Find scripts responsible for sending out spam

CraftyPanda

Well-Known Member
Nov 15, 2012
93
2
58
cPanel Access Level
Root Administrator
Hi guys,

I have followed the below instructions to try and track down spam sending scripts, but for some reason the phpmail.log is not getting anything written to it.

Does anyone else have any experience with this method and had similar issues?



Edit /usr/local/lib/php.ini and add below lines

mail.add_x_header = On
mail.log = /var/log/phpmail.log

And create a file called /var/log/phpmail.log , give full permission or exim user permission then restart Apache
touch /var/log/phpmail.log
chmod 777 /var/log/phpmail.log
service httpd restart

You can find the exact php script from "/var/log/phpmail.log", creating spam mails (it will also log all mails send using php mail function)
 

dmacomber

Member
Oct 9, 2014
6
0
1
cPanel Access Level
Root Administrator
In my case I had to edit /home/"TheSite"/public_html/php.ini

The next question after deleting the malicious script is to find out how it got there and what to do when it keeps coming back.
 

CraftyPanda

Well-Known Member
Nov 15, 2012
93
2
58
cPanel Access Level
Root Administrator
In my case I had to edit /home/"TheSite"/public_html/php.ini

The next question after deleting the malicious script is to find out how it got there and what to do when it keeps coming back.
Hi Dmacomber,

So just to be clear, do you create a blank php.ini file in the clients public html folder with only the lines

mail.add_x_header = On
mail.log = /var/log/phpmail.log

?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello,

Individual php.ini files are only acceptable if you are using suPHP. In those cases, the global php.ini still works unless you already have an individual php.ini in the account. Since you don't already have one, it's not going to resolve your issue. You can try using a command like this one to track down the source of SPAM:

Code:
awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
Thank you.
 

dmacomber

Member
Oct 9, 2014
6
0
1
cPanel Access Level
Root Administrator
CrazyPanda,

Again, in my case, here is my /home/domain/public_html/php.ini file

Code:
..... [/home/.../public_html]# cat php.ini
register_globals = Off
extension=pdo.so
extension=pdo_mysql.so
mail.add_x_header = On
mail.log = /var/log/phpmail.log
 

CraftyPanda

Well-Known Member
Nov 15, 2012
93
2
58
cPanel Access Level
Root Administrator
Hello,

Individual php.ini files are only acceptable if you are using suPHP. In those cases, the global php.ini still works unless you already have an individual php.ini in the account. Since you don't already have one, it's not going to resolve your issue. You can try using a command like this one to track down the source of SPAM:

Code:
awk '/cwd=\/home\// {print $3}' /var/log/exim_mainlog|sort|uniq -c|sort -n
Thank you.
Hi Michael,

Thank you for this information. So i ran the command and its listed various account paths, one of which was the accounts sending out spam, i deleted the folder and the spam seems to have stopped, so thank you for that.

Please can yuo tell me what this command is actually outputting? Suspicious file paths? scripts that are sending mail right now?

Thanks again
Andy
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
The command checks /var/log/exim_mainlog for the paths of scripts in the /home directory that are sending emails, and then sorts them from highest to lowest, based on the number of emails found in the log from that path.

Thank you.
 
  • Like
Reactions: Gino Viroli