Mail Server Help
#1
October 8th, 2011, 08:08 PM
jjm0109
Registered User
Join Date: Oct 2009
Posts: 4

Website Hacked. Sending spams. Help finding malicious code.

Hey guys,
New to the forum so I'll introduce myself. I'm Jugal, a freelance web developer from Mumbai, India.
Apart from making websites, I also offer web hosting to my clients.

I have a dedicated server running Windows Server 2008 with IIS 7 and Parallels Plesk installed.
I have more than 250 domains hosted here, most of which process PHP forms and thus use the mail() function.

There has been an attack on my server where one of the PHP scripts containing the mail() function is being exploited to send spam to random email IDs. I have been getting bounceback emails from the invalid IDs this bot is sending spam to. So far, the count has been more than 12,000.

I suspect the method described here is being used to carry out this operation: hxxp://wxw.astahost.c om/index.php?s=&showtopic=18363&view=findpost&p=121159 (Sorry, had to.)
So maybe one of my clients used weak PHP email code which the hacker (bot) is enjoying using to send spam. (Or maybe not?)

Now, what I want to do is hunt down the vulnerable mail() function responsible for this. Finding "mail()" using Notepad++ seems unreasonable as, across the 250 domains, many of them are ecommerce scripts, form processors, WordPress blogs, etc., adding up to more than 1,000 search results, and it'll be impossible to check them all manually.

Anyone have any idea how I do this? Is there a tool for Windows / Apache to monitor all SMTP requests and trace them to the responsible domain / .php file?
Or can we write a PHP program or anything to monitor the same?

Or just ANY solution to hunt down the responsible domain at least, so that I can delete it.

I'm very tense. Hopefully, since it's the weekend, I have 2 days to fix this, else my clients are gonna call up and complain about those spams.

Hoping for a solution here!

Thanks,
Jugal

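Jugal asks for a way to trace each outgoing message back to the domain and the .php file that sent it. PHP itself can do that on a shared host: setting mail.log (and mail.add_x_header) in php.ini makes every mail() call record the calling script and line number. The Python below is an added example, not code from this thread; it parses such a log and ranks the call sites and the Plesk vhost directories by send volume, so the busiest mailer with the widest spread of recipients surfaces first. The exact log line layout, the C:\inetpub\vhosts\<domain>\httpdocs path convention and the sample records are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in the shape PHP writes when php.ini sets
# mail.log = <file> (the exact layout is an assumption; PHP >= 5.3).
# Paths follow the Plesk-for-Windows C:\inetpub\vhosts\<domain>\httpdocs
# convention, which is also an assumption for this example.
SAMPLE_MAIL_LOG = """\
[08-Oct-2011 19:55:01] mail() on [C:\\inetpub\\vhosts\\shopexample.com\\httpdocs\\contact.php:42]: To: victim1@example.net -- Headers: From: sales@shopexample.com
[08-Oct-2011 19:55:02] mail() on [C:\\inetpub\\vhosts\\shopexample.com\\httpdocs\\contact.php:42]: To: victim2@example.net -- Headers: From: sales@shopexample.com
[08-Oct-2011 19:55:02] mail() on [C:\\inetpub\\vhosts\\shopexample.com\\httpdocs\\contact.php:42]: To: victim3@example.net -- Headers: From: sales@shopexample.com
[08-Oct-2011 19:56:10] mail() on [C:\\inetpub\\vhosts\\blogexample.org\\httpdocs\\wp-login.php:311]: To: owner@blogexample.org -- Headers: From: wordpress@blogexample.org
[08-Oct-2011 19:57:00] mail() on [C:\\inetpub\\vhosts\\shopexample.com\\httpdocs\\contact.php:42]: To: victim4@example.net -- Headers: From: sales@shopexample.com
"""

# Captures the originating script, its line number and the first recipient token.
# The greedy [^\]]+ backtracks past the drive-letter colon in Windows paths.
LOG_RE = re.compile(
    r"mail\(\) on \[(?P<script>[^\]]+):(?P<line>\d+)\]: To: (?P<to>\S+)"
)
# Pulls the domain out of a Plesk vhost path (assumed layout, see above).
VHOST_RE = re.compile(r"vhosts[\\/]([^\\/]+)", re.IGNORECASE)


def parse_mail_log(text):
    """Yield (script_path, line_number, recipient) for every mail() record."""
    for raw in text.splitlines():
        m = LOG_RE.search(raw)
        if m:
            yield m.group("script"), int(m.group("line")), m.group("to")


def rank_senders(text):
    """Return two ranked lists, busiest first:
    [(script:line, sends, distinct recipients)] and [(vhost domain, sends)]."""
    sends = Counter()
    recipients = defaultdict(set)
    per_domain = Counter()
    for script, line, to in parse_mail_log(text):
        key = f"{script}:{line}"
        sends[key] += 1
        recipients[key].add(to)
        vm = VHOST_RE.search(script)
        per_domain[vm.group(1) if vm else "(outside vhosts)"] += 1
    by_script = [(k, n, len(recipients[k])) for k, n in sends.most_common()]
    return by_script, per_domain.most_common()


def suspicious_scripts(text, min_sends=3, min_recipients=3):
    """A contact form normally writes to one fixed inbox; a call site that
    reaches many distinct recipients is the one to inspect first."""
    by_script, _ = rank_senders(text)
    return [s for s in by_script if s[1] >= min_sends and s[2] >= min_recipients]


if __name__ == "__main__":
    scripts, domains = rank_senders(SAMPLE_MAIL_LOG)
    for domain, n in domains:
        print(f"{n:6d}  {domain}")
    for script, n, distinct in scripts:
        print(f"{n:6d}  {distinct:4d} recipients  {script}")
    print("inspect first:", [s[0] for s in suspicious_scripts(SAMPLE_MAIL_LOG)])
```

Point it at the real mail.log once logging has been on for an hour of spam traffic; the domain ranking answers "which customer", and the per-script ranking answers "which file and line", which is what the 1,000-hit Notepad++ search cannot do.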
#2
December 21st, 2011, 06:40 AM
kveroneau
Registered User
Join Date: Dec 2011
Location: Canada
Posts: 13
Since this was posted back in October, I do hope you managed to get the problem under control. If not, or if someone else enters these forums with a similar issue, here are some pointers:

Quote:
Originally Posted by jjm0109
I have a dedicated server running Windows Server 2008 with IIS 7 and Parallels Plesk installed.
I have more than 250 domains hosted here, most of which process PHP forms and thus use the mail() function.

Firstly, why are you not using a cheaper Unix-like system? Are you also hosting .NET or Windows-specific applications? It might be an idea to separate the Apache-hosted applications onto a Unix-like server and keep your Windows-hosted applications on the Windows server. I refer to Apache here, as you note you are using Apache later in your message.

Quote:
Originally Posted by jjm0109
There has been an attack on my server where one of the PHP scripts containing the mail() function is being exploited to send spam to random email IDs. I have been getting bounceback emails from the invalid IDs this bot is sending spam to. So far, the count has been more than 12,000.

Have you checked the "From" address of these spam messages? If you have a secure SMTP server set up, it shouldn't allow relaying mail for domains which you do not personally host. The "From" address should tell you the exact domain, or at least the one which the spams know is on your server.

Quote:
Originally Posted by jjm0109
I suspect the method described here is being used to carry out this operation: hxxp://wxw.astahost.c om/index.php?s=&showtopic=18363&view=findpost&p=121159 (Sorry, had to.)
So maybe one of my clients used weak PHP email code which the hacker (bot) is enjoying using to send spam. (Or maybe not?)

I do believe Windows has a netstat program which can tell you which application is connecting to the SMTP port. If this doesn't help, you should check your mail server logs to see if there are any hints on where it is coming from.

Quote:
Originally Posted by jjm0109
Now, what I want to do is hunt down the vulnerable mail() function responsible for this. Finding "mail()" using Notepad++ seems unreasonable as, across the 250 domains, many of them are ecommerce scripts, form processors, WordPress blogs, etc., adding up to more than 1,000 search results, and it'll be impossible to check them all manually.

PowerShell has a command very similar to the Unix grep command which you can use to scan through files for, say, "mail(". You can create a PowerShell script to scan through multiple directory structures. I'll leave the scripting up to you. PHP also has a grep-like command as well, and it can also go through directory structures.

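kveroneau's suggestion is to grep the whole tree for "mail(". With over a thousand hits, the useful refinement is to rank them rather than read them in order: the "weak PHP email code" Jugal suspects is, in practice, almost always a form that passes request fields straight into the recipient or headers argument of mail(), so calls whose first or fourth argument contains $_POST, $_GET or $_REQUEST directly belong at the top of the review list. The Python below is an added example, not code from the thread; it walks a directory, splits each mail() call into its arguments while honouring PHP string literals, and classifies the call. The sample PHP files and the <domain>/httpdocs directory names are constructed for the example, and the scanner only sees request data passed directly in the call, not a $headers variable assembled earlier.

```python
import os
import re
import tempfile

# Constructed sample tree in a Plesk-like <domain>/httpdocs layout (an
# assumption for this example; the scripts are illustrative, not from the thread).
SAMPLE_FILES = {
    "shopexample.com/httpdocs/contact.php": (
        "<?php\n"
        "// Request fields passed straight into the send call: recipient and\n"
        "// headers are attacker-controlled, so this is the first file to review.\n"
        "mail($_POST['to'], $_POST['subject'], $_POST['message'],\n"
        "     \"From: \" . $_POST['email'] . \"\\r\\n\");\n"
    ),
    "blogexample.org/httpdocs/notify.php": (
        "<?php\n"
        "// Fixed recipient, validated From address; only the body comes from the form.\n"
        "$from = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);\n"
        "if ($from === false) { exit('bad address'); }\n"
        "mail('owner@blogexample.org', 'Site notice', strip_tags($_POST['message']),\n"
        "     \"From: $from\\r\\n\");\n"
    ),
    "blogexample.org/httpdocs/index.php": "<?php echo 'no sending here';\n",
}

CALL_RE = re.compile(r"\bmail\s*\(")
REQUEST_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
SEVERITY_ORDER = {"HIGH": 0, "REVIEW": 1, "LOW": 2, "UNPARSED": 3}


def extract_call_args(src, open_paren):
    """Split the argument list of the call whose '(' sits at open_paren on
    top-level commas, treating PHP string literals as opaque. None if the
    parentheses never close."""
    depth, in_str = 0, None
    args, cur = [], []
    i = open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):  # keep escaped quote inside string
                i += 1
                cur.append(src[i])
            elif c == in_str:
                in_str = None
        elif c in ("'", '"'):
            in_str = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return None


def classify(args):
    """mail(to, subject, message, headers, params): request data reaching the
    recipient, headers or params slot is the shape that lets a form be abused
    as an open relay; data only in subject/body still deserves a look."""
    if args is None:
        return "UNPARSED", "unbalanced call"
    slots = {0: "to", 3: "headers", 4: "params"}
    hits = [name for i, name in slots.items()
            if i < len(args) and REQUEST_RE.search(args[i])]
    if hits:
        return "HIGH", "request data in " + "/".join(hits)
    if any(REQUEST_RE.search(a) for a in args):
        return "REVIEW", "request data only in subject/body"
    return "LOW", "no request data passed directly"


def scan_php_tree(root):
    """Return (relative path, line, severity, reason) for every mail() call
    under root, most suspicious first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            for m in CALL_RE.finditer(src):
                line = src.count("\n", 0, m.start()) + 1
                sev, why = classify(extract_call_args(src, m.end() - 1))
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, line, sev, why))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[2]], f[0], f[1]))
    return findings


def write_samples():
    """Materialise SAMPLE_FILES in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="phpmailscan_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, line, sev, why in scan_php_tree(write_samples()):
        print(f"{sev:8s} {rel}:{line}  {why}")
```

Run scan_php_tree against the vhosts root instead of write_samples() to triage a real host. A LOW result is not a clean bill of health, since the call may receive a variable filled from the request elsewhere, and a HIGH result is where to start reading, cross-checked against the mail.log ranking if that is available.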