How to find spam mailing scripts on cPanel servers


Spam sent from virtual and dedicated servers is a problem for most providers. With programs like WordPress and Joomla, it has become easier for malicious users to upload files to users' accounts, either through outdated plugins installed on the account or through an outdated base install. It is important to always keep software updated to the latest version. When you fail to update your software, a malicious user can see which version you are running and use that information to target specific areas of your site. If you have a dedicated or VPS server, you can use this guide to find spam mailing scripts which have been up

Log in to your server via SSH and issue the following command:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

This searches the Exim log for the working directory (cwd) recorded for each outgoing message, drops Exim's own spool directory, and returns a list of directories together with the number of emails sent from each. The output will look like this:

20 /home/First2Host/public_html/servers
287 /home/First2Host1/public_html
10623 /home/First2Host2/public_html/dedicated


The number next to each path is the count of emails that have been sent from that directory, so you can easily see that the user First2Host2 has sent 10623, all of which will be spam. The user's account should be suspended.

If you want to see which files are in that folder you can dig further. Using the account's username, issue the following command:

ls -lahtr /home/First2Host2/public_html/dedicated

A directory listing like the one below will be returned:

drwxr-xr-x 17 First2Host2 First2Host2 4.0K Apr 23 1:25 ../
-rw-r--r--  1 First2Host2 First2Host2 5.6K Apr 23 1:27 mailer_script.php
drwxr-xr-x  2 First2Host2 First2Host2 4.0K Apr 23 1:27 ./

From the returned listing you can clearly see there is a mailing script (mailer_script.php) in the account. This file needs to be removed and all passwords on the account changed. All software on the account should also be updated to the latest versions.
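The pipeline above can be checked offline before running it on a live server. The script below is an added example, not part of the original guide: it wraps the same grep/awk/sort/uniq pipeline in shell functions and runs it against a small, constructed excerpt of an exim_mainlog (the log lines, the mktemp file and the 2-message threshold are all assumptions, and it assumes Exim is logging command arguments, which is where the cwd= field comes from).

```shell
#!/bin/sh
# Constructed exim_mainlog excerpt (not real server data). Format follows
# Exim's "cwd=<dir> N args: ..." lines written when arguments are logged.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2016-10-11 09:40:01 cwd=/home/First2Host2/public_html/dedicated 3 args: /usr/sbin/sendmail -t -i
2016-10-11 09:40:02 cwd=/home/First2Host2/public_html/dedicated 3 args: /usr/sbin/sendmail -t -i
2016-10-11 09:40:03 cwd=/home/First2Host1/public_html 3 args: /usr/sbin/sendmail -t -i
2016-10-11 09:40:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1btXYZ-0001AB-CD
2016-10-11 09:40:05 cwd=/home/First2Host2/public_html/dedicated 3 args: /usr/sbin/sendmail -t -i
2016-10-11 09:40:06 1btXYZ-0001AB-CD <= root@localhost U=root P=local S=512
EOF

# The guide's pipeline: keep lines carrying cwd=, drop Exim's own spool
# directory, take the path after "cwd=", count per path, lowest count first.
count_senders() {
    grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' \
        | awk '{print $1}' | sort | uniq -c | sort -n
}

# Busiest sending directory (last line of the ascending report).
top_sender() {
    count_senders "$1" | tail -n 1 | awk '{print $2}'
}

# Message count for the busiest directory.
top_count() {
    count_senders "$1" | tail -n 1 | awk '{print $1}'
}

# Directories that sent more than $2 messages; a threshold like this can
# feed a cron job or alert instead of eyeballing the full report.
flag_over() {
    count_senders "$1" | awk -v limit="$2" '$1 > limit {print $2}'
}

echo "Messages per sending directory:"
count_senders "$SAMPLE_LOG"
echo "Over threshold (2 messages):"
flag_over "$SAMPLE_LOG" 2
```

On a live cPanel server replace "$SAMPLE_LOG" with /var/log/exim_mainlog; the functions are otherwise unchanged.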


1 Comment

  • How to clear the Exim mail queue using ssh says:
    October 11, 2016 at 9:45 am

    […] should follow our guide on Compromised accounts to find out which account is sending the spam emails and suspend it as soon as you have run the […]
