How to find a malware script on a Plesk VPS using commands, with examples

Why malicious scripts get created

Malicious scripts get created when a directory, or the user that owns it, has full permissions. Full permissions means the "777" mode on the directory or on the user's files, which lets any process on the server write a file there.

How to disable a malicious script

Follow the steps below to find and disable the malicious script.
1. Run the following command:
     # postqueue -p | wc -l
     This gives the number of mails currently in the queue; a spam run shows up as an unusually large number.
2. Run the following command:
     # postqueue -p
     This lists the queued mails with their queue IDs and sender addresses.
3. Run the following command, replacing Queue_id with the ID of one of the queued mails:
     # postcat -q Queue_id
     This prints the full content of that mail, headers included.
     Look for the line in the headers that names the script that sent the mail. In this example the script is "text.php".
4. Run the following command again:
     # postqueue -p
     This time note the domains of the senders and select one of them.
5. Run the following command to go to the Plesk vhosts directory:
     # cd /var/www/vhosts/
6. Now change into the directory of the domain selected in step 4:
     # cd twjericho@phecinc.com
     Here "twjericho@phecinc.com" is the name taken from step 4.
7. Run the following command:
     # find . -iname "text.php"
     Here "text.php" is the name of the script found in step 3. This lists every file with that name under the domain (in this example, httpdocs/picture_library/plesk/text.php).
8. Run the following command to inspect the file:
     # cat httpdocs/picture_library/plesk/text.php
     A spam script usually contains obfuscated, unstructured code. If the code makes no sense for a file that belongs to the site, treat it as a malicious script.
9. Run the following command to disable it:
     # chmod 000 httpdocs/picture_library/plesk/text.php
     Here httpdocs/picture_library/plesk/text.php is the file with the unstructured code; removing all permissions means it can no longer be read or executed.
10. Run the following command to delete all deferred mails from the queue:
     # postsuper -d ALL deferred
11. Check the mail queue again with:
     # postqueue -p | wc -l
The count should now be clearly lower than the one from step 1.
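The search-and-disable part of the procedure above (steps 7 to 9, plus a check for the "777" directories that allow the drop), as an added shell example that is not part of the original article. It assumes a vhosts root directory is passed as an argument and builds a constructed sample tree instead of touching a real server.

```shell
#!/bin/sh
# Added example, not part of the original article. Given a vhosts root and the
# script name read from the mail headers (step 3), it lists every copy of that
# script (step 7), reports world-writable directories that let it be dropped
# (the "777" condition), and disables the copies with chmod 000 (step 9).
# The directory tree used in the demo below is constructed, not a real server.

# List files under root $1 whose name matches $2, case-insensitively (step 7).
find_script_copies() {
    find "$1" -type f -iname "$2" 2>/dev/null
}

# List world-writable directories under $1: the permission the article blames.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# chmod 000 every matching copy (step 9) and print how many were disabled.
disable_script_copies() {
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        chmod 000 "$f" && n=$((n + 1))
    done <<EOF
$(find_script_copies "$1" "$2")
EOF
    echo "$n"
}

# Build a constructed vhosts tree under a temporary directory and print its path.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/example.com/httpdocs/picture_library/plesk"
    chmod 777 "$root/example.com/httpdocs/picture_library"   # the weak permission
    echo '<?php /* constructed placeholder for a dropped script */ ?>' \
        > "$root/example.com/httpdocs/picture_library/plesk/text.php"
    echo '<?php /* legitimate site file */ ?>' > "$root/example.com/httpdocs/index.php"
    echo "$root"
}

# Demo: walk the constructed tree the way steps 7 to 9 walk a real domain.
demo_root=$(make_sample_tree)
echo "Copies of text.php:";  find_script_copies "$demo_root" text.php
echo "World-writable dirs:"; find_world_writable_dirs "$demo_root"
echo "Disabled: $(disable_script_copies "$demo_root" text.php) file(s)"
```

On a real server the root argument would be /var/www/vhosts and the script name whatever step 3 revealed; the world-writable list is the set of directories to fix after the script is disabled.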

How to scan the whole server with a single command to find malicious scripts

Use the following command to scan for malicious scripts on the server with maldet (Linux Malware Detect), giving it the path that holds the domains:
      # maldet -a path-of-domain
      Example: maldet -a /var/www/vhosts

Related commands

chmod: Used to change the permissions of a file or directory.
find: Used to find files by name or other attributes.