How to find exaxt shell location

[zong11]

Someone has added shell in my server. Thatswhy he is adding many php files in my all sites... is there anyway to find exact shell file or that shell php. Any command or any way to check that shell location???

[MRatWork]

How to make sure 'Someone has added shell in my server'.

Info here 'sh /script/sysinfo'.

[zong11]

A. Kloxo-MR: 6.5.0.f-2016040502

B. OS: CentOS release 6.7 (Final) x86_64

C. Apps:
   1. MySQL: mysql55-5.5.48-1.ius.el6.x86_64
   2. PHP: php53u-5.3.29-1.ius.el6.x86_64
   3. Httpd: httpd-2.2.31-1.mr.el6.x86_64
   4. Lighttpd: --uninstalled--
   5. Nginx: --uninstalled--
   6. Qmail: qmail-toaster-1.03-1.3.55.mr.el6.x86_64
      - with: courier-imap-toaster-4.1.2-1.3.18.mr.el6.x86_64
   7. Dns: bind-9.9.7-1.mr.el6.x86_64

D. Php-type (for Httpd/proxy): php-fpm_worker

E. Memory:
                total       used       free     shared    buffers     cached
   Mem:         15944      15162        781          1        402      11285
   -/+ buffers/cache:       3474      12469
   Swap:            0          0          0

[MRatWork]

Update '/etc/httpd/conf/httpd.conf' where change from 'LoadModule cgi_module modules/mod_cgi.so' to '#LoadModule cgi_module modules/mod_cgi.so' and then restart webserver.

[zong11]

Permissions denied

[MRatWork]

This is text file. Need edit with vi or nano.

[zong11]

ok... how to protect server from future addition of shell by hackers... is there any command to run for that???

[MRatWork]

Update your Kloxo-MR.

No access using 'shell' from outside.

[zong11]

I want to remove pending mails from qmail... i am running this '/usr/local/lxlabs/kloxo/bin/misc/qmHandle -D' command but it replies permissions denied.  I have already run 'sh /script/fix-chownchmod'

So please tell me commands to remove that pending mails?

[MRatWork]

Use 'perl /usr/local/lxlabs/kloxo/bin/misc/qmHandle -D' or 'sh /script/mailqueue -D'. It's the same.

[zong11]

Someone adding PHP in my WordPress sites like start.php; general.php and many more. So above var command will solve this or required to run any other command.

[MRatWork]

Someone adding PHP in my WordPress sites like start.php; general.php and many more. So above var command will solve this or required to run any other command.

So, your wordpress (main, themes and or plugins) may have hacked code.

Usually I am using wordfence for prevent/warning in wordpress.

[zong11]

Even wordfense also can't prevent this file addition. Also due to wordfense in 24hrs 1hr my disc i/o going above 98%. So please help me in this regard.

[MRatWork]

No trouble with wordfence if change 'Update interval in seconds (2 is default)' from '2' to '10' or more.

[zong11]

Where is that update interval setting in kloxo ? I didn't found that.