08 Jun 2017
Suddenly your monitoring system has detected a lot of messages in mail service queue. Possible your host is spam-infected. First of all check who initiates sending of e-mails. In our case it was unknown script error2.php.
Let's check script content.
As you see script error2.php was obfuscated. It was used associated array and base64 decoder in order to get decoded string that will be passed to eval function. Let's replace eval to echo and look at decoded string content.
In web server logs we have found POST requests to script error2.php.
Let's check suspected script on VirusTotal.
Then let's check malicious scripts against AI-Bolit. It is Antivirus / Malware Scanner For Websites and Hosting.
$ php ai-bolit.php --help
$ php ai-bolit.php -j /PATH/TO/FILE
There are not any detections. Ok, let's try to use paranoic mode.
$ php ai-bolit.php -x 2 -j /PATH/TO/FILE
Success! Malicious code was detected.