How to find which script has been exploited by spammer?

Jeff75

Well-Known Member
Apr 11, 2003
One of my servers is blacklisted with spamcop. I was told that a spammer has exploited a script on one of the accounts, but all of the headers just show that it was sent by nobody using the server's main IP address.

Can someone tell me how to find which script is being used so I can shut it down?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Other than trawling your scripts, you should enable extended exim logging by adding the following to the first box in the Exim Configuration Editor in exim:

log_selector = +arguments +subject

This will provide you with additional information in /var/log/exim_mainlog that shows a cwd=/home/... line to the directory for the script that sends out email through exim. Using the mail ID you can then tie the two together to identify the likely script.

I've explained in more detail in this article:
http://www.configserver.com/free/spammers.html#outbound
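The correlation step described above, as an added example that is not part of chirpy's post or the ConfigServer article: it reads exim_mainlog lines of the shape produced once `log_selector = +arguments +subject` is in place, pairs each `cwd=` line with the `<=` (message received) line that follows it, and counts messages per working directory so the directory hosting the abused script floats to the top. The log lines, hostnames, paths and message IDs are constructed for the example; the pairing rule (the next `<=` line with `P=local` belongs to the most recent `cwd=` line, or to the same `[pid]` when exim's `+pid` selector is also enabled) is an assumption about the log layout, not something the post states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/exim_mainlog after enabling
# "log_selector = +arguments +subject". All paths, hosts and IDs are invented.
SAMPLE_LOG = """\
2023-04-01 10:00:01 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2023-04-01 10:00:01 1pAAAA-000001-AA <= nobody@srv.example.net U=nobody P=local S=812 T="Website enquiry" from <nobody@srv.example.net> for alice@example.com
2023-04-01 10:00:02 cwd=/home/bob/public_html/wp-content/uploads/tmp 3 args: /usr/sbin/sendmail -t -i
2023-04-01 10:00:02 1pAAAA-000002-BB <= nobody@srv.example.net U=nobody P=local S=2310 T="Cheap pills" from <nobody@srv.example.net> for v1@example.org
2023-04-01 10:00:02 1pAAAA-000002-BB => v1@example.org R=lookuphost T=remote_smtp H=mx.example.org [198.51.100.5]
2023-04-01 10:00:02 1pAAAA-000002-BB Completed
2023-04-01 10:00:03 cwd=/home/bob/public_html/wp-content/uploads/tmp 3 args: /usr/sbin/sendmail -t -i
2023-04-01 10:00:03 1pAAAA-000003-CC <= nobody@srv.example.net U=nobody P=local S=2310 T="Cheap pills" from <nobody@srv.example.net> for v2@example.org
2023-04-01 10:00:03 cwd=/home/bob/public_html/wp-content/uploads/tmp 3 args: /usr/sbin/sendmail -t -i
2023-04-01 10:00:03 1pAAAA-000004-DD <= nobody@srv.example.net U=nobody P=local S=2310 T="Cheap pills" from <nobody@srv.example.net> for v3@example.org
2023-04-01 10:00:04 1pAAAA-000005-EE <= carol@example.com H=(client) [203.0.113.9] P=esmtpa A=dovecot_login:carol@example.com S=1500 T="Invoice" from <carol@example.com> for d@example.net
"""

# "<date> <time> [pid] rest"; the [pid] token only appears with +pid enabled.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)(?: \[(?P<pid>\d+)\])? (?P<rest>.*)$")
CWD_RE = re.compile(r"^cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
RECV_RE = re.compile(r"^(?P<id>\S{6}-\S{6}-\S{2}) <= (?P<sender>\S+) (?P<detail>.*)$")
FIELD_RE = re.compile(r'(?P<key>[A-Z])=(?P<val>"[^"]*"|\S+)')


def correlate(log_text):
    """Return one record per received message, carrying the cwd= directory
    that preceded it in the log.

    Assumption: without +pid the cwd line has no message ID, so the next
    '<=' line with P=local (a sendmail pipe from a script) is taken to belong
    to the most recent cwd line. With +pid the [pid] is used as the key,
    which survives interleaving from concurrent deliveries. SMTP-submitted
    messages (P=esmtpa etc.) never get a cwd attached.
    """
    pending = {}   # pid (or None for positional pairing) -> (cwd, args)
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        c = CWD_RE.match(rest)
        if c:
            pending[pid] = (c.group("cwd"), c.group("args"))
            continue
        r = RECV_RE.match(rest)
        if not r:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(r.group("detail"))}
        if fields.get("P") == "local":
            cwd, args = pending.pop(pid, (None, None))
        else:
            cwd, args = None, None
        records.append({
            "id": r.group("id"),
            "ts": m.group("ts"),
            "sender": r.group("sender"),
            "user": fields.get("U"),
            "protocol": fields.get("P"),
            "subject": fields.get("T"),
            "cwd": cwd,
            "args": args,
        })
    return records


def rank_script_dirs(records):
    """Count locally injected messages per working directory, with the
    subjects seen from each, most active directory first."""
    counts = Counter()
    subjects = defaultdict(Counter)
    for rec in records:
        if rec["cwd"]:
            counts[rec["cwd"]] += 1
            subjects[rec["cwd"]][rec["subject"]] += 1
    return [(d, n, dict(subjects[d])) for d, n in counts.most_common()]


def message_ids_from(records, cwd):
    """Mail IDs that came out of one directory, for 'exim -Mvh <id>' checks."""
    return [rec["id"] for rec in records if rec["cwd"] == cwd]


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for directory, n, subj in rank_script_dirs(recs):
        print(f"{n:4d}  {directory}  subjects={subj}")
        print("      ids:", ", ".join(message_ids_from(recs, directory)))
```

On a live box the same functions would be fed the real file, e.g. `correlate(open("/var/log/exim_mainlog").read())`; the directory at the top of the ranking is where to look for the injected or abused script, and the message IDs let you confirm the match against the queued or delivered mail.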