How to find which PHP file is currently running?

elisom · Feb 6, 2019

My server got hacked and a php files keep trying to send spam.

How can i find which files are running now?

cPanelLauren · Feb 6, 2019

Hi @elisom

The best thing to do is find the PHP file sending the spam. We have a script we run internally that might be helpful for you:

Code:

perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s

The portion "Directories mail is originating from:"specifically.

There are of course other methods that can be used such as those noted in the threads as follows:
Cant find script sending spam
Check which script or file sending spam mail
Identify account sending spam?

elisom · Feb 6, 2019

Thank you. when i run it i get 0 results, but both devcot and exim sending mails non-stop

cPanelLauren · Feb 7, 2019

Hi @elisom

When you're running this or any of the suggestions I've provided are you logged in as the root user? I can confirm any one of the three commands I provided does work, I've used them all myself.

elisom · Feb 7, 2019

Yes. sure.

The script work - no error. but gives 0 results.

dalem · Feb 7, 2019

ditto works without issue

Thread starter	Similar threads	Forum	Replies	Date
	Find who deleted email accounts	Security	3	Jan 18, 2021
D	How to find out which site is vulnerable ?	Security	2	Nov 29, 2019
H	How to find IP address who viewed and uploaded file in my server	Security	2	Nov 16, 2019
W	Trying to find the cause of a php script exe:/usr/bin/php cmd:/usr/bin/php	Security	3	Jul 10, 2018
J	Using clamAV to find phpshell and other ...cool!	Security	3	Feb 8, 2007

Search

Search

How to find which PHP file is currently running?

elisom

Registered

cPanelLauren

Product Owner

elisom

Registered

cPanelLauren

Product Owner

elisom

Registered

dalem

Well-Known Member