Finding scripts responsible for Email / Spam

Sometimes you will find that your server's IP address is being blacklisted because of spam coming from your server. This is normally caused by vulnerable PHP scripts on your server (such as non-upgraded WordPress installations). If you'd like to learn how to find those scripts, keep reading!

The default MTA (Mail Transfer Agent) in cPanel/WHM is exim. With exim, there are specific log file(s) that we can use to help find out what scripts are responsible for emails coming from your server. For this article, we will be using the /var/log/exim_mainlog log file:

1. Log in to your server via SSH
2. Type in the following command at the command prompt:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | grep home | awk '{print $3}'

The above command will show you the locations of the PHP scripts that are sending out email, along with the dates and times, and email ID. Please note it won't give the exact name of the script, only the directory in which the script resides.

Once you have the location of the script, you can use the “cd” command to change to that directory and look for scripts which don't belong.

Scripts that are likely responsible for spam will appear in the output very frequently, with little time between entries (sometimes less than a second). We've observed that spam scripts are commonly found in /theme or /gallery directories, especially in WordPress installations.
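The shell pipeline above lists the sending directories but drops the timestamps, so the "many sends, seconds apart" pattern has to be spotted by eye. The following is an added example (not part of the original article or of cPanel/Exim) that does the same filtering in Python, keeps the timestamp next to each directory, and flags directories that sent at least a few messages with consecutive entries close together. The log lines are constructed for the example; the regular expression assumes the standard Exim mainlog layout of a date, a time and then the `cwd=` field, and the thresholds (`burst_seconds`, `min_count`) are illustrative.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of /var/log/exim_mainlog "cwd=" entries.
# Exim records the working directory when a local script invokes sendmail.
SAMPLE_LOG = """\
2024-05-01 10:00:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd -q1h
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/themes/twentytwenty 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/themes/twentytwenty 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 10:00:02 cwd=/home/alice/public_html/wp-content/themes/twentytwenty 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 10:00:02 cwd=/home/alice/public_html/wp-content/themes/twentytwenty 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 10:05:00 cwd=/home/bob/public_html 4 args: /usr/sbin/sendmail -t -i -f
2024-05-01 10:00:03 1s5abc-0001Ab-Cd <= alice@example.com H=localhost (constructed non-cwd line)
2024-05-01 11:30:00 cwd=/home/bob/public_html 4 args: /usr/sbin/sendmail -t -i -f
"""

# Assumed line layout: "YYYY-MM-DD HH:MM:SS cwd=<directory> ..."
CWD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(\S+)")


def parse_cwd_entries(text):
    """Same filtering as: grep cwd | grep -v /var/spool | grep home | awk '{print $3}'
    but returns (timestamp, directory) pairs instead of the directory alone."""
    entries = []
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue  # not a cwd= line (delivery, queue run, etc.)
        ts, cwd = m.groups()
        if cwd.startswith("/var/spool") or "home" not in cwd:
            continue  # skip the MTA's own spool and anything outside user homes
        entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cwd))
    return entries


def summarize(entries, burst_seconds=1, min_count=3):
    """Per directory: number of sends and the shortest gap between consecutive
    sends. A directory is flagged when it sent at least min_count messages and
    two of them were no more than burst_seconds apart."""
    by_dir = defaultdict(list)
    for ts, cwd in entries:
        by_dir[cwd].append(ts)
    summary = {}
    for cwd, times in by_dir.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        min_gap = min(gaps) if gaps else None
        suspicious = (len(times) >= min_count
                      and min_gap is not None
                      and min_gap <= burst_seconds)
        summary[cwd] = {"count": len(times),
                        "min_gap_seconds": min_gap,
                        "suspicious": suspicious}
    return summary


def suspicious_dirs(text, **kw):
    """Directories worth a manual look, sorted for stable output."""
    return sorted(d for d, s in summarize(parse_cwd_entries(text), **kw).items()
                  if s["suspicious"])


if __name__ == "__main__":
    # Usage: python find_spam_dirs.py /var/log/exim_mainlog  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rows = sorted(summarize(parse_cwd_entries(text)).items(),
                  key=lambda kv: -kv[1]["count"])
    for cwd, s in rows:
        flag = "SUSPICIOUS" if s["suspicious"] else ""
        print(f"{s['count']:5d}  min_gap={s['min_gap_seconds']}  {cwd}  {flag}")
```

The flagged directory is still only a starting point, as in the article: change into it and inspect the files there, since the log records the script's working directory rather than its filename.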
