Oops, it's not the horse photo blog, it's the wedding photo blog:
However, I still know they are not sending this spam on purpose. I'm assuming it was hacked. I've run the site through some online site scanners like urlvoid and sucuri.net but both say the site is clean. I've been manually looking at .php files for suspicious code in the site's home directory but that's not efficient and I don't even know if I'd know a malicious script if I saw it.
This may be unrelated or taking off on a tangent, but in my googling on this issue, I came across info about the timthumb exploit (http://www.exploit-db.com/wordpress-timthumb-exploitation/). I ran the suggested find command on this specific site's directory:
find . | grep php | xargs grep -s timthumb
and didn't find anything. But when I moved up to the /home directory, I found 3 other sites with timthumb. Running those 3 through sucuri.net confirmed they contained infected code. I deleted the infected images and changed the permissions on the upload directory so no one can use it. I don't know if this could be related to the fact that a different site on the server is sending spam or a separate problem.
Also, are there more tools/scanners/scripts/whatever that can be run on all the directories on the server to check for issues or am I mostly limited to going through each site one at a time?
I did write a little bash script that lists the directory and version of wordpress (and am quite proud of myself too) but this is not really my thing and I would imagine it's a common need, but brief searching didn't find anything.
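
An added example, not part of the original post and not the poster's script: one way to run both checks described above (WordPress version per site, PHP files mentioning timthumb) across every install under a root such as /home in one pass. It assumes each install keeps the standard wp-includes/version.php with a line like $wp_version = '3.2.1'; the function names are made up for this example.

```sh
#!/bin/sh
# Inventory WordPress installs under a root directory and list the PHP
# files in each that reference timthumb. A match is only a lead for manual
# review (or an upload to a scanner); it does not prove infection.

# Print the version string of the WordPress install in directory $1.
wp_version() {
    grep -m 1 '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null |
        cut -d "'" -f 2
}

# List PHP files under $1 that mention timthumb (case-insensitive).
# "-exec ... {} +" hands paths to grep directly, so names with spaces work.
timthumb_refs() {
    find "$1" -type f -name '*.php' -exec grep -lis 'timthumb' {} + | sort
}

# One summary line per install under $1, followed by any matching files.
scan_sites() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r vfile; do
        site=${vfile%/wp-includes/version.php}
        refs=$(timthumb_refs "$site")
        count=$(printf '%s' "$refs" | grep -c . || true)
        printf '%s\twordpress=%s\ttimthumb_files=%s\n' \
            "$site" "$(wp_version "$site")" "$count"
        [ -z "$refs" ] || printf '%s\n' "$refs" | sed 's/^/    /'
    done
}

# Usage: sh wp-inventory.sh /home   (the script name is arbitrary)
if [ "$#" -gt 0 ]; then
    scan_sites "$1"
fi
```

Run it as a user that can read every site's directory, otherwise unreadable installs are silently skipped.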