Search for a malicious mail script

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
Yes, the easiest way to do this is look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs.

You can very simply do the following:
Code:
grep cwd /var/log/exim_mainlog
You could also do something more detailed such as the following:

Code:
[[email protected] ~]# grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
This will output the path and number of emails sent from that path
 
  • Like
Reactions: paulw32

paulw32

Member
Jul 5, 2020
17
6
3
Australia
cPanel Access Level
Root Administrator
Yes, the easiest way to do this is look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs.

You can very simply do the following:
Code:
grep cwd /var/log/exim_mainlog
You could also do something more detailed such as the following:

Code:
[[email protected] ~]# grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
This will output the path and number of emails sent from that path
Sorry, I just got around to testing this code, but I couldn't make it work? Is there something specific in the way I need to enter the code in terminal or do I just copy and paste?