Find scripts responsible for sending out spam

Discussion in 'E-mail Discussions' started by CraftyPanda, Mar 18, 2015.

  1. CraftyPanda

    Hi guys,

    I have followed the below instructions to try and track down spam sending scripts, but for some reason the phpmail.log is not getting anything written to it.

    Does anyone else have any experience with this method and had similar issues?



    Edit /usr/local/lib/php.ini and add below lines

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log

    And create a file called /var/log/phpmail.log, give full permission or exim user permission, then restart Apache:
    touch /var/log/phpmail.log
    chmod 777 /var/log/phpmail.log
    service httpd restart

    You can find the exact php script creating spam mails in "/var/log/phpmail.log" (it will also log all mails sent using the php mail function).
     
  2. dmacomber

    In my case I had to edit /home/"TheSite"/public_html/php.ini

    The next question after deleting the malicious script is to find out how it got there and what to do when it keeps coming back.
     
  3. CraftyPanda

    Hi Dmacomber,

    So just to be clear, do you create a blank php.ini file in the client's public_html folder with only the lines

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log

    ?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Individual php.ini files are only acceptable if you are using suPHP. In those cases, the global php.ini still works unless you already have an individual php.ini in the account. Since you don't already have one, it's not going to resolve your issue. You can try using a command like this one to track down the source of SPAM:

    Code:
    awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
    Thank you.
     
  5. dmacomber

    CraftyPanda,

    Again, in my case, here is my /home/domain/public_html/php.ini file

    Code:
    ..... [/home/.../public_html]# cat php.ini
    register_globals = Off
    extension=pdo.so
    extension=pdo_mysql.so
    mail.add_x_header = On
    mail.log = /var/log/phpmail.log
    
     
  6. CraftyPanda

    Hi Michael,

    Thank you for this information. So I ran the command and it listed various account paths, one of which was the account sending out spam. I deleted the folder and the spam seems to have stopped, so thank you for that.

    Please can you tell me what this command is actually outputting? Suspicious file paths? Scripts that are sending mail right now?

    Thanks again
    Andy
     
  7. cPanelMichael

    The command checks /var/log/exim_mainlog for the paths of scripts in the /home directory that are sending emails, and then sorts them from highest to lowest, based on the number of emails found in the log from that path.

    Thank you.
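
What the awk one-liner in this thread tallies, as an added example that is not part of the original posts or cPanel's own tooling: each `cwd=` entry in exim_mainlog records the working directory of the process that handed a message to exim, so the result is a count per directory. This version finds the `cwd=` field wherever it sits on the line, adds the account name, and lists the busiest directory first; the function names, the `[pid]` column and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Tallies exim "cwd=" entries per directory under /home.
# Output columns (tab-separated): count, account, directory; busiest first.

spam_cwd_report() {
    # $1: log file to read ("-" for stdin); defaults to the path used in the thread.
    log="${1:-/var/log/exim_mainlog}"
    awk '
        {
            # Search every field for cwd= instead of assuming it is $3, so a
            # line with an extra leading column (assumed here: a [pid] field)
            # is still counted.
            for (i = 1; i <= NF; i++) {
                if (index($i, "cwd=/home/") == 1) {
                    dir = substr($i, 5)      # drop the "cwd=" prefix
                    split(dir, part, "/")    # part[3] is the account name
                    count[dir]++
                    acct[dir] = part[3]
                    break
                }
            }
        }
        END {
            for (d in count) printf "%d\t%s\t%s\n", count[d], acct[d], d
        }
    ' "$log" | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Constructed log lines (not from a real server) in the layout the thread's
# one-liner expects, plus one with an extra column and two that must be ignored.
sample_exim_log() {
    cat <<'EOF'
2015-03-18 10:15:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-03-18 10:15:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-03-18 10:15:03 [12345] cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2015-03-18 10:16:10 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2015-03-18 10:16:11 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2015-03-18 10:16:12 1YXabc-0001Ab-CD <= bob@example.com U=bob P=local S=812
EOF
}

# Demo on the constructed lines; on a server run: spam_cwd_report /var/log/exim_mainlog
sample_exim_log | spam_cwd_report -
```

A directory with a high count shows where to look; the file doing the sending still has to be identified inside that directory.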
     