Search for a malicious mail script

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Yes, the easiest way to do this is to look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs.

You can very simply do the following:
Code:
grep cwd /var/log/exim_mainlog
You could also do something more detailed such as the following:

Code:
grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
This will output the path and number of emails sent from that path.
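The same cwd-based triage as a reusable script, added here as an example (not part of the forum post). The exim_mainlog lines it reads are constructed samples with made-up paths and message ids; the threshold value passed to flag_busy_paths is an assumption to tune per server.

```sh
#!/bin/sh
# Added example: summarise script-originated mail in an exim_mainlog by the
# cwd= path exim records when a local script calls sendmail.

# Constructed sample log lines in exim_mainlog format (paths and ids are made up).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-11-14 10:01:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-11-14 10:01:02 1eEabc-0001Ab-Cd <= alice@example.com U=alice P=local S=512
2017-11-14 10:01:05 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-11-14 10:02:00 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1eEabc-0001Ab-Cd
2017-11-14 10:03:00 cwd=/home/bob/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2017-11-14 10:04:00 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF

# Print "count path" for each distinct cwd, skipping exim's own /var/spool/
# deliveries, busiest path last (same ordering as the thread's one-liner).
count_cwd_paths() {
    grep 'cwd=' "$1" | grep -v 'cwd=/var/spool/' \
      | sed -n 's/.*cwd=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -n \
      | awk '{print $1, $2}'
}

# List paths that sent at least $2 messages; exit 0 if any were found, else 1.
flag_busy_paths() {
    count_cwd_paths "$1" \
      | awk -v t="$2" '$1 >= t {print "REVIEW:", $2, "(" $1 " messages)"; found=1}
                       END {exit found ? 0 : 1}'
}

# Usage: show the summary and flag anything at or above the assumed threshold.
count_cwd_paths "$SAMPLE_LOG"
flag_busy_paths "$SAMPLE_LOG" 3 || echo "no path reached the threshold"
```

Once a path is flagged, the next step is inspecting the scripts in that directory and their modification times rather than only the counts.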
paulw32

Member
Jul 5, 2020
Australia
cPanel Access Level
Root Administrator
Yes, the easiest way to do this is to look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs.

You can very simply do the following:
Code:
grep cwd /var/log/exim_mainlog
You could also do something more detailed such as the following:

Code:
grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
This will output the path and number of emails sent from that path.

Sorry, I just got around to testing this code, but I couldn't make it work. Is there something specific in the way I need to enter the code in the terminal, or do I just copy and paste?