Website Hacked. Sending spams. Help finding malicious code.

[jjm0109]

Hey guys,

New to the forum so I'll introduce myself. I'm Jugal, a freelance web developer from Mumbai, India.

Apart from making websites, I also offer web hosting to my clients.

 

I have a dedicated server running Windows Server 2008 with IIS 7 and Parallel Plesk installed.

I have more than 250 domains hosted here, most of which process PHP forms and thus, mail() function.

 

There has been an attack on my server where one of the php script containing mail() function is being exploited to send spams to random email id's. I have been getting bounceback emails from invalid id's this bot is sending spams to. So far, the count has been more than 12,000.

 

I suspect, the method described here is being used to carry out this operation: http://www.astahost.com/index.php?s=&showtopic=18363&view=findpost&p=121159

So maybe one of my client used a weak php email code which hacker (bot) is enjoying to send spams to. (Or maybe not?)

 

Now, what I want to do is to hunt down the vulnerable mail() function responsible for this. Finding "mail()" by using Notepad++ seems unreasonable as from 250 domains, many of them are ecommerce scripts, form processors, wordpress blogs, etc. counting up to more than 1,000 search results and it'll be impossible to check the same manually.

 

Anyone, any idea how do I do this? Is there a tool for windows / apache to monitor all SMTP requests and to trace it to the responsible domain / .php file?

Or can we write a php program or anything to monitor the same?

 

Or just ANY solution to hunt the responsible domain at least, so that I can delete it.

 

I'm very much tensed. Hopefully, it's weekend so maybe I have 2 days to fix this else my clients are gonna call up and complain of those spams.

 

Hoping for a solution here!

 

Thanks,

Jugal