How to find spam mailing scripts on cPanel servers
Spam sent from virtual and dedicated servers is a problem for most providers. Programs like WordPress can open holes in your server security, either through outdated plugins installed on the account or through outdated software installs.
It's important to always keep software updated to the latest versions. When you fail to update your software, a user can see what version of the software you are using, and that information can be used to target a specific area of your site. If you have a cPanel VPS server, you can use this guide to find spam mailing scripts which have been uploaded.
Find Spam Scripts
Log in to your server via SSH and issue the following command:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
This will search the Exim log and pull back a list of sites and the number of emails they have sent. The information will look like this:
20 /home/First2Host/public_html/servers
287 /home/First2Host1/public_html
10623 /home/First2Host2/public_html/dedicated
The number next to each path is the number of emails that have been sent from it. You can easily see that the user First2Host2 has sent 10623 emails, all of which will be spam.
If you want to see what files are in the folder, you can dig further. Using the account's username, issue the following command:
ls -lahtr /home/First2Host2/public_html/dedicated
drwxr-xr-x 17 First2Host2 First2Host2 4.0K Apr 23 1:25 ../
-rw-r--r-- 1 First2Host2 First2Host2 5.6K Apr 23 1:27 mailer_script.php
drwxr-xr-x 2 First2Host2 First2Host2 4.0K Apr 23 1:27 ./
So, from the returned list here, you can clearly see there is a mailing script in the account. All the software should also be updated to the latest versions.
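The log-counting step above can be wrapped in a function that only reports directories at or over a send threshold, which is easier to run from cron or a monitoring check. This is an added example, not part of the original article; the function names, the threshold argument and the sample log lines are assumptions made for illustration, and unlike the one-liner it excludes only lines whose cwd itself starts with /var/spool.

```shell
#!/bin/sh
# Added example (not from the original article).

# write_sample_log FILE: constructed lines in Exim's "cwd=" log format,
# used only so the function below can be tried without a real server log.
write_sample_log() {
    {
        for i in 1 2 3 4; do
            echo "2024-04-23 01:27:0$i cwd=/home/exampleuser2/public_html/dedicated 3 args: /usr/sbin/sendmail -t -i"
        done
        for i in 1 2; do
            echo "2024-04-23 01:30:0$i cwd=/home/exampleuser1/public_html 3 args: /usr/sbin/sendmail -t -i"
        done
        for i in 1 2 3; do
            echo "2024-04-23 01:31:0$i cwd=/var/spool/exim 2 args: /usr/sbin/exim -q"
        done
        echo "2024-04-23 01:32:00 1abcde-000001-AB Completed"
    } > "$1"
}

# top_senders LOGFILE THRESHOLD
# Prints "count path" for every cwd= directory with at least THRESHOLD
# entries, lowest count first. Queue runs from /var/spool are skipped.
top_senders() {
    awk -v min="$2" '
        /cwd=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cwd=/) {
                    dir = substr($i, 5)          # strip the "cwd=" prefix
                    if (dir !~ /^\/var\/spool/) n[dir]++
                }
            }
        }
        END { for (d in n) if (n[d] >= min) print n[d], d }
    ' "$1" | sort -n
}

# Usage: sh this_script.sh /var/log/exim_mainlog 500
if [ -n "${1:-}" ]; then
    top_senders "$1" "${2:-100}"
fi
```

Each reported path can then be inspected with the ls command shown above.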