Check which script or file is sending spam mail

sahil3x1

How can I check which script or file is sending spam mail?

I opened a ticket 2-3 times because one of my accounts is sending spam mail, and they told me that a PHP file is sending it and to remove that file. Can you tell me the command so I can check myself every time, and how I can stop them?
 

Eminds

It needs a course of commands to find the script that is spamming; the logs and the outputs need to be monitored.

Still, use the command below to see where the spam is originating from.

head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | grep -Ev ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print $1}'
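An added example, not part of the original post: the same cwd= tally as a reusable shell function that drops the system directories before truncating the list (the one-liner filters after head, so excluded directories use up some of the 15 slots), plus a per-hour breakdown for one directory. The function names and the sample log lines are constructed for illustration; it assumes field 3 of such log lines is cwd=<dir>, as in the one-liner.

```shell
#!/bin/sh
# Added example: not from the thread. Function names are hypothetical.

# write_sample_log FILE -> writes constructed Exim main-log lines for a dry run.
write_sample_log() {
    cat > "$1" <<'EOF'
2022-01-16 03:12:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1n9abc-0001Ab-2C
2022-01-16 03:12:02 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1n9abd-0001Ac-2D
2022-01-16 03:12:03 cwd=/ 2 args: /usr/sbin/exim -q
2022-01-16 03:15:10 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2022-01-16 03:15:11 1n9abe-0001Ad-2E <= exampleuser@host.example U=exampleuser P=local S=1024
2022-01-16 03:15:12 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2022-01-16 04:01:00 cwd=/home/exampleuser/public_html 3 args: /usr/sbin/sendmail -t -i
2022-01-16 04:02:00 cwd=/home/otheruser/public_html/blog 3 args: /usr/sbin/sendmail -t -i
2022-01-16 04:03:00 cwd=/etc/csf 2 args: /usr/sbin/sendmail -t
EOF
}

# top_cwd LOGFILE [N] -> "COUNT cwd=DIR", busiest directory first.
# System directories are removed before head, so N real candidates remain.
top_cwd() {
    awk '$3 ~ /^cwd=/ { print $3 }' "$1" |
        grep -Ev '^cwd=(/$|/etc/csf|/var/spool/exim)' |
        sort | uniq -c | awk '{ print $1, $2 }' |
        sort -k1,1nr -k2,2 | head -n "${2:-15}"
}

# cwd_by_hour LOGFILE DIR -> "COUNT DATE HH:00" for one directory, so a burst
# can be matched against that site's web access log for the same hour.
cwd_by_hour() {
    awk -v want="cwd=$2" '$3 == want { print $1, substr($2, 1, 2) ":00" }' "$1" |
        sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# Dry run on the constructed sample; point the functions at
# /var/log/exim_mainlog on a real server.
sample=$(mktemp)
write_sample_log "$sample"
top_cwd "$sample"
cwd_by_hour "$sample" /home/exampleuser/public_html
rm -f "$sample"
```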
 

SysSachin

Hi,
You have to find the spamming PHP script using the command below as well.
Code:
tail -n 1000 /var/log/exim_mainlog | grep /home
The above command will display the spam script path.
 

samuelmf

I have used the commands

head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr | head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
Output:

Code:
[email protected] [/]# head -1 /var/log/exim_mainlog | awk '{print $1}' ; awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr| head --lines 15 | egrep -v ' cwd=(/$|/etc/csf|/var/spool/exim)' ; tail -1 /var/log/exim_mainlog | awk '{print From $1}'
2022-01-16
1128 cwd=/usr/local/cpanel/whostmgr/docroot
92 cwd=/home/wwwcep
11 cwd=/home/peihap/public_html
4 cwd=/tmp
4 cwd=/home/oronegro/public_html
3 cwd=/home/wwwcep/public_html
3 cwd=/home/nortepalmeras/public_html
2 cwd=/home/pelccom/public_html
2 cwd=/home/cafepassmar/public_html
2 cwd=/home/bruckenenergyser/public_html
1 cwd=/root
1 cwd=/home/peihap/public_html/wp.peihap/wp-admin
2022-01-16
[email protected] [/]# tail -n 1000 /var/log/exim_mainlog | grep /home
[email protected] [/]#
Empty

My Exim queue is still receiving email from peihap to send to Gmail and other providers.
I couldn't find the cause.
 
