Finding scripts responsible for Email / Spam

Sometimes you will find that your server's IP address has been blacklisted because of spam coming from your server. This is normally caused by vulnerable PHP scripts on your server (such as WordPress installations that have not been upgraded). If you'd like to find out how to locate those scripts, keep reading!

The default MTA (Mail Transfer Agent) in cPanel/WHM is exim. With exim, there are specific log file(s) that we can use to help find out what scripts are responsible for emails coming from your server. For this article, we will be using the /var/log/exim_mainlog log file:

1. Log in to your server via SSH
2. Type in the following command at the command prompt:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | grep home | awk '{print $3}'


The above command will provide you with the locations of the PHP scripts that are sending out email, along with the dates and times, and email ID. Please note it won't give the exact name of the script, only the directory in which the script resides.

Once you have the location where the script is, you can use the “cd” command to change directory to that location and look for scripts which don't belong.

Scripts that are likely responsible for spam will be shown in the output very frequently and without much time in between (sometimes not even a second in between). We've observed a commonality of spam scripts being in /theme or /gallery directories, especially among WordPress installations.
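To rank directories by how often and how quickly they send, here is an added example (not part of the original article) that applies the same filters as the command above, then counts messages per directory and the largest number sent within one second. The function names `rank_mail_dirs` and `sample_log` are hypothetical, the sample log lines are constructed, and the script assumes exim's default timestamp in the first two fields of each line.

```shell
#!/bin/sh
# Added example: rank directories seen in exim "cwd=" log lines.
# Output columns: total messages, peak messages in one second, directory.
# Usage on a server: rank_mail_dirs /var/log/exim_mainlog
rank_mail_dirs() {
    # Same filters as the article's greps: cwd, home, not /var/spool.
    awk '
    /cwd=/ && /home/ && !/\/var\/spool/ {
        dir = ""
        # Locate the cwd= field by name so extra log fields do not shift it.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=/) { dir = substr($i, 5); break }
        if (dir == "") next
        total[dir]++
        # Assumption: $1 and $2 are the date and time (exim default).
        n = ++persec[dir SUBSEP $1 " " $2]
        if (n > peak[dir]) peak[dir] = n
    }
    END {
        for (d in total) printf "%d %d %s\n", total[d], peak[d], d
    }' "${1:--}" | sort -k1,1nr -k2,2nr
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:01 cwd=/home/user1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:00:01 cwd=/home/user1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:00:01 cwd=/home/user1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:00:02 cwd=/home/user1/public_html/gallery 3 args: /usr/sbin/sendmail -t -i
2024-01-01 10:05:00 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-01 11:30:00 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-01 11:31:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2024-01-01 11:32:00 1abcDE-000001-AB <= user@example.com H=localhost
EOF
}

# Demonstration on the constructed sample; the busiest directory is listed first.
sample_log | rank_mail_dirs
```

A directory with a high total and a peak of several messages in the same second matches the pattern described above and is the first place to look.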
