Find scripts responsible for sending out spam

[CraftyPanda]

Hi guys,

I have followed the below instructions to try and track down spam sending scripts, but for some reason the phpmail.log is not getting anything written to it.

Does anyone else have any experience with this method and had similar issues?



Edit /usr/local/lib/php.ini and add below lines

mail.add_x_header = On
mail.log = /var/log/phpmail.log

And create a file called /var/log/phpmail.log , give full permission or exim user permission then restart Apache
touch /var/log/phpmail.log
chmod 777 /var/log/phpmail.log
service httpd restart

You can find the exact php script from "/var/log/phpmail.log", creating spam mails (it will also log all mails send using php mail function)

 

[dmacomber]

In my case I had to edit /home/"TheSite"/public_html/php.ini

The next question after deleting the malicious script is to find out how it got there and what to do when it keeps coming back.

 

[CraftyPanda]

In my case I had to edit /home/"TheSite"/public_html/php.ini

The next question after deleting the malicious script is to find out how it got there and what to do when it keeps coming back.

Hi Dmacomber,

So just to be clear, do you create a blank php.ini file in the clients public html folder with only the lines

mail.add_x_header = On
mail.log = /var/log/phpmail.log

?

 

[cPanelMichael]

Hello,

Individual php.ini files are only acceptable if you are using suPHP. In those cases, the global php.ini still works unless you already have an individual php.ini in the account. Since you don't already have one, it's not going to resolve your issue. You can try using a command like this one to track down the source of SPAM:

awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n

Thank you.

 

[dmacomber]

CrazyPanda,

Again, in my case, here is my /home/domain/public_html/php.ini file

..... [/home/.../public_html]# cat php.ini
register_globals = Off
extension=pdo.so
extension=pdo_mysql.so
mail.add_x_header = On
mail.log = /var/log/phpmail.log

 

[CraftyPanda]

Hello,

Individual php.ini files are only acceptable if you are using suPHP. In those cases, the global php.ini still works unless you already have an individual php.ini in the account. Since you don't already have one, it's not going to resolve your issue. You can try using a command like this one to track down the source of SPAM:

awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n

Thank you.

Hi Michael,

Thank you for this information. So i ran the command and its listed various account paths, one of which was the accounts sending out spam, i deleted the folder and the spam seems to have stopped, so thank you for that.

Please can yuo tell me what this command is actually outputting? Suspicious file paths? scripts that are sending mail right now?

Thanks again
Andy

 

[cPanelMichael]

The command checks /var/log/exim_mainlog for the paths of scripts in the /home directory that are sending emails, and then sorts them from highest to lowest, based on the number of emails found in the log from that path.

Thank you.