one malicious script is creating spam emails. We have found
> that PHP file and cleared it. But this repeats again and
> dynamically such spam-sending scripts are being generated. This makes
> the entire VPS server fail and causes other serious problems.
>
> We have inspected for base64 encryption and other normal methods to find
> such malicious code, but found none. We have changed passwords
> several times but still the issue persists.
>
>
> Is there anyone here who has some experience with this? The problem is
> we cannot locate which files create the spam-sending scripts dynamically.
>
>
> Please help
>
>
> Thank you
>
>
> **
> Jai Bhim
> -- JeevZ --
>
> *Jeevachaithanyan Sivanandan
> +919446196667
> http://jeevanism.wordpress.com/
> -- I Take Refuge On The Enlightened Wisdom --
> -- ബുദ്ധം,ധർമം, സംഘം  ശരണം ഗച്ഛാമി --
> *
>
> -- 
> -- 
> "Freedom is the only law".
> "Freedom Unplugged"
> http://www.ilug-tvm.org
>  
> You received this message because you are subscribed to the Google
> Groups "ilug-tvm" group.
> To control your subscription visit
> http://groups.google.co.in/group/ilug-tvm/subscribe
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
>  
>  
>  
> For details visit the google group page:
> http://groups.google.com/group/ilug-tvm?hl=en
>
> ---
> You received this message because you are subscribed to the Google
> Groups "Free Software Users Group, Thiruvananthapuram" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.


-- 
Regards,
Manu Krishnan T V

Co-Founder | DayScholars Innovations <http://www.dayscholars.com>
SysAdmin | Cool-Works Web Solutions <http://www.coolwrks.com>
Blogs at Bizzard.info <http://www.bizzard.info> & can be found in social
networks as *@tvmanukrishnan <http://www.twitter.com/tvmanukrishnan>*
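
The log review suggested in the reply above, as an added example that is not part of the original thread: it finds scripts that hit the disabled mail function in the PHP error log, then lists the web requests made shortly before the first such call. It assumes `mail` is listed in `disable_functions` in php.ini, PHP 5/7-style warnings and an Apache combined access log; all log lines, paths and addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the thread). Assumed formats: PHP 5/7
# error_log with mail in disable_functions, Apache combined access log.
ERROR_LOG = """\
[17-Feb-2016 04:12:09 UTC] PHP Warning:  mail() has been disabled for security reasons in /var/www/shop/image/cache/tmp_ab12.php on line 3
[17-Feb-2016 04:12:10 UTC] PHP Warning:  mail() has been disabled for security reasons in /var/www/shop/image/cache/tmp_ab12.php on line 3
[17-Feb-2016 04:30:00 UTC] PHP Notice:  Undefined index: page in /var/www/shop/index.php on line 9
"""
ACCESS_LOG = """\
198.51.100.7 - - [17/Feb/2016:03:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [17/Feb/2016:04:10:55 +0000] "POST /example-extension/upload.php HTTP/1.1" 200 31
203.0.113.5 - - [17/Feb/2016:04:12:08 +0000] "GET /image/cache/tmp_ab12.php HTTP/1.1" 200 12
"""

ERR_RE = re.compile(r"^\[(.+?) UTC\] PHP Warning:\s+mail\(\) has been disabled "
                    r"for security reasons in (\S+) on line \d+")
ACC_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def first_mail_calls(error_log):
    """Map each script that called the disabled mail() to its earliest call time."""
    first = {}
    for line in error_log.splitlines():
        m = ERR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)
            first[m.group(2)] = min(ts, first.get(m.group(2), ts))
    return first

def requests_before(access_log, when, minutes=30):
    """Return (ip, method, path) for requests in the `minutes` window ending at `when`."""
    hits, start = [], when - timedelta(minutes=minutes)
    for line in access_log.splitlines():
        m = ACC_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= when:
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits

if __name__ == "__main__":
    for script, ts in first_mail_calls(ERROR_LOG).items():
        print(script, "first mail() call at", ts.isoformat())
        for hit in requests_before(ACCESS_LOG, ts):
            print("   ", *hit)
```

The requests it lists are candidates for a fail2ban filter once the injection path is confirmed.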
